bugfix: 1. 修复私有问题访问bug;2. 重构私有文档访问逻辑代码;3. shell生成zip包中,删除go文件。 resolves mindoc-org/mindoc#751, resolves mindoc-org/mindoc#801

pull/803/head
Go-Go-Farther 2022-07-05 11:59:23 +08:00
parent b4b7528e3f
commit 0b83a53b56
6 changed files with 89 additions and 41 deletions

View File

@ -14,7 +14,7 @@ go build -v -o mindoc_linux_amd64 -ldflags="-linkmode external -extldflags '-sta
mkdir ../mindoc_linux_amd64
cp -r * ../mindoc_linux_amd64
cd ../mindoc_linux_amd64
rm -rf cache commands controllers converter .git .github graphics mail models routers utils runtime
rm -rf cache commands controllers converter .git .github graphics mail models routers utils runtime conf/*.go
rm appveyor.yml docker-compose.yml Dockerfile .travis.yml .gitattributes .gitignore go.mod go.sum main.go README.md simsun.ttc start.sh sync_host.sh build_amd64.sh build_musl_amd64.sh
zip -r mindoc_linux_amd64.zip conf static uploads views lib mindoc_linux_amd64 favicon.ico LICENSE.md
mv ./mindoc_linux_amd64.zip ../

View File

@ -14,7 +14,7 @@ go build -v -o mindoc_linux_musl_amd64 -ldflags="-linkmode external -extldflags
mkdir ../mindoc_linux_musl_amd64
cp -r * ../mindoc_linux_musl_amd64
cd ../mindoc_linux_musl_amd64
rm -rf cache commands controllers converter .git .github graphics mail models routers utils runtime
rm -rf cache commands controllers converter .git .github graphics mail models routers utils runtime conf/*.go
rm appveyor.yml docker-compose.yml Dockerfile .travis.yml .gitattributes .gitignore go.mod go.sum main.go README.md simsun.ttc start.sh sync_host.sh build_amd64.sh build_musl_amd64.sh
zip -r mindoc_linux_musl_amd64.zip conf static uploads views lib mindoc_linux_musl_amd64 favicon.ico LICENSE.md
mv ./mindoc_linux_musl_amd64.zip ../

View File

@ -190,8 +190,9 @@ func (c *BaseController) ShowErrorPage(errCode int, errMsg string) {
c.Data["ErrorCode"] = errCode
var buf bytes.Buffer
exeData := map[string]interface{}{"ErrorMessage": errMsg, "ErrorCode": errCode, "BaseUrl": conf.BaseUrl, "Lang": c.Lang}
if err := web.ExecuteViewPathTemplate(&buf, "errors/error.tpl", web.BConfig.WebConfig.ViewsPath, map[string]interface{}{"ErrorMessage": errMsg, "ErrorCode": errCode, "BaseUrl": conf.BaseUrl}); err != nil {
if err := web.ExecuteViewPathTemplate(&buf, "errors/error.tpl", web.BConfig.WebConfig.ViewsPath, exeData); err != nil {
c.Abort("500")
}
if errCode >= 200 && errCode <= 510 {

