From f778f92da5702e4b3547d8d9c65d52e3bff2bf29 Mon Sep 17 00:00:00 2001 From: saaa99999999 Date: Sun, 24 May 2026 21:48:45 +0800 Subject: [PATCH] fix: fix tag export/import routes bypassing JWT auth (CWE-306) Tag export and import routes used r.POST() instead of apiv1.POST(), placing them outside the JWT-protected /api/v1 group. Fix by using apiv1.POST() to enforce authentication on these endpoints. --- routers/router.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/routers/router.go b/routers/router.go index 23cc8f25..f2cf839b 100755 --- a/routers/router.go +++ b/routers/router.go @@ -43,9 +43,9 @@ func InitRouter() *gin.Engine { //删除指定标签 apiv1.DELETE("/tags/:id", v1.DeleteTag) //导出标签 - r.POST("/tags/export", v1.ExportTag) + apiv1.POST("/tags/export", v1.ExportTag) //导入标签 - r.POST("/tags/import", v1.ImportTag) + apiv1.POST("/tags/import", v1.ImportTag) //获取文章列表 apiv1.GET("/articles", v1.GetArticles)