mirror of
https://github.com/whyour/qinglong.git
synced 2025-12-15 08:25:38 +08:00
Add log isolation and admin-only access for system/login logs
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
parent
6aefc61be6
commit
07fcb09cc6
151
back/api/log.ts
151
back/api/log.ts
|
|
@ -8,8 +8,12 @@ import {
|
||||||
readDirs,
|
readDirs,
|
||||||
removeAnsi,
|
removeAnsi,
|
||||||
rmPath,
|
rmPath,
|
||||||
|
IFile,
|
||||||
} from '../config/util';
|
} from '../config/util';
|
||||||
import LogService from '../services/log';
|
import LogService from '../services/log';
|
||||||
|
import CronService from '../services/cron';
|
||||||
|
import { UserRole } from '../data/user';
|
||||||
|
import { Crontab } from '../data/cron';
|
||||||
const route = Router();
|
const route = Router();
|
||||||
const blacklist = ['.tmp'];
|
const blacklist = ['.tmp'];
|
||||||
|
|
||||||
|
|
@ -20,6 +24,39 @@ export default (app: Router) => {
|
||||||
const logger: Logger = Container.get('logger');
|
const logger: Logger = Container.get('logger');
|
||||||
try {
|
try {
|
||||||
const result = await readDirs(config.logPath, config.logPath, blacklist);
|
const result = await readDirs(config.logPath, config.logPath, blacklist);
|
||||||
|
|
||||||
|
// Filter logs based on user permissions
|
||||||
|
if (req.user?.role !== UserRole.admin && req.user?.userId) {
|
||||||
|
const cronService = Container.get(CronService);
|
||||||
|
const { data: userCrons } = await cronService.crontabs({
|
||||||
|
searchValue: '',
|
||||||
|
page: '0',
|
||||||
|
size: '0',
|
||||||
|
sorter: '',
|
||||||
|
filters: '',
|
||||||
|
queryString: '',
|
||||||
|
userId: req.user.userId,
|
||||||
|
});
|
||||||
|
|
||||||
|
// Build a set of log paths that the user has access to
|
||||||
|
const allowedLogPaths = new Set(
|
||||||
|
userCrons
|
||||||
|
.filter((cron: Crontab) => cron.log_name && cron.log_name !== '/dev/null')
|
||||||
|
.map((cron: Crontab) => cron.log_name)
|
||||||
|
);
|
||||||
|
|
||||||
|
// Filter the result to only include logs the user owns
|
||||||
|
const filteredResult = (result as IFile[]).filter((item: IFile) =>
|
||||||
|
item.type === 'directory' && (allowedLogPaths.has(item.title) || allowedLogPaths.has(`${item.title}/`))
|
||||||
|
);
|
||||||
|
|
||||||
|
res.send({
|
||||||
|
code: 200,
|
||||||
|
data: filteredResult,
|
||||||
|
});
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
res.send({
|
res.send({
|
||||||
code: 200,
|
code: 200,
|
||||||
data: result,
|
data: result,
|
||||||
|
|
@ -45,6 +82,35 @@ export default (app: Router) => {
|
||||||
message: '暂无权限',
|
message: '暂无权限',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if user has permission to view this log
|
||||||
|
if (req.user?.role !== UserRole.admin && req.user?.userId) {
|
||||||
|
const cronService = Container.get(CronService);
|
||||||
|
const { data: userCrons } = await cronService.crontabs({
|
||||||
|
searchValue: '',
|
||||||
|
page: '0',
|
||||||
|
size: '0',
|
||||||
|
sorter: '',
|
||||||
|
filters: '',
|
||||||
|
queryString: '',
|
||||||
|
userId: req.user.userId,
|
||||||
|
});
|
||||||
|
|
||||||
|
const logPath = (req.query.path as string) || '';
|
||||||
|
const hasAccess = userCrons.some((cron: Crontab) =>
|
||||||
|
cron.log_name &&
|
||||||
|
cron.log_name !== '/dev/null' &&
|
||||||
|
(logPath.startsWith(cron.log_name) || cron.log_name.startsWith(logPath))
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!hasAccess) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const content = await getFileContentByName(finalPath);
|
const content = await getFileContentByName(finalPath);
|
||||||
res.send({ code: 200, data: removeAnsi(content) });
|
res.send({ code: 200, data: removeAnsi(content) });
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|
@ -68,6 +134,35 @@ export default (app: Router) => {
|
||||||
message: '暂无权限',
|
message: '暂无权限',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if user has permission to view this log
|
||||||
|
if (req.user?.role !== UserRole.admin && req.user?.userId) {
|
||||||
|
const cronService = Container.get(CronService);
|
||||||
|
const { data: userCrons } = await cronService.crontabs({
|
||||||
|
searchValue: '',
|
||||||
|
page: '0',
|
||||||
|
size: '0',
|
||||||
|
sorter: '',
|
||||||
|
filters: '',
|
||||||
|
queryString: '',
|
||||||
|
userId: req.user.userId,
|
||||||
|
});
|
||||||
|
|
||||||
|
const logPath = (req.query.path as string) || '';
|
||||||
|
const hasAccess = userCrons.some((cron: Crontab) =>
|
||||||
|
cron.log_name &&
|
||||||
|
cron.log_name !== '/dev/null' &&
|
||||||
|
(logPath.startsWith(cron.log_name) || cron.log_name.startsWith(logPath))
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!hasAccess) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const content = await getFileContentByName(finalPath);
|
const content = await getFileContentByName(finalPath);
|
||||||
res.send({ code: 200, data: content });
|
res.send({ code: 200, data: content });
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|
@ -99,6 +194,34 @@ export default (app: Router) => {
|
||||||
message: '暂无权限',
|
message: '暂无权限',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if user has permission to delete this log
