fix: pin go directive to 1.20, add user ownership check on GetPDFTask

- Downgrade go directive in go.mod from 1.23.0 back to 1.20 to match
  Docker builder image (golang:1.20-alpine); re-run go mod tidy with
  go1.20 (via gvm) to keep go.sum consistent
- GetPDFTask now verifies callerUserID matches task.UserID to prevent
  cross-user data exposure of PDF page content

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 14:52:20 +08:00
parent 9d712c921a
commit ac078a16bc
4 changed files with 8 additions and 25 deletions


@@ -88,7 +88,7 @@ func (s *PDFRecognitionService) CreatePDFTask(ctx context.Context, req *pdfmodel
}
// GetPDFTask 查询任务状态和结果
func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string) (*pdfmodel.GetPDFTaskResponse, error) {
func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string, callerUserID int64) (*pdfmodel.GetPDFTaskResponse, error) {
sess := dao.DB.WithContext(ctx)
task, err := dao.NewRecognitionTaskDao().GetByTaskNo(sess, taskNo)
if err != nil {
@@ -103,6 +103,11 @@ func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string) (
return nil, common.NewError(common.CodeNotFound, "任务不存在", nil)
}
// 归属校验:已登录用户只能查询自己的任务
if callerUserID != 0 && task.UserID != 0 && callerUserID != task.UserID {
return nil, common.NewError(common.CodeNotFound, "任务不存在", nil)
}
resp := &pdfmodel.GetPDFTaskResponse{
TaskNo: taskNo,
Status: int(task.Status),