fix: 修复 Session 以及用户权限相关问题 [Patch f33d87] (#78)

* feat: Python 3 的评测支持

* feat: 弃用无状态 Token

* fix: 修复用户编辑相关问题

* fix: 失效时主动清除 Session

controllers/session.js

@@ -18,7 +18,7 @@ const login = async (ctx) => {
     ctx.throw(400, 'Wrong password')
   }
 
-  ctx.session.profile = only(user, 'uid nick privilege')
+  ctx.session.profile = only(user, 'uid nick privilege pwd')
   ctx.session.profile.verifyContest = []
   ctx.body = {
     profile: ctx.session.profile,

controllers/user.js

@@ -115,7 +115,9 @@ const update = async (ctx) => {
       user[field] = opt[field]
     }
   })
-  if (!isUndefined(opt.privilege)) {
+  if (!isUndefined(opt.privilege) && opt.privilege !== user.privilege) {
+    if (!isRoot(ctx.session.profile))
+      ctx.throw(400, 'You do not have permission to change the privilege!')
     user.privilege = Number.parseInt(opt.privilege)
   }
   if (opt.newPwd) {

services/node-0/judger.js

@@ -24,7 +24,7 @@ const logger = require('../../utils/logger')
 const config = require('../../config')
 const redis = require('../../config/redis')
 
-const extensions = [ '', 'c', 'cpp', 'java' ]
+const extensions = ['', 'c', 'cpp', 'java', 'py']
 
 // 转化代码
 // 因为判题端各数字表示的含义与 OJ 默认的不同，因此需要做一次转化

utils/middlewares.js

@@ -1,8 +1,19 @@
 const { RateLimit } = require('koa2-ratelimit')
 const { isAdmin, isRoot } = require('./helper')
+const User = require('../models/User')
 
 const login = async (ctx, next) => {
-  if (!ctx.session || ctx.session.profile == null) { ctx.throw(401, 'Login required') }
+  if (!ctx.session || ctx.session.profile == null) {
+    delete ctx.session.profile
+    ctx.throw(401, 'Login required')
+  }
+  const user = await User.findOne({ uid: ctx.session.profile.uid }).exec()
+  if (user == null || user.pwd !== ctx.session.profile.pwd) {
+    delete ctx.session.profile
+    ctx.throw(401, 'Login required')
+  }
+  if (user.privilege !== ctx.session.profile.privilege)
+    ctx.session.profile.privilege = user.privilege
   await next()
 }