diff --git a/server/resource.go b/server/resource.go index 91426fe2..abfeaa78 100644 --- a/server/resource.go +++ b/server/resource.go @@ -356,6 +356,18 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) { if err != nil { return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err) } + + resourceVisibility, err := CheckResourceVisibility(ctx, s.Store, resourceID) + if err != nil { + return echo.NewHTTPError(http.StatusBadRequest, "Failed to get resource visibility").SetInternal(err) + } + + // Protected resource require a logined user + userID, ok := c.Get(getUserIDContextKey()).(int) + if resourceVisibility == store.Protected && (!ok || userID <= 0) { + return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match").SetInternal(err) + } + publicID, err := url.QueryUnescape(c.Param("publicId")) if err != nil { return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("publicID is invalid: %s", c.Param("publicId"))).SetInternal(err) @@ -370,6 +382,11 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) { return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err) } + // Private resource require logined user is the creator + if resourceVisibility == store.Private && (!ok || userID != resource.CreatorID) { + return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match").SetInternal(err) + } + blob := resource.Blob if resource.InternalPath != "" { src, err := os.Open(resource.InternalPath) @@ -401,6 +418,18 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) { if err != nil { return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err) } + + resourceVisibility, err := CheckResourceVisibility(ctx, s.Store, resourceID) + if err != nil { + return echo.NewHTTPError(http.StatusBadRequest, "Failed to get resource visibility").SetInternal(err) + } + + // Protected resource require a logined user + userID, ok := c.Get(getUserIDContextKey()).(int) + if resourceVisibility == store.Protected && (!ok || userID <= 0) { + return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match").SetInternal(err) + } + publicID, err := url.QueryUnescape(c.Param("publicId")) if err != nil { return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("publicID is invalid: %s", c.Param("publicId"))).SetInternal(err) @@ -420,6 +449,11 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) { return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err) } + // Private resource require logined user is the creator + if resourceVisibility == store.Private && (!ok || userID != resource.CreatorID) { + return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match").SetInternal(err) + } + blob := resource.Blob if resource.InternalPath != "" { resourcePath := resource.InternalPath @@ -552,3 +586,48 @@ func getOrGenerateThumbnailImage(srcBlob []byte, dstPath string) ([]byte, error) } return dstBlob, nil } + +func CheckResourceVisibility(ctx context.Context, s *store.Store, resourceID int) (store.Visibility, error) { + memoResourceFind := &api.MemoResourceFind{ + ResourceID: &resourceID, + } + + memoResources, err := s.FindMemoResourceList(ctx, memoResourceFind) + if err != nil { + return store.Private, err + } + + // If resource is belongs to no memo, it'll always PRIVATE + if len(memoResources) == 0 { + return store.Private, nil + } + + memoIDs := make([]int, 0, len(memoResources)) + for _, memoResource := range memoResources { + memoIDs = append(memoIDs, memoResource.MemoID) + } + visibilityList, err := s.FindMemosVisibilityList(ctx, memoIDs) + if err != nil { + return store.Private, err + } + + var isProtected bool + for _, visibility := range visibilityList { + // If any memo is PUBLIC, resource do + if visibility == store.Public { + return store.Public, nil + } + + if visibility == store.Protected { + isProtected = true + } + } + + // If no memo is PUBLIC, but any memo is PROTECTED, resource do + if isProtected { + return store.Protected, nil + } + + // If all memo is PRIVATE, the resource do + return store.Private, nil +} diff --git a/store/memo.go b/store/memo.go index 19c5595b..7c261f90 100644 --- a/store/memo.go +++ b/store/memo.go @@ -227,6 +227,46 @@ func (s *Store) DeleteMemo(ctx context.Context, delete *DeleteMemoMessage) error return err } +func (s *Store) FindMemosVisibilityList(ctx context.Context, memoIDs []int) ([]Visibility, error) { + tx, err := s.db.BeginTx(ctx, nil) + if err != nil { + return nil, FormatError(err) + } + defer tx.Rollback() + + args := make([]any, 0, len(memoIDs)) + list := make([]string, 0, len(memoIDs)) + for _, memoID := range memoIDs { + args = append(args, memoID) + list = append(list, "?") + } + + where := fmt.Sprintf("id in (%s)", strings.Join(list, ",")) + + query := `SELECT DISTINCT(visibility) FROM memo WHERE ` + where + + rows, err := tx.QueryContext(ctx, query, args...) + if err != nil { + return nil, FormatError(err) + } + defer rows.Close() + + visibilityList := make([]Visibility, 0) + for rows.Next() { + var visibility Visibility + if err := rows.Scan(&visibility); err != nil { + return nil, FormatError(err) + } + visibilityList = append(visibilityList, visibility) + } + + if err := rows.Err(); err != nil { + return nil, FormatError(err) + } + + return visibilityList, nil +} + func listMemos(ctx context.Context, tx *sql.Tx, find *FindMemoMessage) ([]*MemoMessage, error) { where, args := []string{"1 = 1"}, []any{}