fix: 修复未登录状态可以通过uuid获取隐藏信息

2025-11-01 20:43:41 +00:00 · 2025-08-13 13:37:00 +08:00
parent 4bd9fda728
commit 15d7480547
1 changed files with 29 additions and 0 deletions
--- a/api/latestRecord.go
+++ b/api/latestRecord.go
@@ -2,14 +2,43 @@ package api

 import (
 	"github.com/gin-gonic/gin"
+	"github.com/komari-monitor/komari/database/accounts"
+	"github.com/komari-monitor/komari/database/dbcore"
+	"github.com/komari-monitor/komari/database/models"
 )

 func GetClientRecentRecords(c *gin.Context) {
 	uuid := c.Param("uuid")
+
 	if uuid == "" {
 		RespondError(c, 400, "UUID is required")
 		return
 	}
+
+	// 登录状态检查
+	isLogin := false
+	session, _ := c.Cookie("session_token")
+	_, err := accounts.GetUserBySession(session)
+	if err == nil {
+		isLogin = true
+	}
+
+	// 仅在未登录时需要 Hidden 信息做过滤
+	hiddenMap := map[string]bool{}
+	if !isLogin {
+		var hiddenClients []models.Client
+		db := dbcore.GetDBInstance()
+		_ = db.Select("uuid").Where("hidden = ?", true).Find(&hiddenClients).Error
+		for _, cli := range hiddenClients {
+			hiddenMap[cli.UUID] = true
+		}
+
+		if hiddenMap[uuid] {
+			RespondError(c, 400, "UUID is required") //防止未登录用户获取隐藏客户端数据
+			return
+		}
+	}
+
 	records, _ := Records.Get(uuid)
 	RespondSuccess(c, records)
 }