fix: prevent common user from specifying channel id (#12)

2025-10-14 14:30:26 +00:00 · 2023-04-26 14:49:27 +08:00
parent 1dd92a3f92
commit 4f8cbd643d
3 changed files with 26 additions and 1 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -83,7 +83,18 @@ func TokenAuth() func(c *gin.Context) {
 		c.Set("token_id", token.Id)
 		c.Set("unlimited_times", token.UnlimitedTimes)
 		if len(parts) > 1 {
-			c.Set("channelId", parts[1])
+			if model.IsAdmin(token.UserId) {
+				c.Set("channelId", parts[1])
+			} else {
+				c.JSON(http.StatusOK, gin.H{
+					"error": gin.H{
+						"message": "普通用户不支持指定渠道",
+						"type":    "one_api_error",
+					},
+				})
+				c.Abort()
+				return
+			}
 		}
 		c.Next()
 	}