View File

@ -96,6 +96,41 @@ func (c *DocumentController) Index() {
}
// CheckPassword : Handles password verification for private documents,
// and front-end requests are made through Ajax.
func (c *DocumentController) CheckPassword() {
c.Prepare()
identify := c.Ctx.Input.Param(":key")
password := c.GetString("bPassword")
if identify == "" || password == "" {
c.JsonResult(http.StatusBadRequest, i18n.Tr(c.Lang, "message.param_error"))
}
// You have not logged in and need to log in again.
if !c.EnableAnonymous && !c.isUserLoggedIn() {
logs.Info("You have not logged in and need to log in again(SessionId: %s).",
c.CruSession.SessionID(context.TODO()))
c.JsonResult(6000, i18n.Tr(c.Lang, "message.need_relogin"))
return
}
book, err := models.NewBook().FindByFieldFirst("identify", identify)
if err != nil {
logs.Error(err)
c.JsonResult(500, i18n.Tr(c.Lang, "message.item_not_exist"))
}
if book.BookPassword != password {
c.JsonResult(5001, i18n.Tr(c.Lang, "message.wrong_password"))
} else {
c.SetSession(identify, password)
c.JsonResult(0, "OK")
}
}
// 阅读文档
func (c *DocumentController) Read() {
c.Prepare()
@ -1258,48 +1293,58 @@ func (c *DocumentController) isReadable(identify, token string) *models.BookResu
bookResult.RoleId = roleId
}
}
// 如果文档是私有的
if book.PrivatelyOwned == 1 && (!c.isUserLoggedIn() || !c.Member.IsAdministrator()) {
if s, ok := c.GetSession(identify).(string); !ok || (!strings.EqualFold(s, book.PrivateToken) && !strings.EqualFold(s, book.BookPassword)) {
if book.PrivateToken != "" && !isOk && token != "" {
// 如果有访问的 Token并且该项目设置了访问 Token并且和用户提供的相匹配则记录到 Session 中。
// 如果用户未提供 Token 且用户登录了,则判断用户是否参与了该项目。
// 如果用户未登录,则从 Session 中读取 Token。
if token != "" && strings.EqualFold(token, book.PrivateToken) {
/*
* 访
* 访
* 访
* token
* token访
* token访
* password
* password访
* password访
*
* 1. 访session
* 2. session使sessiontokenpassword使tokenpassword
* 3. tokenpassword访
* 4. 使token访
*/
if book.PrivatelyOwned == 1 {
if c.isUserLoggedIn() && c.Member.IsAdministrator() {
return bookResult
}
if isOk { // Project participant.
return bookResult
}
// Use session in preference.
if tokenOrPassword, ok := c.GetSession(identify).(string); ok {
if strings.EqualFold(book.PrivateToken, tokenOrPassword) || strings.EqualFold(book.BookPassword, tokenOrPassword) {
return bookResult
}
}
// Next: Session not exist or not correct.
if book.PrivateToken != "" && book.PrivateToken == token {
c.SetSession(identify, token)
} else if token, ok := c.GetSession(identify).(string); !ok || !strings.EqualFold(token, book.PrivateToken) {
logs.Info("尝试访问文档但权限不足 ->", identify, token)
c.ShowErrorPage(403, i18n.Tr(c.Lang, "message.no_permission"))
}
} else if password := c.GetString("bPassword", ""); !isOk && book.BookPassword != "" && password != "" {
//如果设置了密码,则判断密码是否正确
if book.BookPassword != password {
c.JsonResult(5001, i18n.Tr(c.Lang, "message.wrong_password"))
} else {
c.SetSession(identify, password)
c.JsonResult(0, "OK")
}
} else if !isOk {
//如果设置了密码,则显示密码输入页面
if book.BookPassword != "" {
//判断已存在的密码是否正确
if password, ok := c.GetSession(identify).(string); !ok || !strings.EqualFold(password, book.BookPassword) {
body, err := c.ExecuteViewPathTemplate("document/document_password.tpl", map[string]string{"Identify": book.Identify})
return bookResult
} else if book.BookPassword != "" {
// Send a page for inputting password.
// For verification, see function DocumentController.CheckPassword
body, err := c.ExecuteViewPathTemplate("document/document_password.tpl",
map[string]string{"Identify": book.Identify, "Lang": c.Lang})
if err != nil {
logs.Error("显示密码页面失败 ->", err)
c.ShowErrorPage(500, i18n.Tr(c.Lang, "message.system_error"))
}
c.CustomAbort(200, body)
}
} else {
// No permission to access this book.
logs.Info("尝试访问文档但权限不足 ->", identify, token)
c.ShowErrorPage(403, i18n.Tr(c.Lang, "message.no_permission"))
}
}
}
}
return bookResult
}

View File

@ -11,6 +11,7 @@ import (
"github.com/beego/beego/v2/core/logs"
"github.com/beego/beego/v2/server/web"
"github.com/beego/beego/v2/server/web/context"
// "github.com/mindoc-org/mindoc/conf"
"github.com/mindoc-org/mindoc/controllers"
)
@ -243,6 +244,7 @@ func init() {
web.Router("/history/restore", &controllers.DocumentController{}, "*:RestoreHistory")
web.Router("/docs/:key", &controllers.DocumentController{}, "*:Index")
web.Router("/docs/:key/check-password", &controllers.DocumentController{}, "post:CheckPassword")
web.Router("/docs/:key/:id", &controllers.DocumentController{}, "*:Read")
web.Router("/docs/:key/search", &controllers.DocumentController{}, "post:Search")
web.Router("/export/:key", &controllers.DocumentController{}, "*:Export")

View File

@ -100,7 +100,7 @@
<body>
<div class="auth_form">
<div class="shell">
<form action="{{urlfor "DocumentController.Index" ":key" .Identify}}" method="post" id="auth_form">
<form action="{{urlfor "DocumentController.CheckPassword" ":key" .Identify}}" method="post" id="auth_form">
<div class="tit">{{i18n .Lang "doc.input_pwd"}}</div>
<div style="margin-top: 10px;">
<input type="password" name="bPassword" placeholder="{{i18n .Lang "doc.read_pwd"}}" class="inp"/>