Fix: room members and room settings guest role no permission #142 #143

10 months ago · 6bb5be3a91
parent 48ed7995b1
commit 6bb5be3a91
2 changed files with 21 additions and 5 deletions
--- a/server/handlers/init.go
+++ b/server/handlers/init.go
@ -41,6 +41,8 @@ func Init(e *gin.Engine) {

 	needAuthRoomApi := api.Group("", middlewares.AuthRoomMiddleware)

+	needAuthRoomWithoutGuestApi := api.Group("", middlewares.AuthRoomWithoutGuestMiddleware)
+
 	{
 		public := api.Group("/public")

@ -58,10 +60,11 @@ func Init(e *gin.Engine) {

 	{
 		room := api.Group("/room")
-		needAuthRoom := needAuthRoomApi.Group("/room")
 		needAuthUser := needAuthUserApi.Group("/room")
+		needAuthRoom := needAuthRoomApi.Group("/room")
+		needAuthRoomWithoutGuest := needAuthRoomWithoutGuestApi.Group("/room")

-		initRoom(room, needAuthUser, needAuthRoom)
+		initRoom(room, needAuthUser, needAuthRoom, needAuthRoomWithoutGuest)
 	}

 	{
@ -160,7 +163,7 @@ func initAdmin(admin *gin.RouterGroup, root *gin.RouterGroup) {
 	}
 }

-func initRoom(room *gin.RouterGroup, needAuthUser *gin.RouterGroup, needAuthRoom *gin.RouterGroup) {
+func initRoom(room *gin.RouterGroup, needAuthUser *gin.RouterGroup, needAuthRoom *gin.RouterGroup, needAuthWithoutGuestRoom *gin.RouterGroup) {
 	room.GET("/ws", NewWebSocketHandler(utils.NewWebSocketServer()))

 	room.GET("/check", CheckRoom)
@ -177,9 +180,9 @@ func initRoom(room *gin.RouterGroup, needAuthUser *gin.RouterGroup, needAuthRoom

 	needAuthRoom.GET("/me", RoomMe)

-	needAuthRoom.GET("/settings", RoomPiblicSettings)
+	needAuthWithoutGuestRoom.GET("/settings", RoomPiblicSettings)

-	needAuthRoom.GET("/members", RoomMembers)
+	needAuthWithoutGuestRoom.GET("/members", RoomMembers)

 	{
 		needAuthRoomAdmin := needAuthRoom.Group("/admin", middlewares.AuthRoomAdminMiddleware)
--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
@ -292,6 +292,19 @@ func AuthRoomMiddleware(ctx *gin.Context) {
 	log.Data["uro"] = user.Role.String()
 }

+func AuthRoomWithoutGuestMiddleware(ctx *gin.Context) {
+	AuthRoomMiddleware(ctx)
+	if ctx.IsAborted() {
+		return
+	}
+
+	user := ctx.MustGet("user").(*synccache.Entry[*op.User]).Value()
+	if user.IsGuest() {
+		ctx.AbortWithStatusJSON(http.StatusForbidden, model.NewApiErrorStringResp("guest is no permission"))
+		return
+	}
+}
+
 func AuthRoomAdminMiddleware(ctx *gin.Context) {
 	AuthRoomMiddleware(ctx)
 	if ctx.IsAborted() {