diff --git a/zyplayer-doc-data/src/main/java/com/zyplayer/doc/data/config/security/DocUserUtil.java b/zyplayer-doc-data/src/main/java/com/zyplayer/doc/data/config/security/DocUserUtil.java
index 26a5c652..29def8ad 100644
--- a/zyplayer-doc-data/src/main/java/com/zyplayer/doc/data/config/security/DocUserUtil.java
+++ b/zyplayer-doc-data/src/main/java/com/zyplayer/doc/data/config/security/DocUserUtil.java
@@ -14,10 +14,12 @@ public class DocUserUtil {
 */
 public static DocUserDetails getCurrentUser() {
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
- Object principal = null;
 if (authentication != null) {
- principal = authentication.getPrincipal();
+ Object principal = authentication.getPrincipal();
+ if (principal instanceof DocUserDetails) {
+ return (DocUserDetails) principal;
+ }
 }
- return (DocUserDetails) principal;
+ return null;
 }
 }
diff --git a/zyplayer-doc-manage/src/main/java/com/zyplayer/doc/manage/framework/config/security/WebSecurityConfig.java b/zyplayer-doc-manage/src/main/java/com/zyplayer/doc/manage/framework/config/security/WebSecurityConfig.java
index f93bd5be..a7a5c1c1 100644
--- a/zyplayer-doc-manage/src/main/java/com/zyplayer/doc/manage/framework/config/security/WebSecurityConfig.java
+++ b/zyplayer-doc-manage/src/main/java/com/zyplayer/doc/manage/framework/config/security/WebSecurityConfig.java
@@ -50,6 +50,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 // 开放接口的静态文件和接口
 "/open-doc.html", "/webjars/open-doc/**", "/swagger-mg-ui/open-doc/**", "/open-wiki.html", "/webjars/doc-wiki/**", "/zyplayer-doc-wiki/open-api/**",
+ // 文件访问接口,开放文档需要能使用,在接口里面做权限判断
+ "/zyplayer-doc-wiki/common/file",
 // http代理请求接口,有白名单限制,也不怕随便请求到内网资源了
 "/swagger-mg-ui/http/**",
 // 静态资源
diff --git a/zyplayer-doc-wiki/src/main/java/com/zyplayer/doc/wiki/controller/WikiCommonController.java b/zyplayer-doc-wiki/src/main/java/com/zyplayer/doc/wiki/controller/WikiCommonController.java
index 8703bd55..aafddbe0 100644
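Review bot: The Javadoc above `DocUserUtil.getCurrentUser()` (only its closing `*/` is in the hunk) should state that null is now an ordinary return value, for example `@return the logged-in user, or null when the request is unauthenticated or the principal is not a DocUserDetails`. Before this change a non-DocUserDetails principal raised ClassCastException at the cast; now it yields null, and the rest of this commit relies on that null as the "anonymous" signal. Callers outside this diff that dereference the result directly would presumably fail with NullPointerException on any path that becomes reachable without login, so they are worth checking before merge.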
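Review bot: The comment on the new `"/zyplayer-doc-wiki/common/file"` entry in WebSecurityConfig should record that the handler is now the only access control for this path. The surrounding list appears to be the set of paths exempt from authentication, although the call that consumes it is outside the hunk. I would extend the comment with something like `// no filter-level auth here: the handler must deny anonymous requests unless the file belongs to an open space`, so a later edit to the controller is not made on the assumption that the request is already authenticated.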
--- a/zyplayer-doc-wiki/src/main/java/com/zyplayer/doc/wiki/controller/WikiCommonController.java
+++ b/zyplayer-doc-wiki/src/main/java/com/zyplayer/doc/wiki/controller/WikiCommonController.java
@@ -7,8 +7,12 @@ import com.zyplayer.doc.core.json.DocResponseJson;
 import com.zyplayer.doc.core.json.ResponseJson;
 import com.zyplayer.doc.data.config.security.DocUserDetails;
 import com.zyplayer.doc.data.config.security.DocUserUtil;
+import com.zyplayer.doc.data.repository.manage.entity.WikiPage;
 import com.zyplayer.doc.data.repository.manage.entity.WikiPageFile;
+import com.zyplayer.doc.data.repository.manage.entity.WikiSpace;
 import com.zyplayer.doc.data.service.manage.WikiPageFileService;
+import com.zyplayer.doc.data.service.manage.WikiPageService;
+import com.zyplayer.doc.data.service.manage.WikiSpaceService;
 import com.zyplayer.doc.wiki.framework.consts.Const;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
@@ -45,6 +49,10 @@ public class WikiCommonController {
 @Resource
 WikiPageFileService wikiPageFileService;
+ @Resource
+ WikiPageService wikiPageService;
+ @Resource
+ WikiSpaceService wikiSpaceService;
 @PostMapping("/wangEditor/upload")
 public Map wangEditorUpload(WikiPageFile wikiPageFile, @RequestParam("files") MultipartFile file) {
@@ -100,6 +108,16 @@ public class WikiCommonController {
 if (pageFile == null) {
 return DocResponseJson.warn("未找到指定文件");
 }
+ // 未登录访问文件,需要判断是否是开放空间的文件
+ Long pageId = Optional.ofNullable(pageFile.getPageId()).orElse(0L);
+ DocUserDetails currentUser = DocUserUtil.getCurrentUser();
+ if (pageId > 0 && currentUser == null) {
+ WikiPage wikiPage = wikiPageService.getById(pageId);
+ WikiSpace wikiSpace = wikiSpaceService.getById(wikiPage.getSpaceId());
+ if (wikiSpace.getOpenDoc() == 0) {
+ return DocResponseJson.warn("登陆后才可访问此文件");
+ }
+ }
 try {
 String fileName = Optional.ofNullable(pageFile.getFileName()).orElse("");
 File file = new File(pageFile.getFileUrl());
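Review bot: The anonymous-access check added in the last hunk of WikiCommonController fails open: a file whose `pageId` is null or 0 skips the `pageId > 0 && currentUser == null` branch, so with the path now exempt from the security filter it is served to callers who are not logged in. The same branch dereferences the results of `wikiPageService.getById(pageId)` and `wikiSpaceService.getById(...)` without null checks, so a file that points at a missing page or space ends in a NullPointerException instead of a denial. I would restructure the block to deny anonymous requests by default and allow them only when the file resolves to a page in an open space, as sketched below. If files without a page have to stay public for open documents, that should be an explicit marker rather than the absence of a pageId. The handler method starts and ends outside the hunk.

```java
DocUserDetails currentUser = DocUserUtil.getCurrentUser();
if (currentUser == null) {
	// Anonymous request: allow only when the file resolves to a page in an open space.
	Long pageId = pageFile.getPageId();
	WikiPage wikiPage = (pageId == null || pageId <= 0) ? null : wikiPageService.getById(pageId);
	WikiSpace wikiSpace = (wikiPage == null) ? null : wikiSpaceService.getById(wikiPage.getSpaceId());
	if (wikiSpace == null || wikiSpace.getOpenDoc() == 0) {
		return DocResponseJson.warn("登陆后才可访问此文件");
	}
}
// … unchanged: try { … read pageFile.getFileUrl() and stream the file … }
```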