From d1170e7b71f9766969b909150a91af66080bac4b Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 2 Mar 2026 21:35:01 +0800
Subject: [PATCH] :lock: Perform authentication on paths such as widgets, plugins, and templates https://github.com/siyuan-note/siyuan/issues/17118#issuecomment-3984053596
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/server/serve.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/kernel/server/serve.go b/kernel/server/serve.go
index 5277d3c1a..10d174f78 100644
--- a/kernel/server/serve.go
+++ b/kernel/server/serve.go
@@ -369,6 +369,13 @@ func servePublic(ginServer *gin.Engine) {
 func serveSnippets(ginServer *gin.Engine) {
 ginServer.Handle("GET", "/snippets/*filepath", model.CheckAuth, func(c *gin.Context) {
 filePath := strings.TrimPrefix(c.Request.URL.Path, "/snippets/")
+ if !model.IsAdminRoleContext(c) {
+ if "conf.json" == filePath {
+ c.Status(http.StatusUnauthorized)
+ return
+ }
+ }
+
 ext := filepath.Ext(filePath)
 name := strings.TrimSuffix(filePath, ext)
 confSnippets, err := model.LoadSnippets()
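Review bot: The new guard compares the raw remainder of `c.Request.URL.Path` with the literal `"conf.json"`, so only that exact spelling is refused for non-admin contexts; a request path that is not in canonical form (extra separators, dot segments, different letter case) would not match, and whether such a request can still resolve to the file depends on the rest of the handler, which continues outside this hunk. Consider matching on a normalized name, e.g. `if !model.IsAdminRoleContext(c) && strings.EqualFold(filepath.Base(filePath), "conf.json") {`, which also collapses the nested `if` and drops the Yoda-style comparison (note that it would refuse `conf.json` in subdirectories as well). Because the route already runs `model.CheckAuth`, `http.StatusForbidden` may describe a non-admin caller better than 401. A one-line comment stating why `conf.json` is admin-only would help the next reader.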