feat: add permission decorator to enhance API access control

2026-06-17 05:19:46 +08:00 · 2026-02-09 12:32:25 +08:00
parent f444ec46cc
commit 451e8555d5
15 changed files with 269 additions and 98 deletions
--- a/domain/virtual_fs/api.py
+++ b/domain/virtual_fs/api.py
@@ -5,7 +5,7 @@ from fastapi import APIRouter, Depends, File, Query, Request, UploadFile
 from api.response import success
 from domain.audit import AuditAction, audit
 from domain.auth import User, get_current_active_user
-from domain.permission.service import PermissionService
+from domain.permission import require_path_permission
 from domain.permission.types import PathAction
 from .service import VirtualFSService
 from .types import MkdirRequest, MoveRequest
@@ -15,12 +15,12 @@ router = APIRouter(prefix="/api/fs", tags=["virtual-fs"])

@router.get("/file/{full_path:path}")
@audit(action=AuditAction.DOWNLOAD, description="获取文件")
+@require_path_permission(PathAction.READ, "full_path")
 async def get_file(
    full_path: str,
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.READ)
    return await VirtualFSService.serve_file(full_path, request.headers.get("Range"))


@@ -47,13 +47,13 @@ async def stream_endpoint(

@router.get("/temp-link/{full_path:path}")
@audit(action=AuditAction.SHARE, description="创建临时链接")
+@require_path_permission(PathAction.READ, "full_path")
 async def get_temp_link(
    full_path: str,
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    expires_in: int = Query(3600, description="有效时间(秒), 0或负数表示永久"),
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.READ)
    data = await VirtualFSService.create_temp_link(full_path, expires_in)
    return success(data)

@@ -79,25 +79,25 @@ async def access_public_file_with_name(

@router.get("/stat/{full_path:path}")
@audit(action=AuditAction.READ, description="查看文件信息")
+@require_path_permission(PathAction.READ, "full_path")
 async def get_file_stat(
    full_path: str,
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.READ)
    stat = await VirtualFSService.stat(full_path)
    return success(stat)


@router.post("/file/{full_path:path}")
@audit(action=AuditAction.UPLOAD, description="上传文件")
+@require_path_permission(PathAction.WRITE, "full_path")
 async def put_file(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    full_path: str,
    file: UploadFile = File(...),
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.WRITE)
    data = await file.read()
    result = await VirtualFSService.write_uploaded_file(full_path, data)
    return success(result)
@@ -105,62 +105,60 @@ async def put_file(

@router.post("/mkdir")
@audit(action=AuditAction.CREATE, description="创建目录", body_fields=["path"])
+@require_path_permission(PathAction.WRITE, "body.path")
 async def api_mkdir(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    body: MkdirRequest,
 ):
-    await PermissionService.require_path_permission(current_user.id, body.path, PathAction.WRITE)
    result = await VirtualFSService.mkdir(body.path)
    return success(result)


@router.post("/move")
@audit(action=AuditAction.UPDATE, description="移动路径", body_fields=["src", "dst"])
+@require_path_permission(PathAction.WRITE, "body.dst")
+@require_path_permission(PathAction.DELETE, "body.src")
 async def api_move(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    body: MoveRequest,
    overwrite: bool = Query(False, description="是否允许覆盖已存在目标"),
 ):
-    # 移动需要源路径的删除权限和目标路径的写权限
-    await PermissionService.require_path_permission(current_user.id, body.src, PathAction.DELETE)
-    await PermissionService.require_path_permission(current_user.id, body.dst, PathAction.WRITE)
    result = await VirtualFSService.move(body.src, body.dst, overwrite)
    return success(result)


@router.post("/rename")
@audit(action=AuditAction.UPDATE, description="重命名路径", body_fields=["src", "dst"])
+@require_path_permission(PathAction.WRITE, "body.src")
 async def api_rename(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    body: MoveRequest,
    overwrite: bool = Query(False, description="是否允许覆盖已存在目标"),
 ):
-    # 重命名需要写权限
-    await PermissionService.require_path_permission(current_user.id, body.src, PathAction.WRITE)
    result = await VirtualFSService.rename(body.src, body.dst, overwrite)
    return success(result)


