From 990f1b09f3a7db25a559b9647fc3d036237e6d79 Mon Sep 17 00:00:00 2001
From: satori <huan0016@gmail.com>
Date: Tue, 8 Feb 2022 04:39:51 +0800
Subject: [PATCH] =?UTF-8?q?=E9=98=B2=E6=AD=A2=E5=BE=AA=E7=8E=AF=E6=8C=82?=
 =?UTF-8?q?=E8=BD=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 index.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/index.js b/index.js
index 9fd6d54..077e937 100644
--- a/index.js
+++ b/index.js
@@ -290,6 +290,9 @@ const object_create = async function (req, res) {
 function object_patch(req, res, next) {
   return db(req.params.name).findOne({ _id: req.params._id }, function (err, doc) {
     if (!doc) return res.status(404).send('目标对象不存在')
+    if (typeof (req.body.attach) !== "undefined") return res.status(403).send("无权限修改挂载目标")
+    if (typeof (req.body.aid) !== "undefined") return res.status(403).send("无权限修改挂载目标")
+
     // 如果是 user 做一些特殊处理
     if (req.params.name === 'user') {
       if (req.session.account.gid !== 1) {