wiki图片权限判断

zyplayer-doc-data/src/main/java/com/zyplayer/doc/data/config/security/DocUserUtil.java

@@ -14,10 +14,12 @@ public class DocUserUtil {
 	 */
 	public static DocUserDetails getCurrentUser() {
 		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-		Object principal = null;
 		if (authentication != null) {
-			principal = authentication.getPrincipal();
+			Object principal = authentication.getPrincipal();
+			if (principal instanceof DocUserDetails) {
+				return (DocUserDetails) principal;
+			}
 		}
-		return (DocUserDetails) principal;
+		return null;
 	}
 }

zyplayer-doc-manage/src/main/java/com/zyplayer/doc/manage/framework/config/security/WebSecurityConfig.java

@@ -50,6 +50,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 			// 开放接口的静态文件和接口
 			"/open-doc.html", "/webjars/open-doc/**", "/swagger-mg-ui/open-doc/**",
 			"/open-wiki.html", "/webjars/doc-wiki/**", "/zyplayer-doc-wiki/open-api/**",
+			// 文件访问接口，开放文档需要能使用，在接口里面做权限判断
+			"/zyplayer-doc-wiki/common/file",
 			// http代理请求接口，有白名单限制，也不怕随便请求到内网资源了
 			"/swagger-mg-ui/http/**",
 			// 静态资源

zyplayer-doc-wiki/src/main/java/com/zyplayer/doc/wiki/controller/WikiCommonController.java

@@ -7,8 +7,12 @@ import com.zyplayer.doc.core.json.DocResponseJson;
 import com.zyplayer.doc.core.json.ResponseJson;
 import com.zyplayer.doc.data.config.security.DocUserDetails;
 import com.zyplayer.doc.data.config.security.DocUserUtil;
+import com.zyplayer.doc.data.repository.manage.entity.WikiPage;
 import com.zyplayer.doc.data.repository.manage.entity.WikiPageFile;
+import com.zyplayer.doc.data.repository.manage.entity.WikiSpace;
 import com.zyplayer.doc.data.service.manage.WikiPageFileService;
+import com.zyplayer.doc.data.service.manage.WikiPageService;
+import com.zyplayer.doc.data.service.manage.WikiSpaceService;
 import com.zyplayer.doc.wiki.framework.consts.Const;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
@@ -45,6 +49,10 @@ public class WikiCommonController {
 	
 	@Resource
 	WikiPageFileService wikiPageFileService;
+	@Resource
+	WikiPageService wikiPageService;
+	@Resource
+	WikiSpaceService wikiSpaceService;
 	
 	@PostMapping("/wangEditor/upload")
 	public Map<String, Object> wangEditorUpload(WikiPageFile wikiPageFile, @RequestParam("files") MultipartFile file) {
@@ -100,6 +108,16 @@ public class WikiCommonController {
 		if (pageFile == null) {
 			return DocResponseJson.warn("未找到指定文件");
 		}
+		// 未登录访问文件，需要判断是否是开放空间的文件
+		Long pageId = Optional.ofNullable(pageFile.getPageId()).orElse(0L);
+		DocUserDetails currentUser = DocUserUtil.getCurrentUser();
+		if (pageId > 0 && currentUser == null) {
+			WikiPage wikiPage = wikiPageService.getById(pageId);
+			WikiSpace wikiSpace = wikiSpaceService.getById(wikiPage.getSpaceId());
+			if (wikiSpace.getOpenDoc() == 0) {
+				return DocResponseJson.warn("登陆后才可访问此文件");
+			}
+		}
 		try {
 			String fileName = Optional.ofNullable(pageFile.getFileName()).orElse("");
 			File file = new File(pageFile.getFileUrl());