Both - Implemented setting allow_browser

Author: Colin Yang

README.md

@@ -171,12 +171,12 @@ STATUS_EXPORT_XLSX_UNSUPPORTED | 导出数据(仅限xlsx) | 61 | 200 | 服务器
   * 参数
     * `settingId` - 必需 - 设置Id，详见设置列表
     * `value` - 必需 - 值，详见设置列表
-  * 返回值 - [ "status": 状态码, "result": 所有非默认设置，如`{ "all_category": "#student_#teacher_" }` ]
+  * 返回值 - [ "status": 状态码, "result": 提示文本 ]
   * 可能返回的非全局状态码 - STATUS_SETTING_NOT_RECOGNISED
 * settings - 获取所有设置
   * 请求头
     * `X-TPV-Manage-Token` - 必须
-  * 返回值 - [ "status": 状态码, "result": 所有非默认设置，如`{ "all_category": "#student_#teacher_" }` ]
+  * 返回值 - [ "status": 状态码, "result": 所有变更过的设置，如`{ "all_category": "#student_#teacher_" }` ]
 * update - 更新标签的值，标签必须存在
   * 请求头
     * `X-TPV-Manage-Token` - 必须
@@ -191,3 +191,4 @@ STATUS_EXPORT_XLSX_UNSUPPORTED | 导出数据(仅限xlsx) | 61 | 200 | 服务器
 设置Id | 设置名 | 接受的值
 -|-|-
 all_category | 标签浏览页·分类列表 | 使用井号#分隔的文本
+allow_browser | 允许来自浏览器的读写 | 不是`"false"`默认为`"true"`

backend/class/api/Getvalue.class.php

@@ -2,7 +2,21 @@
 
 class ApiGetvalue extends Api {
 
+  static function checkAllowBrowser() {
+    if (json_decode(DbProvider::getDb()->get(DbBase::$KEY_MANAGE_SETTINGS), true)['allow_browser'] === 'false'
+        && (isset($_SERVER['HTTP_ORIGIN'])
+         || isset($_SERVER['HTTP_REFERER'])
+         || isset($_SERVER['HTTP_USER_AGENT'])
+         || isset($_SERVER['HTTP_COOKIE'])
+         || $_SERVER['HTTP_ACCEPT'] != 'application/json')) {
+      http_response_code(403);
+      echo json_encode([ 'RESUFED VIA SETTING (allow_browser = false)', '', '' ]);
+      die();
+    }
+  }
+
   function handle() {
+    self::checkAllowBrowser();
     $key = (string) $_REQUEST['tag'];
     if (DbBase::keyReserved($key)) {
       http_response_code(403);

backend/class/api/Manage.class.php

@@ -341,12 +341,13 @@ function handle() {
       case 'setting_update': {
         $settingId = (string) $_REQUEST['settingId'];
         switch ($settingId) {
-          case 'all_category': {
+          case 'all_category':
+          case 'allow_browser': {
             self::updateSetting($settingId, $value);
             return [ 'result' => 'Succeed' ];
           }
           default: {
-            return [ 'status' => STATUS_API_FAILED, 'result' => 'The settingId can not be recognised.' ];
+            return [ 'status' => STATUS_SETTING_NOT_RECOGNISED, 'result' => 'The settingId can not be recognised.' ];
           }
         }
       }

backend/class/api/Storeavalue.class.php

@@ -3,6 +3,7 @@
 class ApiStoreavalue extends Api {
 
   function handle() {
+    ApiGetvalue::checkAllowBrowser();
     $key = (string) $_REQUEST['tag'];
     $value = (string) $_REQUEST['value'];
     if (DbBase::keyReserved($key)) {

frontend/tinywebdb-php-vue/src/components/Index.vue

@@ -75,7 +75,7 @@ export default {
         setTimeout(() => (this.get_succeed = false), 800)
       } catch (e) {
         if (e.response && e.response.status === 403) {
-          this.$root.showInfo('', '获取失败，该标签属于系统保留标签')
+          this.$root.showInfo('', '获取失败，该标签属于系统保留标签 或 根据设定，浏览器的访问不被允许')
         } else {
           console.error(e)
           this.$root.showInfo('', '获取失败，错误信息见console')
@@ -91,7 +91,7 @@ export default {
         setTimeout(() => (this.store_succeed = false), 800)
       } catch (e) {
         if (e.response && e.response.status === 403) {
-          this.$root.showInfo('', '保存失败，该标签属于系统保留标签')
+          this.$root.showInfo('', '保存失败，该标签属于系统保留标签 或 根据设定，浏览器的访问不被允许')
         } else {
           console.error(e)
           this.$root.showInfo('', '保存失败，错误信息见console')

