diff --git a/domain_admin/api/address_api.py b/domain_admin/api/address_api.py index 83dedf2171..313631304b 100644 --- a/domain_admin/api/address_api.py +++ b/domain_admin/api/address_api.py @@ -11,7 +11,7 @@ from domain_admin.model.address_model import AddressModel from domain_admin.model.domain_model import DomainModel from domain_admin.service import domain_service, auth_service -from domain_admin.utils.flask_ext.app_exception import AppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException, ForbiddenAppException @auth_service.permission(role=RoleEnum.USER) @@ -28,6 +28,15 @@ def get_address_list_by_domain_id(): page = request.json.get('page', 1) size = request.json.get('size', 10) + # check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise ForbiddenAppException() + query = AddressModel.select().where( AddressModel.domain_id == domain_id, ) @@ -56,6 +65,7 @@ def get_address_list_by_domain_id(): "total": total } + @auth_service.permission(role=RoleEnum.USER) def add_address(): """ @@ -74,7 +84,14 @@ def add_address(): # ssl_auto_update = request.json.get('ssl_auto_update', True) # ssl_expire_monitor = request.json.get('ssl_expire_monitor', True) - domain_row = DomainModel.get_by_id(domain_id) + # check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise ForbiddenAppException() data = { 'domain_id': domain_id, @@ -110,11 +127,19 @@ def delete_address_by_id(): # update to cert address_row = AddressModel.get_by_id(address_id) + # check + domain_row = DomainModel.select().where( + DomainModel.id == address_row.domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise ForbiddenAppException() + AddressModel.delete().where( AddressModel.id == address_id ).execute() - domain_row = DomainModel.get_by_id(address_row.domain_id) domain_service.sync_address_info_to_domain_info(domain_row) @@ -131,7 +156,9 @@ def delete_address_by_ids(): address_ids = request.json['address_ids'] # update to cert - address_rows = AddressModel.select(AddressModel.domain_id).where( + address_rows = AddressModel.select( + AddressModel.domain_id + ).where( AddressModel.id.in_(address_ids) ) @@ -142,7 +169,8 @@ def delete_address_by_ids(): domain_ids = [row.domain_id for row in address_rows] domain_rows = DomainModel.select().where( - DomainModel.id.in_(domain_ids) + DomainModel.id.in_(domain_ids), + DomainModel.user_id == current_user_id ) for domain_row in domain_rows: diff --git a/domain_admin/api/certificate_api.py b/domain_admin/api/certificate_api.py index 31d7b4547f..0d0cbb2494 100644 --- a/domain_admin/api/certificate_api.py +++ b/domain_admin/api/certificate_api.py @@ -9,7 +9,7 @@ from domain_admin.enums.role_enum import RoleEnum from domain_admin.model.certificate_model import CertificateModel from domain_admin.service import certificate_service, auth_service -from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException, ForbiddenAppException @auth_service.permission(role=RoleEnum.USER) @@ -28,6 +28,9 @@ def get_certificate_list(): order_prop = request.json.get('order_prop') or 'create_time' order_type = request.json.get('order_type') or 'desc' + if order_prop not in ['create_time']: + raise AppException('params error: order_prop') + if order_type not in ['desc', 'asc']: raise AppException('params error: order_type') @@ -116,7 +119,7 @@ def update_certificate_by_id(): ).first() if not certificate_row: - raise AppException('数据不存在') + raise DataNotFoundAppException() data = { 'domain': domain, @@ -151,7 +154,7 @@ def delete_certificate_by_id(): ).first() if not certificate_row: - raise AppException('数据不存在') + raise DataNotFoundAppException() # delete CertificateModel.delete().where( diff --git a/domain_admin/api/dns_api.py b/domain_admin/api/dns_api.py index 917953c155..e6ae0206ef 100644 --- a/domain_admin/api/dns_api.py +++ b/domain_admin/api/dns_api.py @@ -9,7 +9,7 @@ from domain_admin.enums.role_enum import RoleEnum from domain_admin.model.dns_model import DnsModel from domain_admin.service import auth_service -from domain_admin.utils.flask_ext.app_exception import AppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -50,13 +50,14 @@ def update_dns_by_id(): access_key = request.json['access_key'] secret_key = request.json['secret_key'] + # data check dns_row = DnsModel.select().where( DnsModel.id == dns_id, DnsModel.user_id == current_user_id ).first() if not dns_row: - raise AppException('数据不存在') + raise DataNotFoundAppException() DnsModel.update( dns_type_id=dns_type_id, @@ -83,7 +84,7 @@ def get_dns_by_id(): ).first() if not dns_row: - raise AppException('数据不存在') + raise DataNotFoundAppException() return dns_row @@ -103,7 +104,7 @@ def delete_dns_by_id(): ).first() if not dns_row: - raise AppException('数据不存在') + raise DataNotFoundAppException() return DnsModel.delete_by_id(dns_row.id) diff --git a/domain_admin/api/domain_api.py b/domain_admin/api/domain_api.py index 1aab33251b..8d028b69f5 100644 --- a/domain_admin/api/domain_api.py +++ b/domain_admin/api/domain_api.py @@ -22,7 +22,7 @@ from domain_admin.service import file_service from domain_admin.utils import datetime_util, domain_util