API-INFO-024 P0 | 权限校验：KnowledgeSource / temporary file 【status:todo】 #134

New Issue

Closed

opened 2026-06-07 11:22:55 +08:00 by wangdl · 2 comments

wangdl commented 2026-06-07 11:22:55 +08:00

Owner

Copy Link

目标

统一阅读事件、进度查询、继续学习中的权限校验。

knowledge_source

1. materialId 查询 KnowledgeSource
2. KnowledgeSource.deletedAt 为空
3. 用户拥有对应 knowledgeBase 访问权限
4. 无权限返回 MATERIAL_ACCESS_DENIED

temporary_file

1. materialId 查询 TemporaryReadingMaterial
2. userId 必须等于当前用户
3. deletedAt 为空且 expiresAt 未过期

验收标准

1. 不能上报别人的 KnowledgeSource
2. 不能上报别人的 temporary file
3. 删除资料后不再接受新事件
4. 过期临时文件不再接受新事件

## 目标 统一阅读事件、进度查询、继续学习中的权限校验。 ## knowledge_source 1. materialId 查询 KnowledgeSource 2. KnowledgeSource.deletedAt 为空 3. 用户拥有对应 knowledgeBase 访问权限 4. 无权限返回 MATERIAL_ACCESS_DENIED ## temporary_file 1. materialId 查询 TemporaryReadingMaterial 2. userId 必须等于当前用户 3. deletedAt 为空且 expiresAt 未过期 ## 验收标准 1. 不能上报别人的 KnowledgeSource 2. 不能上报别人的 temporary file 3. 删除资料后不再接受新事件 4. 过期临时文件不再接受新事件

wangdl added this to the M8：学习信息收集与基础分析闭环 milestone 2026-06-07 11:22:55 +08:00

wangdl changed title from API-INFO-024 P0 | 权限校验：KnowledgeSource / temporary file to API-INFO-024 P0 | 权限校验：KnowledgeSource / temporary file 【status:todo】 2026-06-07 19:04:13 +08:00

wangdl commented 2026-06-07 19:04:13 +08:00

Author

Owner

Copy Link

审查结论：当前 API 项目学习信息收集体系基本为全新建设。可复用：JWT Guard、LearningSession 基础表/CRUD、DailyLearningActivity 基础表、ActivityController 部分接口、LearningRecord schema。其余 ReadingEvent/TemporaryMaterial/Progress/批量上报/Processor/聚合/查询接口/错误码/去重/权限/测试/文档均不存在或仅部分存在。

本 Issue: JWT 全局守护存在。material级权限校验不存在。

标签: audit:reviewed audit:api-info status:todo work:api,work:security

## 审查结论：当前 API 项目学习信息收集体系基本为全新建设。可复用：JWT Guard、LearningSession 基础表/CRUD、DailyLearningActivity 基础表、ActivityController 部分接口、LearningRecord schema。其余 ReadingEvent/TemporaryMaterial/Progress/批量上报/Processor/聚合/查询接口/错误码/去重/权限/测试/文档均不存在或仅部分存在。 **本 Issue**: JWT 全局守护存在。material级权限校验不存在。 **标签**: audit:reviewed audit:api-info status:todo work:api,work:security

wangdl commented 2026-06-08 21:04:22 +08:00

Author

Owner

Copy Link

完成报告

交付

ReadingEventProcessorService.validateReadingAccess(userId, targetType, materialId) — 统一权限校验：

async validateReadingAccess(userId, targetType, materialId):
  { allowed: true, knowledgeBaseId: string | null }
  | { allowed: false, errorCode: string }

knowledge_source 校验链：

1. KnowledgeSource.findById(materialId) → MATERIAL_NOT_FOUND
2. src.userId === userId → MATERIAL_ACCESS_DENIED
3. src.deletedAt === null → SOURCE_DELETED
4. ✅ allowed → knowledgeBaseId = src.knowledgeBaseId

temporary_file 校验链：

1. TemporaryReadingMaterial.findById(materialId) → TEMPORARY_MATERIAL_NOT_FOUND
2. mat.userId === userId → MATERIAL_ACCESS_DENIED
3. mat.deletedAt === null → SOURCE_DELETED
4. mat.expiresAt > now → TEMPORARY_MATERIAL_EXPIRED
5. mat.sourceStatus != "expired" → TEMPORARY_MATERIAL_EXPIRED
6. ✅ allowed → knowledgeBaseId = null

