alist/drivers
千石 00120cba27
feat: enhance permission control and label management (#9215)
* 标签管理

* pr检查优化

* feat(role): Implement role management functionality

- Add role management routes in `server/router.go` for listing, getting, creating, updating, and deleting roles
- Introduce `initRoles()` in `internal/bootstrap/data/data.go` for initializing roles during bootstrap
- Create `internal/op/role.go` to handle role operations including caching and singleflight
- Implement role handler functions in `server/handles/role.go` for API responses
- Define database operations for roles in `internal/db/role.go`
- Extend `internal/db/db.go` for role model auto-migration
- Design `internal/model/role.go` to represent role structure with ID, name, description, base path, and permissions
- Initialize default roles (`admin` and `guest`) in `internal/bootstrap/data/role.go` during startup

* refactor(user roles): Support multiple roles for users

- Change the `Role` field type from `int` to `[]int` in `drivers/alist_v3/types.go` and `drivers/quqi/types.go`.
- Update the `Role` field in `internal/model/user.go` to use a new `Roles` type with JSON and database support.
- Modify `IsGuest` and `IsAdmin` methods to check for roles using `Contains` method.
- Update `GetUserByRole` method in `internal/db/user.go` to handle multiple roles.
- Add `roles.go` to define a new `Roles` type with JSON marshalling and scanning capabilities.
- Adjust code in `server/handles/user.go` to compare roles with `utils.SliceEqual`.
- Change role initialization for users in `internal/bootstrap/data/dev.go` and `internal/bootstrap/data/user.go`.
- Update `Role` handling in `server/handles/task.go`, `server/handles/ssologin.go`, and `server/handles/ldap_login.go`.

* feat(user/role): Add path limit check for user and role permissions

- Add new permission bit for checking path limits in `user.go`
- Implement `CheckPathLimit` method in `User` struct to validate path access
- Modify `JoinPath` method in `User` to enforce path limit checks
- Update `role.go` to include path limit logic in `Role` struct
- Document new permission bit in `Role` and `User` comments for clarity

* feat(permission): Add role-based permission handling

- Introduce `role_perm.go` for managing user permissions based on roles.
- Implement `HasPermission` and `MergeRolePermissions` functions.
- Update `webdav.go` to utilize role-based permissions instead of direct user checks.
- Modify `fsup.go` to integrate `CanAccessWithRoles` function.
- Refactor `fsread.go` to use `common.HasPermission` for permission validation.
- Adjust `fsmanage.go` for role-based access control checks.
- Enhance `ftp.go` and `sftp.go` to manage FTP access via roles.
- Update `fsbatch.go` to employ `MergeRolePermissions` for batch operations.
- Replace direct user permission checks with role-based permission handling across various modules.

* refactor(user): Replace integer role values with role IDs

- Change `GetAdmin()` and `GetGuest()` functions to retrieve role by name and use role ID.
- Add patch for version `v3.45.2` to convert legacy integer roles to role IDs.
- Update `dev.go` and `user.go` to use role IDs instead of integer values for roles.
- Remove redundant code in `role.go` related to guest role creation.
- Modify `ssologin.go` and `ldap_login.go` to set user roles to nil instead of using integer roles.
- Introduce `convert_roles.go` to handle conversion of legacy roles and ensure role existence in the database.

* feat(role_perm): implement support for multiple base paths for roles

- Modify role permission checks to support multiple base paths
- Update role creation and update functions to handle multiple base paths
- Add migration script to convert old base_path to base_paths
- Define new Paths type for handling multiple paths in the model
- Adjust role model to replace BasePath with BasePaths
- Update existing patches to handle roles with multiple base paths
- Update bootstrap data to reflect the new base_paths field

* feat(role): Restrict modifications to default roles (admin and guest)

- Add validation to prevent changes to "admin" and "guest" roles in `UpdateRole` and `DeleteRole` functions.
- Introduce `ErrChangeDefaultRole` error in `internal/errs/role.go` to standardize error messaging.
- Update role-related API handlers in `server/handles/role.go` to enforce the new restriction.
- Enhance comments in `internal/bootstrap/data/role.go` to clarify the significance of default roles.
- Ensure consistent error responses for unauthorized role modifications across the application.

* 🔄 **refactor(role): Enhance role permission handling**

- Replaced `BasePaths` with `PermissionPaths` in `Role` struct for better permission granularity.
- Introduced JSON serialization for `PermissionPaths` using `RawPermission` field in `Role` struct.
- Implemented `BeforeSave` and `AfterFind` GORM hooks for handling `PermissionPaths` serialization.
- Refactored permission calculation logic in `role_perm.go` to work with `PermissionPaths`.
- Updated role creation logic to initialize `PermissionPaths` for `admin` and `guest` roles.
- Removed deprecated `CheckPathLimit` method from `Role` struct.

