From 28401d6053b25c78c38d4fbc3841bcffaf66de92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BA=8E=E5=B0=8F=E4=B8=98?=
Date: Fri, 19 Dec 2025 17:21:59 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=E7=9B=AE=E5=BD=95?= =?UTF-8?q?=E8=8E=B7=E5=8F=96=E9=80=BB=E8=BE=91=EF=BC=8C=E7=A1=AE=E4=BF=9D?= =?UTF-8?q?=E8=B7=AF=E5=BE=84=E4=BB=A5=E7=94=A8=E6=88=B7=E5=90=8D=E5=BC=80?= =?UTF-8?q?=E5=A4=B4=E5=B9=B6=E6=B7=BB=E5=8A=A0=E9=94=99=E8=AF=AF=E5=A4=84?= =?UTF-8?q?=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 routers/controllers/directory.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/routers/controllers/directory.py b/routers/controllers/directory.py
index 2ce971c..f0e30a7 100644
--- a/routers/controllers/directory.py
+++ b/routers/controllers/directory.py
@@ -27,17 +27,28 @@ directory_router = APIRouter(
 async def router_directory_get(
 session: SessionDep,
 user: Annotated[User, Depends(AuthRequired)],
- path: str = ""
+ path: str
 ) -> DirectoryResponse:
 """
 获取目录内容
+ 路径必须以用户名开头,如 /api/directory/admin 或 /api/directory/admin/docs
+
 :param session: 数据库会话
 :param user: 当前登录用户
- :param path: 目录路径
+ :param path: 目录路径(必须以用户名开头)
 :return: 目录内容
 """
- folder = await Object.get_by_path(session, user.id, path or "/", user.username)
+ # 路径必须以用户名开头
+ path = path.strip("/")
+ if not path:
+ raise HTTPException(status_code=400, detail="路径不能为空,请使用 /{username} 格式")
+
+ path_parts = path.split("/")
+ if path_parts[0] != user.username:
+ raise HTTPException(status_code=403, detail="无权访问其他用户的目录")
+
+ folder = await Object.get_by_path(session, user.id, "/" + path, user.username)
 if not folder:
 raise HTTPException(status_code=404, detail="目录不存在")
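Review bot: The new ownership guard in `router_directory_get` compares only `path_parts[0]` with `user.username`, so every later segment reaches `Object.get_by_path` unvalidated; empty, `.` and `..` segments all pass the 403 check as long as the first segment is the caller's own name. Whether that matters depends on how `get_by_path` resolves segments and whether it scopes each lookup to `user.id`, neither of which is visible in this hunk; if it does not, this string comparison is the only barrier between users. I would reject such segments before the lookup, for example `if any(p in ("", ".", "..") for p in path_parts): raise HTTPException(status_code=400, detail="invalid path segment")`, and add a test that a path starting with the caller's username but containing `..` gets 400. The function body continues past the end of the hunk.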