From 3d0065bdcf2063281154e0bb1d69028a0c06a9bb Mon Sep 17 00:00:00 2001
From: Andy Hsu
Date: Sat, 4 Feb 2023 11:44:17 +0800
Subject: [PATCH] feat!: allow disable user (close #3241)

From this commit, the guest user will be disabled by default
---
 internal/bootstrap/data/user.go | 1 +
 internal/model/user.go | 1 +
 server/handles/user.go | 4 ++++
 server/middlewares/auth.go | 10 ++++++++++
 4 files changed, 16 insertions(+)

diff --git a/internal/bootstrap/data/user.go b/internal/bootstrap/data/user.go
index 04018ee0a96..2e0fc3e812e 100644
--- a/internal/bootstrap/data/user.go
+++ b/internal/bootstrap/data/user.go
@@ -48,6 +48,7 @@ func initUser() {
 Role: model.GUEST,
 BasePath: "/",
 Permission: 0,
+ Disabled: true,
 }
 if err := db.CreateUser(guest); err != nil {
 panic(err)
diff --git a/internal/model/user.go b/internal/model/user.go
index 93457b94b67..17b9ad5b4a3 100644
--- a/internal/model/user.go
+++ b/internal/model/user.go
@@ -18,6 +18,7 @@ type User struct {
 Password string `json:"password"` // password
 BasePath string `json:"base_path"` // base path
 Role int `json:"role"` // user's role
+ Disabled bool `json:"disabled"`
 // Determine permissions by bit
 // 0: can see hidden files
 // 1: can access without password
diff --git a/server/handles/user.go b/server/handles/user.go
index 22d4e87f5e4..adb29cdb83f 100644
--- a/server/handles/user.go
+++ b/server/handles/user.go
@@ -67,6 +67,10 @@ func UpdateUser(c *gin.Context) {
 if req.OtpSecret == "" {
 req.OtpSecret = user.OtpSecret
 }
+ if req.Disabled && req.IsAdmin() {
+ common.ErrorStrResp(c, "admin user can not be disabled", 400)
+ return
+ }
 if err := op.UpdateUser(&req); err != nil {
 common.ErrorResp(c, err, 500)
 } else {
diff --git a/server/middlewares/auth.go b/server/middlewares/auth.go
index 7ad404258b3..53834874304 100644
--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
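Review bot: Setting `Disabled: true` in the guest literal only affects the guest record that initUser creates, so an installation whose guest row already exists keeps the zero value `false` for the new column and stays enabled, which does not match the description's "disabled by default" unless a migration flips it. If that is intended, the description should say so; otherwise a one-time update of the existing guest record is needed alongside this literal. initUser starts and ends outside the hunk, so whether this literal is only reached when no guest exists is inferred from the surrounding `db.CreateUser(guest)` call rather than shown.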
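Review bot: The new `Disabled` field is the only one in this part of the struct without a trailing comment, while `Password`, `BasePath` and `Role` each carry one; add `// whether the account is disabled; Auth rejects disabled guests and tokens with 401` so the semantics are discoverable from the model. Since the field is bound from JSON (`json:"disabled"`), the comment is also the place to record that handlers decoding a User from a request body can set it, as UpdateUser in this patch does. The User struct continues outside the hunk.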
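Review bot: The guard `req.Disabled && req.IsAdmin()` evaluates the role carried in the request body rather than the stored record (`user`, which the lines just above already read for `OtpSecret`), so an update that changes the role and sets `disabled` in one request would pass the check even when the target is currently an admin, assuming `Role` is not copied from `user` before this point, which the hunk does not show. Checking both sides, `if req.Disabled && (req.IsAdmin() || user.IsAdmin()) {`, closes that gap without changing the response. A 403 arguably fits better than 400 here, since the request is well-formed but not permitted. UpdateUser continues outside the hunk on both sides.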
@@ -33,6 +33,11 @@ func Auth(c *gin.Context) {
 c.Abort()
 return
 }
+ if guest.Disabled {
+ common.ErrorStrResp(c, "Guest user is disabled, login please", 401)
+ c.Abort()
+ return
+ }
 c.Set("user", guest)
 log.Debugf("use empty token: %+v", guest)
 c.Next()
@@ -50,6 +55,11 @@ func Auth(c *gin.Context) {
 c.Abort()
 return
 }
+ if user.Disabled {
+ common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
+ c.Abort()
+ return
+ }
 c.Set("user", user)
 log.Debugf("use login token: %+v", user)
 c.Next()
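Review bot: The new `if guest.Disabled` and `if user.Disabled` branches (this hunk and the one at +55) reject with 401 without logging, while the success paths right below them log at debug level; a valid token presented for a disabled account is exactly the event operators want visible, so each branch should log the rejection, identifying the account by its identifier rather than with `%+v`, since the model's `Password` field would otherwise be printed. The messages `"Guest user is disabled, login please"` and `"Current user is disabled, replace please"` also read awkwardly; `"guest access is disabled, please log in"` and `"this account is disabled"` are clearer, and the second no longer suggests switching accounts as the remedy. Both hunks sit inside Auth, which starts and ends outside this view.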