@router.post("/copy")
@audit(action=AuditAction.CREATE, description="复制路径", body_fields=["src", "dst"])
+@require_path_permission(PathAction.WRITE, "body.dst")
+@require_path_permission(PathAction.READ, "body.src")
 async def api_copy(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    body: MoveRequest,
    overwrite: bool = Query(False, description="是否覆盖已存在目标"),
 ):
-    # 复制需要源路径的读权限和目标路径的写权限
-    await PermissionService.require_path_permission(current_user.id, body.src, PathAction.READ)
-    await PermissionService.require_path_permission(current_user.id, body.dst, PathAction.WRITE)
    result = await VirtualFSService.copy(body.src, body.dst, overwrite)
    return success(result)


@router.post("/upload/{full_path:path}")
@audit(action=AuditAction.UPLOAD, description="流式上传文件")
+@require_path_permission(PathAction.WRITE, "full_path")
 async def upload_stream(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
@@ -169,13 +167,13 @@ async def upload_stream(
    overwrite: bool = Query(True, description="是否覆盖已存在文件"),
    chunk_size: int = Query(1024 * 1024, ge=8 * 1024, le=8 * 1024 * 1024, description="单次读取块大小"),
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.WRITE)
    result = await VirtualFSService.upload_stream_from_upload_file(full_path, file, chunk_size, overwrite)
    return success(result)


@router.get("/{full_path:path}")
@audit(action=AuditAction.READ, description="浏览目录")
+@require_path_permission(PathAction.READ, "full_path")
 async def browse_fs(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
@@ -185,7 +183,6 @@ async def browse_fs(
    sort_by: str = Query("name", description="按字段排序: name, size, mtime"),
    sort_order: str = Query("asc", description="排序顺序: asc, desc"),
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.READ)
    data = await VirtualFSService.list_directory_with_permission(
        full_path, current_user.id, page_num, page_size, sort_by, sort_order
    )
@@ -194,12 +191,12 @@ async def browse_fs(

@router.delete("/{full_path:path}")
@audit(action=AuditAction.DELETE, description="删除路径")
+@require_path_permission(PathAction.DELETE, "full_path")
 async def api_delete(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
    full_path: str,
 ):
-    await PermissionService.require_path_permission(current_user.id, full_path, PathAction.DELETE)
    result = await VirtualFSService.delete(full_path)
    return success(result)

--- a/domain/virtual_fs/mapping/webdav_api.py
+++ b/domain/virtual_fs/mapping/webdav_api.py
@@ -11,6 +11,8 @@ import xml.etree.ElementTree as ET
 from domain.audit import AuditAction, audit
 from domain.auth import AuthService, User, UserInDB
 from domain.config import ConfigService
+from domain.permission.service import PermissionService
+from domain.permission.types import PathAction
 from domain.virtual_fs import VirtualFSService


@@ -65,11 +67,26 @@ async def _get_basic_user(request: Request) -> User:
        if not user_or_false:
            raise HTTPException(401, detail="Invalid credentials", headers={"WWW-Authenticate": "Basic realm=webdav"})
        u: UserInDB = user_or_false
-        return User(id=u.id, username=u.username, email=u.email, full_name=u.full_name, disabled=u.disabled)
+        return User(
+            id=u.id,
+            username=u.username,
+            email=u.email,
+            full_name=u.full_name,
+            disabled=u.disabled,
+            is_admin=u.is_admin,
+        )
    elif scheme_lower == "bearer":
        if not param:
            raise HTTPException(401, detail="Invalid Bearer token")
-        return User(id=0, username="bearer", email=None, full_name=None, disabled=False)
+        u = await AuthService.get_current_user(param)
+        return User(
+            id=u.id,
+            username=u.username,
+            email=u.email,
+            full_name=u.full_name,
+            disabled=u.disabled,
+            is_admin=u.is_admin,
+        )
    else:
        raise HTTPException(401, detail="Unsupported auth", headers={"WWW-Authenticate": "Basic realm=webdav"})

