✨ Support read-only publish service

* 🎨 kernel supports read-only publishing services * 🐛 Fix authentication vulnerabilities * 🎨 Protect secret information * 🎨 Adjust the permission control * 🎨 Adjust the permission control * 🎨 Fixed the vulnerability that `getFile` gets file `conf.json` * 🎨 Add API `/api/setting/setPublish` * 🎨 Add API `/api/setting/getPublish` * 🐛 Fixed the issue that PWA-related files could not pass BasicAuth * 🎨 Add a settings panel for publishing features * 📝 Add guide for `Publish Service` * 📝 Update Japanese user guide * 🎨 Merge fixed static file services
2025-12-24 02:20:13 +01:00 · 2024-06-12 21:03:51 +08:00 · 2024-06-12 21:03:51 +08:00 · ba2193403d
commit ba2193403d
parent 536879cb84
47 changed files with 3690 additions and 375 deletions
--- a/kernel/api/file.go
+++ b/kernel/api/file.go
@ -166,13 +166,31 @@ func getFile(c *gin.Context) {
 		return
 	}
 	if info.IsDir() {
-		logging.LogErrorf("file [%s] is a directory", fileAbsPath)
+		logging.LogErrorf("path [%s] is a directory path", fileAbsPath)
 		ret.Code = http.StatusMethodNotAllowed
-		ret.Msg = "file is a directory"
+		ret.Msg = "This is a directory path"
 		c.JSON(http.StatusAccepted, ret)
 		return
 	}

+	// REF: https://github.com/siyuan-note/siyuan/issues/11364
+	if role := model.GetGinContextRole(c); !model.IsValidRole(role, []model.Role{
+		model.RoleAdministrator,
+	}) {
+		if relPath, err := filepath.Rel(util.ConfDir, fileAbsPath); err != nil {
+			logging.LogErrorf("Get a relative path from [%s] to [%s] failed: %s", util.ConfDir, fileAbsPath, err)
+			ret.Code = http.StatusInternalServerError
+			ret.Msg = err.Error()
+			c.JSON(http.StatusAccepted, ret)
+			return
+		} else if relPath == "conf.json" {
+			ret.Code = http.StatusForbidden
+			ret.Msg = http.StatusText(http.StatusForbidden)
+			c.JSON(http.StatusAccepted, ret)
+			return
+		}
+	}
+
 	data, err := filelock.ReadFile(fileAbsPath)
 	if nil != err {
 		logging.LogErrorf("read file [%s] failed: %s", fileAbsPath, err)