mirror of https://github.com/cloudreve/Cloudreve
96 lines
2.3 KiB
Go
96 lines
2.3 KiB
Go
package middleware
|
|
|
|
import (
|
|
"github.com/cloudreve/Cloudreve/v4/application/dependency"
|
|
"github.com/cloudreve/Cloudreve/v4/inventory/types"
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/filemanager/manager"
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/hashid"
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/util"
|
|
"github.com/cloudreve/Cloudreve/v4/pkg/wopi"
|
|
"github.com/gin-gonic/gin"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
// WopiWriteAccess validates if write access is obtained.
|
|
func WopiWriteAccess() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
session := c.MustGet(wopi.WopiSessionCtx).(*wopi.SessionCache)
|
|
if session.Action != wopi.ActionEdit {
|
|
c.Status(http.StatusNotFound)
|
|
c.Header(wopi.ServerErrorHeader, "read-only access")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func ViewerSessionValidation() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
dep := dependency.FromContext(c)
|
|
store := dep.KV()
|
|
settings := dep.SettingProvider()
|
|
|
|
accessToken := strings.Split(c.Query(wopi.AccessTokenQuery), ".")
|
|
if len(accessToken) != 2 {
|
|
c.Status(http.StatusForbidden)
|
|
c.Header(wopi.ServerErrorHeader, "malformed access token")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
sessionRaw, exist := store.Get(manager.ViewerSessionCachePrefix + accessToken[0])
|
|
if !exist {
|
|
c.Status(http.StatusForbidden)
|
|
c.Header(wopi.ServerErrorHeader, "invalid access token")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
session := sessionRaw.(manager.ViewerSessionCache)
|
|
if err := SetUserCtx(c, session.UserID); err != nil {
|
|
c.Status(http.StatusInternalServerError)
|
|
c.Header(wopi.ServerErrorHeader, "user not found")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
fileId := hashid.FromContext(c)
|
|
if fileId != session.FileID {
|
|
c.Status(http.StatusForbidden)
|
|
c.Header(wopi.ServerErrorHeader, "invalid file")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Check if the viewer is still available
|
|
viewers := settings.FileViewers(c)
|
|
var v *types.Viewer
|
|
for _, group := range viewers {
|
|
for _, viewer := range group.Viewers {
|
|
if viewer.ID == session.ViewerID && !viewer.Disabled {
|
|
v = &viewer
|
|
break
|
|
}
|
|
}
|
|
|
|
if v != nil {
|
|
break
|
|
}
|
|
}
|
|
|
|
if v == nil {
|
|
c.Status(http.StatusInternalServerError)
|
|
c.Header(wopi.ServerErrorHeader, "viewer not found")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
util.WithValue(c, manager.ViewerCtx{}, v)
|
|
util.WithValue(c, manager.ViewerSessionCacheCtx{}, &session)
|
|
c.Next()
|
|
}
|
|
}
|