From 1f64d92dd2e058a8c247d098028b4a9beef42344 Mon Sep 17 00:00:00 2001
From: zicla
Date: Sat, 4 May 2019 01:23:31 +0800
Subject: [PATCH] Refine the checkUser api.
---
 code/rest/alien_controller.go | 8 ++++----
 code/rest/alien_service.go | 2 +-
 code/rest/base_bean.go | 10 +++++-----
 code/rest/base_controller.go | 2 +-
 code/rest/footprint_service.go | 13 ++++++++++---
 code/rest/image_cache_controller.go | 8 ++++----
 code/rest/matter_controller.go | 26 +++++++++++++-------------
 code/rest/preference_controller.go | 2 +-
 code/rest/share_controller.go | 14 +++++++-------
 code/rest/user_controller.go | 10 +++++-----
 code/support/tank_router.go | 4 ++--
 11 files changed, 53 insertions(+), 46 deletions(-)
diff --git a/code/rest/alien_controller.go b/code/rest/alien_controller.go
index c383686..5971a15 100644
--- a/code/rest/alien_controller.go
+++ b/code/rest/alien_controller.go
@@ -174,7 +174,7 @@ func (this *AlienController) FetchUploadToken(writer http.ResponseWriter, reques
 //文件夹路径,以 / 开头。
 dir := request.FormValue("dir")
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 dirMatter := this.matterService.CreateDirectories(user, dir)
 mm, _ := time.ParseDuration(fmt.Sprintf("%ds", expire))
@@ -203,7 +203,7 @@ func (this *AlienController) Confirm(writer http.ResponseWriter, request *http.R
 panic("matterUuid必填")
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 matter := this.matterDao.CheckByUuid(matterUuid)
 if matter.UserUuid != user.Uuid {
@@ -333,7 +333,7 @@ func (this *AlienController) CrawlDirect(writer http.ResponseWriter, request *ht
 }
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 dirMatter := this.matterService.CreateDirectories(user, dir)
 matter := this.matterService.AtomicCrawl(url, filename, user, dirMatter, privacy)
@@ -349,7 +349,7 @@ func (this *AlienController) FetchDownloadToken(writer http.ResponseWriter, requ
 panic("matterUuid必填")
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 matter := this.matterDao.CheckByUuid(matterUuid)
 if matter.UserUuid != user.Uuid {
diff --git a/code/rest/alien_service.go b/code/rest/alien_service.go
index 8742c9c..16cd0db 100644
--- a/code/rest/alien_service.go
+++ b/code/rest/alien_service.go
@@ -109,7 +109,7 @@ func (this *AlienService) PreviewOrDownload(
 } else {
 //判断文件的所属人是否正确
- operator := this.findUser(writer, request)
+ operator := this.findUser(request)
 //可以使用分享码的形式授权。
 shareUuid := request.FormValue("shareUuid")
diff --git a/code/rest/base_bean.go b/code/rest/base_bean.go
index a86f14b..e493663 100644
--- a/code/rest/base_bean.go
+++ b/code/rest/base_bean.go
@@ -30,7 +30,7 @@ func (this *BaseBean) PanicError(err error) {
 }
 //能找到一个user就找到一个
-func (this *BaseBean) findUser(writer http.ResponseWriter, request *http.Request) *User {
+func (this *BaseBean) findUser(request *http.Request) *User {
 //验证用户是否已经登录。
 //登录身份有效期以数据库中记录的为准
@@ -63,10 +63,10 @@ func (this *BaseBean) findUser(writer http.ResponseWriter, request *http.Request
 }
 //获取当前登录的用户,找不到就返回登录错误
-func (this *BaseBean) checkUser(writer http.ResponseWriter, request *http.Request) *User {
- if this.findUser(writer, request) == nil {
- panic(result.ConstWebResult(result.LOGIN))
+func (this *BaseBean) checkUser(request *http.Request) *User {
+ if this.findUser(request) == nil {
+ panic(result.LOGIN)
 } else {
- return this.findUser(writer, request)
+ return this.findUser(request)
 }
 }
diff --git a/code/rest/base_controller.go b/code/rest/base_controller.go
index 31bea44..2c1e818 100644
--- a/code/rest/base_controller.go
+++ b/code/rest/base_controller.go
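Review bot: checkUser in base_bean.go still resolves the caller twice on the success path — `findUser` is called once for the nil test and again for the return — and findUser's own comment says login validity is taken from the database record, so every authenticated request pays two session lookups and the two results can in principle differ (a session expiring between the calls returns nil from the second one and the function then returns nil to a caller that assumes non-nil). Bind the result once and return it, as below. The panic value also changes from `result.ConstWebResult(result.LOGIN)` to the bare `result.LOGIN`; other handlers in this diff already panic with `result.UNAUTHORIZED`, so the global panic handler presumably accepts that type, but it is worth confirming, since a type the handler does not recognise would turn a missing login into a generic error instead of a login response.
```go
func (this *BaseBean) checkUser(request *http.Request) *User {
	user := this.findUser(request)
	if user == nil {
		panic(result.LOGIN)
	}
	return user
}
```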
@@ -54,7 +54,7 @@ func (this *BaseController) Wrap(f func(writer http.ResponseWriter, request *htt
 //只有游客接口不需要登录
 if qualifiedRole != USER_ROLE_GUEST {
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if user.Status == USER_STATUS_DISABLED {
 //判断用户是否被禁用。
diff --git a/code/rest/footprint_service.go b/code/rest/footprint_service.go
index e53a539..89bd4a4 100644
--- a/code/rest/footprint_service.go
+++ b/code/rest/footprint_service.go
@@ -43,7 +43,7 @@ func (this *FootprintService) Detail(uuid string) *Footprint {
 }
 //记录访问记录
-func (this *FootprintService) Trace(writer http.ResponseWriter, request *http.Request, duration time.Duration, success bool) {
+func (this *FootprintService) Trace(request *http.Request, duration time.Duration, success bool) {
 params := make(map[string][]string)
@@ -58,6 +58,13 @@ func (this *FootprintService) Trace(writer http.ResponseWriter, request *http.Re
 params[key] = val
 }
+ //ignore password.
+ for key, _ := range params {
+ if key == core.PASSWORD_KEY || key == "password" || key == "adminPassword" {
+ params[key] = []string{"******"}
+ }
+ }
+
 //用json的方式输出返回值。
 paramsString := "{}"
 paramsData, err := json.Marshal(params)
@@ -77,7 +84,7 @@ func (this *FootprintService) Trace(writer http.ResponseWriter, request *http.Re
 //有可能DB尚且没有配置 直接打印出内容,并且退出
 if core.CONFIG.Installed() {
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 userUuid := ""
 if user != nil {
 userUuid = user.Uuid
@@ -87,7 +94,7 @@ func (this *FootprintService) Trace(writer http.ResponseWriter, request *http.Re
 }
 //用json的方式输出返回值。
- this.logger.Info("Ip:%s Host:%s Uri:%s Params:%s Cost:%d", footprint.Ip, footprint.Host, footprint.Uri, paramsString, int64(duration/time.Millisecond))
+ this.logger.Info("Ip:%s Cost:%d Uri:%s Params:%s", footprint.Ip, int64(duration/time.Millisecond), footprint.Uri, paramsString)
 }
diff --git a/code/rest/image_cache_controller.go b/code/rest/image_cache_controller.go
index adbfec4..b9ad5f6 100644
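Review bot: The new masking loop in FootprintService.Trace redacts only three exact, case-sensitive keys (`core.PASSWORD_KEY`, `"password"`, `"adminPassword"`), yet this same commit touches ChangePassword and ResetPassword in user_controller.go, whose error text refers to an old and a new password; whatever form keys those handlers read are not covered unless they are literally `password`, so they would still be serialised into paramsString and then both logged and stored in the footprint record. A match on the lower-cased key, `if strings.Contains(strings.ToLower(key), "password") {` (needs `strings` imported in this file), covers such variants without maintaining a list, and the share `code` form value seen in share_controller.go is another candidate for redaction. Minor: `for key, _ := range params` is flagged by gofmt -s; write `for key := range params`. The rewritten log line also drops `footprint.Host` from the output, which looks deliberate but deserves a word in the commit message since host is what distinguishes requests when several names are served behind one proxy.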
--- a/code/rest/image_cache_controller.go
+++ b/code/rest/image_cache_controller.go
@@ -57,7 +57,7 @@ func (this *ImageCacheController) Detail(writer http.ResponseWriter, request *ht
 imageCache := this.imageCacheService.Detail(uuid)
 //验证当前之人是否有权限查看这么详细。
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if imageCache.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -79,7 +79,7 @@ func (this *ImageCacheController) Page(writer http.ResponseWriter, request *http
 matterUuid := request.FormValue("matterUuid")
 orderSize := request.FormValue("orderSize")
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 userUuid = user.Uuid
 var page int
@@ -131,7 +131,7 @@ func (this *ImageCacheController) Delete(writer http.ResponseWriter, request *ht
 imageCache := this.imageCacheDao.FindByUuid(uuid)
 //判断图片缓存的所属人是否正确
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if imageCache.UserUuid != user.Uuid {
 panic(result.Unauthorized("没有权限"))
@@ -157,7 +157,7 @@ func (this *ImageCacheController) DeleteBatch(writer http.ResponseWriter, reques
 imageCache := this.imageCacheDao.FindByUuid(uuid)
 //判断图片缓存的所属人是否正确
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if imageCache.UserUuid != user.Uuid {
 panic(result.Unauthorized("没有权限"))
 }
diff --git a/code/rest/matter_controller.go b/code/rest/matter_controller.go
index e8022b8..4a47cdf 100644
--- a/code/rest/matter_controller.go
+++ b/code/rest/matter_controller.go
@@ -102,7 +102,7 @@ func (this *MatterController) Detail(writer http.ResponseWriter, request *http.R
 matter := this.matterService.Detail(uuid)
 //验证当前之人是否有权限查看这么详细。
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if matter.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -147,14 +147,14 @@ func (this *MatterController) Page(writer http.ResponseWriter, request *http.Req
 panic(result.BadRequest("puuid 对应的不是文件夹"))
 }
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 //根据某个shareUuid和code,某个用户是否有权限获取 shareRootUuid 下面的 matterUuid
 this.shareService.ValidateMatter(shareUuid, shareCode, user, shareRootUuid, dirMatter)
 userUuid = dirMatter.Uuid
 } else {
 //非分享模式要求必须登录
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 userUuid = user.Uuid
 }
@@ -221,7 +221,7 @@ func (this *MatterController) CreateDirectory(writer http.ResponseWriter, reques
 name := request.FormValue("name")
 //管理员可以指定给某个用户创建文件夹。
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 //找到父级matter
 var dirMatter *Matter
@@ -247,7 +247,7 @@ func (this *MatterController) Upload(writer http.ResponseWriter, request *http.R
 this.PanicError(err)
 }()
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 privacy := privacyStr == TRUE
@@ -280,7 +280,7 @@ func (this *MatterController) Crawl(writer http.ResponseWriter, request *http.Re
 destPath := request.FormValue("destPath")
 filename := request.FormValue("filename")
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 dirMatter := this.matterService.CreateDirectories(user, destPath)
@@ -308,7 +308,7 @@ func (this *MatterController) Delete(writer http.ResponseWriter, request *http.R
 matter := this.matterDao.CheckByUuid(uuid)
 //判断文件的所属人是否正确
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if matter.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -339,7 +339,7 @@ func (this *MatterController) DeleteBatch(writer http.ResponseWriter, request *h
 }
 //判断文件的所属人是否正确
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if matter.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -357,7 +357,7 @@ func (this *MatterController) Rename(writer http.ResponseWriter, request *http.R
 uuid := request.FormValue("uuid")
 name := request.FormValue("name")
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 //找出该文件或者文件夹
 matter := this.matterDao.CheckByUuid(uuid)
@@ -387,7 +387,7 @@ func (this *MatterController) ChangePrivacy(writer http.ResponseWriter, request
 }
 //权限验证
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if matter.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -412,7 +412,7 @@ func (this *MatterController) Move(writer http.ResponseWriter, request *http.Req
 srcUuids = strings.Split(srcUuidsStr, ",")
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 //验证dest是否有问题
 var destMatter = this.matterDao.CheckWithRootByUuid(destUuid, user)
@@ -470,7 +470,7 @@ func (this *MatterController) Mirror(writer http.ResponseWriter, request *http.R
 overwrite = true
 }
- user := this.userDao.checkUser(writer, request)
+ user := this.userDao.checkUser(request)
 this.matterService.AtomicMirror(srcPath, destPath, overwrite, user)
@@ -493,7 +493,7 @@ func (this *MatterController) Zip(writer http.ResponseWriter, request *http.Requ
 if matters == nil || len(matters) == 0 {
 panic(result.BadRequest("matters cannot be nil."))
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 puuid := matters[0].Puuid
 for _, m := range matters {
diff --git a/code/rest/preference_controller.go b/code/rest/preference_controller.go
index d028176..0a154b2 100644
--- a/code/rest/preference_controller.go
+++ b/code/rest/preference_controller.go
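Review bot: Mirror reaches the login check through `this.userDao.checkUser(request)` while every other handler in matter_controller.go calls `this.checkUser(request)`; both presumably resolve to the same BaseBean method, but routing it through the DAO ties the controller to an incidental embedding and reads as though a different check were being applied before AtomicMirror. Use `user := this.checkUser(request)` here for consistency with the rest of the file. Mirror's body starts before and continues after this hunk.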
@@ -114,7 +114,7 @@ func (this *PreferenceController) Edit(writer http.ResponseWriter, request *http
 //清扫系统,所有数据全部丢失。一定要非常慎点,非常慎点!只在系统初始化的时候点击!
 func (this *PreferenceController) SystemCleanup(writer http.ResponseWriter, request *http.Request) *result.WebResult {
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 password := request.FormValue("password")
 if !util.MatchBcrypt(password, user.Password) {
diff --git a/code/rest/share_controller.go b/code/rest/share_controller.go
index 0d07c63..4c3f965 100644
--- a/code/rest/share_controller.go
+++ b/code/rest/share_controller.go
@@ -109,7 +109,7 @@ func (this *ShareController) Create(writer http.ResponseWriter, request *http.Re
 var name string
 shareType := SHARE_TYPE_MIX
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 var puuid string
 var matters []*Matter
 for key, uuid := range uuidArray {
@@ -205,7 +205,7 @@ func (this *ShareController) DeleteBatch(writer http.ResponseWriter, request *ht
 imageCache := this.shareDao.FindByUuid(uuid)
 //判断图片缓存的所属人是否正确
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if imageCache.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
 }
@@ -227,7 +227,7 @@ func (this *ShareController) Detail(writer http.ResponseWriter, request *http.Re
 share := this.shareDao.CheckByUuid(uuid)
 //验证当前之人是否有权限查看这么详细。
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if share.UserUuid != user.Uuid {
 panic(result.UNAUTHORIZED)
@@ -245,7 +245,7 @@ func (this *ShareController) Page(writer http.ResponseWriter, request *http.Requ
 pageSizeStr := request.FormValue("pageSize")
 orderCreateTime := request.FormValue("orderCreateTime")
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 var page int
 if pageStr != "" {
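Review bot: SystemCleanup gates a destructive, all-data operation on `checkUser` plus a bcrypt re-check of the caller's own password, and nothing in the hunk restricts it to administrators, whereas ResetPassword in user_controller.go explicitly tests `currentUser.Role != USER_ROLE_ADMINISTRATOR` before acting. If the administrator requirement is enforced by the route's qualifiedRole in BaseController.Wrap, a comment above the call such as `// route is registered with the administrator role; Wrap rejects everyone else before we get here` would spare the next reader the same question; if it is not, the same role test belongs here, since any logged-in user who knows their own password would otherwise pass. The function's body continues past the hunk.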
@@ -278,7 +278,7 @@ func (this *ShareController) CheckShare(writer http.ResponseWriter, request *htt
 //如果是根目录,那么就传入root.
 shareUuid := request.FormValue("shareUuid")
 code := request.FormValue("code")
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 return this.shareService.CheckShare(shareUuid, code, user)
 }
@@ -294,7 +294,7 @@ func (this *ShareController) Browse(writer http.ResponseWriter, request *http.Re
 puuid := request.FormValue("puuid")
 rootUuid := request.FormValue("rootUuid")
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 share := this.shareService.CheckShare(shareUuid, code, user)
 bridges := this.bridgeDao.ListByShareUuid(share.Uuid)
@@ -372,7 +372,7 @@ func (this *ShareController) Zip(writer http.ResponseWriter, request *http.Reque
 puuid := request.FormValue("puuid")
 rootUuid := request.FormValue("rootUuid")
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 if puuid == MATTER_ROOT {
diff --git a/code/rest/user_controller.go b/code/rest/user_controller.go
index f825858..e728259 100644
--- a/code/rest/user_controller.go
+++ b/code/rest/user_controller.go
@@ -139,7 +139,7 @@ func (this *UserController) Edit(writer http.ResponseWriter, request *http.Reque
 avatarUrl := request.FormValue("avatarUrl")
 uuid := request.FormValue("uuid")
- currentUser := this.checkUser(writer, request)
+ currentUser := this.checkUser(request)
 user := this.userDao.CheckByUuid(uuid)
 if currentUser.Role == USER_ROLE_ADMINISTRATOR {
@@ -191,7 +191,7 @@ func (this *UserController) Logout(writer http.ResponseWriter, request *http.Req
 }
 sessionId := sessionCookie.Value
- user := this.findUser(writer, request)
+ user := this.findUser(request)
 if user != nil {
 session := this.sessionDao.FindByUuid(sessionId)
 session.ExpireTime = time.Now()
@@ -274,7 +274,7 @@ func (this *UserController) ToggleStatus(writer http.ResponseWriter, request *ht
 uuid := request.FormValue("uuid")
 currentUser := this.userDao.CheckByUuid(uuid)
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 if uuid == user.Uuid {
 panic(result.Unauthorized("你不能操作自己的状态。"))
 }
@@ -300,7 +300,7 @@ func (this *UserController) ChangePassword(writer http.ResponseWriter, request *
 panic(result.BadRequest("旧密码和新密码都不能为空"))
 }
- user := this.checkUser(writer, request)
+ user := this.checkUser(request)
 //如果是demo账号,不提供修改密码的功能。
 if user.Username == "demo" {
@@ -330,7 +330,7 @@ func (this *UserController) ResetPassword(writer http.ResponseWriter, request *h
 panic(result.BadRequest("密码不能为空"))
 }
- currentUser := this.checkUser(writer, request)
+ currentUser := this.checkUser(request)
 if currentUser.Role != USER_ROLE_ADMINISTRATOR {
 panic(result.Unauthorized("没有权限"))
diff --git a/code/support/tank_router.go b/code/support/tank_router.go
index d03bcfb..2ad5858 100644
--- a/code/support/tank_router.go
+++ b/code/support/tank_router.go
@@ -134,7 +134,7 @@ func (this *TankRouter) GlobalPanicHandler(writer http.ResponseWriter, request *
 //错误情况记录。
 go core.RunWithRecovery(func() {
- this.footprintService.Trace(writer, request, time.Now().Sub(startTime), false)
+ this.footprintService.Trace(request, time.Now().Sub(startTime), false)
 })
 }
 }
@@ -182,7 +182,7 @@ func (this *TankRouter) ServeHTTP(writer http.ResponseWriter, request *http.Requ
 //正常的访问记录会落到这里。
 go core.RunWithRecovery(func() {
- this.footprintService.Trace(writer, request, time.Now().Sub(startTime), true)
+ this.footprintService.Trace(request, time.Now().Sub(startTime), true)
 })
 } else {
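Review bot: In ToggleStatus the names are inverted relative to Edit and ResetPassword in the same file: here `currentUser` is the account looked up from the `uuid` form value and `user` is the logged-in caller returned by checkUser, while the other two handlers use `currentUser` for the caller. The self-check `if uuid == user.Uuid` still reads correctly, but a later edit that copies the Edit pattern (`currentUser.Role == USER_ROLE_ADMINISTRATOR`) into this function would test the target account's role instead of the caller's. Renaming to `targetUser := this.userDao.CheckByUuid(uuid)` and `currentUser := this.checkUser(request)` aligns the three handlers. ToggleStatus continues outside the hunk.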
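Review bot: Both Trace calls in tank_router.go still run on a goroutine started by `go core.RunWithRecovery(...)` that outlives the handler, and the refined FootprintService.Trace reads form values and calls findUser on the captured `request`; once ServeHTTP returns the server closes the request body and cancels the request context, so this is only safe while Trace confines itself to data that is already parsed (Form, Header, cookies). That invariant is not written down anywhere in the diff; a comment at the call site, `// Trace runs after ServeHTTP returns: it must only read parsed form/header data, never the body`, or parsing what Trace needs before handing off, would keep a future Trace change from reading a closed body. The same applies to the ServeHTTP hunk below it, which may be cut at the end of the page.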