fix: check owner in UpdateKey() API (#5297)

2026-03-22 12:50:03 +08:00
parent 29dccbe32f
commit 7148c9db85
4 changed files with 21 additions and 3 deletions
--- a/controllers/key.go
+++ b/controllers/key.go
@@ -156,12 +156,28 @@ func (c *ApiController) GetKey() {
 func (c *ApiController) UpdateKey() {
 	id := c.Ctx.Input.Query("id")

-	var key object.Key
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &key)
+	oldKey, err := object.GetKey(id)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
+	if oldKey == nil {
+		c.Data["json"] = wrapActionResponse(false)
+		c.ServeJSON()
+		return
+	}
+
+	var key object.Key
+	err = json.Unmarshal(c.Ctx.Input.RequestBody, &key)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !c.IsGlobalAdmin() && oldKey.Owner != key.Owner {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}

 	c.Data["json"] = wrapActionResponse(object.UpdateKey(id, &key))
 	c.ServeJSON()
--- a/object/key.go
+++ b/object/key.go
@@ -28,7 +28,7 @@ type Key struct {
 	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
 	DisplayName string `xorm:"varchar(100)" json:"displayName"`

-	// Type indicates the scope this key belongs to: "Organization", "Application", or "User"
+	// Type indicates the scope this key belongs to: "Organization", "Application", "User", or "General"
 	Type         string `xorm:"varchar(100)" json:"type"`
 	Organization string `xorm:"varchar(100)" json:"organization"`
 	Application  string `xorm:"varchar(100)" json:"application"`
--- a/web/src/KeyEditPage.js
+++ b/web/src/KeyEditPage.js
@@ -167,6 +167,7 @@ class KeyEditPage extends React.Component {
              <Option value="Organization">{i18next.t("general:Organization")}</Option>
              <Option value="Application">{i18next.t("general:Application")}</Option>
              <Option value="User">{i18next.t("general:User")}</Option>
+              <Option value="General">{i18next.t("general:General")}</Option>
            </Select>
          </Col>
        </Row>
--- a/web/src/KeyListPage.js
+++ b/web/src/KeyListPage.js
@@ -141,6 +141,7 @@ class KeyListPage extends BaseListPage {
          {text: i18next.t("general:Organization"), value: "Organization"},
          {text: i18next.t("general:Application"), value: "Application"},
          {text: i18next.t("general:User"), value: "User"},
+          {text: i18next.t("general:General"), value: "General"},
        ],
      },
      {