feat: enhance permission control and label management

drivers/alist_v3/driver.go

@@ -56,7 +56,7 @@ func (d *AListV3) Init(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	if resp.Data.Role == model.GUEST {
+	if utils.SliceContains(resp.Data.Role, model.GUEST) {
 		u := d.Address + "/api/public/settings"
 		res, err := base.RestyClient.R().Get(u)
 		if err != nil {

drivers/alist_v3/types.go

@@ -76,7 +76,7 @@ type MeResp struct {
 	Username   string `json:"username"`
 	Password   string `json:"password"`
 	BasePath   string `json:"base_path"`
-	Role       int    `json:"role"`
+	Role       []int  `json:"role"`
 	Disabled   bool   `json:"disabled"`
 	Permission int    `json:"permission"`
 	SsoId      string `json:"sso_id"`

drivers/quqi/types.go

@@ -83,7 +83,7 @@ type Group struct {
 	Type            int    `json:"type"`
 	Name            string `json:"name"`
 	IsAdministrator int    `json:"is_administrator"`
-	Role            int    `json:"role"`
+	Role            []int  `json:"role"`
 	Avatar          string `json:"avatar_url"`
 	IsStick         int    `json:"is_stick"`
 	Nickname        string `json:"nickname"`

internal/bootstrap/data/data.go

@@ -3,6 +3,7 @@ package data
 import "github.com/alist-org/alist/v3/cmd/flags"
 
 func InitData() {
+	initRoles()
 	initUser()
 	initSettings()
 	initTasks()

internal/bootstrap/data/dev.go

@@ -26,7 +26,7 @@ func initDevData() {
 		Username:   "Noah",
 		Password:   "hsu",
 		BasePath:   "/data",
-		Role:       0,
+		Role:       nil,
 		Permission: 512,
 	})
 	if err != nil {

internal/bootstrap/data/role.go

@@ -0,0 +1,52 @@
+package data
+
+// initRoles creates the default admin and guest roles if missing.
+// These roles are essential and must not be modified or removed.
+
+import (
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/pkg/errors"
+	"gorm.io/gorm"
+)
+
+func initRoles() {
+	guestRole, err := op.GetRoleByName("guest")
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			guestRole = &model.Role{
+				ID:          uint(model.GUEST),
+				Name:        "guest",
+				Description: "Guest",
+				PermissionScopes: []model.PermissionEntry{
+					{Path: "/", Permission: 0},
+				},
+			}
+			if err := op.CreateRole(guestRole); err != nil {
+				utils.Log.Fatalf("[init role] Failed to create guest role: %v", err)
+			}
+		} else {
+			utils.Log.Fatalf("[init role] Failed to get guest role: %v", err)
+		}
+	}
+
+	_, err = op.GetRoleByName("admin")
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			adminRole := &model.Role{
+				ID:          uint(model.ADMIN),
+				Name:        "admin",
+				Description: "Administrator",
+				PermissionScopes: []model.PermissionEntry{
+					{Path: "/", Permission: 0xFFFF},
+				},
+			}
+			if err := op.CreateRole(adminRole); err != nil {
+				utils.Log.Fatalf("[init role] Failed to create admin role: %v", err)
+			}
+		} else {
+			utils.Log.Fatalf("[init role] Failed to get admin role: %v", err)
+		}
+	}
+}

internal/bootstrap/data/user.go

@@ -1,10 +1,10 @@
 package data
 
 import (
+	"github.com/alist-org/alist/v3/internal/db"
 	"os"
 
 	"github.com/alist-org/alist/v3/cmd/flags"
-	"github.com/alist-org/alist/v3/internal/db"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
@@ -14,6 +14,28 @@ import (
 )
 
 func initUser() {
+	guest, err := op.GetGuest()
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			salt := random.String(16)
+			guestRole, _ := op.GetRoleByName("guest")
+			guest = &model.User{
+				Username:   "guest",
+				PwdHash:    model.TwoHashPwd("guest", salt),
+				Salt:       salt,
+				Role:       model.Roles{int(guestRole.ID)},
+				BasePath:   "/",
+				Permission: 0,
+				Disabled:   true,
+				Authn:      "[]",
+			}
+			if err := db.CreateUser(guest); err != nil {
+				utils.Log.Fatalf("[init user] Failed to create guest user: %v", err)
+			}
+		} else {
+			utils.Log.Fatalf("[init user] Failed to get guest user: %v", err)
+		}
+	}
 	admin, err := op.GetAdmin()
 	adminPassword := random.String(8)
 	envpass := os.Getenv("ALIST_ADMIN_PASSWORD")
@@ -25,15 +47,16 @@ func initUser() {
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			salt := random.String(16)
+			adminRole, _ := op.GetRoleByName("admin")
 			admin = &model.User{
 				Username: "admin",
 				Salt:     salt,
 				PwdHash:  model.TwoHashPwd(adminPassword, salt),
-				Role:     model.ADMIN,
+				Role:     model.Roles{int(adminRole.ID)},
 				BasePath: "/",
 				Authn:    "[]",
 				// 0(can see hidden) - 7(can remove) & 12(can read archives) - 13(can decompress archives)
-				Permission: 0x30FF,
+				Permission: 0xFFFF,
 			}
 			if err := op.CreateUser(admin); err != nil {
 				panic(err)
@@ -44,25 +67,4 @@ func initUser() {
 			utils.Log.Fatalf("[init user] Failed to get admin user: %v", err)
 		}
 	}
-	guest, err := op.GetGuest()
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			salt := random.String(16)
-			guest = &model.User{
-				Username:   "guest",
-				PwdHash:    model.TwoHashPwd("guest", salt),
-				Salt:       salt,
-				Role:       model.GUEST,
-				BasePath:   "/",
-				Permission: 0,
-				Disabled:   true,
-				Authn:      "[]",
-			}
-			if err := db.CreateUser(guest); err != nil {
-				utils.Log.Fatalf("[init user] Failed to create guest user: %v", err)
-			}
-		} else {
-			utils.Log.Fatalf("[init user] Failed to get guest user: %v", err)
-		}
-	}
 }

