
一些数据权限漏洞修复

懒得勤快 4 år sedan
förälder
incheckning
0747894fb5

+ 0 - 1
src/Masuit.MyBlogs.Core/Controllers/AdminController.cs

@@ -1,5 +1,4 @@
 using AutoMapper;
-using Masuit.MyBlogs.Core.Common;
 using Masuit.MyBlogs.Core.Configs;
 using Masuit.MyBlogs.Core.Extensions;
 using Masuit.MyBlogs.Core.Infrastructure.Services.Interface;

+ 66 - 0
src/Masuit.MyBlogs.Core/Controllers/BaseController.cs

@@ -6,6 +6,7 @@ using Masuit.MyBlogs.Core.Extensions;
 using Masuit.MyBlogs.Core.Extensions.Firewall;
 using Masuit.MyBlogs.Core.Infrastructure.Services.Interface;
 using Masuit.MyBlogs.Core.Models.DTO;
+using Masuit.MyBlogs.Core.Models.Entity;
 using Masuit.MyBlogs.Core.Models.Enum;
 using Masuit.MyBlogs.Core.Models.ViewModel;
 using Masuit.Tools;
@@ -15,11 +16,14 @@ using Masuit.Tools.Strings;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Net.Http.Headers;
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using SameSiteMode = Microsoft.AspNetCore.Http.SameSiteMode;
 
 namespace Masuit.MyBlogs.Core.Controllers
 {
@@ -233,5 +237,67 @@ namespace Masuit.MyBlogs.Core.Controllers
                 SameSite = SameSiteMode.Lax
             });
         }
+
+        protected void CheckPermission(List<PostDto> posts)
+        {
+            var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
+            posts.RemoveAll(p =>
+            {
+                switch (p.LimitMode)
+                {
+                    case RegionLimitMode.AllowRegion:
+                        return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
+                    case RegionLimitMode.ForbidRegion:
+                        return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
+                    case RegionLimitMode.AllowRegionExceptForbidRegion:
+                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
+                        {
+                            return true;
+                        }
+
+                        goto case RegionLimitMode.AllowRegion;
+                    case RegionLimitMode.ForbidRegionExceptAllowRegion:
+                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
+                        {
+                            return false;
+                        }
+
+                        goto case RegionLimitMode.ForbidRegion;
+                    default:
+                        return false;
+                }
+            });
+        }
+
+        protected void CheckPermission(List<Post> posts)
+        {
+            var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
+            posts.RemoveAll(p =>
+            {
+                switch (p.LimitMode)
+                {
+                    case RegionLimitMode.AllowRegion:
+                        return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
+                    case RegionLimitMode.ForbidRegion:
+                        return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
+                    case RegionLimitMode.AllowRegionExceptForbidRegion:
+                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
+                        {
+                            return true;
+                        }
+
+                        goto case RegionLimitMode.AllowRegion;
+                    case RegionLimitMode.ForbidRegionExceptAllowRegion:
+                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
+                        {
+                            return false;
+                        }
+
+                        goto case RegionLimitMode.ForbidRegion;
+                    default:
+                        return false;
+                }
+            });
+        }
     }
 }
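Review bot: In both new overloads the visitor-level facts `CurrentUser.IsAdmin`, `VisitorTokenValid` and `Request.IsRobot()` are re-evaluated inside the `RemoveAll` predicate for every post (L59–L70 and L90–L101), and the two `Except*` branches omit the `!Request.IsRobot()` term that the plain `AllowRegion`/`ForbidRegion` branches carry, so a crawler is exempt from a region rule but not from its exception list — it is not clear from the hunk whether that asymmetry is intended. Hoisting the invariants out of the lambda keeps the rule readable and makes the admin/token exemption hold by construction, since every branch already returns `false` for those visitors. The only difference between the overloads is the element type, so one private predicate taking the `LimitMode`, `Regions` and `ExceptRegions` values would let both share the switch instead of duplicating it. Two points deserve a comment on the method: `Request.IsRobot()` and the User-Agent appended to `location` are derived from request headers, so the crawler exemption is a convenience for indexing rather than part of the access decision, and `p.Regions.Split(...)` / `p.ExceptRegions.Split(...)` will throw if those fields can be null for a restricted post (cannot tell from here).
```csharp
protected void CheckPermission(List<PostDto> posts)
{
    // Admins and visitors holding a valid token are never filtered; decide once, not per post.
    if (CurrentUser.IsAdmin || VisitorTokenValid)
    {
        return;
    }

    var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
    var isRobot = Request.IsRobot(); // header-derived heuristic, evaluated once per request
    posts.RemoveAll(p =>
    {
        switch (p.LimitMode)
        {
            case RegionLimitMode.AllowRegion:
                return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !isRobot;
            case RegionLimitMode.ForbidRegion:
                return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !isRobot;
            // … unchanged: the two Except* cases, with their `&& !CurrentUser.IsAdmin && !VisitorTokenValid` tails dropped …
            default:
                return false;
        }
    });
}
// … the List<Post> overload mirrors the above …
```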

+ 3 - 3
src/Masuit.MyBlogs.Core/Controllers/ErrorController.cs

@@ -43,7 +43,7 @@ namespace Masuit.MyBlogs.Core.Controllers
             return true switch
             {
                 _ when accept.StartsWith("image") => File("/Assets/images/404/4044.jpg", ContentType.Jpeg),
-                _ when accept.StartsWith("application/json") => Json(new
+                _ when accept.StartsWith("application/json") || Request.Method == HttpMethods.Post => Json(new
                 {
                     StatusCode = 404,
                     Success = false,
@@ -105,7 +105,7 @@ namespace Masuit.MyBlogs.Core.Controllers
                         return View("AccessDeny", tips);
                     case TempDenyException:
                         Response.StatusCode = 403;
-                        return accept.StartsWith("application/json") ? Json(new
+                        return accept.StartsWith("application/json") || Request.Method == HttpMethods.Post ? Json(new
                         {
                             StatusCode = 404,
                             Success = false,
@@ -118,7 +118,7 @@ namespace Masuit.MyBlogs.Core.Controllers
             }
 
             Response.StatusCode = 503;
-            return accept.StartsWith("application/json") ? Json(new
+            return accept.StartsWith("application/json") || Request.Method == HttpMethods.Post ? Json(new
             {
                 StatusCode = 503,
                 Success = false,
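Review bot: The new `accept.StartsWith("application/json") || Request.Method == HttpMethods.Post` test is written out three times (L123, L132, L141) and keeps a culture-sensitive `StartsWith`; computing it once where `accept` is assigned (outside these hunks), `var wantsJson = accept.StartsWith("application/json", StringComparison.OrdinalIgnoreCase) || HttpMethods.IsPost(Request.Method);`, keeps the three branches from drifting and fixes the comparison. In the `TempDenyException` branch the response is set to 403 on L130 while the JSON body on the changed line still reports `StatusCode = 404` (L134); that mismatch predates this commit but sits on the line being edited, so this is the moment to align them.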

+ 1 - 38
src/Masuit.MyBlogs.Core/Controllers/HomeController.cs

@@ -10,7 +10,6 @@ using Masuit.MyBlogs.Core.Models.Entity;
 using Masuit.MyBlogs.Core.Models.Enum;
 using Masuit.MyBlogs.Core.Models.ViewModel;
 using Masuit.Tools;
-using Masuit.Tools.Core.Net;
 using Masuit.Tools.Linq;
 using Masuit.Tools.Systems;
 using Microsoft.AspNetCore.Http;
@@ -59,7 +58,7 @@ namespace Masuit.MyBlogs.Core.Controllers
             var fastShares = await fastShareService.GetAllFromCacheAsync(s => s.Sort);
             var postsQuery = PostService.GetQuery(p => p.Status == Status.Published); //准备文章的查询
             var posts = await postsQuery.Where(p => !p.IsFixedTop).OrderBy(OrderBy.ModifyDate.GetDisplay() + " desc").ToCachedPagedListAsync<Post, PostDto>(1, 15, MapperConfig);
-            posts.Data.InsertRange(0, postsQuery.Where(p => p.IsFixedTop).OrderByDescending(p => p.ModifyDate).ProjectTo<PostDto>(MapperConfig).ToList());
+            posts.Data.InsertRange(0, postsQuery.Where(p => p.IsFixedTop).OrderByDescending(p => p.ModifyDate).ProjectTo<PostDto>(MapperConfig).Cacheable().ToList());
             CheckPermission(posts.Data);
             var viewModel = await GetIndexPageViewModel();
             viewModel.Banner = banners;
@@ -179,42 +178,6 @@ namespace Masuit.MyBlogs.Core.Controllers
             return Redirect(string.IsNullOrEmpty(referer) ? "/" : referer);
         }
 
-        private void CheckPermission(List<PostDto> posts)
-        {
-            var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
-            posts.RemoveAll(p =>
-            {
-                switch (p.LimitMode)
-                {
-                    case RegionLimitMode.AllowRegion:
-                        return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.ForbidRegion:
-                        return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.AllowRegionExceptForbidRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return true;
-                        }
-
-                        goto case RegionLimitMode.AllowRegion;
-                    case RegionLimitMode.ForbidRegionExceptAllowRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return false;
-                        }
-
-                        goto case RegionLimitMode.ForbidRegion;
-                    default:
-                        return false;
-                }
-            });
-            foreach (var item in posts)
-            {
-                item.PostDate = item.PostDate.ToTimeZone(HttpContext.Session.Get<string>(SessionKey.TimeZone));
-                item.ModifyDate = item.ModifyDate.ToTimeZone(HttpContext.Session.Get<string>(SessionKey.TimeZone));
-            }
-        }
-
         /// <summary>
         /// 获取页面视图模型
         /// </summary>
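Review bot: The private `CheckPermission` removed here (L170–L204) also rewrote `PostDate` and `ModifyDate` into the session time zone (L199–L203), and the shared replacement in BaseController only filters, so `Index` now hands unconverted dates to the view unless that conversion happens somewhere outside this diff; the same loop is dropped from SearchController (L329–L333). If dropping the conversion is intentional, the commit message should say so; if not, it belongs in a separate presentation helper rather than back inside the permission check, so filtering and formatting stay separate. The `Cacheable()` added on L162 sits before `CheckPermission` runs on the merged list, which is the right order — the cache holds the unfiltered set and filtering stays per visitor — and is worth stating in place: `// cache the unfiltered set; region filtering below is per visitor`.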

+ 3 - 31
src/Masuit.MyBlogs.Core/Controllers/PostController.cs

@@ -84,7 +84,7 @@ namespace Masuit.MyBlogs.Core.Controllers
             related.RemoveAll(p => p.Id == id);
             if (related.Count <= 1)
             {
-                related = (await PostService.GetPagesFromCacheAsync(1, 10, p => p.Id != id && p.CategoryId == post.CategoryId, p => p.TotalViewCount, false)).Data;
+                related = (await PostService.GetPagesFromCacheAsync(1, 10, p => p.Id != id && p.CategoryId == post.CategoryId && (p.LimitMode ?? 0) == RegionLimitMode.All, p => p.TotalViewCount, false)).Data;
             }
 
             CheckPermission(related);
@@ -107,36 +107,6 @@ namespace Masuit.MyBlogs.Core.Controllers
             return View(post);
         }
 
-        private void CheckPermission(List<Post> posts)
-        {
-            var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
-            posts.RemoveAll(p =>
-            {
-                switch (p.LimitMode)
-                {
-                    case RegionLimitMode.AllowRegion:
-                        return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.ForbidRegion:
-                        return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.AllowRegionExceptForbidRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return true;
-                        }
-
-                        goto case RegionLimitMode.AllowRegion;
-                    case RegionLimitMode.ForbidRegionExceptAllowRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return false;
-                        }
-
-                        goto case RegionLimitMode.ForbidRegion;
-                    default:
-                        return false;
-                }
-            });
-        }
         private void CheckPermission(Post post)
         {
             var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
@@ -469,6 +439,7 @@ namespace Masuit.MyBlogs.Core.Controllers
         public async Task<ActionResult> PushMerge(int id)
         {
             var post = await PostService.GetByIdAsync(id) ?? throw new NotFoundException("文章未找到");
+            CheckPermission(post);
             return View(post);
         }
 
@@ -482,6 +453,7 @@ namespace Masuit.MyBlogs.Core.Controllers
         public async Task<ActionResult> RepushMerge(int id, int mid)
         {
             var post = await PostService.GetByIdAsync(id) ?? throw new NotFoundException("文章未找到");
+            CheckPermission(post);
             var merge = post.PostMergeRequests.FirstOrDefault(p => p.Id == mid && p.MergeState != MergeStatus.Merged) ?? throw new NotFoundException("待合并文章未找到");
             return View(merge);
         }
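Review bot: The single-post overload `CheckPermission(Post post)` (L256, body outside the hunk) stays private to PostController while the two list overloads move to BaseController; moving it as well would keep every evaluation of the region rules in one class, which matters now that the control is invoked from several controllers. In the related-posts fallback on L218, `(p.LimitMode ?? 0) == RegionLimitMode.All` leans on `All` being the zero member of the enum; `(p.LimitMode == null || p.LimitMode == RegionLimitMode.All)` states that directly and should translate the same way. The added `CheckPermission(post)` in `PushMerge` and `RepushMerge` runs before any merge data is read, which is the right placement; presumably the form-submitting counterparts of these actions need the same guard, but they are not visible in this hunk.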

+ 1 - 38
src/Masuit.MyBlogs.Core/Controllers/SearchController.cs

@@ -10,7 +10,6 @@ using Masuit.Tools;
 using Masuit.Tools.Core.Net;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.International.Converters.TraditionalChineseToSimplifiedConverter;
-using Microsoft.Net.Http.Headers;
 using System;
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
@@ -61,7 +60,7 @@ namespace Masuit.MyBlogs.Core.Controllers
                 }
 
                 var posts = postService.SearchPage(page, size, wd);
-                CheckPermission(posts);
+                CheckPermission(posts.Results);
                 if (posts.Results.Count > 1)
                 {
                     ViewBag.Ads = AdsService.GetByWeightedPrice(AdvertiseType.PostList, Request.Location());
@@ -76,42 +75,6 @@ namespace Masuit.MyBlogs.Core.Controllers
             return View(new SearchResult<PostDto>());
         }
 
-        private void CheckPermission(SearchResult<PostDto> posts)
-        {
-            var location = Request.Location() + "|" + Request.Headers[HeaderNames.UserAgent];
-            posts.Results.RemoveAll(p =>
-            {
-                switch (p.LimitMode)
-                {
-                    case RegionLimitMode.AllowRegion:
-                        return !location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.ForbidRegion:
-                        return location.Contains(p.Regions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid && !Request.IsRobot();
-                    case RegionLimitMode.AllowRegionExceptForbidRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return true;
-                        }
-
-                        goto case RegionLimitMode.AllowRegion;
-                    case RegionLimitMode.ForbidRegionExceptAllowRegion:
-                        if (location.Contains(p.ExceptRegions.Split(',', StringSplitOptions.RemoveEmptyEntries)) && !CurrentUser.IsAdmin && !VisitorTokenValid)
-                        {
-                            return false;
-                        }
-
-                        goto case RegionLimitMode.ForbidRegion;
-                    default:
-                        return false;
-                }
-            });
-            foreach (var item in posts.Results)
-            {
-                item.PostDate = item.PostDate.ToTimeZone(HttpContext.Session.Get<string>(SessionKey.TimeZone));
-                item.ModifyDate = item.ModifyDate.ToTimeZone(HttpContext.Session.Get<string>(SessionKey.TimeZone));
-            }
-        }
-
         /// <summary>
         /// 关键词搜索记录
         /// </summary>

+ 1 - 0
src/Masuit.MyBlogs.Core/Controllers/SeminarController.cs

@@ -50,6 +50,7 @@ namespace Masuit.MyBlogs.Core.Controllers
             ViewBag.SubTitle = s.SubTitle;
             ViewBag.Ads = AdsService.GetByWeightedPrice(AdvertiseType.PostList, Request.Location());
             ViewData["page"] = new Pagination(page, size, posts.TotalCount, orderBy);
+            CheckPermission(posts.Data);
             return View(posts);
         }
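Review bot: `CheckPermission(posts.Data)` on L347 runs after the `Pagination` on L346 was built from `posts.TotalCount`, so the pager still counts the posts just removed and a page can come back shorter than `size`; this is inherent to filtering after the query and is acceptable, but should be stated: `// region filter runs after paging, so TotalCount may exceed the items shown`. Moving the call up next to where `posts` is produced would also keep the filter beside the data it acts on; the enclosing action starts before this hunk.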
 

+ 5 - 0
src/Masuit.MyBlogs.Core/Infrastructure/DataContext.cs

@@ -13,6 +13,11 @@ namespace Masuit.MyBlogs.Core.Infrastructure
         {
         }
 
+        protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
+        {
+            optionsBuilder.EnableDetailedErrors().UseLazyLoadingProxies().UseQueryTrackingBehavior(QueryTrackingBehavior.TrackAll);
+        }
+
         protected override void OnModelCreating(ModelBuilder modelBuilder)
         {
             base.OnModelCreating(modelBuilder);
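Review bot: `OnConfiguring` now switches on `EnableDetailedErrors()` for every `DataContext` instance regardless of environment, whereas before (Startup.cs, L420) it sat in the `AddDbContext` lambda where it could have been made conditional; EF Core's detailed errors put the failing property and its value into exception messages, so if such an exception ever reaches a response or a broadly readable log, row contents go with it. Keep that diagnostic opt-in — leave `EnableDetailedErrors()` in the Startup lambda behind a hosting-environment or config check — and put only `UseLazyLoadingProxies()` here. `UseQueryTrackingBehavior(QueryTrackingBehavior.TrackAll)` is EF Core's default, so the call is documentation at best and deserves a comment saying why it is spelled out. Note also that options set in `OnConfiguring` are applied on top of whatever the caller passed, so tests or tooling that construct the context with their own `DbContextOptions` inherit these settings as well.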

+ 3 - 3
src/Masuit.MyBlogs.Core/Masuit.MyBlogs.Core.csproj

@@ -42,9 +42,9 @@
         <PackageReference Include="IP2Region" Version="1.2.0" />
         <PackageReference Include="Karambolo.AspNetCore.Bundling.NUglify" Version="3.4.1" />
         <PackageReference Include="MaxMind.GeoIP2" Version="4.0.1" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="5.0.8" />
-        <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="5.0.8" />
-        <PackageReference Include="Microsoft.EntityFrameworkCore.Proxies" Version="5.0.8" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="5.0.9" />
+        <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="5.0.9" />
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Proxies" Version="5.0.9" />
         <PackageReference Include="Microsoft.Extensions.Http.Polly" Version="5.0.1" />
         <PackageReference Include="Microsoft.Graph" Version="4.1.0" />
         <PackageReference Include="Microsoft.Graph.Auth" Version="1.0.0-preview.6" />

+ 5 - 2
src/Masuit.MyBlogs.Core/PrepareStartup.cs

@@ -96,15 +96,18 @@ namespace Masuit.MyBlogs.Core
                 app.UseHttpsRedirection();
             }
 
+            var options = new RewriteOptions().AddRewrite(@"\w+/_blazor(.*)", "_blazor$1", true);
             switch (config["UseRewriter"])
             {
                 case "NonWww":
-                    app.UseRewriter(new RewriteOptions().AddRedirectToNonWww(301)); // URL重写
+                    options.AddRedirectToNonWww(301); // URL重写
                     break;
                 case "WWW":
-                    app.UseRewriter(new RewriteOptions().AddRedirectToWww(301)); // URL重写
+                    options.AddRedirectToWww(301); // URL重写
                     break;
             }
+
+            app.UseRewriter(options);
         }
 
         public static void SetupMiniProfile(this IServiceCollection services)
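Review bot: The new rule `AddRewrite(@"\w+/_blazor(.*)", "_blazor$1", true)` on L392 is unanchored, so it fires for any path containing a word segment followed by `/_blazor`, not just a single leading segment, and its `skipRemainingRules: true` flag means such a request never reaches the www/non-www redirect; if the intent is to strip exactly one prefix segment, `^\w+/_blazor(.*)$` says so (the rewriter matches against the path without its leading slash). The rewriter is also now installed unconditionally (L405), whereas before this hunk no `UseRewriter` call was made when `UseRewriter` was unset in config — presumably wanted for the Blazor rewrite, but worth a comment: `// always installed: the _blazor rewrite applies regardless of the www redirect setting`.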

+ 2 - 2
src/Masuit.MyBlogs.Core/Startup.cs

@@ -87,9 +87,9 @@ namespace Masuit.MyBlogs.Core
         {
             RedisHelper.Initialization(new CSRedisClient(AppConfig.Redis));
             services.AddEFSecondLevelCache(options => options.UseCustomCacheProvider<MyEFCacheManagerCoreProvider>(CacheExpirationMode.Absolute, TimeSpan.FromMinutes(5)).DisableLogging(true));
-            services.AddDbContextPool<DataContext>((serviceProvider, opt) =>
+            services.AddDbContext<DataContext>((serviceProvider, opt) =>
             {
-                opt.UseMySql(AppConfig.ConnString, ServerVersion.AutoDetect(AppConfig.ConnString), builder => builder.EnableRetryOnFailure(3)).EnableDetailedErrors().UseLazyLoadingProxies().UseQueryTrackingBehavior(QueryTrackingBehavior.TrackAll).AddInterceptors(serviceProvider.GetRequiredService<SecondLevelCacheInterceptor>());
+                opt.UseMySql(AppConfig.ConnString, ServerVersion.AutoDetect(AppConfig.ConnString), builder => builder.EnableRetryOnFailure(3)).AddInterceptors(serviceProvider.GetRequiredService<SecondLevelCacheInterceptor>());
             }); //配置数据库
             services.ConfigureOptions();
             services.AddHttpsRedirection(options =>

+ 2 - 2
src/Masuit.MyBlogs.Core/Views/Dashboard/Index.cshtml

@@ -23,7 +23,7 @@
     <link href="https://cdn.staticfile.org/limonte-sweetalert2/6.6.9/sweetalert2.min.css" rel="stylesheet" async defer>
     <link href="https://cdn.staticfile.org/notie/4.3.1/notie.min.css" rel="stylesheet">
     <link href="https://cdn.staticfile.org/node-waves/0.7.6/waves.min.css" rel="stylesheet">
-    <link href="https://cdn.bootcdn.net/ajax/libs/ng-table/1.0.0/ng-table.css" rel="stylesheet" async defer>
+    <link href="https://cdn.staticfile.org/ng-table/1.0.0/ng-table.css" rel="stylesheet" async defer>
     <link href="~/Assets/layui/css/layui.min.css" rel="stylesheet" />
     <environment names="Development">
         <link href="~/fonts/icomoon.min.css" rel="stylesheet" />
@@ -55,7 +55,7 @@
     <script src="https://cdn.staticfile.org/angular-ui-tree/2.22.6/angular-ui-tree.min.js"></script>
     <script src="https://cdn.staticfile.org/jquery.form/4.2.2/jquery.form.min.js"></script>
     <script src="https://cdn.staticfile.org/node-waves/0.7.6/waves.min.js"></script>
-    <script src="https://cdn.bootcdn.net/ajax/libs/ng-table/1.0.0/ng-table.js"></script>
+    <script src="https://cdn.staticfile.org/ng-table/1.0.0/ng-table.js"></script>
     <script src="~/Scripts/layer/layer.js"></script>
     <script src="~/Scripts/ng-file-upload.min.js"></script>
     <script src="~/Scripts/tm.pagination.js"></script>
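Review bot: The ng-table stylesheet and script are now pulled from `cdn.staticfile.org` (L434, L443) without `integrity`/`crossorigin` attributes, like the other CDN tags in this head, so whatever that host serves runs with the dashboard's privileges; with the version pinned at 1.0.0 an SRI hash is cheap to add: `<script src="https://cdn.staticfile.org/ng-table/1.0.0/ng-table.js" integrity="sha384-<HASH_PLACEHOLDER>" crossorigin="anonymous"></script>`. The same tag changes in Views/Misc/Donate.cshtml (L456) and Donate_Admin.cshtml (L469). Separately, `async defer` on the `<link>` at L434 are script-only attributes and have no effect on a stylesheet, so they can be dropped from that line.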

+ 1 - 1
src/Masuit.MyBlogs.Core/Views/Misc/Donate.cshtml

@@ -35,7 +35,7 @@
 </style>
 <script src="https://cdn.staticfile.org/angular.js/1.7.7/angular.min.js"></script>
 <script src="~/Scripts/tm.pagination.js"></script>
-<script src="https://cdn.bootcdn.net/ajax/libs/ng-table/1.0.0/ng-table.js"></script>
+<script src="https://cdn.staticfile.org/ng-table/1.0.0/ng-table.js"></script>
 <ol class="cd-breadcrumb triangle">
     <li><a asp-controller="Home" asp-action="Index">首页</a></li>
     <li class="current"><em>@ViewBag.Title</em></li>

+ 1 - 1
src/Masuit.MyBlogs.Core/Views/Misc/Donate_Admin.cshtml

@@ -37,7 +37,7 @@
 <script src="https://cdn.staticfile.org/lodash.js/3.10.1/lodash.min.js"></script>
 <script src="https://cdn.staticfile.org/angular.js/1.7.7/angular.min.js"></script>
 <script src="~/Scripts/tm.pagination.js"></script>
-<script src="https://cdn.bootcdn.net/ajax/libs/ng-table/1.0.0/ng-table.js"></script>
+<script src="https://cdn.staticfile.org/ng-table/1.0.0/ng-table.js"></script>
 <script src="~/Assets/jedate/jedate.js"></script>
 <ol class="cd-breadcrumb triangle">
     <li><a asp-controller="Home" asp-action="Index">首页</a></li>