
[BUG] Even without delete permission, files on the local disk can be deleted by overwriting them with an empty file #1879

@Ahhh9h

Description

Please confirm the following

  • I have read and agree to AGPL-3.0 Section 15.
    The program is provided "as is" without any warranties; you bear all risks of using it.

  • I have read and agree to AGPL-3.0 Section 16.
    The copyright holders and distributors are not liable for any damages resulting from the use or inability to use the program.

  • I confirm my description is clear, polite, helps developers quickly locate the issue, and complies with community rules.

  • I have read the OpenList documentation.

  • I confirm there are no duplicate issues or discussions.

  • I confirm this is an OpenList issue, not caused by other reasons (such as network, dependencies, or operation).

  • I believe this issue must be handled by OpenList and not by a third party.

  • I confirm this issue is not fixed in the latest version.

OpenList Version (required)

v4.1.8

Storage Driver Used (required)

Local disk

Bug Description (required)

Any user who has upload permission but no delete permission can delete (or replace) data on the local disk without authorization by overwriting it with an empty file of the same name.
I don't know whether this method also works on cloud drives.

Suggestion: merge the "overwrite" part of upload with the delete permission into a single permission that is granted together.

Logs (required)

None.

Configuration File Content (required)

{
  "force": false,
  "site_url": "",
  "cdn": "",
  "token_expires_in": 42,
  "database": {
    "type": "sqlite3",
    "host": "",
    "port": 0,
    "user": "",
    "password": "",
    "name": "",
    "db_file": "data/data.db",
    "table_prefix": "x_",
    "ssl_mode": "",
    "dsn": ""
  },
  "meilisearch": {
    "host": "http://localhost:7700",
    "api_key": "",
    "index": "openlist"
  },
  "scheme": {
    "address": "0.0.0.0",
    "http_port": -1,
    "https_port": 6600,
    "force_https": true,
    "unix_file": "",
    "unix_file_perm": "",
    "enable_h2c": false,
    "enable_h3": false
  },
  "temp_dir": "data/temp",
  "bleve_dir": "data/bleve",
  "dist_dir": "",
  "log": {
    "enable": true,
    "name": "data/log/log.log",
    "max_size": 50,
    "max_backups": 30,
    "max_age": 28,
    "compress": false,
    "filter": {
      "enable": false,
      "filters": [
        {
          "cidr": "",
          "path": "/ping",
          "method": ""
        },
        {
          "cidr": "",
          "path": "",
          "method": "HEAD"
        },
        {
          "cidr": "",
          "path": "/dav/",
          "method": "PROPFIND"
        }
      ]
    }
  },
  "delayed_start": 0,
  "max_buffer_limitMB": -1,
  "mmap_thresholdMB": 4,
  "max_connections": 0,
  "max_concurrency": 64,
  "tls_insecure_skip_verify": true,
  "tasks": {
    "download": {
      "workers": 5,
      "max_retry": 1,
      "task_persistant": false
    },
    "transfer": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": false
    },
    "upload": {
      "workers": 5,
      "max_retry": 0,
      "task_persistant": false
    },
    "copy": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": false
    },
    "move": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": false
    },
    "decompress": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": false
    },
    "decompress_upload": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": false
    },
    "allow_retry_canceled": false
  },
  "cors": {
    "allow_origins": [
      ""
    ],
    "allow_methods": [
      "*"
    ],
    "allow_headers": [
      "*"
    ]
  },
  "s3": {
    "enable": false,
    "port": 5246,
    "ssl": false
  },
  "ftp": {
    "enable": false,
    "listen": ":5221",
    "find_pasv_port_attempts": 50,
    "active_transfer_port_non_20": false,
    "idle_timeout": 900,
    "connection_timeout": 30,
    "disable_active_mode": false,
    "default_transfer_binary": false,
    "enable_active_conn_ip_check": true,
    "enable_pasv_conn_ip_check": true
  },
  "sftp": {
    "enable": false,
    "listen": ":5222"
  },
  "last_launched_version": "v4.1.8",
  "proxy_address": ""
}

Reproduction Link (optional)

No response
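The permission gap the report describes, shown as an added Go example written for this page (it is not OpenList's code and does not reproduce its real permission model): a hypothetical ACL with separate upload and delete bits, a constructed in-memory store standing in for the local-disk driver, and an upload function in the reported form beside one that treats overwriting an existing path as a delete plus a create, which is the merge the reporter suggests.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a hypothetical per-storage ACL bitmask used only for this
// example; it is not OpenList's permission encoding.
type Permission uint32

const (
	PermRead   Permission = 1 << iota // list and download
	PermUpload                        // create files
	PermDelete                        // remove files
)

var (
	ErrUploadDenied    = errors.New("upload permission required")
	ErrOverwriteDenied = errors.New("overwriting an existing file requires delete permission")
)

// User carries a name and the permissions granted on the storage.
type User struct {
	Name  string
	Perms Permission
}

// Has reports whether every bit in p is granted to the user.
func (u User) Has(p Permission) bool { return u.Perms&p == p }

// FileStore is a constructed in-memory stand-in for the local-disk driver,
// mapping a path to the file's contents.
type FileStore map[string][]byte

// UploadUnchecked models the behaviour described in the report: the only
// gate is the upload bit, so an uploader can replace any existing file,
// including with an empty body, which leaves it truncated.
func UploadUnchecked(store FileStore, u User, path string, data []byte) error {
	if !u.Has(PermUpload) {
		return ErrUploadDenied
	}
	store[path] = data
	return nil
}

// UploadChecked applies the reporter's suggestion: creating a new file needs
// PermUpload, but replacing an existing path is a delete followed by a
// create, so it additionally needs PermDelete. Nothing is written when the
// check fails, so the existing data survives the request.
func UploadChecked(store FileStore, u User, path string, data []byte) error {
	if !u.Has(PermUpload) {
		return ErrUploadDenied
	}
	if _, exists := store[path]; exists && !u.Has(PermDelete) {
		return ErrOverwriteDenied
	}
	store[path] = data
	return nil
}

func main() {
	uploader := User{Name: "uploader", Perms: PermRead | PermUpload}
	store := FileStore{"docs/report.txt": []byte("quarterly numbers")} // constructed sample

	// Reported behaviour: the file is emptied although the user cannot delete.
	_ = UploadUnchecked(store, uploader, "docs/report.txt", []byte{})
	fmt.Printf("unchecked: contents=%q\n", store["docs/report.txt"])

	// Suggested behaviour: the same request is refused and the data is kept.
	store["docs/report.txt"] = []byte("quarterly numbers")
	err := UploadChecked(store, uploader, "docs/report.txt", []byte{})
	fmt.Printf("checked: err=%v contents=%q\n", err, store["docs/report.txt"])
}
```

The same check applies to any driver whose upload path silently replaces an existing object, which is why the reporter's question about cloud drives is worth answering per driver: the decision has to be made at the authorization layer on the target path's existence, not left to whatever the backend's write call does.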

Metadata

Labels

  • Module: User (user and authentication related issue/PR)
  • enhancement
  • has-parent (sub-issues that have a parent collection)