update

cmd/dashboard/controller/controller.go

@@ -59,7 +59,7 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 
 	optionalAuth := api.Group("", optionalAuthMiddleware(authMiddleware))
 	optionalAuth.GET("/ws/server", commonHandler(serverStream))
-	optionalAuth.GET("/server-group", listHandler(listServerGroup))
+	optionalAuth.GET("/server-group", commonHandler(listServerGroup))
 
 	optionalAuth.GET("/service", commonHandler(showService))
 	optionalAuth.GET("/service/:id", commonHandler(listServiceHistory))
@@ -83,7 +83,7 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	auth.POST("/user", commonHandler(createUser))
 	auth.POST("/batch-delete/user", commonHandler(batchDeleteUser))
 
-	auth.GET("/service/list", commonHandler(listService))
+	auth.GET("/service/list", listHandler(listService))
 	auth.POST("/service", commonHandler(createService))
 	auth.PATCH("/service/:id", commonHandler(updateService))
 	auth.POST("/batch-delete/service", commonHandler(batchDeleteService))
@@ -97,17 +97,17 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	auth.PATCH("/notification-group/:id", commonHandler(updateNotificationGroup))
 	auth.POST("/batch-delete/notification-group", commonHandler(batchDeleteNotificationGroup))
 
-	auth.GET("/server", commonHandler(listServer))
+	auth.GET("/server", listHandler(listServer))
 	auth.PATCH("/server/:id", commonHandler(updateServer))
 	auth.POST("/batch-delete/server", commonHandler(batchDeleteServer))
 	auth.POST("/force-update/server", commonHandler(forceUpdateServer))
 
-	auth.GET("/notification", commonHandler(listNotification))
+	auth.GET("/notification", listHandler(listNotification))
 	auth.POST("/notification", commonHandler(createNotification))
 	auth.PATCH("/notification/:id", commonHandler(updateNotification))
 	auth.POST("/batch-delete/notification", commonHandler(batchDeleteNotification))
 
-	auth.GET("/alert-rule", commonHandler(listAlertRule))
+	auth.GET("/alert-rule", listHandler(listAlertRule))
 	auth.POST("/alert-rule", commonHandler(createAlertRule))
 	auth.PATCH("/alert-rule/:id", commonHandler(updateAlertRule))
 	auth.POST("/batch-delete/alert-rule", commonHandler(batchDeleteAlertRule))
@@ -231,6 +231,11 @@ func filter[S ~[]E, E model.CommonInterface](ctx *gin.Context, s S) S {
 	})
 }
 
+func getUid(c *gin.Context) uint64 {
+	user, _ := c.MustGet(model.CtxKeyAuthorizedUser).(*model.User)
+	return user.ID
+}
+
 func fallbackToFrontend(frontendDist fs.FS) func(*gin.Context) {
 	checkLocalFileOrFs := func(c *gin.Context, fs fs.FS, path string) bool {
 		if _, err := os.Stat(path); err == nil {

cmd/dashboard/controller/notification_group.go

@@ -20,7 +20,7 @@ import (
 // @Produce json
 // @Success 200 {object} model.CommonResponse[[]model.NotificationGroupResponseItem]
 // @Router /notification-group [get]
-func listNotificationGroup(c *gin.Context) ([]model.NotificationGroupResponseItem, error) {
+func listNotificationGroup(c *gin.Context) ([]*model.NotificationGroupResponseItem, error) {
 	var ng []model.NotificationGroup
 	if err := singleton.DB.Find(&ng).Error; err != nil {
 		return nil, err
@@ -39,9 +39,9 @@ func listNotificationGroup(c *gin.Context) ([]model.NotificationGroupResponseIte
 		groupNotifications[n.NotificationGroupID] = append(groupNotifications[n.NotificationGroupID], n.NotificationID)
 	}
 
-	ngRes := make([]model.NotificationGroupResponseItem, 0, len(ng))
+	ngRes := make([]*model.NotificationGroupResponseItem, 0, len(ng))
 	for _, n := range ng {
-		ngRes = append(ngRes, model.NotificationGroupResponseItem{
+		ngRes = append(ngRes, &model.NotificationGroupResponseItem{
 			Group:         n,
 			Notifications: groupNotifications[n.ID],
 		})

cmd/dashboard/controller/server.go

@@ -61,6 +61,10 @@ func updateServer(c *gin.Context) (any, error) {
 		return nil, singleton.Localizer.ErrorT("server id %d does not exist", id)
 	}
 
+	if !s.HasPermission(c) {
+		return nil, singleton.Localizer.ErrorT("unauthorized")
+	}
+
 	s.Name = sf.Name
 	s.DisplayIndex = sf.DisplayIndex
 	s.Note = sf.Note
@@ -99,11 +103,23 @@ func updateServer(c *gin.Context) (any, error) {
 // @Success 200 {object} model.CommonResponse[any]
 // @Router /batch-delete/server [post]
 func batchDeleteServer(c *gin.Context) (any, error) {
-	var servers []uint64
+	var serversRaw []uint64
-	if err := c.ShouldBindJSON(&servers); err != nil {
+	if err := c.ShouldBindJSON(&serversRaw); err != nil {
 		return nil, err
 	}
 
+	var servers []uint64
+	singleton.ServerLock.RLock()
+	for _, sid := range serversRaw {
+		if s, ok := singleton.ServerList[sid]; ok {
+			if !s.HasPermission(c) {
+				return nil, singleton.Localizer.ErrorT("permission denied")
+			}
+			servers = append(servers, s.ID)
+		}
+	}
+	singleton.ServerLock.RUnlock()
+
 	err := singleton.DB.Transaction(func(tx *gorm.DB) error {
 		if err := tx.Unscoped().Delete(&model.Server{}, "id in (?)", servers).Error; err != nil {
 			return err

cmd/dashboard/controller/service.go

@@ -190,7 +190,10 @@ func createService(c *gin.Context) (uint64, error) {
 		return 0, err
 	}
 
+	uid := getUid(c)
+
 	var m model.Service
+	m.UserID = uid
 	m.Name = mf.Name
 	m.Target = strings.TrimSpace(mf.Target)
 	m.Type = mf.Type

model/common.go

@@ -23,6 +23,10 @@ type Common struct {
 	UserID uint64 `json:"user_id,omitempty"`
 }
 
+func (c *Common) GetID() uint64 {
+	return c.ID
+}
+
 func (c *Common) HasPermission(ctx *gin.Context) bool {
 	auth, ok := ctx.Get(CtxKeyAuthorizedUser)
 	if !ok {
@@ -38,6 +42,7 @@ func (c *Common) HasPermission(ctx *gin.Context) bool {
 }
 
 type CommonInterface interface {
+	GetID() uint64
 	HasPermission(*gin.Context) bool
 }
 

model/server_group_api.go

@@ -1,7 +1,5 @@
 package model
 
-import "github.com/gin-gonic/gin"
-
 type ServerGroupForm struct {
 	Name    string   `json:"name" minLength:"1"`
 	Servers []uint64 `json:"servers"`
@@ -11,7 +9,3 @@ type ServerGroupResponseItem struct {
 	Group   ServerGroup `json:"group"`
 	Servers []uint64    `json:"servers"`
 }
-
-func (sg *ServerGroupResponseItem) HasPermission(c *gin.Context) bool {
-	return sg.Group.HasPermission(c)
-}