fix: 修复cname服务普通用户access访问权限问题

2025-11-25 09:10:11 +08:00 · 2024-10-20 11:47:35 +08:00
parent e8b5fcf3ee
commit c1e3e2ee1f
12 changed files with 65 additions and 28 deletions
--- a/packages/ui/certd-server/src/controller/sys/cname/cname-provider-controller.ts
+++ b/packages/ui/certd-server/src/controller/sys/cname/cname-provider-controller.ts
@@ -34,11 +34,13 @@ export class CnameRecordController extends CrudController<CnameProviderService>
      disabled: false,
    };
    merge(bean, def);
+    bean.userId = this.getUserId();
    return super.add(bean);
  }

  @Post('/update', { summary: 'sys:settings:edit' })
  async update(@Body(ALL) bean: any) {
+    bean.userId = this.getUserId();
    return super.update(bean);
  }

--- a/packages/ui/certd-server/src/modules/cname/entity/cname_provider.ts
+++ b/packages/ui/certd-server/src/modules/cname/entity/cname_provider.ts
@@ -7,6 +7,8 @@ import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
 export class CnameProviderEntity {
  @PrimaryGeneratedColumn()
  id: number;
+  @Column({ comment: 'userId', name: 'user_id' })
+  userId: number;
  @Column({ comment: '域名', length: 100 })
  domain: string;
  @Column({ comment: 'DNS提供商类型', name: 'dns_provider_type', length: 20 })
--- a/packages/ui/certd-server/src/modules/cname/service/cname-record-service.ts
+++ b/packages/ui/certd-server/src/modules/cname/service/cname-record-service.ts
@@ -5,7 +5,7 @@ import { BaseService, ValidateException } from '@certd/lib-server';
 import { CnameRecordEntity, CnameRecordStatusType } from '../entity/cname-record.js';
 import { v4 as uuidv4 } from 'uuid';
 import { createDnsProvider, IDnsProvider, parseDomain } from '@certd/plugin-cert';
-import { cache, http, logger, utils } from '@certd/pipeline';
+import { cache, CnameProvider, http, logger, utils } from '@certd/pipeline';
 import { AccessService } from '../../pipeline/service/access-service.js';
 import { isDev } from '../../../utils/env.js';
 import { walkTxtRecord } from '@certd/acme-client';
@@ -109,16 +109,22 @@ export class CnameRecordService extends BaseService<CnameRecordEntity> {
    return await super.update(param);
  }

-  async validate(id: number) {
-    const info = await this.info(id);
-    if (info.status === 'success') {
-      return true;
-    }
+  // async validate(id: number) {
+  //   const info = await this.info(id);
+  //   if (info.status === 'success') {
+  //     return true;
+  //   }
+  //
+  //   //开始校验
+  //   // 1.  dnsProvider
+  //   // 2.  添加txt记录
+  //   // 3.  检查原域名是否有cname记录
+  // }

-    //开始校验
-    // 1.  dnsProvider
-    // 2.  添加txt记录
-    // 3.  检查原域名是否有cname记录
+  async getWithAccessByDomain(domain: string, userId: number) {
+    const record = await this.getByDomain(domain, userId);
+    record.cnameProvider.access = await this.accessService.getAccessById(record.cnameProvider.accessId, false);
+    return record;
  }

  async getByDomain(domain: string, userId: number, createOnNotFound = true) {
@@ -143,7 +149,9 @@ export class CnameRecordService extends BaseService<CnameRecordEntity> {

    return {
      ...record,
-      cnameProvider: provider,
+      cnameProvider: {
+        ...provider,
+      } as CnameProvider,
    };
  }

@@ -178,7 +186,10 @@ export class CnameRecordService extends BaseService<CnameRecordEntity> {

    const buildDnsProvider = async () => {
      const cnameProvider = await this.cnameProviderService.info(bean.cnameProviderId);
-      const access = await this.accessService.getById(cnameProvider.accessId, bean.userId);
+      if (cnameProvider == null) {
+        throw new ValidateException(`CNAME服务:${bean.cnameProviderId} 已被删除，请修改CNAME记录，重新选择CNAME服务`);
+      }
+      const access = await this.accessService.getById(cnameProvider.accessId, cnameProvider.userId);
      const context = { access, logger, http, utils };
      const dnsProvider: IDnsProvider = await createDnsProvider({
        dnsProviderType: cnameProvider.dnsProviderType,
--- a/packages/ui/certd-server/src/modules/pipeline/service/access-getter.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/access-getter.ts
@@ -11,4 +11,8 @@ export class AccessGetter implements IAccessService {
  async getById<T = any>(id: any) {
    return await this.getter<T>(id, this.userId);
  }
+
+  async getCommonById<T = any>(id: any) {
+    return await this.getter<T>(id, 0);
+  }
 }
--- a/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts
@@ -107,14 +107,20 @@ export class AccessService extends BaseService<AccessEntity> {
    return await super.update(param);
  }

-  async getById(id: any, userId: number): Promise<any> {
+  async getAccessById(id: any, checkUserId: boolean, userId?: number): Promise<any> {
    const entity = await this.info(id);
    if (entity == null) {
      throw new Error(`该授权配置不存在,请确认是否已被删除:id=${id}`);
    }
-    if (userId !== entity.userId && entity.userId !== 0) {
-      throw new PermissionException('您对该Access授权无访问权限');
+    if (checkUserId) {
+      if (userId == null) {
+        throw new ValidateException('userId不能为空');
+      }
+      if (userId !== entity.userId) {
+        throw new PermissionException('您对该Access授权无访问权限');
+      }
    }
+
    // const access = accessRegistry.get(entity.type);
    const setting = this.decryptAccessEntity(entity);
    const input = {
@@ -124,6 +130,10 @@ export class AccessService extends BaseService<AccessEntity> {
    return newAccess(entity.type, input);
  }

+  async getById(id: any, userId: number): Promise<any> {
+    return await this.getAccessById(id, true, userId);
+  }
+
  decryptAccessEntity(entity: AccessEntity): any {
    let setting = {};
    if (entity.encryptSetting && entity.encryptSetting !== '{}') {
--- a/packages/ui/certd-server/src/modules/pipeline/service/cname-proxy-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/cname-proxy-service.ts
@@ -8,7 +8,7 @@ export class CnameProxyService implements ICnameProxyService {
    this.getter = getter;
  }

-  getByDomain(domain: string): Promise<CnameRecord> {
-    return this.getter<CnameRecord>(domain, this.userId);
+  async getByDomain(domain: string): Promise<CnameRecord> {
+    return await this.getter<CnameRecord>(domain, this.userId);
  }
 }
--- a/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/pipeline-service.ts
@@ -354,7 +354,7 @@ export class PipelineService extends BaseService<PipelineEntity> {
      role: userIsAdmin ? 'admin' : 'user',
    };
    const accessGetter = new AccessGetter(userId, this.accessService.getById.bind(this.accessService));
-    const cnameProxyService = new CnameProxyService(userId, this.cnameRecordService.getByDomain.bind(this.cnameRecordService));
+    const cnameProxyService = new CnameProxyService(userId, this.cnameRecordService.getWithAccessByDomain.bind(this.cnameRecordService));
    const executor = new Executor({
      user,
      pipeline,