fix: pin go directive to 1.20, add user ownership check on GetPDFTask
- Downgrade the go directive in go.mod from 1.23.0 back to 1.20 to match the Docker builder image (golang:1.20-alpine); re-run go mod tidy with go1.20 (via gvm) to keep go.sum consistent
- GetPDFTask now verifies that callerUserID matches task.UserID to prevent cross-user data exposure of PDF page content

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -88,7 +88,7 @@ func (s *PDFRecognitionService) CreatePDFTask(ctx context.Context, req *pdfmodel
}
// GetPDFTask 查询任务状态和结果
func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string) (*pdfmodel.GetPDFTaskResponse, error) {
func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string, callerUserID int64) (*pdfmodel.GetPDFTaskResponse, error) {
sess := dao.DB.WithContext(ctx)
task, err := dao.NewRecognitionTaskDao().GetByTaskNo(sess, taskNo)
if err != nil {
@@ -103,6 +103,11 @@ func (s *PDFRecognitionService) GetPDFTask(ctx context.Context, taskNo string) (
return nil, common.NewError(common.CodeNotFound, "任务不存在", nil)
}
// 归属校验:已登录用户只能查询自己的任务
if callerUserID != 0 && task.UserID != 0 && callerUserID != task.UserID {
return nil, common.NewError(common.CodeNotFound, "任务不存在", nil)
}
resp := &pdfmodel.GetPDFTaskResponse{
TaskNo: taskNo,
Status: int(task.Status),
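Review bot: The ownership guard `if callerUserID != 0 && task.UserID != 0 && callerUserID != task.UserID {` is skipped entirely when callerUserID is 0, so a caller with no authenticated user who presents a valid taskNo still receives the page content of a task owned by a registered user; whether such callers can reach this method depends on the handler, which is outside the hunk. If the intent is that only anonymous tasks (task.UserID == 0) are readable without login, the condition should be `if task.UserID != 0 && callerUserID != task.UserID {`, keeping the identical not-found response so the check does not reveal whether a taskNo exists. The doc comment `// GetPDFTask 查询任务状态和结果` should also state that callerUserID is the authenticated user's ID, 0 for anonymous callers, and that a task owned by a user is returned only to that user. GetPDFTask begins in the first hunk and its body continues past the end of the second.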