fix: add hide check to `canAccess` (close #2532)

2022-11-30 22:01:33 +08:00 · 2022-11-30 22:01:33 +08:00 · 4980b71ba3
parent b5bf5f4325
commit 4980b71ba3
3 changed files with 21 additions and 9 deletions
--- a/internal/fs/list.go
+++ b/internal/fs/list.go
@ -84,7 +84,7 @@ func hide(objs []model.Obj, meta *model.Meta) []model.Obj {
 	deleted := make([]bool, len(objs))
 	rs := strings.Split(meta.Hide, "\n")
 	for _, r := range rs {
-		re, _ := regexp.Compile(r)
+		re := regexp.MustCompile(r)
 		for i, obj := range objs {
 			if deleted[i] {
 				continue
--- a/server/common/check.go
+++ b/server/common/check.go
@ -1,6 +1,9 @@
 package common

 import (
+	"regexp"
+	"strings"
+
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
 )
@ -12,8 +15,17 @@ func CanWrite(meta *model.Meta, path string) bool {
 	return meta.WSub || meta.Path == path
 }

-func CanAccess(user *model.User, meta *model.Meta, path string, password string) bool {
-	// if is not guest, can access
+func CanAccess(user *model.User, meta *model.Meta, reqPath string, password string) bool {
+	// if the reqPath is in hide (only can check the nearest meta) and user can't see hides, can't access
+	if meta != nil && !user.CanSeeHides() {
+		for _, hide := range strings.Split(meta.Hide, "\n") {
+			re := regexp.MustCompile(hide)
+			if re.MatchString(reqPath[len(meta.Path):]) {
+				return false
+			}
+		}
+	}
+	// if is not guest and can access without password
 	if user.CanAccessWithoutPassword() {
 		return true
 	}
@ -22,7 +34,7 @@ func CanAccess(user *model.User, meta *model.Meta, path string, password string)
 		return true
 	}
 	// if meta doesn't apply to sub_folder, can access
-	if !utils.PathEqual(meta.Path, path) && !meta.PSub {
+	if !utils.PathEqual(meta.Path, reqPath) && !meta.PSub {
 		return true
 	}
 	// validate password
--- a/server/handles/fsread.go
+++ b/server/handles/fsread.go
@ -70,7 +70,7 @@ func FsList(c *gin.Context) {
 	}
 	c.Set("meta", meta)
 	if !common.CanAccess(user, meta, reqPath, req.Password) {
-		common.ErrorStrResp(c, "password is incorrect", 403)
+		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
 	if !user.CanWrite() && !common.CanWrite(meta, reqPath) && req.Refresh {
@ -104,7 +104,7 @@ func FsDirs(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
-	var reqPath string
+	reqPath := req.Path
 	if req.ForceRoot {
 		if !user.IsAdmin() {
 			common.ErrorStrResp(c, "Permission denied", 403)
@ -127,7 +127,7 @@ func FsDirs(c *gin.Context) {
 	}
 	c.Set("meta", meta)
 	if !common.CanAccess(user, meta, reqPath, req.Password) {
-		common.ErrorStrResp(c, "password is incorrect", 403)
+		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
 	objs, err := fs.List(c, reqPath)
@ -242,7 +242,7 @@ func FsGet(c *gin.Context) {
 	}
 	c.Set("meta", meta)
 	if !common.CanAccess(user, meta, reqPath, req.Password) {
-		common.ErrorStrResp(c, "password is incorrect", 403)
+		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
 	obj, err := fs.Get(c, reqPath)
@ -353,7 +353,7 @@ func FsOther(c *gin.Context) {
 	}
 	c.Set("meta", meta)
 	if !common.CanAccess(user, meta, req.Path, req.Password) {
-		common.ErrorStrResp(c, "password is incorrect", 403)
+		common.ErrorStrResp(c, "password is incorrect or you have no permission", 403)
 		return
 	}
 	res, err := fs.Other(c, req.FsOtherArgs)