from domain_admin.utils.cert_util import cert_consts -from domain_admin.utils.flask_ext.app_exception import AppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -111,7 +111,14 @@ def update_domain_by_id(): data['update_time'] = datetime_util.get_datetime() data['group_id'] = data.get('group_id') or 0 - before_domain_row = DomainModel.get_by_id(domain_id) + # data check + before_domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not before_domain_row: + raise DataNotFoundAppException() DomainModel.update(data).where( DomainModel.id == domain_id @@ -139,6 +146,15 @@ def update_domain_expire_monitor_by_id(): domain_id = request.json.get('domain_id') + # data check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise DataNotFoundAppException() + data = { "is_monitor": request.json.get('is_monitor', True) } @@ -146,7 +162,7 @@ def update_domain_expire_monitor_by_id(): DomainModel.update( data ).where( - DomainModel.id == domain_id + DomainModel.id == domain_row.id ).execute() @@ -175,8 +191,17 @@ def update_domain_field_by_id(): field: value, } + # data check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise DataNotFoundAppException() + DomainModel.update(data).where( - DomainModel.id == domain_id + DomainModel.id == domain_row.id ).execute() @@ -193,12 +218,16 @@ def update_domain_field_by_ids(): field = request.json.get('field') value = request.json.get('value') + if field not in ['auto_update']: + raise AppException("not allow field") + data = { field: value, } DomainModel.update(data).where( - DomainModel.id.in_(domain_ids) + DomainModel.id.in_(domain_ids), + DomainModel.user_id == current_user_id ).execute() @@ -219,10 +248,16 @@ def delete_domain_by_id(): # domain_service.check_permission_and_get_row(domain_id, current_user_id) - DomainModel.delete().where( + # data check + domain_row = DomainModel.select().where( DomainModel.id == domain_id, - DomainModel.user_id == current_user_id, - ).execute() + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise DataNotFoundAppException() + + DomainModel.delete_by_id(domain_row.id) # 同时移除主机信息 AddressModel.delete().where( @@ -268,9 +303,19 @@ def get_domain_by_id(): domain_id = request.json.get('domain_id') or request.json['id'] # row = domain_service.check_permission_and_get_row(domain_id, current_user_id) - row = DomainModel.get_by_id(domain_id) + # row = DomainModel.get_by_id(domain_id) + + # data check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise DataNotFoundAppException() + row = model_to_dict( - model=row, + model=domain_row, extra_attrs=[ 'real_time_expire_days', 'domain_url', @@ -316,6 +361,7 @@ def update_all_domain_cert_info(): domain_service.update_all_domain_cert_info() +@auth_service.permission(role=RoleEnum.USER) def update_all_domain_cert_info_of_user(): """ 更新当前用户的所有域名信息 @@ -340,9 +386,18 @@ def update_domain_row_info_by_id(): domain_id = request.json.get('domain_id') or request.json['id'] # row = domain_service.check_permission_and_get_row(domain_id, current_user_id) - row = DomainModel.get_by_id(domain_id) + # row = DomainModel.get_by_id(domain_id) + + # data check + domain_row = DomainModel.select().where( + DomainModel.id == domain_id, + DomainModel.user_id == current_user_id + ).first() + + if not domain_row: + raise DataNotFoundAppException() - domain_service.update_domain_row(row) + domain_service.update_domain_row(domain_row=domain_row) @auth_service.permission(role=RoleEnum.USER) @@ -465,7 +520,8 @@ def domain_relation_group(): DomainModel.update( group_id=group_id ).where( - DomainModel.id.in_(domain_ids) + DomainModel.id.in_(domain_ids), + DomainModel.user_id == current_user_id ).execute() diff --git a/domain_admin/api/domain_info_api.py b/domain_admin/api/domain_info_api.py index 626ee6ac68..dc6644f499 100644 --- a/domain_admin/api/domain_info_api.py +++ b/domain_admin/api/domain_info_api.py @@ -21,9 +21,10 @@ from domain_admin.service import domain_info_service, async_task_service, file_service, group_service, \ operation_service, group_user_service, domain_service, common_service, domain_icp_service, tag_service, auth_service from domain_admin.utils import domain_util, time_util, icp_util -from domain_admin.utils.flask_ext.app_exception import AppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException from domain_admin.utils.open_api import crtsh_api + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=DomainInfoModel, @@ -81,6 +82,7 @@ def add_domain_info(): return {'domain_info_id': row.id} + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=DomainInfoModel, @@ -109,7 +111,15 @@ def update_domain_info_by_id(): icp_licence = request.json.get('icp_licence', '') user_id = request.json.get('user_id') - domain_info_row = DomainInfoModel.get_by_id(domain_info_id) + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() + # is_auto_update = request.json.get('is_auto_update', True) # is_expire_monitor = request.json.get('is_expire_monitor', True) @@ -161,6 +171,7 @@ def update_domain_info_by_id(): tag_service.add_tags(tags) + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=DomainInfoModel, @@ -186,10 +197,20 @@ def update_domain_info_field_by_id(): field: value, } + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() + DomainInfoModel.update(data).where( - DomainInfoModel.id == domain_info_id + DomainInfoModel.id == domain_info_row.id ).execute() + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=DomainInfoModel, @@ -205,7 +226,17 @@ def delete_domain_info_by_id(): domain_info_id = request.json['domain_info_id'] - DomainInfoModel.delete_by_id(domain_info_id) + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() + + DomainInfoModel.delete_by_id(domain_info_row.id) + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( @@ -226,6 +257,7 @@ def delete_domain_info_by_ids(): DomainInfoModel.user_id == current_user_id ).execute() + @auth_service.permission(role=RoleEnum.USER) def get_domain_info_by_id(): """ @@ -236,10 +268,17 @@ def get_domain_info_by_id(): domain_info_id = request.json['domain_info_id'] - domain_row = DomainInfoModel.get_by_id(domain_info_id) + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() domain_row = model_to_dict( - model=domain_row, + model=domain_info_row, extra_attrs=[ 'real_domain_expire_days', 'update_time_label', @@ -271,17 +310,28 @@ def get_domain_info_by_id(): return domain_row + @auth_service.permission(role=RoleEnum.USER) def update_domain_info_row_by_id(): """ 更新当前行的域名信息 :return: """ + current_user_id = g.user_id + domain_info_id = request.json['domain_info_id'] - row = DomainInfoModel.get_by_id(domain_info_id) + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() + + domain_info_service.update_domain_info_row(row=domain_info_row) - domain_info_service.update_domain_info_row(row) @auth_service.permission(role=RoleEnum.USER) def update_all_domain_info_of_user(): @@ -294,6 +344,7 @@ def update_all_domain_info_of_user(): domain_info_service.update_all_domain_info_of_user(user_id=current_user_id) # async_task_service.submit_task(fn=domain_info_service.update_all_domain_info_of_user, user_id=current_user_id) + @auth_service.permission(role=RoleEnum.USER) def update_all_domain_icp_of_user(): """ @@ -306,6 +357,7 @@ def update_all_domain_icp_of_user(): # async_task_service.submit_task(fn=domain_info_service.update_all_domain_icp_of_user, user_id=current_user_id) + @auth_service.permission(role=RoleEnum.USER) def update_domain_row_icp(): """ @@ -316,9 +368,17 @@ def update_domain_row_icp(): domain_info_id = request.json['domain_info_id'] - row = DomainInfoModel.get_by_id(domain_info_id) + # check data + domain_info_row = DomainInfoModel.select().where( + DomainInfoModel.id == domain_info_id, + DomainInfoModel.user_id == current_user_id + ).first() + + if not domain_info_row: + raise DataNotFoundAppException() + + domain_info_service.update_domain_row_icp(row=domain_info_row) - domain_info_service.update_domain_row_icp(row) @auth_service.permission(role=RoleEnum.USER) def import_domain_info_from_file(): @@ -340,6 +400,7 @@ def import_domain_info_from_file(): domain_info_service.handle_auto_import_domain_info(current_user_id) # async_task_service.submit_task(fn=domain_info_service.update_all_domain_info_of_user, user_id=current_user_id) + @auth_service.permission(role=RoleEnum.USER) def export_domain_info_file(): """ @@ -395,6 +456,7 @@ def export_domain_info_file(): 'url': file_service.resolve_temp_url(filename) } + @auth_service.permission(role=RoleEnum.USER) def get_domain_info_list(): """ @@ -497,6 +559,7 @@ def get_domain_info_list(): 'total': total, } + @auth_service.permission(role=RoleEnum.USER) def get_domain_info_group_filter(): """ @@ -546,6 +609,7 @@ def get_domain_info_group_filter(): 'total': len(lst), } + @auth_service.permission(role=RoleEnum.USER) def get_icp(): """ @@ -566,6 +630,7 @@ def get_icp(): return res + @auth_service.permission(role=RoleEnum.USER) def get_sub_domain_cert(): """ @@ -581,6 +646,7 @@ def get_sub_domain_cert(): 'total': len(lst) } + @auth_service.permission(role=RoleEnum.USER) def auto_import_subdomain_by_ids(): """ @@ -593,7 +659,8 @@ def auto_import_subdomain_by_ids(): domain_ids = request.json['domain_ids'] rows = DomainInfoModel.select().where( - DomainInfoModel.id.in_(domain_ids) + DomainInfoModel.id.in_(domain_ids), + DomainInfoModel.user_id == current_user_id ) # 异步提交 diff --git a/domain_admin/api/group_api.py b/domain_admin/api/group_api.py index aea6e80063..d6187e1156 100644 --- a/domain_admin/api/group_api.py +++ b/domain_admin/api/group_api.py @@ -13,6 +13,7 @@ from domain_admin.model.group_model import GroupModel from domain_admin.model.group_user_model import GroupUserModel from domain_admin.service import group_service, operation_service, group_user_service, auth_service +from domain_admin.utils.flask_ext.app_exception import ForbiddenAppException, DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -38,6 +39,7 @@ def add_group(): return {'id': row.id} + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupModel, @@ -55,7 +57,15 @@ def update_group_by_id(): group_id = request.json['id'] name = request.json.get('name') - group_service.check_group_permission(group_id, current_user_id) + # group_service.check_group_permission(group_id, current_user_id) + # check