@@ -155,6 +172,8 @@ async def propfind(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    if full_path != "/":
+        await PermissionService.require_path_permission(user.id, full_path, PathAction.READ)
    depth = request.headers.get("Depth", "1").lower()
    if depth not in ("0", "1", "infinity"):
        depth = "1"
@@ -195,7 +214,9 @@ async def propfind(

    if depth in ("1", "infinity"):
        try:
-            listing = await VirtualFSService.list_virtual_dir(full_path, page_num=1, page_size=1000)
+            listing = await VirtualFSService.list_virtual_dir_with_permission(
+                full_path, user.id, page_num=1, page_size=1000
+            )
            for ent in (listing.get("items") or []):
                is_dir = bool(ent.get("is_dir"))
                name = ent.get("name")
@@ -223,6 +244,8 @@ async def dav_get(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    if full_path != "/":
+        await PermissionService.require_path_permission(user.id, full_path, PathAction.READ)
    range_header = request.headers.get("Range")
    return await VirtualFSService.stream_file(full_path, range_header)

@@ -236,6 +259,8 @@ async def dav_head(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    if full_path != "/":
+        await PermissionService.require_path_permission(user.id, full_path, PathAction.READ)
    try:
        st = await VirtualFSService.stat_file(full_path)
    except FileNotFoundError:
@@ -264,6 +289,7 @@ async def dav_put(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    await PermissionService.require_path_permission(user.id, full_path, PathAction.WRITE)
    async def body_iter():
        async for chunk in request.stream():
            if chunk:
@@ -281,6 +307,7 @@ async def dav_delete(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    await PermissionService.require_path_permission(user.id, full_path, PathAction.DELETE)
    await VirtualFSService.delete_path(full_path)
    return Response(status_code=204, headers=_dav_headers())

@@ -294,6 +321,7 @@ async def dav_mkcol(
    user: User = Depends(_get_basic_user),
 ):
    full_path = _normalize_fs_path(path)
+    await PermissionService.require_path_permission(user.id, full_path, PathAction.WRITE)
    await VirtualFSService.make_dir(full_path)
    return Response(status_code=201, headers=_dav_headers())

@@ -322,6 +350,8 @@ async def dav_move(
    dest_header = request.headers.get("Destination")
    dst = _parse_destination(dest_header or "")
    overwrite = request.headers.get("Overwrite", "T").upper() != "F" 
+    await PermissionService.require_path_permission(user.id, full_src, PathAction.DELETE)
+    await PermissionService.require_path_permission(user.id, dst, PathAction.WRITE)
    await VirtualFSService.move_path(full_src, dst, overwrite=overwrite)
    return Response(status_code=204, headers=_dav_headers())

@@ -338,5 +368,7 @@ async def dav_copy(
    dest_header = request.headers.get("Destination")
    dst = _parse_destination(dest_header or "")
    overwrite = request.headers.get("Overwrite", "T").upper() != "F"  
+    await PermissionService.require_path_permission(user.id, full_src, PathAction.READ)
+    await PermissionService.require_path_permission(user.id, dst, PathAction.WRITE)
    await VirtualFSService.copy_path(full_src, dst, overwrite=overwrite)
    return Response(status_code=201 if not overwrite else 204, headers=_dav_headers())
--- a/domain/virtual_fs/search/search_api.py
+++ b/domain/virtual_fs/search/search_api.py
@@ -2,6 +2,8 @@ from fastapi import APIRouter, Depends, Query

 from api.response import success
 from domain.auth import User, get_current_active_user
+from domain.permission.service import PermissionService
+from domain.permission.types import PathAction
 from .search_service import VirtualFSSearchService

 router = APIRouter(prefix="/api/fs/search", tags=["search"])
@@ -24,4 +26,14 @@ async def search_files(
    page_size = max(min(page_size, 100), 1)

    data = await VirtualFSSearchService.search(q, top_k, mode, page, page_size)
+    items = data.get("items") if isinstance(data, dict) else None
+    if isinstance(items, list) and items:
+        filtered = []
+        for item in items:
+            path = getattr(item, "path", None)
+            if not path:
+                continue
+            if await PermissionService.check_path_permission(user.id, str(path), PathAction.READ):
+                filtered.append(item)
+        data["items"] = filtered
    return success(data)