viscous/cloudreve
1
0
Fork 0
mirror of https://github.com/cloudreve/cloudreve.git synced 2026-06-27 22:35:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(sse): block subscribing to single share file

Browse Source
This commit is contained in:
Aaron Liu
2026-06-13 11:02:15 +08:00
parent 3607f79bb4
commit 0b00dd308f
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
service/explorer/events.go
View File

@@ -34,7 +34,7 @@ func (s *ExplorerEventService) HandleExplorerEventsPush(c *gin.Context) error {
}
// Make sure target is a valid folder that the user can listen to
parent, _, err := m.List(c, uri, &manager.ListArgs{
parent, listRes, err := m.List(c, uri, &manager.ListArgs{
Page: 0,
PageSize: 1,
})
@@ -42,6 +42,14 @@ func (s *ExplorerEventService) HandleExplorerEventsPush(c *gin.Context) error {
return serializer.NewError(serializer.CodeParamErr, "Requested uri not available", err)
}
// Reject event subscriptions on single-file views (e.g. single-file shares).
// The listed parent is the underlying owner-side folder containing the file,
// while the subscriber is only authorized to observe the shared file itself.
// Subscribing to that folder topic would leak events about unshared siblings.
if listRes != nil && listRes.SingleFileView {
return serializer.NewError(serializer.CodeNoPermissionErr, "Event subscriptions are not supported on this view", nil)
}
requestInfo := requestinfo.RequestInfoFromContext(c)
if requestInfo.ClientID == "" {
return serializer.NewError(serializer.CodeParamErr, "Client ID is required", nil)