v2.6.1:增加文件夹候选项；部分安全和体验优化

MarSeventh · MarSeventh · commit 4955ed1b8d46 · 2026-02-28T16:58:42.000+08:00
diff --git a/functions/api/directoryTree.js b/functions/api/directoryTree.js
@@ -1,5 +1,6 @@
 import { getDirectoryTree } from '../utils/indexManager';
 import { dualAuthCheck } from '../utils/dualAuth';
+import { fetchSecurityConfig } from '../utils/sysConfig';
 
 /**
  * 目录树 API 端点
@@ -11,6 +12,10 @@ import { dualAuthCheck } from '../utils/dualAuth';
  * 响应：
  * - 成功：{ tree: DirectoryTreeNode }
  * - 失败：{ error: string }
+ * 
+ * 权限说明：
+ * - 管理端鉴权成功：始终允许访问
+ * - 用户端鉴权成功：仅当 showDirectorySuggestions 开启时允许访问
  */
 export async function onRequestGet(context) {
     const { env, request } = context;
@@ -22,6 +27,19 @@ export async function onRequestGet(context) {
         return new Response('Unauthorized', { status: 401 });
     }
     
+    // 如果是用户端鉴权，检查 showDirectorySuggestions 设置
+    if (authResult.authType === 'user') {
+        const securityConfig = await fetchSecurityConfig(env);
+        const showDirectorySuggestions = securityConfig?.upload?.showDirectorySuggestions ?? true;
+        
+        if (!showDirectorySuggestions) {
+            return new Response(JSON.stringify({ error: 'Directory suggestions disabled' }), {
+                status: 403,
+                headers: { 'Content-Type': 'application/json' }
+            });
+        }
+    }
+    
     try {
         const tree = await getDirectoryTree(context);
         const cacheTime = url.searchParams.get('cacheTime') || 60;
diff --git a/functions/utils/dualAuth.js b/functions/utils/dualAuth.js
@@ -4,25 +4,26 @@ import { validateApiToken } from './tokenValidator';
 import { getDatabase } from './databaseAdapter.js';
 
 /**
- * 双重鉴权检查：用户端或管理端任意一个通过即可
+ * 双重鉴权检查：管理端或用户端任意一个通过即可
+ * 注意：管理端鉴权优先检查，确保管理员权限优先级更高
  * @param {Object} env - 环境变量
  * @param {URL} url - 请求的URL
  * @param {Request} request - 请求对象
  * @returns {Promise<{authorized: boolean, authType: string|null}>}
  */
 export async function dualAuthCheck(env, url, request) {
-    // 1. 尝试用户端鉴权 (authCode / API Token)
-    const userAuthPassed = await userAuthCheck(env, url, request, null);
-    if (userAuthPassed) {
-        return { authorized: true, authType: 'user' };
-    }
-    
-    // 2. 尝试管理端鉴权 (Basic Auth / API Token)
+    // 1. 优先尝试管理端鉴权 (Basic Auth / API Token)
     const adminAuthPassed = await adminAuthCheck(env, request);
     if (adminAuthPassed) {
         return { authorized: true, authType: 'admin' };
     }
     
+    // 2. 尝试用户端鉴权 (authCode / API Token)
+    const userAuthPassed = await userAuthCheck(env, url, request, null);
+    if (userAuthPassed) {
+        return { authorized: true, authType: 'user' };
+    }
+    
     return { authorized: false, authType: null };
 }
 
