feat: user roles (#852)

* [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes
2026-05-06 13:48:52 +00:00 · 2024-12-22 00:05:41 +08:00
parent 50ee62172f
commit 653d0cf2e9
35 changed files with 841 additions and 180 deletions
@@ -1,7 +1,6 @@
 package controller

 import (
-	"fmt"
 	"strconv"

 	"github.com/gin-gonic/gin"
@@ -50,6 +49,18 @@ func createCron(c *gin.Context) (uint64, error) {
 		return 0, err
 	}

+	singleton.ServerLock.RLock()
+	for _, sid := range cf.Servers {
+		if server, ok := singleton.ServerList[sid]; ok {
+			if !server.HasPermission(c) {
+				singleton.ServerLock.RUnlock()
+				return 0, singleton.Localizer.ErrorT("permission denied")
+			}
+		}
+	}
+	singleton.ServerLock.RUnlock()
+
+	cr.UserID = getUid(c)
 	cr.TaskType = cf.TaskType
 	cr.Name = cf.Name
 	cr.Scheduler = cf.Scheduler
@@ -104,9 +115,24 @@ func updateCron(c *gin.Context) (any, error) {
 		return 0, err
 	}

+	singleton.ServerLock.RLock()
+	for _, sid := range cf.Servers {
+		if server, ok := singleton.ServerList[sid]; ok {
+			if !server.HasPermission(c) {
+				singleton.ServerLock.RUnlock()
+				return nil, singleton.Localizer.ErrorT("permission denied")
+			}
+		}
+	}
+	singleton.ServerLock.RUnlock()
+
 	var cr model.Cron
 	if err := singleton.DB.First(&cr, id).Error; err != nil {
-		return nil, fmt.Errorf("task id %d does not exist", id)
+		return nil, singleton.Localizer.ErrorT("task id %d does not exist", id)
+	}
+
+	if !cr.HasPermission(c) {
+		return nil, singleton.Localizer.ErrorT("permission denied")
 	}

 	cr.TaskType = cf.TaskType
@@ -156,12 +182,19 @@ func manualTriggerCron(c *gin.Context) (any, error) {
 		return nil, err
 	}

-	var cr model.Cron
-	if err := singleton.DB.First(&cr, id).Error; err != nil {
+	singleton.CronLock.RLock()
+	cr, ok := singleton.Crons[id]
+	if !ok {
+		singleton.CronLock.RUnlock()
 		return nil, singleton.Localizer.ErrorT("task id %d does not exist", id)
 	}
+	singleton.CronLock.RUnlock()

-	singleton.ManualTrigger(&cr)
+	if !cr.HasPermission(c) {
+		return nil, singleton.Localizer.ErrorT("permission denied")
+	}
+
+	singleton.ManualTrigger(cr)
 	return nil, nil
 }

@@ -178,11 +211,21 @@ func manualTriggerCron(c *gin.Context) (any, error) {
 // @Router /batch-delete/cron [post]
 func batchDeleteCron(c *gin.Context) (any, error) {
 	var cr []uint64
-
 	if err := c.ShouldBindJSON(&cr); err != nil {
 		return nil, err
 	}

+	singleton.CronLock.RLock()
+	for _, crID := range cr {
+		if crn, ok := singleton.Crons[crID]; ok {
+			if !crn.HasPermission(c) {
+				singleton.CronLock.RUnlock()
+				return nil, singleton.Localizer.ErrorT("permission denied")
+			}
+		}
+	}
+	singleton.CronLock.RUnlock()
+
 	if err := singleton.DB.Unscoped().Delete(&model.Cron{}, "id in (?)", cr).Error; err != nil {
 		return nil, newGormError("%v", err)
 	}