Merge branch 'Calcium-Ion:main' into main

common/constants.go

@@ -126,6 +126,10 @@ const (
 	RoleRootUser   = 100
 )
 
+func IsValidateRole(role int) bool {
+	return role == RoleGuestUser || role == RoleCommonUser || role == RoleAdminUser || role == RoleRootUser
+}
+
 var (
 	FileUploadPermission    = RoleGuestUser
 	FileDownloadPermission  = RoleGuestUser

controller/user.go

@@ -7,6 +7,7 @@ import (
 	"one-api/common"
 	"one-api/model"
 	"strconv"
+	"strings"
 	"sync"
 
 	"github.com/gin-contrib/sessions"
@@ -616,6 +617,7 @@ func DeleteSelf(c *gin.Context) {
 func CreateUser(c *gin.Context) {
 	var user model.User
 	err := json.NewDecoder(c.Request.Body).Decode(&user)
+	user.Username = strings.TrimSpace(user.Username)
 	if err != nil || user.Username == "" || user.Password == "" {
 		c.JSON(http.StatusOK, gin.H{
 			"success": false,
@@ -663,8 +665,8 @@ func CreateUser(c *gin.Context) {
 }
 
 type ManageRequest struct {
-	Username string `json:"username"`
-	Action   string `json:"action"`
+	Id     int    `json:"id"`
+	Action string `json:"action"`
 }
 
 // ManageUser Only admin user can do this
@@ -680,7 +682,7 @@ func ManageUser(c *gin.Context) {
 		return
 	}
 	user := model.User{
-		Username: req.Username,
+		Id: req.Id,
 	}
 	// Fill attributes
 	model.DB.Unscoped().Where(&user).First(&user)

middleware/auth.go

@@ -10,6 +10,17 @@ import (
 	"strings"
 )
 
+func validUserInfo(username string, role int) bool {
+	// check username is empty
+	if strings.TrimSpace(username) == "" {
+		return false
+	}
+	if !common.IsValidateRole(role) {
+		return false
+	}
+	return true
+}
+
 func authHelper(c *gin.Context, minRole int) {
 	session := sessions.Default(c)
 	username := session.Get("username")
@@ -30,6 +41,14 @@ func authHelper(c *gin.Context, minRole int) {
 		}
 		user := model.ValidateAccessToken(accessToken)
 		if user != nil && user.Username != "" {
+			if !validUserInfo(user.Username, user.Role) {
+				c.JSON(http.StatusOK, gin.H{
+					"success": false,
+					"message": "无权进行此操作，用户信息无效",
+				})
+				c.Abort()
+				return
+			}
 			// Token is valid
 			username = user.Username
 			role = user.Role
@@ -91,6 +110,14 @@ func authHelper(c *gin.Context, minRole int) {
 		c.Abort()
 		return
 	}
+	if !validUserInfo(username.(string), role.(int)) {
+		c.JSON(http.StatusOK, gin.H{
+			"success": false,
+			"message": "无权进行此操作，用户信息无效",
+		})
+		c.Abort()
+		return
+	}
 	c.Set("username", username)
 	c.Set("role", role)
 	c.Set("id", id)

model/user.go

@@ -295,11 +295,12 @@ func (user *User) ValidateAndFill() (err error) {
 	// that means if your field’s value is 0, '', false or other zero values,
 	// it won’t be used to build query conditions
 	password := user.Password
-	if user.Username == "" || password == "" {
+	username := strings.TrimSpace(user.Username)
+	if username == "" || password == "" {
 		return errors.New("用户名或密码为空")
 	}
 	// find buy username or email
-	DB.Where("username = ? OR email = ?", user.Username, user.Username).First(user)
+	DB.Where("username = ? OR email = ?", username, username).First(user)
 	okay := common.ValidatePasswordAndHash(password, user.Password)
 	if !okay || user.Status != common.UserStatusEnabled {
 		return errors.New("用户名或密码错误，或用户已被封禁")

web/src/components/UsersTable.js

@@ -151,7 +151,7 @@ const UsersTable = () => {
                 title='确定？'
                 okType={'warning'}
                 onConfirm={() => {
-                  manageUser(record.username, 'promote', record);
+                  manageUser(record.id, 'promote', record);
                 }}
               >
                 <Button theme='light' type='warning' style={{ marginRight: 1 }}>
@@ -162,7 +162,7 @@ const UsersTable = () => {
                 title='确定？'
                 okType={'warning'}
                 onConfirm={() => {
-                  manageUser(record.username, 'demote', record);
+                  manageUser(record.id, 'demote', record);
                 }}
               >
                 <Button
@@ -179,7 +179,7 @@ const UsersTable = () => {
                   type='warning'
                   style={{ marginRight: 1 }}
                   onClick={async () => {
-                    manageUser(record.username, 'disable', record);
+                    manageUser(record.id, 'disable', record);
                   }}
                 >
                   禁用
@@ -190,7 +190,7 @@ const UsersTable = () => {
                   type='secondary'
                   style={{ marginRight: 1 }}
                   onClick={async () => {
-                    manageUser(record.username, 'enable', record);
+                    manageUser(record.id, 'enable', record);
                   }}
                   disabled={record.status === 3}
                 >
@@ -214,7 +214,7 @@ const UsersTable = () => {
                 okType={'danger'}
                 position={'left'}
                 onConfirm={() => {
-                  manageUser(record.username, 'delete', record).then(() => {
+                  manageUser(record.id, 'delete', record).then(() => {
                     removeRecord(record.id);
                   });
                 }}
@@ -303,9 +303,9 @@ const UsersTable = () => {
     fetchGroups().then();
   }, []);
 
-  const manageUser = async (username, action, record) => {
+  const manageUser = async (userId, action, record) => {
     const res = await API.post('/api/user/manage', {
-      username,
+      id: userId,
       action,
     });
     const { success, message } = res.data;