* fix(model/user/role): update permission settings for admin and role

- Change `RawPermission` field in `role.go` to hide JSON representation
- Update `Permission` field in `user.go` to `0xFFFF` for full access
- Modify `PermissionScopes` in `role.go` to `0xFFFF` for enhanced permissions

* 🔒 feat(role-permissions): Enhance role-based access control

- Introduce `canReadPathByRole` function in `role_perm.go` to verify path access based on user roles
- Modify `CanAccessWithRoles` to include role-based path read check
- Add `RoleNames` and `Permissions` to `UserResp` struct in `auth.go` for enhanced user role and permission details
- Implement role details aggregation in `auth.go` to populate `RoleNames` and `Permissions`
- Update `User` struct in `user.go` to include `RolesDetail` for more detailed role information
- Enhance middleware in `auth.go` to load and verify detailed role information for users
- Move `guest` user initialization logic in `user.go` to improve code organization and avoid repetition

* 🔒 fix(permissions): Add permission checks for archive operations

- Add `MergeRolePermissions` and `HasPermission` checks to validate user access for reading archives
- Ensure users have `PermReadArchives` before proceeding with `GetNearestMeta` in specific archive paths
- Implement permission checks for decompress operations, requiring `PermDecompress` for source paths
- Return `PermissionDenied` errors with 403 status if user lacks necessary permissions

* 🔒 fix(server): Add permission check for offline download

- Add permission merging logic for user roles
- Check user has permission for offline download addition
- Return error response with "permission denied" if check fails

*  feat(role-permission): Implement path-based role permission checks

- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.

*  feat(role-permission): Implement path-based role permission checks

- Add `CheckPathLimitWithRoles` function to validate access based on `PermPathLimit` permission.
- Integrate `CheckPathLimitWithRoles` in `offline_download` to enforce path-based access control.
- Apply `CheckPathLimitWithRoles` across file system management operations (e.g., creation, movement, deletion).
- Ensure `CheckPathLimitWithRoles` is invoked for batch operations and archive-related actions.
- Update error handling to return `PermissionDenied` if the path validation fails.
- Import `errs` package in `offline_download` for consistent error responses.

* ♻️ refactor(access-control): Update access control logic to use role-based checks

- Remove deprecated logic from `CanAccess` function in `check.go`, replacing it with `CanAccessWithRoles` for improved role-based access control.
- Modify calls in `search.go` to use `CanAccessWithRoles` for more precise handling of permissions.
- Update `fsread.go` to utilize `CanAccessWithRoles`, ensuring accurate access validation based on user roles.
- Simplify import statements in `check.go` by removing unused packages to clean up the codebase.

*  feat(fs): Improve visibility logic for hidden files

- Import `server/common` package to handle permissions more robustly
- Update `whetherHide` function to use `MergeRolePermissions` for user-specific path permissions
- Replace direct user checks with `HasPermission` for `PermSeeHides`
- Enhance logic to ensure `nil` user cases are handled explicitly

* 标签管理

* feat(db/auth/user): Enhance role handling and clean permission paths

- Comment out role modification checks in `server/handles/user.go` to allow flexible role changes.
- Improve permission path handling in `server/handles/auth.go` by normalizing and deduplicating paths.
- Introduce `addedPaths` map in `CurrentUser` to prevent duplicate permissions.

* feat(storage/db): Implement role permissions path prefix update

- Add `UpdateRolePermissionsPathPrefix` function in `role.go` to update role permissions paths.
- Modify `storage.go` to call the new function when the mount path is renamed.
- Introduce path cleaning and prefix matching logic for accurate path updates.
- Ensure roles are updated only if their permission scopes are modified.
- Handle potential errors with informative messages during database operations.

* feat(role-migration): Implement role conversion and introduce NEWGENERAL role

- Add `NEWGENERAL` to the roles enumeration in `user.go`
- Create new file `convert_role.go` for migrating legacy roles to new model
- Implement `ConvertLegacyRoles` function to handle role conversion with permission scopes
- Add `convert_role.go` patch to `all.go` under version `v3.46.0`

* feat(role/auth): Add role retrieval by user ID and update path prefixes

- Add `GetRolesByUserID` function for efficient role retrieval by user ID
- Implement `UpdateUserBasePathPrefix` to update user base paths
- Modify `UpdateRolePermissionsPathPrefix` to return modified role IDs
- Update `auth.go` middleware to use the new role retrieval function
- Refresh role and user caches upon path prefix updates to maintain consistency

