From 383519027c5a21d5d092f7db3f9a8df041265472 Mon Sep 17 00:00:00 2001 From: Daniel <845765@qq.com> Date: Mon, 2 Mar 2026 18:04:43 +0800 Subject: [PATCH] :lock: Authentication is performed on paths such as widgets, plugins, and templates https://github.com/siyuan-note/siyuan/issues/17118 Signed-off-by: Daniel <845765@qq.com> --- kernel/server/serve.go | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/kernel/server/serve.go b/kernel/server/serve.go index 7e686b6dd..05d579bc9 100644 --- a/kernel/server/serve.go +++ b/kernel/server/serve.go @@ -342,19 +342,23 @@ func serveExport(ginServer *gin.Engine) { } func serveWidgets(ginServer *gin.Engine) { - ginServer.Static("/widgets/", filepath.Join(util.DataDir, "widgets")) + widgets := ginServer.Group("/widgets/", model.CheckAuth) + widgets.Static("", filepath.Join(util.DataDir, "widgets")) } func servePlugins(ginServer *gin.Engine) { - ginServer.Static("/plugins/", filepath.Join(util.DataDir, "plugins")) + plugins := ginServer.Group("/plugins/", model.CheckAuth) + plugins.Static("", filepath.Join(util.DataDir, "plugins")) } func serveEmojis(ginServer *gin.Engine) { - ginServer.Static("/emojis/", filepath.Join(util.DataDir, "emojis")) + emojis := ginServer.Group("/emojis/", model.CheckAuth) + emojis.Static("", filepath.Join(util.DataDir, "emojis")) } func serveTemplates(ginServer *gin.Engine) { - ginServer.Static("/templates/", filepath.Join(util.DataDir, "templates")) + templates := ginServer.Group("/templates/", model.CheckAuth) + templates.Static("", filepath.Join(util.DataDir, "templates")) } func servePublic(ginServer *gin.Engine) { @@ -363,7 +367,7 @@ func servePublic(ginServer *gin.Engine) { } func serveSnippets(ginServer *gin.Engine) { - ginServer.Handle("GET", "/snippets/*filepath", func(c *gin.Context) { + ginServer.Handle("GET", "/snippets/*filepath", model.CheckAuth, func(c *gin.Context) { filePath := strings.TrimPrefix(c.Request.URL.Path, "/snippets/") ext := filepath.Ext(filePath) name := strings.TrimSuffix(filePath, ext)