From 8d6b90d093d77acc8eead322f4740c85310ff670 Mon Sep 17 00:00:00 2001
From: acooler15
Date: Sun, 21 Jan 2024 15:15:02 +0800
Subject: [PATCH] Fix: recovery permission (#494)

fix #493
---
 web/handlers/user.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/web/handlers/user.py b/web/handlers/user.py
index ba4c36b8e4f..afe170edb11 100644
--- a/web/handlers/user.py
+++ b/web/handlers/user.py
@@ -444,9 +444,9 @@ async def post(self, userid):
 pwd = envs['adminpwd']
 now=datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
 
- if ('backupbtn' in envs):
- if await self.db.user.challenge_MD5(mail, pwd, sql_session=sql_session) and (user['email'] == mail):
- if user and user['role'] == "admin":
+ if user and await self.db.user.challenge_MD5(mail, pwd, sql_session=sql_session) and (user['email'] == mail):
+ if ('backupbtn' in envs):
+ if user['role'] == "admin":
 if config.db_type != "sqlite3":
 raise Exception(u"抱歉,暂不支持通过本页面备份MySQL数据!ヘ(;´Д`ヘ)")
 filename = config.sqlite3.path
@@ -496,10 +496,7 @@ def progress(status, remaining, total):
 os.remove(savename)
 else:
 raise Exception(u"管理员才能备份数据库")
- else:
- raise Exception(u"账号/密码错误")
 
- if await self.db.user.challenge_MD5(mail, pwd, sql_session=sql_session) and (user['email'] == mail):
 if ('backuptplsbtn' in envs):
 tpls = []
 for tpl in await self.db.tpl.list(userid=userid, fields=('id', 'siteurl', 'sitename', 'banner', 'note','fork', '_groups', 'har', 'tpl', 'variables','init_env'), limit=None, sql_session=sql_session):
@@ -540,6 +537,8 @@ def progress(status, remaining, total):
 if ('recfile' in self.request.files):
 envs['recfile'] = self.request.files['recfile'][0]['body']
 if envs['recfile'][:6] == b'SQLite':
+ if user['role'] != "admin":
+ raise Exception(u"管理员才能操作数据库")
 db_dir = os.path.dirname(config.sqlite3.path)
 db_restore = os.path.join(db_dir, 'database_restore.db')
 with open(db_restore, 'wb') as f:
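Review bot: In the rewritten outer condition on the first `+` line, `challenge_MD5` is awaited before the check that `mail` is the logged-in user's own address, so an authenticated user can make the server verify a password against any account's email (the outcome is masked by the trailing `and`, but the verifier is still exercised with attacker-chosen credentials). Put the cheap ownership test first so the password check only ever runs for the caller's own account: `if user and user['email'] == mail and await self.db.user.challenge_MD5(mail, pwd, sql_session=sql_session):`. The helper's name suggests an MD5-based challenge; that predates this commit and is not changed here, but it deserves a separate look. `post` starts before this hunk and continues past it.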
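Review bot: Deleting the `else: raise Exception(u"账号/密码错误")` branch leaves the outer credential `if` (rewritten in the previous hunk) with no failure path, so a wrong admin password, or a `mail` that is not the caller's own, now falls through silently instead of reporting an error, unless something after this block, outside the hunk, handles that case. Restore the branch as the `else:` of the outer `if`, at its indentation, after the last `if (... in envs)` arm: `else:` / `    raise Exception(u"账号/密码错误")`. A one-line comment on that outer `if`, such as `# Backup/restore re-prompts for the caller's own password; every branch below assumes it matched.`, would make the intent of the restructuring explicit. The enclosing `post` continues beyond this hunk.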
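Review bot: The new admin gate on the two `+` lines is correct but unexplained, and it only fires for uploads whose first six bytes are `SQLite`; a comment above it would spare the next reader from guessing: `# A SQLite upload replaces the entire database, so only admins may restore it.`. The backup branch earlier in this function refuses non-SQLite deployments with a `config.db_type != "sqlite3"` check, while the restore path here goes straight to `config.sqlite3.path`; if there is no equivalent check above this hunk, add the same guard before `db_dir` is computed, `if config.db_type != "sqlite3": raise Exception(u"抱歉,暂不支持通过本页面恢复MySQL数据!")`, so a restore on another backend fails before anything is written next to the configured path. The surrounding `if ('recfile' in self.request.files)` block continues past the hunk.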