From a1faa638122e68c2e5bd77a4c7bbeb628358b5ec Mon Sep 17 00:00:00 2001
From: zmister <zmister@qq.com>
Date: Mon, 19 Jul 2021 15:26:35 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=96=87=E6=A1=A3=E6=B5=8F?=
 =?UTF-8?q?=E8=A7=88=E9=A1=B5=E6=9D=83=E9=99=90=E5=8F=AF=E8=A2=AB=E7=BB=95?=
 =?UTF-8?q?=E8=BF=87=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGES.md       | 1 +
 app_doc/views.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 804c13c..465b407 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,6 +7,7 @@
 - [修复]vditor编辑器粘贴多图片文本时图片只有一张图的问题;
 - [修复]找回密码邮件发送失败的问题；
 - [修复]后台管理用户管理用户无法搜索的问题；
+- [修复]文档访问权限可绕过的问题；
 - [优化]个人中心我协作的文集页面及功能；
 - [优化]后台邮件服务器配置逻辑和页面展示；
 
diff --git a/app_doc/views.py b/app_doc/views.py
index 863410c..c48e662 100644
--- a/app_doc/views.py
+++ b/app_doc/views.py
@@ -946,6 +946,8 @@ def doc(request,pro_id,doc_id):
     try:
         if pro_id != '' and doc_id != '':
             # 获取文集信息
+            doc = Doc.objects.get(id=int(doc_id),status__in=[0,1]) # 文档信息
+            pro_id = doc.top_doc
             project = Project.objects.get(id=int(pro_id))
             # 获取文集的文档目录
             toc_list,toc_cnt = get_pro_toc(pro_id)