docs(audit): 文件上传 www 权限 fixup 审计记录
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -0,0 +1,37 @@
|
||||
# 审计 — 文件管理上传后自动 www 权限
|
||||
|
||||
## 范围(文件清单)
|
||||
|
||||
| 文件 | 变更 |
|
||||
|------|------|
|
||||
| `server/utils/files_upload_permissions.py` | 解析 RSYNC_PUSH 配置,SSH chown/chmod |
|
||||
| `server/api/sync_v2.py` | `_sftp_upload_one` 上传后 fixup + 响应/审计 |
|
||||
| `frontend/src/composables/files/useFilesActions.ts` | 权限修正失败 warning |
|
||||
| `tests/test_files_upload_permissions.py` | 解析与 apply 单测 |
|
||||
|
||||
## Step 3 规则扫描
|
||||
|
||||
| H | 规则 | 结论 |
|
||||
|---|------|------|
|
||||
| H1 | 复用推送权限配置,不硬编码 | PASS — `RSYNC_PUSH_CHOWN/CHMOD` |
|
||||
| H2 | 上传成功不因 fixup 失败回滚 | PASS — 仅返回 `permission_fixup.error` |
|
||||
| H3 | 命令注入防护 | PASS — `_RSYNC_*_RE` + `shlex.quote` |
|
||||
| H4 | CUD 审计 | PASS — audit_detail 含 chown/chmod |
|
||||
|
||||
## Closure
|
||||
|
||||
| H | 判定 | 依据 |
|
||||
|---|------|------|
|
||||
| H1 | PASS | `upload_permission_plan()` |
|
||||
| H2 | PASS | sync_v2 不 raise on fixup fail |
|
||||
| H3 | PASS | sync_engine_v2 校验 + quote |
|
||||
| H4 | PASS | `_audit_sync("file_upload", ...)` |
|
||||
|
||||
## DoD
|
||||
|
||||
- [x] pytest `test_files_upload_permissions.py` 7 passed
|
||||
- [x] changelog `2026-06-11-files-upload-www-permissions.md`
|
||||
|
||||
## 验证
|
||||
|
||||
文件页上传 → 远端 `ls -la` 为 `www www`;sudo 白名单不足时界面 warning、文件仍保留。
|
||||
Reference in New Issue
Block a user