From 477130aa85cb7ff69f14c4014b00896b6d56f259 Mon Sep 17 00:00:00 2001 From: boojack Date: Sat, 19 Nov 2022 17:07:40 +0800 Subject: [PATCH] chore: update db filesize access control (#493)
---
 server/acl.go | 7 ++----- server/system.go | 20 ++++++++++++++++---- 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/server/acl.go b/server/acl.go
index 04b4b6d3..b653999c 100644
--- a/server/acl.go
+++ b/server/acl.go
@@ -55,15 +55,12 @@ func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 return func(c echo.Context) error { ctx := c.Request().Context() path := c.Path()
+ // Skip auth.
 if common.HasPrefixes(path, "/api/auth") { return next(c) }
- if common.HasPrefixes(path, "/api/ping", "/api/status", "/api/user/:id") && c.Request().Method == http.MethodGet {
- return next(c)
- }
- { // If there is openId in query string and related user is found, then skip auth. openID := c.QueryParam("openId")
@@ -104,7 +101,7 @@ func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 } }
- if common.HasPrefixes(path, "/api/memo/all", "/api/memo/:memoId", "/api/memo/amount") && c.Request().Method == http.MethodGet {
+ if common.HasPrefixes(path, "/api/ping", "/api/status", "/api/user/:id", "/api/memo/all", "/api/memo/:memoId", "/api/memo/amount") && c.Request().Method == http.MethodGet {
 return next(c) }
diff --git a/server/system.go b/server/system.go
index 889d37d6..02dae990 100644
--- a/server/system.go
+++ b/server/system.go
@@ -42,6 +42,7 @@ func (s *Server) registerSystemRoutes(g *echo.Group) {
 systemStatus := api.SystemStatus{ Host: hostUser, Profile: s.Profile,
+ DBSize: 0,
 AllowSignUp: false, AdditionalStyle: "", AdditionalScript: "", 
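Review bot: Removing the early skip means GET /api/ping, /api/status and /api/user/:id now run through the openId lookup that begins at the end of this hunk, and through whatever session handling sits between this hunk and the next, before they reach the allow-list; any error return on that path — the comment suggests an unknown openId falls through, but a store error presumably does not — now applies to these previously unauthenticated routes, and a request carrying a bogus `openId` costs a database lookup per hit on a public endpoint. The new `// Skip auth.` comment is also vaguer than the code it replaces; something like `// Auth endpoints never need a session. Other public GET routes are allowed further down, after the optional caller lookup, so their handlers can see who (if anyone) is calling.` would record why the skip moved. aclMiddleware and the closure it returns start before this hunk and continue past it.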
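Review bot: The position of this allow-list is now load-bearing and nothing in the code says so: public GET routes are admitted only after the openId and session blocks above have had a chance to set the user-ID context key, and the system.go hunk in this same patch reads that key via `c.Get(getUserIDContextKey())` to decide whether to expose DBSize. A later cleanup that hoists the check back to the top of the middleware would silently hide DBSize from the host again, so pin the intent with a comment such as `// Public GET routes. Deliberately checked after the identity blocks above: handlers may use the optional user ID in context (system status shows DBSize only to the host).`, and consider moving the growing list into a package-level var so the anonymous-access surface is reviewable in one place. Since `common.HasPrefixes` is a prefix test on the route template, any route registered beneath `/api/user/:id` or `/api/memo/:memoId` would be public as well; worth confirming no such sub-routes exist. The enclosing closure continues past this hunk.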
@@ -67,11 +68,22 @@ func (s *Server) registerSystemRoutes(g *echo.Group) {
 } }
- fi, err := os.Stat(s.Profile.DSN)
- if err != nil {
- return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read database fileinfo").SetInternal(err)
+ userID, ok := c.Get(getUserIDContextKey()).(int)
+ if ok {
+ user, err := s.Store.FindUser(ctx, &api.UserFind{
+ ID: &userID,
+ })
+ if err != nil {
+ return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+ }
+ if user != nil && user.Role == api.Host {
+ fi, err := os.Stat(s.Profile.DSN)
+ if err != nil {
+ return echo.NewHTTPError(http.StatusInternalServerError, "Failed to read database fileinfo").SetInternal(err)
+ }
+ systemStatus.DBSize = fi.Size()
+ }
 }
- systemStatus.DBSize = fi.Size()
 c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8) if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(systemStatus)); err != nil {