internal/bootstrap/patch/all.go

@@ -4,6 +4,7 @@ import (
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_24_0"
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_32_0"
 	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_41_0"
+	"github.com/alist-org/alist/v3/internal/bootstrap/patch/v3_46_0"
 )
 
 type VersionPatches struct {
@@ -32,4 +33,10 @@ var UpgradePatches = []VersionPatches{
 			v3_41_0.GrantAdminPermissions,
 		},
 	},
+	{
+		Version: "v3.46.0",
+		Patches: []func(){
+			v3_46_0.ConvertLegacyRoles,
+		},
+	},
 }

internal/bootstrap/patch/v3_46_0/convert_role.go

@@ -0,0 +1,129 @@
+package v3_46_0
+
+import (
+	"errors"
+	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"gorm.io/gorm"
+)
+
+// ConvertLegacyRoles migrates old integer role values to a new role model with permission scopes.
+func ConvertLegacyRoles() {
+	guestRole, err := op.GetRoleByName("guest")
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			guestRole = &model.Role{
+				ID:          uint(model.GUEST),
+				Name:        "guest",
+				Description: "Guest",
+				PermissionScopes: []model.PermissionEntry{
+					{
+						Path:       "/",
+						Permission: 0,
+					},
+				},
+			}
+			if err = op.CreateRole(guestRole); err != nil {
+				utils.Log.Errorf("[convert roles] failed to create guest role: %v", err)
+				return
+			}
+		} else {
+			utils.Log.Errorf("[convert roles] failed to get guest role: %v", err)
+			return
+		}
+	}
+
+	adminRole, err := op.GetRoleByName("admin")
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			adminRole = &model.Role{
+				ID:          uint(model.ADMIN),
+				Name:        "admin",
+				Description: "Administrator",
+				PermissionScopes: []model.PermissionEntry{
+					{
+						Path:       "/",
+						Permission: 0x33FF,
+					},
+				},
+			}
+			if err = op.CreateRole(adminRole); err != nil {
+				utils.Log.Errorf("[convert roles] failed to create admin role: %v", err)
+				return
+			}
+		} else {
+			utils.Log.Errorf("[convert roles] failed to get admin role: %v", err)
+			return
+		}
+	}
+
+	generalRole, err := op.GetRoleByName("general")
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			generalRole = &model.Role{
+				ID:          uint(model.NEWGENERAL),
+				Name:        "general",
+				Description: "General User",
+				PermissionScopes: []model.PermissionEntry{
+					{
+						Path:       "/",
+						Permission: 0,
+					},
+				},
+			}
+			if err = op.CreateRole(generalRole); err != nil {
+				utils.Log.Errorf("[convert roles] failed create general role: %v", err)
+				return
+			}
+		} else {
+			utils.Log.Errorf("[convert roles] failed get general role: %v", err)
+			return
+		}
+	}
+
+	users, _, err := op.GetUsers(1, -1)
+	if err != nil {
+		utils.Log.Errorf("[convert roles] failed to get users: %v", err)
+		return
+	}
+
+	for i := range users {
+		user := users[i]
+		if user.Role == nil {
+			continue
+		}
+		changed := false
+		var roles model.Roles
+		for _, r := range user.Role {
+			switch r {
+			case model.ADMIN:
+				roles = append(roles, int(adminRole.ID))
+				if int(adminRole.ID) != r {
+					changed = true
+				}
+			case model.GUEST:
+				roles = append(roles, int(guestRole.ID))
+				if int(guestRole.ID) != r {
+					changed = true
+				}
+			case model.GENERAL:
+				roles = append(roles, int(generalRole.ID))
+				if int(generalRole.ID) != r {
+					changed = true
+				}
+			default:
+				roles = append(roles, r)
+			}
+		}
+		if changed {
+			user.Role = roles
+			if err := db.UpdateUser(&user); err != nil {
+				utils.Log.Errorf("[convert roles] failed to update user %s: %v", user.Username, err)
+			}
+		}
+	}
+
+	utils.Log.Infof("[convert roles] completed role conversion for %d users", len(users))
+}

internal/db/db.go

@@ -12,7 +12,7 @@ var db *gorm.DB
 
 func Init(d *gorm.DB) {
 	db = d
-	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey))
+	err := AutoMigrate(new(model.Storage), new(model.User), new(model.Meta), new(model.SettingItem), new(model.SearchNode), new(model.TaskItem), new(model.SSHPublicKey), new(model.Role), new(model.Label), new(model.LabelFileBinDing), new(model.ObjFile))
 	if err != nil {
 		log.Fatalf("failed migrate database: %s", err.Error())
 	}