Fix: file preview URL in share page should not be accessed directly

2026-01-28 10:51:57 +08:00 · 2020-03-17 15:57:38 +08:00
parent 79f898e0a9
commit 32c0232105
3 changed files with 65 additions and 1 deletions
--- a/routers/router.go
+++ b/routers/router.go
@@ -107,7 +107,7 @@ func InitMasterRouter() *gin.Engine {
 			// 验证码
 			site.GET("captcha", controllers.Captcha)
 			// 站点全局配置
-			site.GET("config", controllers.SiteConfig)
+			site.GET("config", middleware.CSRFInit(), controllers.SiteConfig)
 		}

 		// 用户相关路由
@@ -231,6 +231,7 @@ func InitMasterRouter() *gin.Engine {
 			)
 			// 预览分享文件
 			share.GET("preview/:id",
+				middleware.CSRFCheck(),
 				middleware.CheckShareUnlocked(),
 				middleware.ShareCanPreview(),
 				middleware.BeforeShareDownload(),