From 2759f41725928781f77baf2c6b97f99790f17f26 Mon Sep 17 00:00:00 2001
From: han2015 <1019850453@qq.com>
Date: Tue, 10 Jun 2025 16:46:38 +0800
Subject: [PATCH] v0.3.3: peimission control for kkFileView
---
 code/rest/share_controller.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/code/rest/share_controller.go b/code/rest/share_controller.go
index 4e9e0a6..44ec89d 100644
--- a/code/rest/share_controller.go
+++ b/code/rest/share_controller.go
@@ -359,7 +359,7 @@ func (this *ShareController) Browse(writer http.ResponseWriter, request *http.Re
 share := this.shareService.CheckShare(request, shareUuid, code, user)
 //by han: add permitList verification feature
- if user.Uuid != share.UserUuid && share.PermitList != "" && !strings.Contains(share.PermitList, user.Uuid) {
+ if user.Uuid == "" || (user.Uuid != share.UserUuid && share.PermitList != "" && !strings.Contains(share.PermitList, user.Uuid)) {
 panic(result.UNAUTHORIZED)
 }
@@ -440,6 +440,16 @@ func (this *ShareController) Zip(writer http.ResponseWriter, request *http.Reque
 //download all things.
 share := this.shareService.CheckShare(request, shareUuid, code, user)
+ //预览服务特别处理: 由于预览服务没有用户信息,但是文件访问又必须验证权限,
+ //id是用base64处理过的,所以这里要用base64解码
+ if user.Uuid == "" {
+ user.Uuid = request.FormValue("uid")
+ data, err := base64.StdEncoding.DecodeString(user.Uuid)
+ if err == nil {
+ user.Uuid = string(data)
+ }
+ }
+
 //by han: add verification for downloadAPI
 if user.Uuid != share.UserUuid && share.PermitList != "" && !strings.Contains(share.PermitList, user.Uuid) {
 panic(result.UNAUTHORIZED)
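Review bot: The permit check in the rewritten condition still relies on `strings.Contains(share.PermitList, user.Uuid)`, which is a substring test rather than list membership, so any value that merely occurs inside the stored string is accepted; the same expression guards Zip in the second hunk, where the id can now come from the request. Split the list on its separator and compare entries exactly, for example `slices.Contains(strings.Split(share.PermitList, ","), user.Uuid)` if the list is comma-separated (the separator is not visible in this diff). The new `user.Uuid == ""` test also rejects anonymous callers when PermitList is empty, whereas Zip fills the id from a form value instead; if shares without a permit list are meant to stay browsable without login, that difference deserves a comment or a narrower condition. Browse's body starts and ends outside the hunk.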
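Review bot: The block added ahead of the permit check takes the caller's identity from `request.FormValue("uid")`, and base64 is an encoding rather than a credential, so both the owner comparison and the PermitList lookup below it run on a value the requester chooses. A failed decode is silently ignored and the raw parameter is kept as the id, so malformed input is not rejected either. If the preview service cannot carry a session, consider having the server issue a short-lived signed token when it builds the preview URL and verifying that here instead of accepting a bare id; at the least hold the value in a local variable rather than writing to `user.Uuid`, since `user` may be shared with later code (not visible in the hunk). The added comment would be easier to review in English, for example `// preview service has no session; it passes the user id base64-encoded in "uid"`. Zip's body starts and ends outside the hunk.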