From b472c2ee180e035e7d1853862ead9485cd6aab92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BE=AE=E5=87=89?= <927625802@qq.com>
Date: Thu, 13 Jan 2022 21:23:27 +0800
Subject: [PATCH] :lock: not allowed delete root folder
---
 server/common/common.go | 10 ++++++++++
 server/controllers/account.go | 4 ++--
 server/controllers/file/delete.go | 7 +++++--
 server/controllers/file/upload.go | 5 ++---
 server/controllers/proxy.go | 2 +-
 server/middlewares/account.go | 5 ++---
 server/middlewares/auth.go | 5 ++---
 server/middlewares/down.go | 3 +--
 server/middlewares/path.go | 5 ++---
 9 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/server/common/common.go b/server/common/common.go
index d264d94b..b03775fa 100644
--- a/server/common/common.go
+++ b/server/common/common.go
@@ -60,6 +60,16 @@ func ErrorResp(c *gin.Context, err error, code int) {
 c.Abort()
 }
+func ErrorStrResp(c *gin.Context, str string, code int) {
+ log.Error(str)
+ c.JSON(200, Resp{
+ Code: code,
+ Message: str,
+ Data: nil,
+ })
+ c.Abort()
+}
+
 func SuccessResp(c *gin.Context, data ...interface{}) {
 if len(data) == 0 {
 c.JSON(200, Resp{
diff --git a/server/controllers/account.go b/server/controllers/account.go
index cef514e5..d1a47594 100644
--- a/server/controllers/account.go
+++ b/server/controllers/account.go
@@ -28,7 +28,7 @@ func CreateAccount(c *gin.Context) {
 }
 driver, ok := base.GetDriver(req.Type)
 if !ok {
- common.ErrorResp(c, fmt.Errorf("no [%s] driver", req.Type), 400)
+ common.ErrorStrResp(c, fmt.Sprintf("No [%s] driver", req.Type), 400)
 return
 }
 now := time.Now()
@@ -54,7 +54,7 @@ func SaveAccount(c *gin.Context) {
 }
 driver, ok := base.GetDriver(req.Type)
 if !ok {
- common.ErrorResp(c, fmt.Errorf("no [%s] driver", req.Type), 400)
+ common.ErrorStrResp(c, fmt.Sprintf("No [%s] driver", req.Type), 400)
 return
 }
 old, err := model.GetAccountById(req.ID)
diff --git a/server/controllers/file/delete.go b/server/controllers/file/delete.go
index cdbd36d0..25f96ff0 100644
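Review bot: ErrorStrResp in server/common/common.go logs `str` verbatim and with no request context, so the "Wrong password" rejections that auth.go, down.go and path.go now send through it cannot be tied to a client or a path when someone reviews the log. Consider recording the caller and route next to the message, e.g. `log.Errorf("%s %s: %q", c.ClientIP(), c.Request.URL.Path, str)`, assuming the `log` package imported by this file (its import is outside the hunk) provides Errorf. Using `%q` there also keeps request-derived text, such as the `req.Type` value that account.go interpolates into the message, on a single log line. The exported function has no doc comment; `// ErrorStrResp logs str, replies with Resp{Code: code, Message: str} under HTTP 200 and aborts the handler chain.` would describe what the body does.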
--- a/server/controllers/file/delete.go
+++ b/server/controllers/file/delete.go
@@ -1,7 +1,6 @@
 package file
 import (
- "errors"
 "github.com/Xhofe/alist/drivers/base"
 "github.com/Xhofe/alist/drivers/operate"
 "github.com/Xhofe/alist/server/common"
@@ -21,7 +20,7 @@ func DeleteFiles(c *gin.Context) {
 return
 }
 if len(req.Names) == 0 {
- common.ErrorResp(c, errors.New("empty file names"), 400)
+ common.ErrorStrResp(c, "Empty file names", 400)
 return
 }
 for i, name := range req.Names {
@@ -30,6 +29,10 @@ func DeleteFiles(c *gin.Context) {
 common.ErrorResp(c, err, 500)
 return
 }
+ if path_ == "/" {
+ common.ErrorStrResp(c, "Delete root folder is not allowed", 400)
+ return
+ }
 clearCache := false
 if i == len(req.Names)-1 {
 clearCache = true
diff --git a/server/controllers/file/upload.go b/server/controllers/file/upload.go
index 3983f4b1..d6e8ba28 100644
--- a/server/controllers/file/upload.go
+++ b/server/controllers/file/upload.go
@@ -1,7 +1,6 @@
 package file
 import (
- "errors"
 "github.com/Xhofe/alist/conf"
 "github.com/Xhofe/alist/drivers/base"
 "github.com/Xhofe/alist/drivers/operate"
@@ -19,11 +18,11 @@ func UploadFiles(c *gin.Context) {
 password := c.PostForm("password")
 meta, _ := model.GetMetaByPath(path)
 if meta == nil || !meta.Upload {
- common.ErrorResp(c, errors.New("not allow upload"), 403)
+ common.ErrorStrResp(c, "Not allow upload", 403)
 return
 }
 if meta.Password != "" && meta.Password != password {
- common.ErrorResp(c, errors.New("wrong password"), 403)
+ common.ErrorStrResp(c, "Wrong password", 403)
 return
 }
 }
diff --git a/server/controllers/proxy.go b/server/controllers/proxy.go
index 6d66bd13..dd800643 100644
--- a/server/controllers/proxy.go
+++ b/server/controllers/proxy.go
@@ -36,7 +36,7 @@ func Proxy(c *gin.Context) {
 _, ok = c.Get("sign")
 }
 if !ok {
- common.ErrorResp(c, fmt.Errorf("[%s] not allowed proxy", account.Name), 403)
+ common.ErrorStrResp(c, fmt.Sprintf("[%s] not allowed proxy", account.Name), 403)
 return
 }
 }
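Review bot: In DeleteFiles (server/controllers/file/delete.go) the new `path_ == "/"` guard sits inside the `for i, name := range req.Names` loop, so a request that lists an ordinary name before one that resolves to the root is refused only after the earlier iterations have run. If each iteration performs its delete (the call is below the hunk), the client receives a 400 for a request that was partly carried out; resolving and checking every name in a first pass and deleting only in a second would make the refusal all-or-nothing. The guard is also an exact string match, so it depends on the code that produces `path_` (above the hunk) always returning a normalised path; if that is not guaranteed, compare `path.Clean(path_) == "/"` instead. A short comment on the guard stating what `"/"` refers to at this point would help the next reader.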
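Review bot: UploadFiles (server/controllers/file/upload.go) still decides access with `meta.Password != password`, an early-exit string comparison against a secret that appears to be held in clear text. The same pattern is on the new side of Auth in server/middlewares/auth.go (`token != conf.Token`) and of PathCheck in server/middlewares/path.go (`meta.Password != req.Password`). A constant-time comparison removes the timing signal, e.g. `subtle.ConstantTimeCompare([]byte(meta.Password), []byte(password)) != 1` with `crypto/subtle` imported. Since this commit already touches every one of these rejection paths, a single shared helper for the comparison would keep them consistent. The `if` that encloses this block opens above the hunk.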
diff --git a/server/middlewares/account.go b/server/middlewares/account.go
index 9a821b4b..041ce1d1 100644
--- a/server/middlewares/account.go
+++ b/server/middlewares/account.go
@@ -1,7 +1,6 @@
 package middlewares
 import (
- "fmt"
 "github.com/Xhofe/alist/model"
 "github.com/Xhofe/alist/server/common"
 "github.com/gin-gonic/gin"
@@ -9,8 +8,8 @@ import (
 func CheckAccount(c *gin.Context) {
 if model.AccountsCount() == 0 {
- common.ErrorResp(c, fmt.Errorf("no accounts,please add one first"), 1001)
+ common.ErrorStrResp(c, "No accounts,please add one first", 1001)
 return
 }
 c.Next()
-}
\ No newline at end of file
+}
diff --git a/server/middlewares/auth.go b/server/middlewares/auth.go
index cd6f2975..066fde15 100644
--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
@@ -1,7 +1,6 @@
 package middlewares
 import (
- "fmt"
 "github.com/Xhofe/alist/conf"
 "github.com/Xhofe/alist/server/common"
 "github.com/gin-gonic/gin"
@@ -20,8 +19,8 @@ func Auth(c *gin.Context) {
 //}
 //if token != utils.GetMD5Encode(password.Value) {
 if token != conf.Token {
- common.ErrorResp(c, fmt.Errorf("wrong password"), 401)
+ common.ErrorStrResp(c, "Wrong password", 401)
 return
 }
 c.Next()
-}
\ No newline at end of file
+}
diff --git a/server/middlewares/down.go b/server/middlewares/down.go
index a8409441..296ea000 100644
--- a/server/middlewares/down.go
+++ b/server/middlewares/down.go
@@ -1,7 +1,6 @@
 package middlewares
 import (
- "fmt"
 "github.com/Xhofe/alist/conf"
 "github.com/Xhofe/alist/server/common"
 "github.com/Xhofe/alist/utils"
@@ -20,7 +19,7 @@ func DownCheck(c *gin.Context) {
 }
 pw := c.Query("pw")
 if !common.CheckDownLink(utils.Dir(rawPath), pw, utils.Base(rawPath)) {
- common.ErrorResp(c, fmt.Errorf("wrong password"), 401)
+ common.ErrorStrResp(c, "Wrong password", 401)
 c.Abort()
 return
 }
diff --git a/server/middlewares/path.go b/server/middlewares/path.go
index d73097d0..dc6a8431 100644
--- a/server/middlewares/path.go
+++ b/server/middlewares/path.go
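Review bot: In DownCheck (server/middlewares/down.go) the `c.Abort()` that follows `common.ErrorStrResp(c, "Wrong password", 401)` is redundant, because ErrorStrResp as added in server/common/common.go already ends with `c.Abort()`. The two rejection branches of PathCheck in server/middlewares/path.go carry the same leftover call. Dropping it leaves the `common.ErrorStrResp(...)` call followed directly by `return`, which is how Auth and CheckAccount are written in this same commit. DownCheck begins above the hunk.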
@@ -1,7 +1,6 @@
 package middlewares
 import (
- "fmt"
 "github.com/Xhofe/alist/conf"
 "github.com/Xhofe/alist/model"
 "github.com/Xhofe/alist/server/common"
@@ -25,13 +24,13 @@ func PathCheck(c *gin.Context) {
 meta, err := model.GetMetaByPath(req.Path)
 if err == nil {
 if meta.Password != "" && meta.Password != req.Password {
- common.ErrorResp(c, fmt.Errorf("wrong password"), 401)
+ common.ErrorStrResp(c, "Wrong password", 401)
 c.Abort()
 return
 }
 } else if conf.GetBool("check parent folder") {
 if !common.CheckParent(utils.Dir(req.Path), req.Password) {
- common.ErrorResp(c, fmt.Errorf("wrong password"), 401)
+ common.ErrorStrResp(c, "Wrong password", 401)
 c.Abort()
 return
 }