Merge pull request #800 from Go-Go-Farther/private_blog_opt

opt&bugfix: 私密文章访问优化 Fixes mindoc-org/mindoc#774
2022-06-27 13:19:40 +08:00 · 2022-06-27 13:19:40 +08:00 · b4b7528e3f
parent c15da23bf2 3ef9801a75
commit b4b7528e3f
4 changed files with 18 additions and 5 deletions
--- a/conf/lang/en-us.ini
+++ b/conf/lang/en-us.ini
@ -313,6 +313,7 @@ prev = prev
 next = next
 no = no
 edit_title = Edit Blog
+private_blog_tips = Private blog is accessible only to author and administrator

 [doc]
 modify_doc = Modify Document
--- a/conf/lang/zh-cn.ini
+++ b/conf/lang/zh-cn.ini
@ -313,6 +313,7 @@ prev = 上一篇
 next = 下一篇
 no = 无
 edit_title = 编辑文章
+private_blog_tips = 加密文章，仅作者和管理员可访问

 [doc]
 modify_doc = 修改文档
--- a/controllers/BlogController.go
+++ b/controllers/BlogController.go
@ -56,12 +56,23 @@ func (c *BlogController) Index() {
 		if blog.BlogStatus == "password" && password != blog.Password {
 			c.JsonResult(6001, i18n.Tr(c.Lang, "message.blog_pwd_incorrect"))
 		} else if blog.BlogStatus == "password" && password == blog.Password {
-			//如果密码输入正确，则存入session中
-			_ = c.CruSession.Set(context.TODO(), blogReadSession, blogId)
+			// If the password is correct, then determine whether the user is correct
+			if c.Member != nil && (blog.MemberId == c.Member.MemberId || c.Member.IsAdministrator()) {
+				/* Private blog is accessible only to author and administrator.
+				   Anonymous users are not allowed access. */
+				// Store the session value
+				_ = c.CruSession.Set(context.TODO(), blogReadSession, blogId)
+				c.JsonResult(0, "OK")
+			} else {
+				c.JsonResult(6002, i18n.Tr(c.Lang, "blog.private_blog_tips"))
+			}
+		} else {
 			c.JsonResult(0, "OK")
 		}
-		c.JsonResult(0, "OK")
-	} else if blog.BlogStatus == "password" && (c.CruSession.Get(context.TODO(), blogReadSession) == nil || (c.Member != nil && blog.MemberId != c.Member.MemberId && !c.Member.IsAdministrator())) {
+	} else if blog.BlogStatus == "password" &&
+		(c.CruSession.Get(context.TODO(), blogReadSession) == nil || // Read session doesn't exist
+			c.Member == nil || // Anonymous, Not Allow
+			(blog.MemberId != c.Member.MemberId && !c.Member.IsAdministrator())) { // User isn't author or administrator
 		//如果不存在已输入密码的标记
 		c.TplName = "blog/index_password.tpl"
 	}
--- a/views/blog/index_password.tpl
+++ b/views/blog/index_password.tpl
@ -105,7 +105,7 @@
        <input type="password" name="password" placeholder="{{i18n .Lang "blog.access_pass"}}" class="inp"/>
    </div>
    <div class="btn">
-        <span id="error" style="color: #919191; font-size: 13px;"></span>
+        <span id="error" style="color: #919191; font-size: 13px;">{{i18n .Lang "blog.private_blog_tips"}}</span>
        <input type="submit" value="{{i18n .Lang "doc.commit"}}" class="button"/>
    </div>
    <div class="clear"></div>