chore: user permissions

server/controllers/aria2.go

@@ -44,7 +44,7 @@ type AddAria2Req struct {
 
 func AddAria2(c *gin.Context) {
 	user := c.MustGet("user").(*model.User)
-	if !user.IsAdmin() && !user.Aira2 {
+	if !user.CanAddAria2Tasks() {
 		common.ErrorStrResp(c, "permission denied", 403)
 		return
 	}

server/controllers/fsmanage.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"fmt"
 	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/fs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/sign"
@@ -25,14 +26,14 @@ func FsMkdir(c *gin.Context) {
 	}
 	user := c.MustGet("user").(*model.User)
 	req.Path = stdpath.Join(user.BasePath, req.Path)
-	if !user.CanWrite() {
+	if !user.CanMkdir() {
 		meta, err := db.GetNearestMeta(req.Path)
 		if err != nil {
 			common.ErrorResp(c, err, 500)
 			return
 		}
 		if !canMkdirOrPut(meta, req.Path) {
-			common.ErrorStrResp(c, "Permission denied", 403)
+			common.ErrorResp(c, errs.PermissionDenied, 403)
 			return
 		}
 	}
@@ -67,6 +68,10 @@ func FsMove(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanMove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	req.SrcDir = stdpath.Join(user.BasePath, req.SrcDir)
 	req.DstDir = stdpath.Join(user.BasePath, req.DstDir)
 	for _, name := range req.Names {
@@ -90,6 +95,10 @@ func FsCopy(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanCopy() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	req.SrcDir = stdpath.Join(user.BasePath, req.SrcDir)
 	req.DstDir = stdpath.Join(user.BasePath, req.DstDir)
 	var addedTask []string
@@ -122,6 +131,10 @@ func FsRename(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRename() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	req.Path = stdpath.Join(user.BasePath, req.Path)
 	if err := fs.Rename(c, req.Path, req.Name); err != nil {
 		common.ErrorResp(c, err, 500)
@@ -146,6 +159,10 @@ func FsRemove(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	if !user.CanRemove() {
+		common.ErrorResp(c, errs.PermissionDenied, 403)
+		return
+	}
 	req.Path = stdpath.Join(user.BasePath, req.Path)
 	for _, name := range req.Names {
 		err := fs.Remove(c, stdpath.Join(req.Path, name))
@@ -161,14 +178,14 @@ func FsPut(c *gin.Context) {
 	path := c.GetHeader("File-Path")
 	user := c.MustGet("user").(*model.User)
 	path = stdpath.Join(user.BasePath, path)
-	if !user.CanWrite() {
+	if !user.CanUpload() {
 		meta, err := db.GetNearestMeta(path)
 		if err != nil {
 			common.ErrorResp(c, err, 500)
 			return
 		}
 		if !canMkdirOrPut(meta, path) {
-			common.ErrorStrResp(c, "Permission denied", 403)
+			common.ErrorResp(c, errs.PermissionDenied, 403)
 			return
 		}
 	}

server/controllers/fsread.go

@@ -71,7 +71,7 @@ func FsList(c *gin.Context) {
 
 func canAccess(user *model.User, meta *model.Meta, path string, password string) bool {
 	// if is not guest, can access
-	if user.IsAdmin() || user.IgnorePassword {
+	if user.CanAccessWithoutPassword() {
 		return true
 	}
 	// if meta is nil or password is empty, can access

server/controllers/task.go

@@ -0,0 +1 @@
+package controllers

server/middlewares/auth.go

@@ -60,13 +60,3 @@ func AuthAdmin(c *gin.Context) {
 		c.Next()
 	}
 }
-
-func AuthManage(c *gin.Context) {
-	user := c.MustGet("user").(*model.User)
-	if user.CanWrite() {
-		c.Next()
-		return
-	}
-	common.ErrorStrResp(c, "You have no write access", 403)
-	c.Abort()
-}

server/router.go

@@ -51,20 +51,24 @@ func Init(r *gin.Engine) {
 	setting.POST("/save", controllers.SaveSettings)
 	setting.POST("/delete", controllers.DeleteSetting)
 	setting.POST("/reset_token", controllers.ResetToken)
+	setting.POST("/set_aria2", controllers.SetAria2)
 
+	// guest can
 	public := api.Group("/public")
 	public.GET("/settings", controllers.PublicSettings)
 	public.Any("/list", controllers.FsList)
 	public.Any("/get", controllers.FsGet)
 
+	// gust can't
 	fs := api.Group("/fs")
 	fs.POST("/mkdir", controllers.FsMkdir)
-	fs.POST("/rename", middlewares.AuthManage, controllers.FsRename)
-	fs.POST("/move", middlewares.AuthManage, controllers.FsMove)
-	fs.POST("/copy", middlewares.AuthManage, controllers.FsCopy)
-	fs.POST("/remove", middlewares.AuthManage, controllers.FsRemove)
+	fs.POST("/rename", controllers.FsRename)
+	fs.POST("/move", controllers.FsMove)
+	fs.POST("/copy", controllers.FsCopy)
+	fs.POST("/remove", controllers.FsRemove)
 	fs.POST("/put", controllers.FsPut)
 	fs.POST("/link", middlewares.AuthAdmin, controllers.Link)
+	fs.POST("/add_aria2", controllers.AddAria2)
 }
 
 func Cors(r *gin.Engine) {