验收标准：

• ✅ 不能上报别人的 KnowledgeSource（userId 校验）
• ✅ 不能上报别人的 temporary file（userId 校验）
• ✅ 删除资料后不接受新事件（deletedAt 检查）
• ✅ 过期临时文件不接受新事件（expiresAt/sourceStatus 检查）

使用方：

• processOne — 上报事件权限校验
• ReadingController.getProgress — 进度查询权限校验

## 完成报告 ### 交付 **`ReadingEventProcessorService.validateReadingAccess(userId, targetType, materialId)`** — 统一权限校验： ```typescript async validateReadingAccess(userId, targetType, materialId): { allowed: true, knowledgeBaseId: string | null } | { allowed: false, errorCode: string } ``` **knowledge_source 校验链：** ``` 1. KnowledgeSource.findById(materialId) → MATERIAL_NOT_FOUND 2. src.userId === userId → MATERIAL_ACCESS_DENIED 3. src.deletedAt === null → SOURCE_DELETED 4. ✅ allowed → knowledgeBaseId = src.knowledgeBaseId ``` **temporary_file 校验链：** ``` 1. TemporaryReadingMaterial.findById(materialId) → TEMPORARY_MATERIAL_NOT_FOUND 2. mat.userId === userId → MATERIAL_ACCESS_DENIED 3. mat.deletedAt === null → SOURCE_DELETED 4. mat.expiresAt > now → TEMPORARY_MATERIAL_EXPIRED 5. mat.sourceStatus != "expired" → TEMPORARY_MATERIAL_EXPIRED 6. ✅ allowed → knowledgeBaseId = null ``` **验收标准：** - ✅ 不能上报别人的 KnowledgeSource（userId 校验） - ✅ 不能上报别人的 temporary file（userId 校验） - ✅ 删除资料后不接受新事件（deletedAt 检查） - ✅ 过期临时文件不接受新事件（expiresAt/sourceStatus 检查） **使用方：** - `processOne` — 上报事件权限校验 - `ReadingController.getProgress` — 进度查询权限校验

wangdl closed this issue 2026-06-08 21:04:22 +08:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

No results found.

Labels

Clear labels

area:activity

活动/统计

area:admin

管理后台

area:admin-api

area:ai

AI/RAG

area:ai-runtime

AI Runtime / AI 分析体系相关

area:analytics

area:api

API 接口

area:auth

认证与授权

area:cos

对象存储

area:database

数据库/Migration

area:import

文件导入/解析

area:knowledge

知识库/知识点

area:learning-info

area:learning-session

area:quiz

测验/自测

area:reading-event

area:reading-progress

area:review

复习系统

area:security

安全相关

audit:api-admin-info

audit:api-info

audit:planned

已完成宏观规划，尚未代码审查

audit:reviewed

blocked-by:api-info-aggregation

blocked-by:api-info-core

blocked-by:api-info-ops

blocked-by:api-info-schema

blocked-by:processor

blocked-by:schema

priority:p0

最高优先级，阻塞发布

priority:p1

高优先级，里程碑必需

priority:p2

中优先级，后续版本

repo:api

API 仓库 Issue

status:blocked

被阻塞

status:done

已完成

status:partial

status:todo

type:aggregation

type:bug

缺陷修复

type:design

设计

type:docs

文档

type:feature

新功能

type:migration

type:refactor

重构

type:test

work:admin-api

work:aggregation

work:api

work:artifact

题目/卡片产物

work:audit

work:circuit-breaker

熔断

work:contract

work:design

架构/协议设计工作

work:docs

work:export

work:extend-existing

work:internal-api

Runtime 内部接口

work:job

Job 调度相关

work:new-module

work:new-table

work:ops

work:query

work:quota

额度/限流

work:schema

Prisma Schema 设计

work:security

work:service

Service 层实现

work:snapshot

Snapshot 构建

work:test

No Label

Milestone

No items

No Milestone M8：学习信息收集与基础分析闭环

Projects

Clear projects

No project

Assignees

Clear assignees

suyun-Claude wangdl

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: wangdl/api-server#134

No description provided.