frontend/tinywebdb-php-vue/src/components/manage/Setting.vue

@@ -3,17 +3,17 @@
     <template slot="header">设置</template>
 
     <div v-if="loaded === true">
-      <div style="font-weight:bold; margin-bottom:10px" disabled>标签浏览页·分类列表</div>
+      <div class="setting-header">标签浏览页·分类列表</div>
       <div>
         <b-form-group>
-          <b-input v-model="setting.all_category" />
+          <b-input v-model="all_category.value" />
           <template slot="description">
             使用井号#分隔每一项（重复项会被隐藏）<br>
             例如：默认显示全部，可选显示“student_”或者“teacher_”开头的标签，则应当这么填：
-            <b-link @click="setting.all_category = '#student_#teacher_'">#student_#teacher_（点击预览）</b-link>
+            <b-link @click="all_category.value = '#student_#teacher_'">#student_#teacher_（点击预览）</b-link>
             <br>
             例如：默认显示“student_”，可选显示全部和开头为“teacher_”的标签，则应当这么填：
-            <b-link @click="setting.all_category = 'student_##teacher_'">student_##teacher_（点击预览）</b-link>
+            <b-link @click="all_category.value = 'student_##teacher_'">student_##teacher_（点击预览）</b-link>
           </template>
         </b-form-group>
         <b-form-group label="预览">
@@ -23,15 +23,29 @@
               :select-size="Math.min(5, all_category_preview.length)" />
         </b-form-group>
         <SpinnerButton
-            :variant="typeof buttonVariant.all_category === 'string' ? buttonVariant.all_category : 'secondary'"
-          @click="updateCategory">
-          <span v-text="typeof buttonText.all_category === 'string' ? buttonText.all_category : '保存'"/>
+            :variant="typeof all_category.variant === 'string' ? all_category.variant : 'secondary'"
+            @click="onDone => save('all_category', onDone)">
+          <span v-text="typeof all_category.text === 'string' ? all_category.text : '保存'"/>
         </SpinnerButton>
       </div>
 
       <hr>
 
-      <div style="font-weight:bold; margin-bottom:10px" disabled>危险选项</div>
+      <div class="setting-header">数据安全</div>
+      <div>
+        <b-form-group description="说明：本功能对于数据防修改能力较弱，仅做简单的浏览器级别防御，请不要过度依赖">
+          <b-checkbox v-model="allow_browser.value">允许来自浏览器的读写</b-checkbox>
+        </b-form-group>
+        <SpinnerButton
+            :variant="typeof allow_browser.variant === 'string' ? allow_browser.variant : 'secondary'"
+            @click="onDone => save('allow_browser', onDone)">
+          <span v-text="typeof allow_browser.text === 'string' ? allow_browser.text : '保存'"/>
+        </SpinnerButton>
+      </div>
+
+      <hr>
+
+      <div class="setting-header">危险选项</div>
       <div>
         <b-form-group>
           <SpinnerButton @click="eraseData" variant="danger">清除数据库</SpinnerButton>
@@ -66,20 +80,21 @@ export default {
   data () {
     return {
       loaded: false,
-      setting: {
-        all_category: ''
-      },
-      buttonVariant: {
-        all_category: undefined
+      all_category: {
+        value: '',
+        variant: undefined,
+        text: undefined
       },
-      buttonText: {
-        all_category: undefined
+      allow_browser: {
+        value: true,
+        variant: undefined,
+        text: undefined
       }
     }
   },
   computed: {
     all_category_preview () {
-      return Array.from(new Set(this.setting.all_category.split('#')))
+      return Array.from(new Set(this.all_category.value.split('#')))
         .map(item => ({value: item, text: item.length === 0 ? '显示所有' : `前缀\`${item}\``}))
     }
   },
@@ -92,7 +107,8 @@ export default {
       let { status, result } = (await this.$parent.service.get('settings')).data
       switch (status) {
         case 0: {
-          if (result.hasOwnProperty('all_category')) this.setting.all_category = result.all_category
+          this.all_category.value = result.all_category || ''
+          this.allow_browser.value = result.allow_browser !== 'false'
           this.loaded = true
           break
         }
@@ -101,27 +117,29 @@ export default {
         }
       }
     },
-    async save (settingId, value) {
+    async save (settingId, onDone = () => {}) {
+      let value = (this[settingId] || {}).value
+      if (value === undefined || value === null) {
+        this.$root.showInfo('', '设置内容为undefined或null，请刷新页面后重试。如反复出现请联系作者排查问题')
+        return
+      }
       let { status } = (await this.$parent.service.post('setting_update', { settingId, value })).data
       switch (status) {
         case 0: {
-          return true
+          this[settingId].text = '保存成功'
+          this[settingId].variant = 'success'
+          onDone()
+          await this.$root.sleep(1000)
+          this[settingId].text = undefined
+          this[settingId].variant = undefined
+          break
         }
         default: {
           throw new Error(`保存设置'${settingId}'失败，错误码${status}`)
         }
       }
     },
 
-    async updateCategory (onDone) {
-      let result = await this.save('all_category', this.setting.all_category)
-      onDone()
-      this.buttonText.all_category = result ? '保存成功' : '保存失败'
-      this.buttonVariant.all_category = result ? 'success' : 'danger'
-      await this.$root.sleep(1000)
-      this.buttonText.all_category = undefined
-      this.buttonVariant.all_category = undefined
-    },
     eraseData (onDone) {
       this.$root.showConfirm('', '确认要清空数据库吗？该操作无法逆转！请提前做好数据备份', async () => {
         let { status } = (await this.$parent.service.post('erase_data')).data
@@ -176,5 +194,8 @@ export default {
 </script>
 
 <style>
-
+.setting-header {
+  font-weight: bold;
+  margin-bottom: 10px;
+}
 </style>