diff --git a/src/handlers/imagetar.go b/src/handlers/imagetar.go
index f263965..bcb841e 100644
--- a/src/handlers/imagetar.go
+++ b/src/handlers/imagetar.go
@@ -717,6 +717,10 @@ func handleDirectImageDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 if c.Query("mode") == "prepare" {
 userID := getUserID(c)
@@ -765,6 +769,10 @@ func handleDirectImageDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "下载令牌与镜像不匹配"})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(req.Image); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 options := &StreamOptions{
 Platform: req.Platform,
@@ -844,12 +852,24 @@ func handleSimpleBatchDownload(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像列表不能为空"})
 return
 }
+ for _, imageRef := range req.Images {
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
+ }
 for i, imageRef := range req.Images {
 if !strings.Contains(imageRef, ":") && !strings.Contains(imageRef, "@") {
 req.Images[i] = imageRef + ":latest"
 }
 }
+ for _, imageRef := range req.Images {
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
+ }
 cfg := config.GetConfig()
 if len(req.Images) > cfg.Download.MaxImages {
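Review bot: The new check in handleDirectImageDownload is handed the raw `imageRef` string, so the allow/deny decision depends on CheckDockerAccess normalising the name the same way the later pull does (implicit registry and `library/` prefix, tag versus digest); that function is not shown here, so confirm it canonicalises identically or pass it the already-parsed reference. The same four-line block is repeated at the `req.Image` check, in both loops of handleSimpleBatchDownload and in handleImageInfo, and a small shared helper that writes the 403 and returns a bool would keep those five sites from drifting apart. `reason` is returned to the caller verbatim, which is only safe if it never echoes entries of the configured access list. The function body starts and ends outside the hunk.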
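Review bot: handleSimpleBatchDownload now runs the identical CheckDockerAccess loop twice, once before and once after the `:latest` defaulting loop, and only the second pass sees the references that are actually used afterwards. If the checker ignores tags the first pass is redundant, and if it does not, the first pass evaluates a string that is never pulled; keeping a single loop after normalisation is enough. Both passes also run before the `len(req.Images) > cfg.Download.MaxImages` limit, so an oversized list is checked in full before it is rejected; moving the length check above the access loop bounds that work. Unlike the other handlers, no per-reference format validation is visible ahead of the check, though it may sit outside the hunk.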
@@ -910,6 +930,10 @@ func handleImageInfo(c *gin.Context) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "镜像引用格式错误: " + err.Error()})
 return
 }
+ if allowed, reason := utils.GlobalAccessController.CheckDockerAccess(imageRef); !allowed {
+ c.JSON(http.StatusForbidden, gin.H{"error": reason})
+ return
+ }
 ctx := c.Request.Context()
 contextOptions := append(globalImageStreamer.remoteOptions, remote.WithContext(ctx))