fix: error user role

2025-09-17 07:56:38 +08:00 · 2024-09-24 17:48:09 +08:00 · 2024-09-24 17:48:09 +08:00 · 221894d972
commit 221894d972
parent 50eab6b4e4
5 changed files with 46 additions and 12 deletions
--- a/common/constants.go
+++ b/common/constants.go
@ -126,6 +126,10 @@ const (
 	RoleRootUser   = 100
 )

+func IsValidateRole(role int) bool {
+	return role == RoleGuestUser || role == RoleCommonUser || role == RoleAdminUser || role == RoleRootUser
+}
+
 var (
 	FileUploadPermission    = RoleGuestUser
 	FileDownloadPermission  = RoleGuestUser
--- a/controller/user.go
+++ b/controller/user.go
@ -7,6 +7,7 @@ import (
 	"one-api/common"
 	"one-api/model"
 	"strconv"
+	"strings"
 	"sync"

 	"github.com/gin-contrib/sessions"
@ -616,6 +617,7 @@ func DeleteSelf(c *gin.Context) {
 func CreateUser(c *gin.Context) {
 	var user model.User
 	err := json.NewDecoder(c.Request.Body).Decode(&user)
+	user.Username = strings.TrimSpace(user.Username)
 	if err != nil || user.Username == "" || user.Password == "" {
 		c.JSON(http.StatusOK, gin.H{
 			"success": false,
@ -663,8 +665,8 @@ func CreateUser(c *gin.Context) {
 }

 type ManageRequest struct {
-	Username string `json:"username"`
-	Action   string `json:"action"`
+	Id     int    `json:"id"`
+	Action string `json:"action"`
 }

 // ManageUser Only admin user can do this
@ -680,7 +682,7 @@ func ManageUser(c *gin.Context) {
 		return
 	}
 	user := model.User{
-		Username: req.Username,
+		Id: req.Id,
 	}
 	// Fill attributes
 	model.DB.Unscoped().Where(&user).First(&user)
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -10,6 +10,17 @@ import (
 	"strings"
 )

+func validUserInfo(username string, role int) bool {
+	// check username is empty
+	if strings.TrimSpace(username) == "" {
+		return false
+	}
+	if !common.IsValidateRole(role) {
+		return false
+	}
+	return true
+}
+
 func authHelper(c *gin.Context, minRole int) {
 	session := sessions.Default(c)
 	username := session.Get("username")
@ -30,6 +41,14 @@ func authHelper(c *gin.Context, minRole int) {
 		}
 		user := model.ValidateAccessToken(accessToken)
 		if user != nil && user.Username != "" {
+			if !validUserInfo(user.Username, user.Role) {
+				c.JSON(http.StatusOK, gin.H{
+					"success": false,
+					"message": "无权进行此操作，用户信息无效",
+				})
+				c.Abort()
+				return
+			}
 			// Token is valid
 			username = user.Username
 			role = user.Role
@ -91,6 +110,14 @@ func authHelper(c *gin.Context, minRole int) {
 		c.Abort()
 		return
 	}
+	if !validUserInfo(username.(string), role.(int)) {
+		c.JSON(http.StatusOK, gin.H{
+			"success": false,
+			"message": "无权进行此操作，用户信息无效",
+		})
+		c.Abort()
+		return
+	}
 	c.Set("username", username)
 	c.Set("role", role)
 	c.Set("id", id)
--- a/model/user.go
+++ b/model/user.go
@ -295,11 +295,12 @@ func (user *User) ValidateAndFill() (err error) {
 	// that means if your field’s value is 0, '', false or other zero values,
 	// it won’t be used to build query conditions
 	password := user.Password
-	if user.Username == "" || password == "" {
+	username := strings.TrimSpace(user.Username)
+	if username == "" || password == "" {
 		return errors.New("用户名或密码为空")
 	}
 	// find buy username or email
-	DB.Where("username = ? OR email = ?", user.Username, user.Username).First(user)
+	DB.Where("username = ? OR email = ?", username, username).First(user)
 	okay := common.ValidatePasswordAndHash(password, user.Password)
 	if !okay || user.Status != common.UserStatusEnabled {
 		return errors.New("用户名或密码错误，或用户已被封禁")
--- a/web/src/components/UsersTable.js
+++ b/web/src/components/UsersTable.js
@ -151,7 +151,7 @@ const UsersTable = () => {
                title='确定？'
                okType={'warning'}
                onConfirm={() => {
-                  manageUser(record.username, 'promote', record);
+                  manageUser(record.id, 'promote', record);
                }}
              >
                <Button theme='light' type='warning' style={{ marginRight: 1 }}>
@ -162,7 +162,7 @@ const UsersTable = () => {
                title='确定？'
                okType={'warning'}
                onConfirm={() => {
-                  manageUser(record.username, 'demote', record);
+                  manageUser(record.id, 'demote', record);
                }}
              >
                <Button
@ -179,7 +179,7 @@ const UsersTable = () => {
                  type='warning'
                  style={{ marginRight: 1 }}
                  onClick={async () => {
-                    manageUser(record.username, 'disable', record);
+                    manageUser(record.id, 'disable', record);
                  }}
                >
                  禁用
@ -190,7 +190,7 @@ const UsersTable = () => {
                  type='secondary'
                  style={{ marginRight: 1 }}
                  onClick={async () => {
-                    manageUser(record.username, 'enable', record);
+                    manageUser(record.id, 'enable', record);
                  }}
                  disabled={record.status === 3}
                >
@ -214,7 +214,7 @@ const UsersTable = () => {
                okType={'danger'}
                position={'left'}
                onConfirm={() => {
-                  manageUser(record.username, 'delete', record).then(() => {
+                  manageUser(record.id, 'delete', record).then(() => {
                    removeRecord(record.id);
                  });
                }}
@ -303,9 +303,9 @@ const UsersTable = () => {
    fetchGroups().then();
  }, []);

-  const manageUser = async (username, action, record) => {
+  const manageUser = async (userId, action, record) => {
    const res = await API.post('/api/user/manage', {
-      username,
+      id: userId,
      action,
    });
    const { success, message } = res.data;