修复函数未通过白名单注册也能被访问的问题
parent
2dcad515c0
commit
06b1b443ca
@ -72,27 +72,31 @@ async def _process_whitelist_call(request: Request, full_module_path: str):
|
||||
# 确保 apps 目录在 sys.path 中(支持跨 app 导入)
|
||||
ensure_apps_on_sys_path()
|
||||
|
||||
# 解析路径并导入
|
||||
# 解析路径并导入模块
|
||||
modulename = ".".join(full_module_path.split('.')[:-1])
|
||||
methodname = full_module_path.split('.')[-1]
|
||||
module = import_module(modulename)
|
||||
func = getattr(module, methodname)
|
||||
|
||||
# 检查白名单(装饰器注册时使用 func.__module__)
|
||||
# 检查白名单(使用实际导入后的模块名,因为装饰器注册时使用 func.__module__)
|
||||
actual_whitelist_path = f"{module.__name__}.{methodname}"
|
||||
whitelist_info = get_whitelisted_function(actual_whitelist_path)
|
||||
|
||||
if whitelist_info:
|
||||
# 检查 HTTP 方法
|
||||
if request.method not in whitelist_info['methods']:
|
||||
raise HTTPException(status_code=405, detail=f"Method {request.method} not allowed")
|
||||
|
||||
# 检查权限
|
||||
if not whitelist_info['allow_guest']:
|
||||
if not await authenticate_request(request, whitelist_info['allow_guest']):
|
||||
raise HTTPException(status_code=401, detail="Authentication required")
|
||||
# 如果函数不在白名单中,返回404(就像路由不存在一样)
|
||||
if not whitelist_info:
|
||||
logger.debug(f"函数未在白名单中,返回404: {actual_whitelist_path}")
|
||||
raise HTTPException(status_code=404, detail="Not Found")
|
||||
|
||||
# 调用函数
|
||||
# 检查 HTTP 方法
|
||||
if request.method not in whitelist_info['methods']:
|
||||
raise HTTPException(status_code=405, detail=f"Method {request.method} not allowed")
|
||||
|
||||
# 检查权限
|
||||
if not whitelist_info['allow_guest']:
|
||||
if not await authenticate_request(request, whitelist_info['allow_guest']):
|
||||
raise HTTPException(status_code=401, detail="Authentication required")
|
||||
|
||||
# 调用函数(只有通过白名单验证的函数才能执行到这里)
|
||||
request_data = await _get_request_data(request)
|
||||
result = func(**request_data)
|
||||
|
||||
|
||||
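Review bot: `import_module(modulename)` and `getattr(module, methodname)` still run before the whitelist lookup, so a path that is not whitelisted is imported, and its top-level code executed, before the new 404 is raised. If `full_module_path` is taken from the request URL (the signature suggests so, but the caller is outside the hunk), the module name should be limited to the app packages before the import. A failed import or missing attribute should also produce the same response as a non-whitelisted function, for example by wrapping the two lines in `try:` with `except (ImportError, AttributeError): raise HTTPException(status_code=404, detail="Not Found")`. Without that, the difference between an unhandled exception and the 404 reveals which modules and attributes exist on the server. The function body starts before and continues after this hunk, so a handler outside the view may already cover part of this.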