---------

Co-authored-by: Leslie-Xy <540049476@qq.com>
2025-07-26 09:51:59 +08:00
..
115 perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
115_open feat(115_open): implement rate limiting for API requests 2025-05-11 13:39:32 +08:00
115_share fix(115): fix offline download (#7845 close #7794) 2025-01-27 20:20:55 +08:00
123 fix: restore user-agent header in HTTP requests 2025-07-16 20:39:05 +08:00
123_link feat: add 123 link driver (close #4924) 2023-09-10 16:50:10 +08:00
123_share feat: add `Reference` interface to driver (#7805) 2025-01-18 23:26:58 +08:00
139 feat: add UseLargeThumbnail for 139 (#8424) 2025-04-27 19:58:45 +08:00
189 feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
189pc fix: update documentation links to point to the new domain And fix 189pc getToken fail 2025-06-27 16:28:09 +08:00
alias feat(alias): support writing to non-ambiguous paths (#8216) 2025-03-27 23:17:45 +08:00
alist_v2 refactor: obj name mapping and internal path processing (#2733) 2022-12-17 19:49:05 +08:00
alist_v3 feat: enhance permission control and label management (#9215) 2025-07-26 09:51:59 +08:00
aliyundrive fix: update DriveId assignment to use DeviceID from Addition struct 2025-07-14 23:04:40 +08:00
aliyundrive_open fix(aliyundrive_open): resolve file duplication issues and improve path handling (#8358) 2025-04-19 14:22:12 +08:00
aliyundrive_share feat(alipan): replace domain (#5751 close #5747) 2023-12-31 14:29:14 +08:00
azure_blob feat(azure_blob): implement GetRootId interface in Addition struct (#8389) 2025-04-19 14:23:48 +08:00
baidu_netdisk perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
baidu_photo perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
baidu_share fix(baidu_share): large file download (#3887 close #3876) 2023-03-20 17:46:15 +08:00
base feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
chaoxing feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
cloudreve feat(cloudreve_v4): add Cloudreve V4 driver (#8470 closes #8328 #8467) 2025-05-24 13:38:43 +08:00
cloudreve_v4 feat(cloudreve_v4): add Cloudreve V4 driver (#8470 closes #8328 #8467) 2025-05-24 13:38:43 +08:00
crypt fix(crypt): premature close of MFile (#8132 close #8119) 2025-03-15 00:13:30 +08:00
doubao feat(doubao): add get_download_info API and download_api option (#8428) 2025-04-27 20:00:25 +08:00
doubao_share feat(doubao_share): support doubao_share link (#8376) 2025-04-19 14:22:43 +08:00
dropbox feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
febbox fix(febbox): panic due to slice out of range (#7898 close #7889) 2025-01-30 11:24:07 +08:00
ftp feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
github perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
github_releases feat(github_releases): concurrently request the GitHub API (#9211) 2025-07-24 15:30:12 +08:00
google_drive feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
google_photo feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
halalcloud feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
ilanzou perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
ipfs_api fix(ipfs): fix problems (#8252) 2025-04-12 17:01:30 +08:00
kodbox feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
lanzou fix(lanzou): remove JavaScript comments from response data (#8386) 2025-04-19 14:24:43 +08:00
lark feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
lenovonas_share fix(lenovonas_share): the size of the directory (#7914) 2025-02-01 17:32:58 +08:00
local perf(local): avoid duplicate parsing of VideoThumbPos (#7812) 2025-04-19 14:27:13 +08:00
mediatrack feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
mega fix(mega): use newest file for same filename (#8422 close #8344) 2025-04-27 19:56:04 +08:00
misskey feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
mopan perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
netease_music fix(netease_music): change ListResp size fields from string to int64 (#8417) 2025-04-27 19:59:30 +08:00
onedrive fix: update documentation links to point to the new domain And fix 189pc getToken fail 2025-06-27 16:28:09 +08:00
onedrive_app feat(cloudreve_v4): add Cloudreve V4 driver (#8470 closes #8328 #8467) 2025-05-24 13:38:43 +08:00
onedrive_sharelink feat: add support for Onedrive Sharelink driver (#6793) 2024-07-17 12:21:06 +08:00
pikpak fix(pikpak&pikpak_share): fix WebPackageName (#8305) 2025-04-12 17:03:58 +08:00
pikpak_share fix(pikpak&pikpak_share): fix WebPackageName (#8305) 2025-04-12 17:03:58 +08:00
quark_uc perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
quark_uc_tv perf(quark_uc&quark_uc_tv): native proxy multithreading (#8287) 2025-04-03 20:50:29 +08:00
quqi feat: enhance permission control and label management (#9215) 2025-07-26 09:51:59 +08:00
s3 fix(s3): incorrectly added slash before the Bucket name (#8083 close #8001) 2025-03-15 00:21:24 +08:00
seafile feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
sftp feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
smb feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
teambition feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
template fix(driver): implement canceling and updating progress for putting for some drivers (#7847) 2025-02-01 17:29:55 +08:00
terabox feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
thunder fix(thunder): fix login issue (#8342 close #8288) 2025-04-12 17:05:58 +08:00
thunder_browser perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
thunderx perf: optimize IO read/write usage (#8243) 2025-04-12 16:55:31 +08:00
trainbit feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
url_tree feat(url-tree): implement the Put interface to support adding links directly to the UrlTree on the web side (#8312) 2025-04-12 17:27:56 +08:00
uss feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
virtual chore(virtual): implement the driver interface with result 2023-09-20 09:02:56 +08:00
vtencent refactor: FilterReadMeScripts (#8154 close #8150) 2025-03-18 22:02:33 +08:00
webdav feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
weiyun feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
wopan feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
yandex_disk feat(traffic): support limit task worker count & file stream rate (#7948) 2025-02-16 12:22:11 +08:00
all.go feat(cloudreve_v4): add Cloudreve V4 driver (#8470 closes #8328 #8467) 2025-05-24 13:38:43 +08:00
lark.go fix: add lark to windows target 2024-05-23 11:52:37 +08:00