rogee/quyun-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: guard unpublished content access

Browse Source
This commit is contained in:
Rogee
2026-01-09 18:34:52 +08:00
parent f1b3840dfb
commit c59353a740
1 changed files with 25 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
backend/app/services/content.go
View File

@@ -135,13 +135,6 @@ func (s *content) List(ctx context.Context, tenantID int64, filter *content_dto.
} }
func (s *content) Get(ctx context.Context, tenantID, userID, id int64) (*content_dto.ContentDetail, error) { func (s *content) Get(ctx context.Context, tenantID, userID, id int64) (*content_dto.ContentDetail, error) {
// Increment Views
update := models.ContentQuery.WithContext(ctx).Where(models.ContentQuery.ID.Eq(id))
if tenantID > 0 {
update = update.Where(models.ContentQuery.TenantID.Eq(tenantID))
}
_, _ = update.UpdateSimple(models.ContentQuery.Views.Add(1))
_, q := models.ContentQuery.QueryContext(ctx) _, q := models.ContentQuery.QueryContext(ctx)
var item models.Content var item models.Content
@@ -164,6 +157,30 @@ func (s *content) Get(ctx context.Context, tenantID, userID, id int64) (*content
return nil, errorx.ErrDatabaseError.WithCause(err) return nil, errorx.ErrDatabaseError.WithCause(err)
} }
// 未发布内容仅允许作者或租户管理员查看。
if item.Status != consts.ContentStatusPublished {
if userID == 0 {
return nil, errorx.ErrForbidden.WithMsg("内容未发布")
}
if item.UserID != userID {
exists, _ := models.TenantUserQuery.WithContext(ctx).
Where(models.TenantUserQuery.TenantID.Eq(item.TenantID),
models.TenantUserQuery.UserID.Eq(userID),
models.TenantUserQuery.Role.Contains(types.Array[consts.TenantUserRole]{consts.TenantUserRoleTenantAdmin})).
Exists()
if !exists {
return nil, errorx.ErrForbidden.WithMsg("内容未发布")
}
}
}
// Increment Views
update := models.ContentQuery.WithContext(ctx).Where(models.ContentQuery.ID.Eq(id))
if tenantID > 0 {
update = update.Where(models.ContentQuery.TenantID.Eq(tenantID))
}
_, _ = update.UpdateSimple(models.ContentQuery.Views.Add(1))
// Fetch Price // Fetch Price
var price float64 var price float64
cp, err := models.ContentPriceQuery.WithContext(ctx).Where(models.ContentPriceQuery.ContentID.Eq(id)).First() cp, err := models.ContentPriceQuery.WithContext(ctx).Where(models.ContentPriceQuery.ContentID.Eq(id)).First()
@@ -224,6 +241,7 @@ func (s *content) Get(ctx context.Context, tenantID, userID, id int64) (*content
if userID > 0 { if userID > 0 {
exists, _ := models.TenantUserQuery.WithContext(ctx). exists, _ := models.TenantUserQuery.WithContext(ctx).
Where(models.TenantUserQuery.TenantID.Eq(item.TenantID), Where(models.TenantUserQuery.TenantID.Eq(item.TenantID),
models.TenantUserQuery.UserID.Eq(userID),
models.TenantUserQuery.Role.Contains(types.Array[consts.TenantUserRole]{consts.TenantUserRoleMember})). models.TenantUserQuery.Role.Contains(types.Array[consts.TenantUserRole]{consts.TenantUserRoleMember})).
Exists() Exists()
authorIsFollowing = exists authorIsFollowing = exists