From 23cca5ad36b0dc4acc8b7418fd6bc2c8bc530a08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9F=A9=E6=98=95=E7=9D=BF?= <22371298@buaa.edu.cn> Date: Fri, 6 Jun 2025 15:43:08 +0800 Subject: [PATCH] =?UTF-8?q?[fix]:=20=E9=99=90=E5=88=B6=E9=80=9A=E8=BF=87id?= =?UTF-8?q?=E9=98=85=E8=AF=BB=E6=89=80=E6=9C=89=E6=96=87=E7=8C=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/api/v1/endpoints/article.py | 10 +++++---- app/curd/article.py | 37 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/app/api/v1/endpoints/article.py b/app/api/v1/endpoints/article.py index 39a7a1b..20d6ae6 100644 --- a/app/api/v1/endpoints/article.py +++ b/app/api/v1/endpoints/article.py 
@@ -95,13 +95,15 @@ async def annotate_self_article(article_id: int = Query(...), article: UploadFil
     return {"msg": "Article annotated successfully."}
 
 @router.get("/readArticle", response_class=FileResponse)
-async def read_article(article_id: int = Query(...), db: AsyncSession = Depends(get_db)):
-    article_name, url = await crud_read_article(article_id, db)
+async def read_article(article_id: int = Query(...), db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    article_name, url = await crud_read_article(user_id, article_id, db)
     return FileResponse(path=url, filename=f"{article_name}.pdf", media_type='application/pdf')
 
 @router.get("/readArticleByUrl", response_model="dict")
-async def read_article_by_url(article_id: int = Query(...), db: AsyncSession = Depends(get_db)):
-    url, update_time = await crud_read_article_by_url(article_id, db)
+async def read_article_by_url(article_id: int = Query(...), db: AsyncSession = Depends(get_db), user: dict = Depends(get_current_user)):
+    user_id = user.get("id")
+    url, update_time = await crud_read_article_by_url(user_id, article_id, db)
     return {"article_url": url, "update_time": update_time}
 
 @router.post("/importSelfFolder", response_model="dict")
diff --git a/app/curd/article.py b/app/curd/article.py
index 8bfaf9a..b5ebd87 100644
--- a/app/curd/article.py
+++ b/app/curd/article.py
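Review bot: `user_id = user.get("id")` in both `read_article` and `read_article_by_url` silently turns a current-user dict without an `id` key into `None`, which is then handed to the CRUD layer and ends up as an SQL comparison against NULL rather than an explicit rejection at the boundary. Fail closed at the endpoint instead, e.g. `user_id = user.get("id")` followed by `if user_id is None: raise HTTPException(status_code=401, detail="Invalid user")`, so an unexpected dependency payload is reported as an authentication problem rather than as "no access to the article". The hunk also references `get_current_user` without showing its import; if this module does not already import it for other routes, that import is missing.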
@@ -1,8 +1,9 @@
+from fastapi import HTTPException
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, delete, insert, desc
 from sqlalchemy import func, cast, Date
 from datetime import datetime, timedelta
-from app.models.model import User, Group, Folder, Article, Note, Tag, user_group, self_recycle_bin
+from app.models.model import User, Group, Folder, Article, Note, Tag, user_group, self_recycle_bin, operate_permissions, delete_applications, group_logs
 
 async def crud_upload_to_self_folder(name: str, folder_id: int, url: str, db: AsyncSession):
     query = select(Folder.user_id).where(Folder.id == folder_id)
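Review bot: `delete_applications` and `group_logs` are added to the `app.models.model` import but neither name is referenced by any hunk of this commit; unless they are already used elsewhere in `app/curd/article.py`, they are dead imports and should be dropped so the line only names what the permission check needs (`operate_permissions`). Importing `HTTPException` into a CRUD module also ties the data layer to FastAPI; raising a small domain exception here and translating it to an HTTP status in the endpoint would keep `app/curd` framework-neutral, though that is a style preference rather than a defect.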
@@ -86,19 +87,49 @@ async def crud_annotate_self_article(article_id: int, db: AsyncSession):
     await db.refresh(article)
     return article.url
 
-async def crud_read_article(article_id: int, db: AsyncSession):
+async def crud_read_article(user_id: int, article_id: int, db: AsyncSession):
     query = select(Article).where(Article.id == article_id)
     result = await db.execute(query)
     article = result.scalar_one_or_none()
+    # 检查阅读权限
+    if article.user_id and article.user_id != user_id:
+        raise HTTPException(status_code=405, detail="You have no access to the article")
+    if article.group_id:
+        query = select(user_group).where(user_group.c.group_id == article.group_id, user_group.c.user_id == user_id)
+        result = await db.execute(query)
+        relation = result.first()
+        if not relation:
+            raise HTTPException(status_code=405, detail="You have no access to the article")
+        query = select(operate_permissions).where(operate_permissions.c.user_id == user_id, operate_permissions.c.item_type == 2, operate_permissions.c.item_id == article_id)
+        result = await db.execute(query)
+        relation = result.first()
+        if not relation[4]:
+            raise HTTPException(status_code=405, detail="You have no access to the article")
+    # 进行阅读
     article.clicks = article.clicks + 1
     await db.commit()
     await db.refresh(article)
     return article.name, article.url
 
-async def crud_read_article_by_url(article_id: int, db: AsyncSession):
+async def crud_read_article_by_url(user_id: int, article_id: int, db: AsyncSession):
     query = select(Article).where(Article.id == article_id)
     result = await db.execute(query)
     article = result.scalar_one_or_none()
+    # 检查阅读权限
+    if article.user_id and article.user_id != user_id:
+        raise HTTPException(status_code=405, detail="You have no access to the article")
+    if article.group_id:
+        query = select(user_group).where(user_group.c.group_id == article.group_id, user_group.c.user_id == user_id)
+        result = await db.execute(query)
+        relation = result.first()
+        if not relation:
+            raise HTTPException(status_code=405, detail="You have no access to the article")
+        query = select(operate_permissions).where(operate_permissions.c.user_id == user_id, operate_permissions.c.item_type == 2, operate_permissions.c.item_id == article_id)
+        result = await db.execute(query)
+        relation = result.first()
+        if not relation[4]:
+            raise HTTPException(status_code=405, detail="You have no access to the article")
+    # 进行阅读
     article.clicks = article.clicks + 1
     await db.commit()
     await db.refresh(article)
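Review bot: The second `result.first()` in the group branch of `crud_read_article` can return `None` when no `operate_permissions` row exists for this user and article, and `relation[4]` then raises `TypeError`, so a user with no permission row gets a 500 rather than a denial; the same applies to `article` itself, which comes from `scalar_one_or_none()` and is dereferenced as `article.user_id` with no `None` check (an unknown `article_id` should be a 404). `relation[4]` is also a positional column lookup, presumably the read flag; name the column instead so a schema reorder cannot silently flip the result. 405 Method Not Allowed is the wrong status for an authorization failure and should be 403. The whole block is duplicated verbatim in `crud_read_article_by_url` (whose `return` lies past the end of the hunk), so I would pull it into one helper as below and call it from both functions.
```python
async def _check_read_access(user_id: int, article_id: int, article, db: AsyncSession) -> None:
    # Raise 404 when the article is missing, 403 when user_id may not read it:
    # owner check first, then group membership plus the per-item permission row.
    if article is None:
        raise HTTPException(status_code=404, detail="Article not found")
    if article.user_id and article.user_id != user_id:
        raise HTTPException(status_code=403, detail="You have no access to the article")
    if article.group_id:
        membership = (await db.execute(
            select(user_group).where(user_group.c.group_id == article.group_id,
                                     user_group.c.user_id == user_id))).first()
        if membership is None:
            raise HTTPException(status_code=403, detail="You have no access to the article")
        permission = (await db.execute(
            select(operate_permissions).where(operate_permissions.c.user_id == user_id,
                                              operate_permissions.c.item_type == 2,
                                              operate_permissions.c.item_id == article_id))).first()
        # TODO: replace the positional index with the named read-permission column
        if permission is None or not permission[4]:
            raise HTTPException(status_code=403, detail="You have no access to the article")


async def crud_read_article(user_id: int, article_id: int, db: AsyncSession):
    query = select(Article).where(Article.id == article_id)
    result = await db.execute(query)
    article = result.scalar_one_or_none()
    await _check_read_access(user_id, article_id, article, db)
    # … unchanged: clicks increment, commit, refresh, return …
```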