From 8747d6a21bbc52d1d8e2f0ee8c6abda97618ad0e Mon Sep 17 00:00:00 2001
From: Wu Qing <3184394176@qq.com>
Date: Wed, 27 May 2026 00:54:44 +0800
Subject: [PATCH] =?UTF-8?q?fix(security):=20=E8=8A=82=E7=82=B9=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E6=B5=8F=E8=A7=88=E9=99=90=E5=88=B6=E4=B8=BA=E9=9D=9E?= =?UTF-8?q?=20viewer=20(#78)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GET /api/nodes/:id/fs/list 加 RequireNotViewer() 守卫,杜绝只读 viewer 枚举节点文件系统目录(信息泄露);与备份任务配置的权限级别对齐。
---
 server/internal/http/router.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/internal/http/router.go b/server/internal/http/router.go
index 62d5a64..3dedcb5 100644
--- a/server/internal/http/router.go
+++ b/server/internal/http/router.go
@@ -292,7 +292,10 @@ func NewRouter(deps RouterDependencies) *gin.Engine {
 nodes.POST("", RequireRole("admin"), nodeHandler.Create)
 nodes.PUT("/:id", RequireRole("admin"), nodeHandler.Update)
 nodes.DELETE("/:id", RequireRole("admin"), nodeHandler.Delete)
- nodes.GET("/:id/fs/list", nodeHandler.ListDirectory)
+ // 文件浏览会枚举节点文件系统目录(含 /etc、/root 等),属敏感读操作:
+ // 限制为非 viewer(admin/operator),与"创建备份任务需选源路径"的权限对齐,
+ // 避免只读 viewer 借此探查服务器目录结构。
+ nodes.GET("/:id/fs/list", RequireNotViewer(), nodeHandler.ListDirectory)
 nodes.POST("/batch", RequireRole("admin"), nodeHandler.BatchCreate)
 nodes.POST("/:id/install-tokens", RequireRole("admin"), nodeHandler.CreateInstallToken)
 nodes.POST("/:id/rotate-token", RequireRole("admin"), nodeHandler.RotateToken)
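Review bot: The new guard on `nodes.GET("/:id/fs/list", RequireNotViewer(), nodeHandler.ListDirectory)` is a deny-list (everyone except viewer), whereas every sibling route in the hunk uses the allow-list `RequireRole("admin")`, so any role added to the system later inherits directory listing by default; if the guard helpers can express an explicit admin/operator allow-list, that form is the safer match for the surrounding routes. The commit also changes an authorization decision without a test — a router-level test asserting that a viewer request to this path is rejected and an operator request reaches the handler would keep the check from regressing silently. The role check only decides who may list; whether `ListDirectory` confines the requested path to expected roots is not visible here and presumably lives in the handler, which is worth confirming and worth one line in the new comment, e.g. `// NOTE: this gates only the caller role; path validation remains ListDirectory's job.`. NewRouter starts and ends outside the hunk.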