增强系统配置接口的权限检查

internal/rpc/services/service_sys_setting.go

@@ -3,8 +3,10 @@ package services
 import (
 	"context"
 	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
-	rpcutils "github.com/TeaOSLab/EdgeAPI/internal/rpc/utils"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
+	"github.com/iwind/TeaGo/lists"
 )
 
 type SysSettingService struct {
@@ -14,7 +16,8 @@ type SysSettingService struct {
 // UpdateSysSetting 更改配置
 func (this *SysSettingService) UpdateSysSetting(ctx context.Context, req *pb.UpdateSysSettingRequest) (*pb.RPCSuccess, error) {
 	// 校验请求
-	_, _, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin, rpcutils.UserTypeUser)
+	// 不要允许用户修改
+	_, err := this.ValidateAdmin(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -32,13 +35,27 @@ func (this *SysSettingService) UpdateSysSetting(ctx context.Context, req *pb.Upd
 // ReadSysSetting 读取配置
 func (this *SysSettingService) ReadSysSetting(ctx context.Context, req *pb.ReadSysSettingRequest) (*pb.ReadSysSettingResponse, error) {
 	// 校验请求
-	_, _, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin, rpcutils.UserTypeUser)
+	_, userId, err := this.ValidateAdminAndUser(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	var tx = this.NullTx()
 
+	// 检查权限
+	if userId > 0 {
+		// TODO 限制用户只能为专有用户，比如1_000_000_000
+		if !lists.ContainsString([]string{
+			systemconfigs.SettingCodeUserRegisterConfig,
+			systemconfigs.SettingCodeUserServerConfig,
+			systemconfigs.SettingCodeUserUIConfig,
+			systemconfigs.SettingCodeNSUserConfig,
+			systemconfigs.SettingCodeUserOrderConfig,
+		}, req.Code) {
+			return nil, errors.New("can not read setting code '" + req.Code + "'")
+		}
+	}
+
 	valueJSON, err := models.SharedSysSettingDAO.ReadSetting(tx, req.Code)
 	if err != nil {
 		return nil, err