fix: error permission for the admin api

saltbo · Feb 20, 2021 · 66034d6 · 66034d6
1 parent cc59d4c
commit 66034d6
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 5 deletions.
diff --git a/internal/app/dao/storage.go b/internal/app/dao/storage.go
@@ -26,9 +26,12 @@ func (s *Storage) Find(id interface{}) (*model.Storage, error) {
  return storage, nil
 }
 
-func (s *Storage) FindAll(offset, limit int) (list []model.Storage, total int64, err error) {
+func (s *Storage) FindAll(offset, limit int) (storages []model.Storage, total int64, err error) {
  gdb.Model(model.Storage{}).Count(&total)
- err = gdb.Find(&list).Offset(offset).Limit(limit).Error
+ err = gdb.Find(&storages).Offset(offset).Limit(limit).Error
+ for idx, storage := range storages {
+ storages[idx].SecretKey = storage.SKAsterisk() // 对外隐藏SK
+ }
  return
 }
 
@@ -41,11 +44,16 @@ func (s *Storage) Create(storage *model.Storage) error {
 }
 
 func (s *Storage) Update(id string, storage *model.Storage) error {
- if err := gdb.First(&model.Storage{}, id).Error; errors.Is(err, gorm.ErrRecordNotFound) {
+ existStorage := new(model.Storage)
+ if err := gdb.First(existStorage, id).Error; errors.Is(err, gorm.ErrRecordNotFound) {
  return fmt.Errorf("storage not found")
  }
 
  storage.Id, _ = strconv.ParseInt(id, 10, 64)
+ // 如果SK没有发生改变则不允许更新SK，避免改错SK
+ if storage.SecretKey == existStorage.SKAsterisk() {
+ storage.SecretKey = existStorage.SecretKey
+ }
  return gdb.Save(storage).Error
 }
 

diff --git a/internal/app/model/storage.go b/internal/app/model/storage.go
@@ -37,3 +37,10 @@ func (Storage) TableName() string {
 func (s *Storage) PublicRead() bool {
  return s.Mode == StorageModeFileDisk
 }
+
+func (s *Storage) SKAsterisk() (sk string) {
+ for range s.SecretKey {
+ sk += "*"
+ }
+ return
+}
diff --git a/internal/pkg/middleware/auth_rbac.yml b/internal/pkg/middleware/auth_rbac.yml
@@ -59,20 +59,34 @@
 - id: 102
  host: "*"
  path: "/api/storages/**"
- method: "{PUT,DELETE}"
+ method: "{PUT,PATCH,DELETE}"
  authorized_roles:
  - "admin"
 
 - id: 103
+ host: "*"
+ path: "/api/users"
+ method: "GET"
+ authorized_roles:
+ - "admin"
+
+- id: 104
  host: "*"
  path: "/api/users/**"
  method: "{PUT,DELETE}"
  authorized_roles:
  - "admin"
 
-- id: 104
+- id: 105
  host: "*"
  path: "/api/system/options/*"
  method: "PUT"
  authorized_roles:
  - "admin"
+
+- id: 106
+ host: "*"
+ path: "/api/system/options/core.email"
+ method: "GET"
+ authorized_roles:
+ - "admin"