From 9dc866315f688f5b8a7b3a85b2c842262506f2b2 Mon Sep 17 00:00:00 2001
From: veypi
Date: Mon, 16 Feb 2026 04:49:38 +0800
Subject: [PATCH] fix(api/settings): add admin permission check for settings update

Add permission check in settings update API to ensure only admin users can modify system settings. This fixes a security vulnerability where any authenticated user could modify critical configurations.

- Check 'setting:update' permission before allowing updates
- Return 403 Forbidden for non-admin users
---
 api/settings/update.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/api/settings/update.go b/api/settings/update.go
index c040399..ac86cf8 100644
--- a/api/settings/update.go
+++ b/api/settings/update.go
@@ -7,6 +7,7 @@ package settings
 
 import (
+	"github.com/veypi/vbase/auth"
 	"github.com/veypi/vbase/models"
 	"github.com/veypi/vigo"
 )
@@ -27,7 +28,7 @@ type UpdateResponse struct {
 	Updated int `json:"updated"`
 }
 
-// update 批量更新设置
+// update 批量更新设置(仅管理员可用)
 func update(x *vigo.X, req *UpdateRequest) (*UpdateResponse, error) {
 	// 获取当前用户ID
 	userID := ""
@@ -35,6 +36,15 @@ func update(x *vigo.X, req *UpdateRequest) (*UpdateResponse, error) {
 		userID = u.(string)
 	}
 
+	// 检查用户是否为管理员(检查 setting:update 权限)
+	isAdmin, err := auth.VBaseAuth.CheckPermission(x.Context(), userID, "", "setting:update", "")
+	if err != nil {
+		return nil, vigo.ErrInternalServer.WithError(err)
+	}
+	if !isAdmin {
+		return nil, vigo.ErrForbidden.WithString("only admin can update settings")
+	}
+
 	updated := 0
 	for _, item := range req.Settings {
 		if err := models.SetSetting(item.Key, item.Value, userID); err != nil {
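Review bot: The new check passes `userID` straight into `auth.VBaseAuth.CheckPermission` even when it is still the empty string initialised by `userID := ""` (the assignment from the request context begins above the hunk), so a request with no authenticated user is denied only if the auth backend happens to treat an empty subject as having no permissions. Fail closed by rejecting an empty subject before the lookup, e.g. `if userID == "" { return nil, vigo.ErrForbidden.WithString("authentication required") }` (or the 401-style error if vigo exposes one). It would also help operators to log the denied attempt with the user ID and route so repeated probing of this endpoint is visible in the server log rather than silently returning 403. The body of `update` continues past the end of the hunk.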