Merge pull request #116 from BUAA-SE-coders007/fix/112

[fix]: 增加权限控制

Author: Xian-Yu0

app/api/v1/endpoints/article.py

@@ -43,17 +43,16 @@ async def upload_to_self_folder(folder_id: int = Query(...), article: UploadFile
 @router.get("/getSelfFolders", response_model="dict")
 async def get_self_folders(page_number: Optional[int] = Query(None, ge=1), page_size: Optional[int] = Query(None, ge=1), 
                      db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
-    # 获取用户id
     user_id = user.get("id")
-
     total_num, folders = await crud_get_self_folders(user_id, page_number, page_size, db)
     result = [{"folder_id": folder.id, "folder_name": folder.name} for folder in folders]
     return {"total_num": total_num, "result": result}
 
 @router.get("/getArticlesInFolder", response_model="dict")
 async def get_articles_in_folder(folder_id: int = Query(...), page_number: Optional[int] = Query(None, ge=1), page_size: Optional[int] = Query(None, ge=1), 
-                     db: AsyncSession = Depends(get_db)):
-    total_num, articles = await crud_get_articles_in_folder(folder_id, page_number, page_size, db)
+                     db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    total_num, articles = await crud_get_articles_in_folder(user_id, folder_id, page_number, page_size, db)
     result = [{"article_id": article.id, "article_name": article.name} for article in articles]
     return {"total_num": total_num, "result": result}
 
@@ -134,8 +133,9 @@ async def import_self_folder(folder_name: str = Query(...), zip: UploadFile = Fi
     return {"msg": "Successfully import articles"}
 
 @router.get("/exportSelfFolder", response_class=FileResponse)
-async def export_self_folder(background_tasks: BackgroundTasks, folder_id: int = Query(...), db: AsyncSession = Depends(get_db)):
-    zip_name, article_ids, article_names, article_urls = await crud_export_self_folder(folder_id, db)
+async def export_self_folder(background_tasks: BackgroundTasks, folder_id: int = Query(...), db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    zip_name, article_ids, article_names, article_urls = await crud_export_self_folder(folder_id, user_id, db)
 
     tmp_dir = tempfile.gettempdir()
     zip_path = os.path.join(tmp_dir, f"{zip_name}.zip")

app/api/v1/endpoints/group.py

@@ -108,13 +108,15 @@ async def leave_group(model: LeaveGroup, db: AsyncSession = Depends(get_db), use
     return {"msg": "You successfully left the group"}
 
 @router.get("/getBasicInfo", response_model=dict)
-async def get_basic_info(group_id: int = Query(...), db: AsyncSession = Depends(get_db)):
-    name, desc, avatar, time = await crud_get_basic_info(group_id, db)
+async def get_basic_info(group_id: int = Query(...), db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    name, desc, avatar, time = await crud_get_basic_info(group_id, user_id, db)
     return {"avatar": avatar, "name": name, "desc": desc, "time": time}
 
 @router.get("/getPeopleInfo", response_model=dict)
-async def get_people_info(group_id: int = Query(...), db: AsyncSession = Depends(get_db)):
-    leader, admins, members = await crud_get_people_info(group_id, db)
+async def get_people_info(group_id: int = Query(...), db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    leader, admins, members = await crud_get_people_info(group_id, user_id, db)
     return {"leader": leader, "admins": admins, "members": members}
 
 @router.get("/getMyLevel", response_model=dict)

app/curd/article.py

@@ -29,7 +29,14 @@ async def crud_get_self_folders(user_id: int, page_number: int, page_size: int,
 
     return total_num, folders
 
-async def crud_get_articles_in_folder(folder_id: int, page_number: int, page_size: int, db: AsyncSession):
+async def crud_get_articles_in_folder(user_id: int, folder_id: int, page_number: int, page_size: int, db: AsyncSession):
+    # 先检查权限
+    query = select(Folder).where(Folder.id == folder_id)
+    result = await db.execute(query)
+    folder = result.scalar_one_or_none()
+    if folder.user_id != user_id:
+        raise HTTPException(status_code=405, detail="You have no access to it")
+    # 查找
     query = select(Article).where(Article.folder_id == folder_id, Article.visible == True).order_by(Article.id.desc())
     count_query = select(func.count()).select_from(query.subquery())
     count_result = await db.execute(count_query)
@@ -151,12 +158,16 @@ async def crud_import_self_folder(folder_name: str, article_names, urls, user_id
     for new_article in new_articles:
         await db.refresh(new_article)
 
-async def crud_export_self_folder(folder_id: int, db: AsyncSession):
+async def crud_export_self_folder(folder_id: int, user_id: int, db: AsyncSession):
+    # 权限检查
     query = select(Folder).where(Folder.id == folder_id)
     result = await db.execute(query)
     folder = result.scalar_one_or_none()
+    if folder.user_id != user_id:
+        raise HTTPException(status_code=405, detail="You have no access to it")
+    # 文件夹名
     folder_name = folder.name
-
+    #文献
     query = select(Article).where(Article.folder_id == folder_id, Article.visible == True).order_by(Article.id.desc())
     result = await db.execute(query)
     articles = result.scalars().all()

app/curd/group.py

@@ -118,13 +118,26 @@ async def crud_leave_group(group_id: int, user_id: int, db: AsyncSession):
     await db.execute(query)
     await db.commit()
 
-async def crud_get_basic_info(group_id: int, db: AsyncSession):
+async def crud_get_basic_info(group_id: int, user_id: int, db: AsyncSession):
+    # 检查是否在组织中
+    query = select(user_group).where(user_group.c.user_id == user_id, user_group.c.group_id == group_id)
+    result = await db.execute(query)
+    relation = result.first()
+    if not relation:
+        raise HTTPException(status_code=405, detail="You have no access to it")
+    # 查询基本信息
     query = select(Group.name, Group.description, Group.avatar, Group.create_time).where(Group.id == group_id)
     result = await db.execute(query)
     group = result.first()
     return group.name, group.description, group.avatar, group.create_time
 
-async def crud_get_people_info(group_id: int, db: AsyncSession):
+async def crud_get_people_info(group_id: int, user_id: int, db: AsyncSession):
+    # 检查是否在组织中
+    query = select(user_group).where(user_group.c.user_id == user_id, user_group.c.group_id == group_id)
+    result = await db.execute(query)
+    relation = result.first()
+    if not relation:
+        raise HTTPException(status_code=405, detail="You have no access to it")
     # 创建者信息
     query = select(Group.leader).where(Group.id == group_id)
     result = await db.execute(query)