data + group_row = GroupModel.select().where( + GroupModel.id == group_id, + GroupModel.user_id == current_user_id + ).first() + + if not group_row: + raise DataNotFoundAppException() GroupModel.update( name=name, @@ -63,6 +73,7 @@ def update_group_by_id(): GroupModel.id == group_id ).execute() + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupModel, @@ -78,10 +89,16 @@ def delete_group_by_id(): group_id = request.json['id'] - GroupModel.delete().where( + # check data + group_row = GroupModel.select().where( GroupModel.id == group_id, GroupModel.user_id == current_user_id - ).execute() + ).first() + + if not group_row: + raise DataNotFoundAppException() + + GroupModel.delete_by_id(group_row.id) # 重置已分类的证书 和 域名 DomainModel.update( @@ -100,6 +117,7 @@ def delete_group_by_id(): GroupUserModel.group_id == group_id ).execute() + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupModel, @@ -137,6 +155,7 @@ def delete_group_by_ids(): GroupUserModel.group_id.in_(group_ids) ).execute() + @auth_service.permission(role=RoleEnum.USER) def get_group_list(): """ @@ -252,6 +271,7 @@ def get_group_list(): 'total': total, } + @auth_service.permission(role=RoleEnum.USER) def get_group_by_id(): """ @@ -262,6 +282,14 @@ def get_group_by_id(): group_id = request.json['id'] - group_service.check_group_permission(group_id, current_user_id) + # group_service.check_group_permission(group_id, current_user_id) + # check data + group_row = GroupModel.select().where( + GroupModel.id == group_id, + GroupModel.user_id == current_user_id + ).first() + + if not group_row: + raise DataNotFoundAppException() - return GroupModel.get_by_id(group_id) + return group_row diff --git a/domain_admin/api/group_user_api.py b/domain_admin/api/group_user_api.py index cd372d16f0..c0ffbd522e 100644 --- a/domain_admin/api/group_user_api.py +++ b/domain_admin/api/group_user_api.py @@ -11,6 +11,7 @@ from domain_admin.model.group_model import GroupModel from domain_admin.model.group_user_model import GroupUserModel from domain_admin.service import group_service, operation_service, common_service, auth_service +from domain_admin.utils.flask_ext.app_exception import DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -42,6 +43,7 @@ def add_group_user(): return {'id': row.id} + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupUserModel, @@ -69,6 +71,7 @@ def update_group_user_by_id(): GroupUserModel.id == group_user_id ).execute() + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupUserModel, @@ -92,6 +95,7 @@ def delete_group_user_by_id(): GroupUserModel.id == group_user_id, ).execute() + @auth_service.permission(role=RoleEnum.USER) @operation_service.operation_log_decorator( model=GroupUserModel, @@ -118,6 +122,7 @@ def delete_group_user_by_ids(): GroupUserModel.id.in_(group_user_ids), ).execute() + @auth_service.permission(role=RoleEnum.USER) def get_group_user_list(): """ @@ -165,6 +170,7 @@ def get_group_user_list(): 'total': len(lst), } + @auth_service.permission(role=RoleEnum.USER) def get_group_user_by_id(): """ diff --git a/domain_admin/api/ip_api.py b/domain_admin/api/ip_api.py index f873a7ba8b..06c6b34eee 100644 --- a/domain_admin/api/ip_api.py +++ b/domain_admin/api/ip_api.py @@ -11,6 +11,7 @@ from domain_admin.service import auth_service from domain_admin.utils import ip_util, dns_util + @auth_service.permission(role=RoleEnum.USER) def get_ip_info(): """ @@ -20,6 +21,7 @@ def get_ip_info(): ip = request.json['ip'] return ip_util.get_ip_info(ip) + @auth_service.permission(role=RoleEnum.USER) def query_domain_cname(): """ diff --git a/domain_admin/api/issue_certificate_api.py b/domain_admin/api/issue_certificate_api.py index 996a81eab8..7ff080bb2c 100644 --- a/domain_admin/api/issue_certificate_api.py +++ b/domain_admin/api/issue_certificate_api.py @@ -24,6 +24,7 @@ from domain_admin.utils.open_api import aliyun_domain_api from domain_admin.utils.open_api.aliyun_domain_api import RecordTypeEnum + @auth_service.permission(role=RoleEnum.USER) def issue_certificate(): """ @@ -47,6 +48,7 @@ def issue_certificate(): return issue_certificate_row.to_dict() + @auth_service.permission(role=RoleEnum.USER) def verify_certificate(): """ @@ -58,13 +60,19 @@ def verify_certificate(): issue_certificate_id = request.json['issue_certificate_id'] challenge_type = request.json['challenge_type'] + # 验证成功后,自动添加到证书监控列表 + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + issue_certificate_service.verify_certificate(issue_certificate_id, challenge_type) issue_certificate_service.renew_certificate(issue_certificate_id) - # 验证成功后,自动添加到证书监控列表 - issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) - # fix: 过滤通配符的域名 lst = [ { @@ -82,10 +90,22 @@ def verify_certificate(): for batch in chunked(lst, 10): DomainModel.insert_many(batch).on_conflict_ignore().execute() + @auth_service.permission(role=RoleEnum.USER) def get_certificate_challenges(): + current_user_id = g.user_id + issue_certificate_id = request.json['issue_certificate_id'] + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + lst = issue_certificate_service.get_certificate_challenges(issue_certificate_id) return { @@ -93,6 +113,7 @@ def get_certificate_challenges(): 'list': lst } + @auth_service.permission(role=RoleEnum.USER) def get_domain_host(): domain = request.json['domain'] @@ -103,6 +124,7 @@ def get_domain_host(): 'host': host } + @auth_service.permission(role=RoleEnum.USER) def deploy_verify_file(): """ @@ -119,6 +141,15 @@ def deploy_verify_file(): if not verify_deploy_path.endswith("/"): raise AppException("verify_deploy_path must endswith '/'") + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + # deploy issue_certificate_service.deploy_verify_file( host_id=host_id, @@ -135,6 +166,7 @@ def deploy_verify_file(): IssueCertificateModel.id == issue_certificate_id ).execute() + @auth_service.permission(role=RoleEnum.USER) def deploy_certificate_file(): """ @@ -150,17 +182,34 @@ def deploy_certificate_file(): pem_deploy_path = request.json['pem_deploy_path'] reload_cmd = request.json['reloadcmd'] - host_row = HostModel.get_by_id(host_id) + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + + # host_row = HostModel.get_by_id(host_id) + # data check + host_row = HostModel.select().where( + HostModel.id == host_id, + HostModel.user_id == current_user_id, + ).first() + + if not host_row: + raise DataNotFoundAppException() host = host_row.host user = host_row.user password = host_row.password - issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) + # issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) if not issue_certificate_row.ssl_certificate: issue_certificate_service.renew_certificate(issue_certificate_id) - issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) + # issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) # deploy key @@ -197,6 +246,7 @@ def deploy_certificate_file(): issue_certificate_id=issue_certificate_id ) + @auth_service.permission(role=RoleEnum.USER) def renew_certificate(): """ @@ -207,6 +257,15 @@ def renew_certificate(): issue_certificate_id = request.json['issue_certificate_id'] + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + issue_certificate_service.renew_certificate(issue_certificate_id) issue_certificate_row = IssueCertificateModel.get_by_id(issue_certificate_id) @@ -216,6 +275,7 @@ def renew_certificate(): return issue_certificate_row.to_dict() + @auth_service.permission(role=RoleEnum.USER) def get_issue_certificate_list(): """ @@ -264,6 +324,7 @@ def get_issue_certificate_list(): 'total': total, } + @auth_service.permission(role=RoleEnum.USER) def get_issue_certificate_by_id(): """ @@ -302,6 +363,7 @@ def get_issue_certificate_by_id(): return data + @auth_service.permission(role=RoleEnum.USER) def delete_issue_certificate_by_id(): """ @@ -323,6 +385,7 @@ def delete_issue_certificate_by_id(): IssueCertificateModel.delete_by_id(issue_certificate_row.id) + @auth_service.permission(role=RoleEnum.USER) def delete_certificate_by_batch(): """ @@ -339,6 +402,7 @@ def delete_certificate_by_batch(): IssueCertificateModel.user_id == current_user_id ).execute() + @auth_service.permission(role=RoleEnum.USER) def renew_issue_certificate_by_id(): """ @@ -360,6 +424,7 @@ def renew_issue_certificate_by_id(): issue_certificate_service.renew_certificate_row(issue_certificate_row) + @auth_service.permission(role=RoleEnum.USER) def get_allow_commands(): """ @@ -368,16 +433,28 @@ def get_allow_commands(): """ return fabric_util.allow_commands + @auth_service.permission(role=RoleEnum.USER) def notify_web_hook(): """ 用户调用webhook :return: """ + current_user_id = g.user_id + issue_certificate_id = request.json['issue_certificate_id'] url = request.json['url'] headers = request.json.get('headers') + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + ret = issue_certificate_service.deploy_ssl_by_web_hook( issue_certificate_id=issue_certificate_id, url=url, @@ -401,15 +478,27 @@ def notify_web_hook(): return ret + @auth_service.permission(role=RoleEnum.USER) def deploy_cert_to_oss(): """ 部署证书到阿里云oss :return: """ + current_user_id = g.user_id + issue_certificate_id = request.json['issue_certificate_id'] dns_id = request.json['dns_id'] + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + ret = issue_certificate_service.deploy_cert_to_oss( issue_certificate_id=issue_certificate_id, dns_id=dns_id, @@ -431,15 +520,27 @@ def deploy_cert_to_oss(): return ret + @auth_service.permission(role=RoleEnum.USER) def deploy_cert_to_cdn(): """ 部署证书到阿里云cdn :return: """ + current_user_id = g.user_id + issue_certificate_id = request.json['issue_certificate_id'] dns_id = request.json['dns_id'] + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + ret = issue_certificate_service.deploy_cert_to_cdn( issue_certificate_id=issue_certificate_id, dns_id=dns_id, @@ -461,15 +562,27 @@ def deploy_cert_to_cdn(): return ret + @auth_service.permission(role=RoleEnum.USER) def deploy_cert_to_dcdn(): """ 部署证书到阿里云dcdn :return: """ + current_user_id = g.user_id + issue_certificate_id = request.json['issue_certificate_id'] dns_id = request.json['dns_id'] + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() + ret = issue_certificate_service.deploy_cert_to_dcdn( issue_certificate_id=issue_certificate_id, dns_id=dns_id, @@ -491,15 +604,26 @@ def deploy_cert_to_dcdn(): return ret + @auth_service.permission(role=RoleEnum.USER) def add_dns_domain_record(): """ 添加dns记录 :return: """ + current_user_id = g.user_id + dns_id = request.json['dns_id'] issue_certificate_id = request.json['issue_certificate_id'] - print(dns_id, ' ', issue_certificate_id) + + # data check + issue_certificate_row = IssueCertificateModel.select().where( + IssueCertificateModel.id == issue_certificate_id, + IssueCertificateModel.user_id == current_user_id, + ).first() + + if not issue_certificate_row: + raise DataNotFoundAppException() # 添加txt记录 issue_certificate_service.add_dns_domain_record( @@ -516,6 +640,7 @@ def add_dns_domain_record(): IssueCertificateModel.id == issue_certificate_id ).execute() + @auth_service.permission(role=RoleEnum.USER) def update_row_auto_renew(): """ @@ -546,6 +671,7 @@ def update_row_auto_renew(): else: raise AppException("不支持自动续期") + @auth_service.permission(role=RoleEnum.USER) def get_issue_certificate_options(): """ diff --git a/domain_admin/api/log_async_task_api.py b/domain_admin/api/log_async_task_api.py index 5032ebfaf5..92b7711b61 100644 --- a/domain_admin/api/log_async_task_api.py +++ b/domain_admin/api/log_async_task_api.py @@ -12,7 +12,7 @@ from domain_admin.service import common_service, auth_service -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def get_async_task_log_list(): """ 获取操作日志列表 @@ -49,7 +49,7 @@ def get_async_task_log_list(): } -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def clear_async_task_log_list(): """ 清空日志 diff --git a/domain_admin/api/log_monitor_api.py b/domain_admin/api/log_monitor_api.py index 00cc2af108..b7ca0c8ba8 100644 --- a/domain_admin/api/log_monitor_api.py +++ b/domain_admin/api/log_monitor_api.py @@ -12,7 +12,7 @@ from domain_admin.service import auth_service -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def get_log_monitor_list(): """ :return: @@ -51,7 +51,8 @@ def get_log_monitor_list(): 'total': total } -@auth_service.permission(role=RoleEnum.USER) + +@auth_service.permission(role=RoleEnum.ADMIN) def clear_log_monitor(): """ :return: @@ -62,7 +63,8 @@ def clear_log_monitor(): LogMonitorModel.monitor_id == monitor_id ).execute() -@auth_service.permission(role=RoleEnum.USER) + +@auth_service.permission(role=RoleEnum.ADMIN) def clear_all_log_monitor(): """ :return: diff --git a/domain_admin/api/log_operation_api.py b/domain_admin/api/log_operation_api.py index 6c686406bd..b5497aa33f 100644 --- a/domain_admin/api/log_operation_api.py +++ b/domain_admin/api/log_operation_api.py @@ -11,7 +11,7 @@ from domain_admin.service import common_service, auth_service -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def get_operation_log_list(): """ 获取操作日志列表 @@ -46,7 +46,7 @@ def get_operation_log_list(): } -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def clear_log_operation_list(): """ 清空日志 diff --git a/domain_admin/api/log_scheduler_api.py b/domain_admin/api/log_scheduler_api.py index 68a4f9b3e4..cc4cefef7b 100644 --- a/domain_admin/api/log_scheduler_api.py +++ b/domain_admin/api/log_scheduler_api.py @@ -11,7 +11,7 @@ from domain_admin.service import auth_service -@auth_service.permission(role=RoleEnum.USER) +@auth_service.permission(role=RoleEnum.ADMIN) def get_log_scheduler_list(): """ 获取调度日志列表 @@ -46,7 +46,8 @@ def get_log_scheduler_list(): 'total': total } -@auth_service.permission(role=RoleEnum.USER) + +@auth_service.permission(role=RoleEnum.ADMIN) def clear_log_scheduler_list(): """ 清空日志 diff --git a/domain_admin/api/monitor_api.py b/domain_admin/api/monitor_api.py index 2e1fbd0ff5..4ce0fa5621 100644 --- a/domain_admin/api/monitor_api.py +++ b/domain_admin/api/monitor_api.py @@ -17,6 +17,7 @@ from domain_admin.model.monitor_model import MonitorModel from domain_admin.service import monitor_service, file_service, async_task_service, operation_service, auth_service from domain_admin.service.scheduler_service import scheduler_main +from domain_admin.utils.flask_ext.app_exception import DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -58,6 +59,14 @@ def update_monitor_by_id(): interval = request.json['interval'] allow_error_count = request.json.get('allow_error_count') or 0 + monitor_row = MonitorModel.select().where( + MonitorModel.id == monitor_id, + MonitorModel.user_id == current_user_id + ).first() + + if not monitor_row: + raise DataNotFoundAppException() + MonitorModel.update( title=title, content=json.dumps(content), @@ -75,6 +84,8 @@ def update_monitor_active(): """ :return: """ + current_user_id = g.user_id + monitor_id = request.json['monitor_id'] is_active = request.json['is_active'] @@ -83,11 +94,20 @@ def update_monitor_active(): else: next_run_time = None + # data check + monitor_row = MonitorModel.select().where( + MonitorModel.id == monitor_id, + MonitorModel.user_id == current_user_id + ).first() + + if not monitor_row: + raise DataNotFoundAppException() + MonitorModel.update( is_active=is_active, next_run_time=next_run_time ).where( - MonitorModel.id == monitor_id + MonitorModel.id == monitor_row.id ).execute() if is_active: @@ -100,9 +120,20 @@ def remove_monitor_by_id(): :return: """ + current_user_id = g.user_id + monitor_id = request.json['monitor_id'] - MonitorModel.delete_by_id(monitor_id) + # data check + monitor_row = MonitorModel.select().where( + MonitorModel.id == monitor_id, + MonitorModel.user_id == current_user_id + ).first() + + if not monitor_row: + raise DataNotFoundAppException() + + MonitorModel.delete_by_id(monitor_row.id) @auth_service.permission(role=RoleEnum.USER) @@ -133,9 +164,18 @@ def get_monitor_by_id(): :return: """ + current_user_id = g.user_id + monitor_id = request.json['monitor_id'] - monitor_row = MonitorModel.get_by_id(monitor_id) + # data check + monitor_row = MonitorModel.select().where( + MonitorModel.id == monitor_id, + MonitorModel.user_id == current_user_id + ).first() + + if not monitor_row: + raise DataNotFoundAppException() return monitor_row.to_dict() @@ -245,16 +285,4 @@ def import_monitor_from_file(): monitor_service.import_monitor_from_file(filename, current_user_id) # 异步查询 - run_init_monitor_task_async(user_id=current_user_id) - - -@auth_service.permission(role=RoleEnum.USER) -@async_task_service.async_task_decorator("更新监控信息") -def run_init_monitor_task_async(user_id): - rows = MonitorModel.select().where( - MonitorModel.user_id == user_id, - MonitorModel.version == 0 - ) - - for row in rows: - scheduler_main.run_one_monitor_task(row) + monitor_service.run_init_monitor_task_async(user_id=current_user_id) diff --git a/domain_admin/api/notify_api.py b/domain_admin/api/notify_api.py index 55e34f6b8f..9af35bbbdd 100644 --- a/domain_admin/api/notify_api.py +++ b/domain_admin/api/notify_api.py @@ -21,6 +21,7 @@ from domain_admin.model.notify_model import NotifyModel from domain_admin.service import notify_service, operation_service, auth_service from domain_admin.utils import datetime_util +from domain_admin.utils.flask_ext.app_exception import DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -168,7 +169,16 @@ def delete_notify_by_id(): notify_id = request.json['notify_id'] - NotifyModel.delete_by_id(notify_id) + # data check + notify_row = NotifyModel.select().where( + NotifyModel.id == notify_id, + NotifyModel.user_id == current_user_id, + ).first() + + if not notify_row: + raise DataNotFoundAppException() + + NotifyModel.delete_by_id(notify_row.id) @auth_service.permission(role=RoleEnum.USER) @@ -181,10 +191,17 @@ def get_notify_by_id(): notify_id = request.json['notify_id'] - row = NotifyModel.get_by_id(notify_id) + # data check + notify_row = NotifyModel.select().where( + NotifyModel.id == notify_id, + NotifyModel.user_id == current_user_id, + ).first() + + if not notify_row: + raise DataNotFoundAppException() data = model_to_dict( - model=row, + model=notify_row, exclude=[NotifyModel.value_raw], extra_attrs=[ 'value', @@ -219,6 +236,15 @@ def update_notify_by_id(): value_raw = json.dumps(value, ensure_ascii=False) groups_raw = json.dumps(groups, ensure_ascii=False) + # data check + notify_row = NotifyModel.select().where( + NotifyModel.id == notify_id, + NotifyModel.user_id == current_user_id, + ).first() + + if not notify_row: + raise DataNotFoundAppException() + NotifyModel.update( event_id=event_id, value_raw=value_raw, @@ -226,7 +252,7 @@ def update_notify_by_id(): expire_days=expire_days, comment=comment, ).where( - NotifyModel.id == notify_id + NotifyModel.id == notify_row.id ).execute() @@ -247,10 +273,19 @@ def update_notify_status_by_id(): status = request.json['status'] + # data check + notify_row = NotifyModel.select().where( + NotifyModel.id == notify_id, + NotifyModel.user_id == current_user_id, + ).first() + + if not notify_row: + raise DataNotFoundAppException() + NotifyModel.update( status=status, ).where( - NotifyModel.id == notify_id + NotifyModel.id == notify_row.id ).execute() @@ -262,7 +297,15 @@ def handle_test_notify_by_id(): """ current_user_id = g.user_id notify_id = request.json['notify_id'] - notify_row = NotifyModel.get_by_id(notify_id) + + # data check + notify_row = NotifyModel.select().where( + NotifyModel.id == notify_id, + NotifyModel.user_id == current_user_id, + ).first() + + if not notify_row: + raise DataNotFoundAppException() # days = random.randint(1, 365) # start_date = datetime.now() diff --git a/domain_admin/api/tag_api.py b/domain_admin/api/tag_api.py index ada92056b4..5149891c4e 100644 --- a/domain_admin/api/tag_api.py +++ b/domain_admin/api/tag_api.py @@ -3,11 +3,12 @@ @File : tag_api.py @Date : 2023-11-05 """ -from flask import request +from flask import request, g from domain_admin.enums.role_enum import RoleEnum from domain_admin.model.tag_model import TagModel from domain_admin.service import auth_service +from domain_admin.utils.flask_ext.app_exception import DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) @@ -16,9 +17,20 @@ def get_tag_by_id(): 添加标签 :return: """ + current_user_id = g.user_id + tag_id = request.json['tag_id'] - return TagModel.get_by_id(tag_id) + # data check + tag_row = TagModel.select().where( + TagModel.id == tag_id, + TagModel.user_id == current_user_id, + ).first() + + if not tag_row: + raise DataNotFoundAppException() + + return tag_row @auth_service.permission(role=RoleEnum.USER) @@ -27,9 +39,14 @@ def add_tag(): 添加标签 :return: """ + current_user_id = g.user_id + name = request.json['name'] - TagModel.create(name=name) + TagModel.create( + name=name, + user_id=current_user_id + ) @auth_service.permission(role=RoleEnum.USER) @@ -38,13 +55,24 @@ def update_tag_by_id(): 添加标签 :return: """ + current_user_id = g.user_id + tag_id = request.json['tag_id'] name = request.json['name'] + # data check + tag_row = TagModel.select().where( + TagModel.id == tag_id, + TagModel.user_id == current_user_id, + ).first() + + if not tag_row: + raise DataNotFoundAppException() + TagModel.update( name=name ).where( - TagModel.id == tag_id + TagModel.id == tag_row.id ).execute() @@ -54,7 +82,11 @@ def get_all_tag_list(): 获取所有标签,用于筛选器 :return: """ - query = TagModel.select() + current_user_id = g.user_id + + query = TagModel.select().where( + TagModel.user_id == current_user_id + ) lst = list(query) @@ -70,9 +102,13 @@ def get_tag_list(): 获取所有标签,用于列表显示 :return: """ + current_user_id = g.user_id + keyword = request.json.get('keyword') - query = TagModel.select() + query = TagModel.select().where( + TagModel.user_id == current_user_id + ) if keyword: query = query.where(TagModel.name.contains(keyword)) @@ -93,6 +129,17 @@ def delete_tag_by_id(): 删除标签 :return: """ + current_user_id = g.user_id + tag_id = request.json.get('tag_id') - TagModel.delete_by_id(tag_id) + # data check + tag_row = TagModel.select().where( + TagModel.id == tag_id, + TagModel.user_id == current_user_id, + ).first() + + if not tag_row: + raise DataNotFoundAppException() + + TagModel.delete_by_id(tag_row.id) diff --git a/domain_admin/api/user_api.py b/domain_admin/api/user_api.py index df20608b45..5698af20f8 100644 --- a/domain_admin/api/user_api.py +++ b/domain_admin/api/user_api.py @@ -16,7 +16,7 @@ from domain_admin.model.user_model import UserModel from domain_admin.service import auth_service from domain_admin.utils import datetime_util, bcrypt_util, secret_util -from domain_admin.utils.flask_ext.app_exception import AppException +from domain_admin.utils.flask_ext.app_exception import AppException, DataNotFoundAppException @auth_service.permission(role=RoleEnum.USER) diff --git a/domain_admin/api/whois_api.py b/domain_admin/api/whois_api.py index 611134fee6..428554b406 100644 --- a/domain_admin/api/whois_api.py +++ b/domain_admin/api/whois_api.py @@ -10,6 +10,7 @@ from domain_admin.service import auth_service from domain_admin.utils import whois_util + @auth_service.permission(role=RoleEnum.USER) def get_whois_raw(): """ diff --git a/domain_admin/model/tag_model.py b/domain_admin/model/tag_model.py index 450c7d142c..beb6123d96 100644 --- a/domain_admin/model/tag_model.py +++ b/domain_admin/model/tag_model.py @@ -6,7 +6,7 @@ from datetime import datetime -from peewee import DateTimeField, AutoField, TextField, CharField +from peewee import DateTimeField, AutoField, TextField, CharField, IntegerField from domain_admin.model.base_model import BaseModel @@ -19,6 +19,10 @@ class TagModel(BaseModel): # 标签名 name = CharField(default='', null=False, unique=True) + # 用户id + # @since v1.6.47 + user_id = IntegerField(default=0) + # 创建时间 create_time = DateTimeField(default=datetime.now) diff --git a/domain_admin/service/monitor_service.py b/domain_admin/service/monitor_service.py index 3ce168109c..196291cfc6 100644 --- a/domain_admin/service/monitor_service.py +++ b/domain_admin/service/monitor_service.py @@ -292,3 +292,14 @@ def is_between_allow_error_count(monitor_row): error_count = len([row for row in rows if row.status == MonitorStatusEnum.ERROR]) return error_count <= monitor_row.allow_error_count + + +@async_task_service.async_task_decorator("更新监控信息") +def run_init_monitor_task_async(user_id): + rows = MonitorModel.select().where( + MonitorModel.user_id == user_id, + MonitorModel.version == 0 + ) + + for row in rows: + scheduler_main.run_one_monitor_task(row) diff --git a/domain_admin/utils/acme_util/acme_v2_api.py b/domain_admin/utils/acme_util/acme_v2_api.py index 28467baea2..981295c128 100644 --- a/domain_admin/utils/acme_util/acme_v2_api.py +++ b/domain_admin/utils/acme_util/acme_v2_api.py @@ -117,7 +117,12 @@ def get_account_data_filename(directory_type=DirectoryTypeEnum.LETS_ENCRYPT): # Useful methods and classes: def new_csr_comp(domains, pkey_pem=None): - """Create certificate signing request.""" + """ + Create certificate signing request. + :param domains: list + :param pkey_pem: + :return: tuple (pkey_pem, csr_pem) + """ if pkey_pem is None: # fix: type must be an integer # Create private key. @@ -355,7 +360,7 @@ def get_acme_client(directory_type=DirectoryTypeEnum.LETS_ENCRYPT, key_type=KeyT ) else: alg = jose.RS256 - account_key = jose.JWKRSA(key=private_key) + account_key = jose.JWKRSA(key=jose.ComparableRSAKey(private_key)) net = client.ClientNetwork(account_key, alg=alg, user_agent=USER_AGENT)