|
||||||
|
if (req.user?.role !== UserRole.admin && req.user?.userId) {
|
||||||
|
const cronService = Container.get(CronService);
|
||||||
|
const { data: userCrons } = await cronService.crontabs({
|
||||||
|
searchValue: '',
|
||||||
|
page: '0',
|
||||||
|
size: '0',
|
||||||
|
sorter: '',
|
||||||
|
filters: '',
|
||||||
|
queryString: '',
|
||||||
|
userId: req.user.userId,
|
||||||
|
});
|
||||||
|
|
||||||
|
const hasAccess = userCrons.some((cron: Crontab) =>
|
||||||
|
cron.log_name &&
|
||||||
|
cron.log_name !== '/dev/null' &&
|
||||||
|
(path.startsWith(cron.log_name) || cron.log_name.startsWith(path))
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!hasAccess) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
await rmPath(finalPath);
|
await rmPath(finalPath);
|
||||||
res.send({ code: 200 });
|
res.send({ code: 200 });
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
|
|
@ -129,6 +252,34 @@ export default (app: Router) => {
|
||||||
message: '暂无权限',
|
message: '暂无权限',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if user has permission to download this log
|
||||||
|
if (req.user?.role !== UserRole.admin && req.user?.userId) {
|
||||||
|
const cronService = Container.get(CronService);
|
||||||
|
const { data: userCrons } = await cronService.crontabs({
|
||||||
|
searchValue: '',
|
||||||
|
page: '0',
|
||||||
|
size: '0',
|
||||||
|
sorter: '',
|
||||||
|
filters: '',
|
||||||
|
queryString: '',
|
||||||
|
userId: req.user.userId,
|
||||||
|
});
|
||||||
|
|
||||||
|
const hasAccess = userCrons.some((cron: Crontab) =>
|
||||||
|
cron.log_name &&
|
||||||
|
cron.log_name !== '/dev/null' &&
|
||||||
|
(path.startsWith(cron.log_name) || cron.log_name.startsWith(path))
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!hasAccess) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return res.download(filePath, filename, (err) => {
|
return res.download(filePath, filename, (err) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err);
|
return next(err);
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,7 @@ import {
|
||||||
} from '../config/util';
|
} from '../config/util';
|
||||||
import dayjs from 'dayjs';
|
import dayjs from 'dayjs';
|
||||||
import multer from 'multer';
|
import multer from 'multer';
|
||||||
|
import { UserRole } from '../data/user';
|
||||||
|
|
||||||
const route = Router();
|
const route = Router();
|
||||||
const storage = multer.diskStorage({
|
const storage = multer.diskStorage({
|
||||||
|
|
@ -357,6 +358,14 @@ export default (app: Router) => {
|
||||||
}),
|
}),
|
||||||
async (req: Request, res: Response, next: NextFunction) => {
|
async (req: Request, res: Response, next: NextFunction) => {
|
||||||
try {
|
try {
|
||||||
|
// Only admin can view system logs
|
||||||
|
if (req.user?.role !== UserRole.admin) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
const systemService = Container.get(SystemService);
|
const systemService = Container.get(SystemService);
|
||||||
await systemService.getSystemLog(
|
await systemService.getSystemLog(
|
||||||
res,
|
res,
|
||||||
|
|
@ -375,6 +384,14 @@ export default (app: Router) => {
|
||||||
'/log',
|
'/log',
|
||||||
async (req: Request, res: Response, next: NextFunction) => {
|
async (req: Request, res: Response, next: NextFunction) => {
|
||||||
try {
|
try {
|
||||||
|
// Only admin can delete system logs
|
||||||
|
if (req.user?.role !== UserRole.admin) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
const systemService = Container.get(SystemService);
|
const systemService = Container.get(SystemService);
|
||||||
await systemService.deleteSystemLog();
|
await systemService.deleteSystemLog();
|
||||||
res.send({ code: 200 });
|
res.send({ code: 200 });
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ import { v4 as uuidV4 } from 'uuid';
|
||||||
import rateLimit from 'express-rate-limit';
|
import rateLimit from 'express-rate-limit';
|
||||||
import config from '../config';
|
import config from '../config';
|
||||||
import { isDemoEnv } from '../config/util';
|
import { isDemoEnv } from '../config/util';
|
||||||
|
import { UserRole } from '../data/user';
|
||||||
const route = Router();
|
const route = Router();
|
||||||
|
|
||||||
const storage = multer.diskStorage({
|
const storage = multer.diskStorage({
|
||||||
|
|
@ -179,6 +180,14 @@ export default (app: Router) => {
|
||||||
async (req: Request, res: Response, next: NextFunction) => {
|
async (req: Request, res: Response, next: NextFunction) => {
|
||||||
const logger: Logger = Container.get('logger');
|
const logger: Logger = Container.get('logger');
|
||||||
try {
|
try {
|
||||||
|
// Only admin can view login logs
|
||||||
|
if (req.user?.role !== UserRole.admin) {
|
||||||
|
return res.send({
|
||||||
|
code: 403,
|
||||||
|
message: '暂无权限',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
const userService = Container.get(UserService);
|
const userService = Container.get(UserService);
|
||||||
const data = await userService.getLoginLog();
|
const data = await userService.getLoginLog();
|
||||||
res.send({ code: 200, data });
|
res.send({ code: 200, data });
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user