WO2022193494A1 - Permission control method, server, terminal, storage medium, and computer program - Google Patents

Permission control method, server, terminal, storage medium, and computer program

Info

Publication number
WO2022193494A1
Authority
WO
WIPO (PCT)
Prior art keywords
token
file
server
path
terminal device
Application number
PCT/CN2021/105569
Other languages
French (fr)
Chinese (zh)
Inventor
王之龙
郑猛猛
杨子骁
徐伟伟
Original Assignee
上海商汤智能科技有限公司
Application filed by 上海商汤智能科技有限公司
Priority to KR1020227014600A (KR20220130088A)
Publication of WO2022193494A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

Embodiments of the present application disclose a permission control method, a server, a terminal, a storage medium, and a computer program. The method comprises: the server receives a first file operation request from a terminal device, the first file operation request being used for requesting to perform a first operation on a file of a first path, the first file operation request carrying a first token, the first token comprising a second path and a first operation set, the first operation set comprising at least one operation, and the first path and the second path being both paths in a file management system operated by the server; when the first file operation request satisfies first conditions, the server performs the first operation on the file, the first conditions comprising: validity verification of the first token by the server is successful, the first operation is comprised in the first operation set, and the second path comprises the first path. A permission of a user can be verified more quickly.

Description

Permission control method, server, terminal, storage medium and computer program
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is based on, and claims priority from, Chinese patent application No. 202110274535.8 filed on March 15, 2021, the entire content of which is incorporated herein by reference.
TECHNICAL FIELD
The present application relates to the field of permission control, and in particular to a permission control method, a server, a terminal, a storage medium and a computer program.
BACKGROUND
In the field of online documents, a user's personal files (pictures, documents, audio, video, etc.) are stored in the cloud, for example on a server that provides a file management service. The server needs to apply access control to some of the private files it stores. Access control by the server means that the server allows a user to perform a first operation on a file only after verifying that the user holds the permission to perform that first operation on the file being accessed. The first operation may include at least one of: read-only, write, modify, delete, and so on. For example, after the user enters an instruction to modify an online file the user is accessing, the server verifies whether the user has permission to modify that online file. If the server verifies that the user has that permission, it performs the corresponding operation according to the modification instruction; otherwise, it refuses to execute the modification instruction.
At present, the server usually verifies whether a user has permission to perform an operation on a document by querying the user's permission information. However, querying the user's permission information usually takes a long time, so verifying the user's permission takes a long time and the user experience is poor. There is therefore a need for a way to verify a user's permissions more quickly.
SUMMARY OF THE INVENTION
Embodiments of the present application disclose a permission control method, a server, a terminal, a storage medium and a computer program.
In a first aspect, an embodiment of the present application provides a permission control method for online files. The method includes: a server receives a first file operation request from a terminal device, the first file operation request requesting that a first operation be performed on a file at a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, and both the first path and the second path being paths in a file management system run by the server; when the first file operation request satisfies a first condition, the server performs the first operation on the file, the first condition including: the first token passes the server's legality check, the first operation is included in the first operation set, and the second path includes the first path.
The time the server needs to determine whether the first file operation request satisfies the first condition is less than the time needed to check whether the user (corresponding to the terminal device) has permission to perform the first operation on the file at the first path.
In this embodiment of the present application, the server performs the first operation on the file when the first file operation request satisfies the first condition; the server does not need to query the permission information of the user (corresponding to the terminal device), so it can verify the user's permission more quickly and thus respond to the first file operation request more quickly.
In a possible implementation, the first token further includes a validity period of the first token, and the first condition further includes: the time at which the server receives the first file operation request falls within the validity period.
The validity period of the first token can be used to determine whether the first token is valid. It should be understood that if the time at which the server receives the first token (that is, the time at which it receives the first file operation request) falls within the validity period of the first token, the first token is valid; otherwise, the first token has expired.
In this implementation, the first condition further includes that the time at which the server receives the first file operation request falls within the validity period, so the server can determine quickly and accurately that the token is valid. In addition, setting a validity period on the token limits the damage caused by leakage of the token. In some embodiments, the server may set different validity periods according to the permissions (corresponding to the first operation set). For example, for high-risk operations on files such as modification and deletion, the validity period of the token is set as short as possible; for permissions such as viewing files, the validity period can be relaxed.
In a possible implementation, before the server performs the first operation on the file, the method further includes: the server performs a legality check and a validity check on the first token, the validity check being a check of whether the time at which the server receives the first file operation request falls within the validity period; when the first token passes the legality check and the validity check, the server verifies whether the first operation is included in the first operation set and whether the second path includes the first path.
In this implementation, the legality check and the validity check of the first token are performed first, and only when the first token passes both is it verified whether the first operation is included in the first operation set and whether the second path includes the first path; this avoids unnecessary verification of the operation set and the path.
In a possible implementation, before the server receives the first file operation request from the terminal device, the method further includes: the server generates the first token, and the server sends the first token to the terminal device.
In this implementation, the server sends the first token to the terminal device so that the terminal device can use the first token to generate the file operation requests it needs.
In a possible implementation, the server generating the first token includes: the server generates an initial token and encrypts the initial token based on the HMAC-SHA256 algorithm to obtain the first token, where the server may store a secret key (Secret). The server generating the initial token may be: the server generates the initial token using JSON Web Token (abbreviated JWT), JWT being a currently popular cross-domain authentication solution.
In the embodiments of the present application, the initial token is encrypted based on the HMAC-SHA256 algorithm to obtain the first token, so that the content of the first token cannot be cracked externally and the first token cannot be forged; security is high.
In a possible implementation, before the server generates the first token, the method further includes: the server receives a token acquisition request from the terminal device, the token acquisition request requesting the token needed to perform the first operation on the file at the first path; the server obtains, according to the token acquisition request, the role permission information of the target account logged in on the terminal device, the target account being the account the terminal device uses to log in to the file management system; and the server generating the first token includes: the server generates the first token according to the role permission information.
In this implementation, the server generates the first token according to the role permission information, so a first token matching that role permission information can be generated quickly.
In a possible implementation, before the server receives the token acquisition request from the terminal device, the method further includes: the server performs login authentication of the terminal device logging in to the file management system with the target account; and the server receiving the token acquisition request from the terminal device includes: the server receives an access operation by the terminal device on the file at the first path in the file management system.
The server may authenticate the login of the target account by checking the target account and password used by the terminal device to log in to the file management system. The access operation may be an operation in which the terminal device selects the file at the first path, for example clicking on the file at the first path.
In this implementation, the server receiving an access operation by the terminal device on the file at the first path in the file management system can be treated as receiving a token acquisition request from the terminal device, so the corresponding token can be generated promptly.
In a possible implementation, the method further includes: the server receives a second file operation request from the terminal device, the second file operation request requesting that a second operation be performed on a file at a third path, the second file operation request carrying a second token, the second token including a fourth path and a second operation set, the second operation set including at least one operation; when the second file operation request does not satisfy a second condition, the server rejects the second file operation request, the second condition including: the second token passes the server's legality check, the second operation is included in the second operation set, and the fourth path includes the third path.
In this embodiment of the present application, the server rejects the second file operation request when it does not satisfy the second condition; there is no need to check the permission of the user (corresponding to the terminal device), so the user's permission can be verified more quickly and the second file operation request answered more quickly.
In a possible implementation, the second token further includes a validity period of the second token, and the second condition further includes: the time at which the server receives the second file operation request falls within the validity period of the second token.
In this implementation, the second condition further includes that the time at which the server receives the second file operation request falls within the validity period of the second token, so the server can determine quickly and accurately that the token is valid. In addition, setting a validity period on the token limits the damage caused by leakage of the token.
In a possible implementation, the file at the first path is a subset of the files in one directory, and the first operation set includes at least one of: create, modify, lock, delete, move and hide. The file at the first path may be any file rather than all the files in a directory; that is, the path can match any directory or file of the user.
In this implementation, the file at the first path can be any file, which supports more business scenarios, and the first operation set includes at least one of create, modify, lock, delete, move and hide, which allows finer-grained access control. It should be understood that the path carried in the token can be customized, and so can the operation permissions carried in the token, such as create, modify, lock, delete, move and hide.
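The first aspect above (token issuance with HMAC-SHA256 over a JWT, then the ordered checks: legality, validity period, operation-set membership, path containment, with shorter validity periods for destructive operations) worked through as an added Python example. This is illustrative code, not code from the patent or its assignee. It assumes a JWT compact token signed with HS256 whose payload carries the fields `path`, `ops`, `iat` and `exp` (the field names, the constructed secret and the constructed validity-period policy are all assumptions; the patent only specifies what the token contains, not how it is encoded). Two points a practitioner needs that the text does not state: an HS256 JWT payload is base64url-encoded rather than encrypted, so the HMAC prevents forgery but anyone holding the token can read the path and operation set; and "the second path includes the first path" has to be decided on normalized path components, because a raw string-prefix test would let a token for `/docs/alice` cover `/docs/alice2`, and an unnormalized `..` segment would escape the scope.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed server-side secret for this example. A real deployment loads it
# from a secret store; it is never embedded in source.
SECRET = b"example-secret-do-not-use"

# Constructed policy mirroring the page: destructive operations get a short
# validity period, read-style operations a longer one.
HIGH_RISK_OPS = {"modify", "delete", "move"}
TTL_HIGH_RISK = 5 * 60      # seconds
TTL_LOW_RISK = 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_path(path: str) -> str:
    """Canonical absolute path: collapses '.', '..' and repeated slashes so the
    containment check compares path components rather than raw strings."""
    return posixpath.normpath("/" + path.lstrip("/"))


def path_contains(scope: str, target: str) -> bool:
    """True if target is scope itself or lies beneath it. Component-wise, so a
    token for /docs/alice covers neither /docs/alice2 nor /docs/alice/../bob."""
    scope, target = normalize_path(scope), normalize_path(target)
    if scope == "/":
        return True
    return target == scope or target.startswith(scope + "/")


def issue_token(path: str, ops, now=None) -> str:
    """Server side: build an HS256 JWT carrying the second path, the first
    operation set and the validity period. The HMAC is what the legality
    check later verifies; the payload itself is only base64url-encoded."""
    now = int(time.time()) if now is None else now
    ops = sorted(set(ops))
    ttl = TTL_HIGH_RISK if HIGH_RISK_OPS & set(ops) else TTL_LOW_RISK
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"path": normalize_path(path), "ops": ops, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_request(token: str, op: str, path: str, now=None):
    """Server side: decide one file operation request. Returns (allowed, reason).
    Check order follows the page: legality (HMAC), validity (period), then
    operation-set membership and path containment."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        given_sig = _b64url_decode(parts[2])
    except (ValueError, TypeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm and compare in constant time: a header claiming
    # alg "none" or any other algorithm is rejected outright.
    signing_input = parts[0] + "." + parts[1]
    expected_sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected_sig, given_sig):
        return False, "legality check failed"
    iat, exp = payload.get("iat", 0), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or not (iat <= now < exp):
        return False, "token outside validity period"
    # Require a real list: `op in "modify"` would do substring matching.
    ops = payload.get("ops")
    if not isinstance(ops, list) or op not in ops:
        return False, "operation not in token operation set"
    scope = payload.get("path")
    if not isinstance(scope, str) or not scope:
        return False, "token carries no path"   # never fall back to "/"
    if not path_contains(scope, path):
        return False, "requested path not covered by token path"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("/docs/alice", ["read", "modify"], now=1_000)
    print(check_request(tok, "modify", "/docs/alice/report.txt", now=1_100))
    print(check_request(tok, "read", "/docs/alice2/report.txt", now=1_100))
```

`check_request` returns a reason string so the rejection path (the page's second condition) can be logged per cause; in a real service the reason goes to the audit log and the client only sees a generic denial. Note that the server never consults the account's permission records during `check_request`: the role permission information is only used when `issue_token` is called, which is exactly the time saving the patent claims.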
In a second aspect, an embodiment of the present application provides another permission control method for online files, including: a terminal device generates a first file operation request, the first file operation request requesting that a first operation be performed on a file at a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, both the first path and the second path being paths in a file management system run by a server, and the first token being used by the server to check whether the terminal device has permission to perform the first operation on the file at the first path; and the terminal device sends the first file operation request to the server.
In this embodiment of the present application, the terminal device sends the server a first file operation request carrying the first token, so that the server can use the first token to check quickly and accurately whether the terminal device (corresponding to the user) has permission to perform the first operation on the file at the first path.
In a possible implementation, the first token further includes a validity period of the first token, the validity period being used to check the validity of the first token.
In this implementation, the first token further includes its validity period, which allows the server to check the validity of the first token.
In a possible implementation, before the terminal device generates the first file operation request, the method further includes: the terminal device obtains the first token cached by a browser or client application; and the terminal device generating the first file operation request includes: the terminal device generates the first file operation request based on the first token.
In this implementation, the terminal device can obtain the first token quickly and thus generate the first file operation request quickly.
In a possible implementation, before the terminal device generates the first file operation request, the method further includes: the terminal device sends a token acquisition request to the server, the token acquisition request requesting the token needed to perform the first operation on the file at the first path; and the terminal device receives the first token from the server and caches it.
In this implementation, the terminal device can obtain the first token quickly by sending a token acquisition request to the server.
In a possible implementation, before the terminal device sends the token acquisition request to the server, the method further includes: the terminal device logs in to the file management system with a target account; and the terminal device sending the token acquisition request to the server includes: in response to a user's access operation on the file at the first path in the file management system, sending the token acquisition request to the server.
In this implementation, the token acquisition request can be sent promptly in response to the user's access operation on the file at the first path in the file management system.
In a possible implementation, the file at the first path is a subset of the files in one directory, and the first operation set includes at least one of: create, modify, lock, delete, move and hide.
In this implementation, the file at the first path can be any file, which supports more business scenarios, and the first operation set includes at least one of create, modify, lock, delete, move and hide, which allows finer-grained access control.
In a third aspect, an embodiment of the present application provides a server, including: a transceiver unit configured to receive a first file operation request from a terminal device, the first file operation request requesting that a first operation be performed on a file at a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, and both the first path and the second path being paths in a file management system run by the server; and a processing unit configured to perform the first operation on the file when the first file operation request satisfies a first condition, the first condition including: the first token passes the server's legality check, the first operation is included in the first operation set, and the second path includes the first path.
In a possible implementation, the first token further includes a validity period of the first token, and the first condition further includes: the time at which the server receives the first file operation request falls within the validity period.
In a possible implementation, the processing unit is further configured to perform a legality check and a validity check on the first token, the validity check being a check of whether the time at which the server receives the first file operation request falls within the validity period, and, when the first token passes the legality check and the validity check, to verify whether the first operation is included in the first operation set and whether the second path includes the first path.
In a possible implementation, the processing unit is further configured to generate the first token, and the transceiver unit is further configured to send the first token to the terminal device.
In a possible implementation, the processing unit is configured to encrypt an initial token based on the HMAC-SHA256 algorithm to obtain the first token, and to generate the initial token using JSON Web Token.
In a possible implementation, the transceiver unit is further configured to receive a token acquisition request from the terminal device, the token acquisition request requesting the token needed to perform the first operation on the file at the first path; the processing unit is further configured to obtain, according to the token acquisition request, the role permission information of the target account logged in on the terminal device, the target account being the account the terminal device uses to log in to the file management system; and the processing unit is configured to generate the first token according to the role permission information.
In a possible implementation, the processing unit is further configured to perform login authentication of the terminal device logging in to the file management system with the target account, and the transceiver unit is configured to receive an access operation by the terminal device on the file at the first path in the file management system.
In a possible implementation, the transceiver unit is further configured to receive a second file operation request from the terminal device, the second file operation request requesting that a second operation be performed on a file at a third path, the second file operation request carrying a second token, the second token including a fourth path and a second operation set, the second operation set including at least one operation; and the processing unit is further configured to reject the second file operation request when it does not satisfy a second condition, the second condition including: the second token passes the server's legality check, the second operation is included in the second operation set, and the fourth path includes the third path.
In a possible implementation, the file at the first path is a subset of the files in one directory, and the first operation includes at least one of: create, modify, lock, delete, move and hide.
For the technical effects of the third aspect and its optional implementations, reference may be made to the description of the technical effects of the first aspect and the corresponding implementations.
In a fourth aspect, an embodiment of the present application provides a terminal device, including: a processing unit configured to generate a first file operation request, where the first file operation request requests that a first operation be performed on the file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, the first path and the second path are both paths in the file management system run by the server, and the first token is used by the server to verify whether the terminal device has permission to perform the first operation on the file of the first path; and a transceiver unit configured to send the first file operation request to the server.
In a possible implementation, the first token further includes a validity period of the first token, and the validity period is used to check the validity of the first token.
In a possible implementation, the processing unit is further configured to obtain the first token cached by a browser or client application, and to generate the first file operation request based on the first token.
In a possible implementation, the transceiver unit is further configured to send a token acquisition request to the server, where the token acquisition request requests the token needed to perform the first operation on the file of the first path; and to receive the first token from the server and cache it.
In a possible implementation, the processing unit is further configured to log in to the file management system using a target account; and the transceiver unit is further configured to send the token acquisition request to the server in response to a user's access operation on the file of the first path in the file management system.
In a possible implementation, the files of the first path are a subset of the files in one directory, and the first operation includes at least one of: create, modify, lock, delete, move and hide.
For the technical effects of the fourth aspect and its optional implementations, refer to the description of the technical effects of the second aspect and the corresponding implementations.
In a fifth aspect, an embodiment of the present application provides a server, including: a memory for storing a program; and a processor for executing the program stored in the memory, where, when the program is executed, the processor performs the method of the first aspect or any of its possible implementations.
In a sixth aspect, an embodiment of the present application provides a terminal device, including: a memory for storing a program; and a processor for executing the program stored in the memory, where, when the program is executed, the processor performs the method of the second aspect or any of its possible implementations.
In a seventh aspect, an embodiment of the present application provides a chip, including a processor and a data interface; the processor reads, through the data interface, instructions stored in a memory and performs the method of the first aspect or any of its possible implementations.
In an eighth aspect, an embodiment of the present application provides a chip, including a processor and a data interface; the processor reads, through the data interface, instructions stored in a memory and performs the method of the second aspect or any of its possible implementations.
In a ninth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program; the computer program includes program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect or any of its possible implementations.
In a tenth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program; the computer program includes program instructions which, when executed by a processor, cause the processor to perform the method of the second aspect or any of its possible implementations.
In an eleventh aspect, an embodiment of the present application provides a computer program including computer-readable code; when the computer-readable code runs in a server, the processor of the server performs the method of the first aspect or any of its possible implementations.
In a twelfth aspect, an embodiment of the present application provides a computer program including computer-readable code; when the computer-readable code runs in a terminal device, the processor of the terminal device performs the method of the second aspect or any of its possible implementations.
Embodiments of the present application provide a permission control method, a server, a terminal, a storage medium and a computer program. A server receives a first file operation request from a terminal device; the first file operation request requests that a first operation be performed on the file of a first path and carries a first token; the first token includes a second path and a first operation set, the first operation set includes at least one operation, and the first path and the second path are both paths in the file management system run by the server. When the first file operation request satisfies a first condition, the server performs the first operation on the file. The first condition includes: the first token passes the server's legality check, the first operation is contained in the first operation set, and the second path includes the first path. In this way the server does not need to look up the permission information of the user (corresponding to the terminal device), so the user's permissions can be verified faster and the first file operation request answered faster.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present application or of the background art more clearly, the drawings needed for the embodiments or the background art are described below.
FIG. 1 is a flowchart of an online file permission control method provided by an embodiment of the present application;
FIG. 2 is a flowchart of another online file permission control method provided by an embodiment of the present application;
FIG. 3 is a flowchart of another online file permission control method provided by an embodiment of the present application;
FIG. 4 is a flowchart of another online file permission control method provided by an embodiment of the present application;
FIG. 5 is a flowchart of another online file permission control method provided by an embodiment of the present application;
FIG. 6 is an interaction flowchart of an online file permission control method provided by an embodiment of the present application;
FIG. 7 is an interaction flowchart of another online file permission control method provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a server provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a server provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of another terminal device 110 provided by an embodiment of the present application;
FIG. 12 is a block diagram of part of the structure of a terminal device provided by an embodiment of the present application.
Detailed description
The terms "first", "second", "third" and the like in the description, the claims and the drawings of the present application are used to distinguish similar objects and do not necessarily describe a particular order or sequence. The terms "comprising" and "having", and any variants of them, are intended to cover non-exclusive inclusion; for example, a method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, and may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
To prevent private files stored in the network cloud (online files) from being leaked or tampered with, access to them normally has to be controlled. As described in the background art, the usual approach verifies whether a user may perform an operation on the document being accessed by looking up the user's permission information. That lookup often takes a long time, so permission verification is slow and the user experience suffers. Embodiments of the present application provide an online file permission control scheme that verifies the user's permissions by means of a token, which is faster.
The online file permission control method provided by the embodiments can be applied to the scenario of editing online files. Its application in that scenario is briefly introduced below.
Online file editing scenario: a terminal device edits online files (for example modifies, deletes, moves or locks them) in the file management system run by a server. For example, a user logs in to the file management system with the terminal device; the terminal device sends the server a file operation request carrying a token, which requests that a target operation be performed on an online file in the file management system; the server uses the token to verify whether the user is permitted to perform the target operation on that online file; if the verification succeeds the server performs the target operation, otherwise it rejects the file operation request.
The terminal device may be a smart terminal such as a mobile phone, personal computer, tablet, wearable device, personal digital assistant or information processing centre. The server may be any server with data-processing capability, such as a cloud server, web server, application server or management server. The server receives file operation requests from the terminal device through an interaction interface and processes them with a memory that stores data and a processor that performs the processing. "Memory" is used here as a collective term covering local storage and a database of historical data; the database may reside on the server itself or on another network server.
In the above scenario, the online file permission control method provided by the embodiments verifies the user's permissions faster and therefore answers the user's file operation requests faster.
The online file permission control method provided by the embodiments is described below with reference to the drawings.
FIG. 1 is a flowchart of an online file permission control method provided by an embodiment of the present application. As shown in FIG. 1, the steps of the method may be performed by a hardware device such as a server, or by a processor running computer-executable code. The method includes:
101. The server receives a first file operation request from a terminal device.
The first file operation request requests that a first operation be performed on the file of a first path, and carries a first token. The terminal device may carry the first token in the first file operation request as a request header or as a request parameter. "The file of the first path" means a file under the first path.
The first token includes a second path and a first operation set, and the first operation set includes at least one operation. The first path and the second path are both paths in the file management system run by the server. The first path may be the path of a directory in that file management system, or the path of any file in it, for example the path of a single file; the same holds for the second path. For example, the first path may be the path of a file and the second path the path of a file or directory that contains that file; alternatively, the first path and the second path may be the same path. The files of the first path may be all of the files in a directory or only some of them. In other words, the online file permission control method provided by the embodiments can control access at the granularity of any individual file or folder. The operations in the first operation set are the file operations that the terminal device presenting the first token may perform on the files of the second path, for example at least one of read, create, modify, lock, delete, move and hide, and the first operation may be any one of these. Whereas a traditional scheme can only perform simple read/write control, the scheme of the embodiments lets operation permissions (that is, access permissions) such as read, create, modify, lock, delete, move and hide be defined freely in the token, which meets more diverse requirements.
102. When the first file operation request satisfies a first condition, the server performs the first operation on the file of the first path.
The first condition includes: the first token passes the server's legality check, the first operation is contained in the first operation set, and the second path includes the first path. The server's legality check on the first token prevents others from accessing online files with a forged token; a first token that passes the legality check is not a forged one. That the first token includes the second path and the first operation set indicates that the terminal device presenting it is permitted to perform each operation in the first operation set on the files of the second path. If the first operation is contained in the first operation set and the second path includes the first path, that is, the set of files reachable under the second path is equal to or a superset of the set reachable under the first path, then the terminal device necessarily has permission to perform the first operation on the file of the first path. The permission to perform the first operation on the file of the first path can be understood as the permission requested by the first file operation request, and the permission to perform each operation in the first operation set on the files of the second path as the permission represented by the first token. In some embodiments the server only has to check the legality of the first token and whether the permission requested by the first file operation request is consistent with (covered by) the permission represented by the first token; it does not need to look up the terminal device's permission information. The server can therefore determine directly and quickly, from the first token and the first file operation request alone, whether the terminal device is permitted to perform the first operation on the file of the first path, which reduces the time spent on permission verification and effectively improves file access efficiency.
In a possible implementation, the first token further includes a validity period of the first token, and the first condition further includes: the time at which the server received the first file operation request falls within the validity period.
The validity period of the first token is used to determine whether the first token is still valid. If the time at which the server receives the first token (that is, the time at which it receives the first file operation request) falls within the validity period, the first token is valid; otherwise it has expired.
In this implementation the first condition further includes that the server received the first file operation request within the validity period, so the server can determine quickly and accurately that the token is valid. Giving tokens a validity period also limits the damage that a leaked token can do. In some embodiments the server sets different validity periods according to the permissions granted (the first operation set): for high-risk operations on files such as modify and delete the token's validity period is kept as short as possible, while for view-only permissions it can be relaxed.
The method of FIG. 1 can be understood as token-based access control that is decoupled from the login authentication method (the way the terminal logs in to the file management system). That is, the access control implemented by the method of FIG. 1 is independent of how login authentication is performed: different terminal devices may authenticate in different ways, but file access control is unified through tokens.
In one embodiment, the server may further perform the following steps:
103. The server receives a second file operation request from the terminal device.
The second file operation request requests that a second operation be performed on the file of a third path. It carries a second token, which includes a fourth path and a second operation set; the second operation set includes at least one operation. The second file operation request is analogous to the first file operation request.
104. When the second file operation request does not satisfy a second condition, the server rejects the second file operation request.
The second condition includes: the second token passes the server's legality check, the second operation is contained in the second operation set, and the fourth path includes the third path. Rejecting the second file operation request may mean that the server sends the terminal device a response indicating that the request is rejected, or that the server does not respond to the second file operation request at all (and in particular does not perform the second operation on the file of the third path).
In a possible implementation, the second token further includes a validity period of the second token, and the second condition further includes: the time at which the server received the second file operation request falls within the validity period of the second token.
In the embodiments, when a file operation request (such as the first file operation request) satisfies the preset condition (such as the first condition), the server performs the requested operation (such as the first operation) on the file; when a file operation request (such as the second file operation request) does not satisfy the preset condition (such as the second condition), the server rejects it. The server therefore only has to verify the token carried in the request to enforce permissions; it does not need to look up the permission information of the user (corresponding to the terminal device), so the user's permissions are verified faster and file operation requests are answered faster.
FIG. 2 is a flowchart of another online file permission control method provided by an embodiment of the present application. The method of FIG. 2 refines and completes the method of FIG. 1. As shown in FIG. 2, the steps of the method may be performed by a hardware device such as a server, or by a processor running computer-executable code. The method includes:
201. The server receives a first file operation request from a terminal device.
Step 201 is the same as step 101.
202. The server performs a legality check and a validity check on the first token.
The validity check determines whether the time at which the server received the first file operation request falls within the validity period. In one implementation the server first performs the legality check and, only if the first token passes it, the validity check; in another it performs the validity check first and then, after the token passes it, the legality check; in yet another it performs both checks at the same time (in parallel).
203. When the first token passes both the legality check and the validity check, the server verifies whether the first operation is contained in the first operation set and whether the second path includes the first path.
Only a first token that passes both the legality check and the validity check is legal and valid. If the first token fails either check, the server need not verify whether the first operation is contained in the first operation set or whether the second path includes the first path, which avoids useless processing.
204. When the first file operation request satisfies the first condition, the server performs the first operation on the file of the first path.
Step 204 may be the same as step 102 and is not described again here.
In this embodiment the first token is first checked for legality and validity, and only after it passes both checks does the server verify whether the first operation is contained in the first operation set and whether the second path includes the first path. This avoids performing those two checks on requests that will be rejected anyway, saves verification time and improves processing efficiency.
图3为本申请实施例提供的另一种在线文件的权限控制方法流程图。图3中的方法流程是对图1中的方法流程的细化和完善。如图3所示,本申请实施例提供的方法步骤可以通过服务器等硬件设备执行,或者通过处理器运行计算机可执行代码的方式执行,该方法包括:FIG. 3 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application. The method flow in FIG. 3 is a refinement and improvement of the method flow in FIG. 1 . As shown in FIG. 3 , the steps of the method provided by the embodiment of the present application may be performed by a hardware device such as a server, or performed by a processor running computer-executable code, and the method includes:
301、服务器接收来自终端设备的令牌获取请求。301. The server receives a token acquisition request from a terminal device.
上述令牌获取请求用于获取对第一路径的文件进行第一操作所需的令牌。The above token acquisition request is used to acquire the token required to perform the first operation on the file of the first path.
在一个可能的实现方式中,服务器在执行步骤301之前,可通过终端设备使用目标账号登录其运行的文件管理系统的登录认证;步骤301可替换为:服务器接收到终端设备针对上述文件管理系统中的第一路径的文件的访问操作。举例来说,终端设备可使用目标账号登录服务器运行的文件管理系统,服务器接收到终端设备针对该文件管理系统中的第一路径的文件的访问操作(例如点击该文件的图标的操作)。In a possible implementation manner, before executing step 301, the server can use the terminal device to log in to the file management system it is running for login authentication using the target account; step 301 can be replaced with: the server receives the terminal device's target account for the above-mentioned file management system. The first path of the file access operation. For example, the terminal device can use the target account to log in to the file management system run by the server, and the server receives an access operation (eg, an operation of clicking the icon of the file) from the terminal device to the file of the first path in the file management system.
302、服务器根据令牌获取请求,获取终端设备登录的目标账号的角色权限信息。302. The server obtains, according to the token obtaining request, the role permission information of the target account logged in by the terminal device.
上述目标账号为上述终端设备登录服务器运行的文件管理系统使用的账号。目标账号的角色权限信息可以包括目标账号的角色以及该角色对应的权限。服务器运行的文件管理系统支持多种不同角色的账号,不同角色的账号具备的权限不同,即一个角色对应一定的权限。举例来说,服务器运行的文件管理系统支持管理者、普通用户以及高级用户3种不同角色的账号,目标账号的角色为这3种角色中的任一种,目标账号具备的权限为目标账号的角色对应的权限。在该举例中,管理者对应的权限最多、普通用户对应的权限最少。在实际应用中,可根据实际需求设置服务器运行的文件管理系统支持的各种角色以及各种角色对应的权限,以便更方便地管理不同角色的账号的权限。The above-mentioned target account is an account used by the above-mentioned terminal device to log in to the file management system running on the server. The role permission information of the target account may include the role of the target account and the permission corresponding to the role. The file management system running on the server supports a variety of accounts with different roles. Accounts with different roles have different permissions, that is, a role corresponds to a certain permission. For example, the file management system running on the server supports accounts with three different roles: administrator, ordinary user, and advanced user. The role of the target account is any of these three roles, and the permissions of the target account are those of the target account. The permissions corresponding to the role. In this example, the administrator has the most authority, and the ordinary user has the least authority. In practical applications, various roles supported by the file management system running on the server and permissions corresponding to various roles can be set according to actual requirements, so as to more conveniently manage the permissions of accounts with different roles.
303. The server generates the first token according to the role permission information.
In some embodiments, the server may run a file service application (corresponding to the file management system) that provides the file service. The file service maintains an independent key, which is used to sign tokens. The file service may also provide a token generation interface that takes a path (for example, the first path), an operation set (for example, the first operation set) and an expiration parameter (corresponding to the validity period), all of which the caller (for example, the owner of the online file) may customize. The token generation interface first generates an initial token as a JSON Web Token and then signs it with HMAC-SHA256 (the JWT HS256 algorithm) to obtain the first token. Because the signature can only be computed with the key, and the key never leaves the server, an outside party cannot forge or alter the token, which improves the security of token and file access. HMAC-SHA256 authenticates the token but does not encrypt it: the path, operation set and expiry in the payload are only base64url-encoded and can be read by anyone holding the token, so the token should carry nothing the terminal device is not allowed to see. The server stores the secret key (Secret). The file service verifies the token and the operation carried in a file operation request (for example, the first operation). The server may provide a business gateway service that handles authentication tasks, such as verifying the account and password a user uses to log in to the file management system.
The server may also have an independent user center that maintains users' basic information and role permission information. After a user logs in to the file management system, the server may call the user center's authentication interface to verify the user's role permission information. The server obtains the user's role permission information from the user center and calls the file service's token generation interface to obtain a token. Because the server is pre-configured with the access rights that each kind of role permission information carries, calling the token generation interface yields tokens that match the respective role permission information.
304. The server sends the first token to the terminal device.
305. The server receives a first file operation request from the terminal device.
306. When the first file operation request satisfies the first condition, the server performs the first operation on the file at the first path.
Step 306 may be the same as step 102 and is not described again here. In some embodiments, before step 306 the server may perform steps 202 and 203 of FIG. 2 to determine whether the first file operation request satisfies the first condition.
In this embodiment of the present application, the server generates the first token and sends it to the terminal device, and the server also verifies the validity and legitimacy of the first token. Generation and verification of the first token are thus controlled entirely by the server. The server signs the initial token produced by the token generation interface with HMAC-SHA256 to obtain the first token; as long as the signing key is kept secret on the server, no other party can forge a token, which improves security.
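The following is an added example, not code from the patent, of the server side of steps 302 to 306 (the same checks that processing unit 802 of FIG. 8 is configured to perform). The token generation interface issues a JSON Web Token signed with HMAC-SHA256 carrying the second path, the first operation set and the validity period, and `check_request` applies the first condition to a file operation request. It uses only the standard library; the claim names (`path`, `ops`, `exp`), the role table, the path normalization and the secret are assumptions of this example.

```python
"""Added example (not the patent's code): HS256 file-access token issuance
and the first-condition check.  Claim names, role table and secret are
assumptions of this example."""
import base64
import hashlib
import hmac
import json
import posixpath
import time
from typing import Optional, Tuple

# Assumed role -> permitted-operations table.  The patent leaves roles and
# permissions configurable; these role names and operations are the ones
# its text mentions.
ROLE_OPERATIONS = {
    "administrator": {"create", "modify", "lock", "delete", "move", "hide"},
    "advanced_user": {"create", "modify", "move"},
    "ordinary_user": {"modify"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def normalize_path(path: str) -> str:
    # Resolve "." / ".." and duplicate slashes first, so a request for
    # "/projects/alpha/../beta/x" cannot pass as lying under "/projects/alpha".
    return posixpath.normpath("/" + path.lstrip("/"))


def path_contains(token_path: str, requested_path: str) -> bool:
    """'Second path includes first path': requested_path equals token_path or
    lies beneath it.  Segment-aware, so a token for /docs does not cover /docs2."""
    base, target = normalize_path(token_path), normalize_path(requested_path)
    return target == base or base == "/" or target.startswith(base + "/")


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(key: bytes, role: str, path: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Token generation interface: role permission information -> first token."""
    if role not in ROLE_OPERATIONS:
        raise ValueError("unknown role: " + role)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"path": normalize_path(path), "ops": sorted(ROLE_OPERATIONS[role]),
               "iat": now, "exp": now + ttl_seconds}
    signing_input = compact_json(header) + "." + compact_json(payload)
    # HMAC gives integrity and origin, not confidentiality: the payload is
    # only base64url-encoded and anyone holding the token can read it.
    return signing_input + "." + b64url(hs256(signing_input.encode(), key))


def check_request(key: bytes, token: str, requested_path: str, operation: str,
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """The first condition: legitimacy (signature), validity (expiry),
    operation in the operation set, requested path within the token path."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(payload_b64))
        given_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected_sig = hs256((head_b64 + "." + payload_b64).encode(), key)
    if not hmac.compare_digest(given_sig, expected_sig):  # constant-time compare
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return False, "token expired"
    ops = payload.get("ops")
    if not isinstance(ops, list) or operation not in ops:
        return False, "operation not permitted by token"
    if not path_contains(str(payload.get("path", "")), requested_path):
        return False, "path not covered by token"
    return True, "ok"


if __name__ == "__main__":
    secret = b"server-side-secret-never-sent-to-the-terminal"  # constructed
    first_token = issue_token(secret, "advanced_user", "/projects/alpha", 600)
    for req_path, op in [("/projects/alpha/report.docx", "modify"),
                         ("/projects/alpha/report.docx", "delete"),
                         ("/projects/alpha/../beta/secret", "modify")]:
        print(req_path, op, check_request(secret, first_token, req_path, op))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is trusted, the comparison is constant-time, and the path containment is done on normalized, segment-aligned paths so that neither `..` components nor a sibling directory with a common prefix can satisfy the "second path includes first path" condition.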
The online file permission control solution provided by the embodiments of the present application requires the cooperation of the server and the terminal device. The foregoing embodiments described the method flow performed by the server in this solution. The method flow performed by the terminal device is described below with reference to the accompanying drawings.
FIG. 4 is a flowchart of another online file permission control method provided by an embodiment of the present application. As shown in FIG. 4, the steps of the method may be executed by a hardware device such as a terminal device, or by a processor running computer-executable code. The method includes:
401. The terminal device generates a first file operation request.
The first file operation request requests that the first operation be performed on the file at the first path. The first file operation request carries the first token, and the first token includes the second path and the first operation set, which includes at least one operation. The first path and the second path are both paths in the file management system run by the server. The server uses the first token to verify whether the terminal device has permission to perform the first operation on the file at the first path.
Step 401 may be implemented as follows: the terminal device obtains the first token cached by the browser or client application, and generates the first file operation request based on the first token.
402. The terminal device sends the first file operation request to the server.
In this embodiment, the terminal device sends the server a first file operation request carrying the first token, so that the server can use the first token to verify quickly and accurately whether the terminal device (corresponding to the user) has permission to perform the first operation on the file at the first path.
FIG. 5 is a flowchart of another online file permission control method provided by an embodiment of the present application; it refines and completes the method flow of FIG. 4. As shown in FIG. 5, the steps may be executed by a hardware device such as a terminal device, or by a processor running computer-executable code. The method includes:
501. The terminal device logs in to the file management system run by the server with the target account.
502. In response to the user's access operation on the file at the first path in the file management system, the terminal device sends a token acquisition request to the server.
In one embodiment, after the terminal device logs in to the file management system run by the server with the target account, it may display a page of the file management system; the page may include one or more folders, each containing at least one file. The user's operation of opening (for example, clicking) the file at the first path is the user's access operation on the file at the first path in the file management system.
Step 502 may be: in response to the user's access operation on the file at the first path in the file management system, the terminal device sends a token acquisition request to the server if it has not cached a token corresponding to the file at the first path. The token corresponding to a file at a given path may be a token that includes that path.
503. The terminal device receives the first token from the server and caches it.
The terminal device caching the first token may mean that the browser or client application on the terminal device caches the first token.
504. The terminal device generates the first file operation request based on the first token.
A possible implementation of step 504 is as follows: in response to the user's access operation on the file at the first path in the file management system, if the terminal device has cached the first token corresponding to the file at the first path, it generates the first file operation request based on the first token. In some embodiments the terminal device may cache one or more tokens, each corresponding to a different path; before generating any file operation request, the terminal device first obtains from the cache the token corresponding to that request. For example, when the terminal device is about to generate a file operation request for the file at the first path, it obtains the token whose path includes the first path (for example, the first token).
505. The terminal device sends the first file operation request to the server.
In this embodiment, the terminal device can obtain the first token quickly and therefore generate the first file operation request quickly, so that the server can use the first token to verify quickly and accurately whether the terminal device (corresponding to the user) has permission to perform the first operation on the file at the first path.
FIG. 6 is an interaction flowchart of an online file permission control method provided by an embodiment of the present application. The interaction flow of FIG. 6 comprises the method flow executed by the server and the method flow executed by the terminal device. As shown in FIG. 6, the steps may be executed by a hardware device such as a terminal device, or by a processor running computer-executable code. The interaction flow includes:
601. The terminal device detects the user's access operation on the file at the first path in the file management system.
The file management system runs on the server.
602. The terminal device obtains the first token cached by the browser or client application.
The first token includes the second path and the first operation set, and the first operation set includes at least one operation. The second path includes the first path. A possible implementation of step 602 is as follows: the terminal device obtains, from the tokens cached by the browser or client application, the token whose path includes the first path; that token is the first token.
603. The terminal device generates the first file operation request based on the first token.
The first file operation request requests that the first operation be performed on the file at the first path, and it carries the first token.
604. The terminal device sends the first file operation request to the server.
605. When the first file operation request satisfies the first condition, the server performs the first operation on the file.
In this embodiment, the server performs the first operation on the file when the first file operation request satisfies the first condition. Because the first token already carries the permitted path and operation set, the server does not need to look up the permissions of the user (corresponding to the terminal device) again for each request; it can verify the user's permission faster and therefore respond to the first file operation request faster.
It should be understood that the terminal device can execute the method flow of FIG. 6 only if it has already cached the first token. The interaction flow of the permission control method in the case where the terminal device has not cached the corresponding token is described below with reference to the accompanying drawings.
FIG. 7 is an interaction flowchart of another online file permission control method provided by an embodiment of the present application; it includes the steps by which the terminal device obtains and caches the first token. As shown in FIG. 7, the interaction flow includes:
701. The terminal device detects the user's access operation on the file at the first path in the file management system.
Before step 701, the terminal device may log in to the file management system run by the server with the target account.
702. If it has not cached a token that includes the first path, the terminal device sends a token acquisition request to the server.
The token acquisition request requests the token needed to perform the first operation on the file at the first path. It may carry information indicating the first path, or the first path itself.
The terminal device has not cached a token that includes the first path when, for example, it finds no token whose path includes the first path among the tokens cached by the browser or client application.
703. The server obtains, according to the token acquisition request, the role permission information of the target account with which the terminal device is logged in.
The target account is the account the terminal device uses to log in to the file management system run by the server.
704. The server generates the first token according to the role permission information.
Role permission information may also be called access permission information (corresponding to the first operation set). In some embodiments, user A may configure role permission information for user B as follows: 1) user A logs in to the file management system run by the server; 2) user A creates a file in the file management system; 3) user A configures, in the file management system, role permission information for user B (corresponding to the operations user B may perform on that file).
705. The server sends the first token to the terminal device.
706. The terminal device caches the first token and generates the first file operation request based on it.
It should be understood that once the terminal device has cached the first token, whenever it asks the server to perform any operation on the file at the first path it can carry the first token in the file operation request as a request header or a request parameter. That is, for subsequent requests to operate on the file at the first path, the terminal device takes the first token from the cache and generates the corresponding file operation request without obtaining the first token from the server again. Only after the first token becomes invalid does the terminal device need to obtain a new first token from the server and cache it.
707. The terminal device sends the first file operation request to the server.
708. When the first file operation request satisfies the first condition, the server performs the first operation on the file at the first path.
In this embodiment, when the terminal device has not cached the required token, it first obtains and caches it, so that the user's permission can be verified faster on subsequent requests.
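The following is an added example, not code from the patent, of the terminal-device side of FIG. 7 (steps 701 to 707) together with the cache lookup of step 602. The browser or client application caches each issued token under the path the token carries; a file operation request takes a cached, unexpired token whose path includes the requested path and carries it in a request header, and only when none exists does the device send a token acquisition request. The device holds no signing key, so it decodes the JWT payload purely to index the cache and never treats that decode as an authorization decision. The header name, the request layout, the clock and the constructed tokens with a placeholder signature are assumptions of this example.

```python
"""Added example (not the patent's code): terminal-side token cache keyed by
token path, with expiry eviction and fallback to a token acquisition request.
Header name, request layout and constructed tokens are assumptions."""
import base64
import json
import posixpath
import time
from typing import Callable, Dict, Optional


def decode_claims(token: str) -> dict:
    """Read the unverified JWT payload (middle segment); for cache indexing only."""
    payload_b64 = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))


def covers(token_path: str, requested_path: str) -> bool:
    """'Second path includes first path', on normalized, segment-aligned paths."""
    base = posixpath.normpath("/" + token_path.lstrip("/"))
    target = posixpath.normpath("/" + requested_path.lstrip("/"))
    return target == base or base == "/" or target.startswith(base + "/")


class TokenCache:
    """Tokens cached by the browser or client application, keyed by token path."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._tokens: Dict[str, str] = {}
        self._now = now

    def store(self, token: str) -> None:
        self._tokens[decode_claims(token)["path"]] = token

    def find(self, requested_path: str) -> Optional[str]:
        """Cached, unexpired token whose path includes requested_path, else None.
        Expired tokens are evicted on the way so that they get re-requested."""
        now = self._now()
        for token_path, token in list(self._tokens.items()):
            if decode_claims(token).get("exp", 0) <= now:
                del self._tokens[token_path]
                continue
            if covers(token_path, requested_path):
                return token
        return None


class TerminalDevice:
    def __init__(self, request_token: Callable[[str], str],
                 cache: Optional[TokenCache] = None):
        self.request_token = request_token  # sends the token acquisition request (step 702)
        self.cache = cache or TokenCache()
        self.token_requests = 0

    def file_operation_request(self, path: str, operation: str) -> dict:
        """Build the file operation request for (path, operation), steps 702-707."""
        token = self.cache.find(path)
        if token is None:                   # step 702: nothing usable is cached
            token = self.request_token(path)
            self.token_requests += 1
            self.cache.store(token)         # step 706
        return {"method": "POST", "url": "/files/operate",
                "headers": {"Authorization": "Bearer " + token},
                "params": {"path": path, "op": operation}}


def constructed_token(path: str, ops, exp: int) -> str:
    """Constructed stand-in for a server-issued first token: real JWT layout,
    but the signature segment is a placeholder because this example never
    verifies it (only the server holds the key)."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return (seg({"alg": "HS256", "typ": "JWT"}) + "."
            + seg({"path": path, "ops": list(ops), "exp": exp}) + ".signature-placeholder")


if __name__ == "__main__":
    clock = [1000]  # constructed clock so that expiry is deterministic

    def issuer(requested_path: str) -> str:  # stands in for steps 703-705
        directory = requested_path.rsplit("/", 1)[0] or "/"
        return constructed_token(directory, ["modify", "move"], clock[0] + 600)

    dev = TerminalDevice(issuer, TokenCache(now=lambda: clock[0]))
    dev.file_operation_request("/projects/alpha/a.txt", "modify")  # miss: token request
    dev.file_operation_request("/projects/alpha/b.txt", "move")    # hit: same directory
    clock[0] += 700                                                # token expires
    dev.file_operation_request("/projects/alpha/a.txt", "modify")  # miss again
    print("token acquisition requests sent:", dev.token_requests)
```

Because the cached token is looked up by path containment rather than by exact file name, one token for a directory serves every file beneath it, which is the caching benefit the flow describes; the expiry check on the client only avoids sending a request the server would reject, and the server still performs the authoritative legitimacy and validity checks.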
FIG. 8 is a schematic structural diagram of a server provided by an embodiment of the present application. As shown in FIG. 8, the server includes:
a transceiver unit 801, configured to receive a first file operation request from a terminal device; the first file operation request requests that a first operation be performed on the file at a first path and carries a first token; the first token includes a second path and a first operation set, the first operation set includes at least one operation, and the first path and the second path are both paths in the file management system run by the server;
a processing unit 802, configured to perform the first operation on the file when the first file operation request satisfies a first condition; the first condition includes: the first token passes the server's legitimacy check, the first operation is contained in the first operation set, and the second path includes the first path.
In a possible implementation, the first token further includes its validity period, and the first condition further includes: the time at which the server receives the first file operation request falls within the validity period.
In a possible implementation, the processing unit 802 is further configured to perform a legitimacy check and a validity check on the first token, the validity check being whether the time at which the server receives the first file operation request falls within the validity period, and, if the first token passes both checks, to verify whether the first operation is contained in the first operation set and whether the second path includes the first path.
In a possible implementation, the processing unit 802 is further configured to generate the first token, and the transceiver unit 801 is further configured to send the first token to the terminal device.
In a possible implementation, the processing unit 802 is configured to generate the initial token as a JSON Web Token and to sign the initial token with HMAC-SHA256 to obtain the first token.
In a possible implementation, the transceiver unit 801 is further configured to receive a token acquisition request from the terminal device, the token acquisition request requesting the token needed to perform the first operation on the file at the first path; the processing unit 802 is further configured to obtain, according to the token acquisition request, the role permission information of the target account with which the terminal device is logged in, the target account being the account the terminal device uses to log in to the file management system; and the processing unit 802 is configured to generate the first token according to the role permission information.
In a possible implementation, the processing unit 802 is further configured to perform login authentication of the terminal device logging in to the file management system with the target account, and the transceiver unit 801 is configured to receive the terminal device's access operation on the file at the first path in the file management system.
In a possible implementation, the transceiver unit 801 is further configured to receive a second file operation request from the terminal device; the second file operation request requests that a second operation be performed on the file at a third path and carries a second token; the second token includes a fourth path and a second operation set, which includes at least one operation. The processing unit 802 is further configured to reject the second file operation request when it does not satisfy a second condition; the second condition includes: the second token passes the server's legitimacy check, the second operation is contained in the second operation set, and the fourth path includes the third path.
FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application. As shown in FIG. 9, the terminal device includes:
a processing unit 901, configured to generate a first file operation request; the first file operation request requests that a first operation be performed on the file at a first path and carries a first token; the first token includes a second path and a first operation set, the first operation set includes at least one operation, the first path and the second path are both paths in the file management system run by the server, and the server uses the first token to verify whether the terminal device has permission to perform the first operation on the file at the first path;
a transceiver unit 902, configured to send the first file operation request to the server.
In a possible implementation, the first token further includes its validity period, which is used to check the validity of the first token.
In a possible implementation, the processing unit 901 is further configured to obtain the first token cached by the browser or client application, and to generate the first file operation request based on the first token.
In a possible implementation, the transceiver unit 902 is further configured to send a token acquisition request to the server, the token acquisition request requesting the token needed to perform the first operation on the file at the first path, and to receive the first token from the server and cache it.
In a possible implementation, the processing unit 901 is further configured to log in to the file management system with the target account, and the transceiver unit 902 is further configured to send the token acquisition request to the server in response to the user's access operation on the file at the first path in the file management system.
In a possible implementation, the files at the first path are some of the files in one directory, and the first operation includes at least one of: create, modify, lock, delete, move and hide.
It should be understood that the above division of the server and the terminal device into units is only a division by logical function; in an actual implementation the units may be wholly or partly integrated into one physical entity, or may be physically separate. For example, each of the above units may be a separately provided processing element, or several may be integrated in one chip; they may also be stored as program code in a storage element of a controller and called and executed by a processing element of a processor to perform the unit's function. The units may be integrated together or implemented independently. The processing element here may be an integrated circuit chip with signal processing capability. During implementation, each step of the above methods or each of the above units may be completed by integrated hardware logic circuits in a processor element or by instructions in the form of software. The processing element may be a general-purpose processor such as a central processing unit (CPU), or one or more integrated circuits configured to implement the above methods, such as one or more application-specific integrated circuits (ASICs), one or more digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs).
FIG. 10 is a schematic structural diagram of a server provided by an embodiment of the present application. The server 1000 may differ considerably in configuration and performance, and may include one or more central processing units 1022 (for example, one or more processors), memory 1032, and one or more storage media 1030 (for example, one or more mass storage devices) storing application programs 1042 or data 1044. The memory 1032 and the storage medium 1030 may be transient or persistent storage. The program stored in the storage medium 1030 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. In some embodiments, the central processing unit 1022 may be configured to communicate with the storage medium 1030 and to execute, on the server 1000, the series of instruction operations stored in the storage medium 1030.
The server 1000 may further include one or more power supplies 1026, one or more wired or wireless network interfaces 1050, one or more input/output interfaces 1058, and/or one or more operating systems 1041, such as Windows Server™, Mac OS X™, Unix™, Linux™ and FreeBSD™.
The steps performed by the server in the above embodiments may be based on the server structure shown in FIG. 10. For example, the central processing unit 1022 may implement the functions of the processing unit 802 in FIG. 8, and the input/output interface 1058 may implement the functions of the transceiver unit 801.
FIG. 11 is a schematic structural diagram of another terminal device 110 provided by an embodiment of the present application. As shown in FIG. 11, the terminal device includes a logic circuit 1101 and an interface 1102. The logic circuit 1101 may implement the functions of the processing unit 901 in FIG. 9, and the interface 1102 may implement the functions of the transceiver unit 902 in FIG. 9. The logic circuit 1101 may be a chip, a processing circuit, an integrated circuit or a system on chip (SoC), and the interface 1102 may be a communication interface, an input/output interface or the like. In the embodiments of the present application the logic circuit and the interface may also be coupled to each other; the manner in which they are connected is not limited.
图12是本申请实施例提供的一种终端设备的部分结构的框图。如图12所示,终端设备1200可以包括处理器1201、存储器1202、输入设备1203、输出设备1204以及总线1205。其中,处理器1201、存储器1202、输入设备1203、输出设备1204可通过总线1205实现彼此之间的通信连接。该总线1205可以分为地址总线、数据总线、控制总线等。为便于表示,图12中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。FIG. 12 is a block diagram of a partial structure of a terminal device provided by an embodiment of the present application. As shown in FIG. 12 , the terminal device 1200 may include a processor 1201 , a memory 1202 , an input device 1203 , an output device 1204 and a bus 1205 . Wherein, the processor 1201 , the memory 1202 , the input device 1203 , and the output device 1204 can implement communication connection with each other through the bus 1205 . The bus 1205 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 12, but it does not mean that there is only one bus or one type of bus.
处理器1201可以采用通用的中央处理器,微处理器,图形处理器(Graphics Processing Unit,GPU),应用专用集成电路,或者一个或多个集成电路,用于执行相关程序,以实现本申请实施例所提供的技术方案。处理器1201可实现图9中的处理单元901的功能。The processor 1201 can use a general-purpose central processing unit, a microprocessor, a graphics processing unit (Graphics Processing Unit, GPU), an application-specific integrated circuit, or one or more integrated circuits, for executing relevant programs to implement the implementation of the present application Examples of technical solutions provided. The processor 1201 may implement the functions of the processing unit 901 in FIG. 9 .
存储器1202可以是只读存储器(Read Only Memory,ROM),静态存储设备,动态存储设备或者随机存取存储器(Random Access Memory,RAM)。存储器1202可以存储操作系统、以及其他应用程序。用于通过软件或者固件来实现本申请实施例提供的终端设备包括的模块以及部件所需执行的功能,或者用于实现本申请方法实施例提供的上述方法的程序代码 存储在存储器1202中,并由处理器1201读取存储器1202中的代码来执行终端设备包括的模块以及部件所需执行的操作,或者执行本申请实施例提供的上述方法。The memory 1202 may be a read only memory (Read Only Memory, ROM), a static storage device, a dynamic storage device, or a random access memory (Random Access Memory, RAM). Memory 1202 may store operating systems, as well as other application programs. The modules and functions required to be performed by the components included in the terminal device provided by the embodiments of the present application are implemented through software or firmware, or the program codes used to implement the above-mentioned methods provided by the method embodiments of the present application are stored in the memory 1202, and are stored in the memory 1202. The processor 1201 reads the code in the memory 1202 to execute the operations required to be executed by the modules and components included in the terminal device, or execute the above-mentioned methods provided in the embodiments of the present application.
输入设备1203,用于输入数据和用户指令。例如,输入设备可接收来自服务器的令牌。例如,输入设备可输入用户针对第一路径的文件的访问操作。Input device 1203 for inputting data and user instructions. For example, the input device may receive a token from the server. For example, the input device may input the user's access operation for the file of the first path.
输出设备1204,用于输出数据和图像。例如,输出设备输出文件操作请求。又例如,输出设备1204显示文件管理系统的页面。输出设备1204可以实现图9中的收发单元902的功能。Output device 1204 for outputting data and images. For example, the output device outputs file operation requests. As another example, the output device 1204 displays a page of the file management system. The output device 1204 may implement the functions of the transceiving unit 902 in FIG. 9 .
总线1205可包括在终端设备各个部件(例如处理器1201、存储器1202、输入设备1203、输出设备1204)之间传送信息的通路。The bus 1205 may include a pathway for transferring information between various components of the terminal device (eg, the processor 1201, the memory 1202, the input device 1203, the output device 1204).
应注意,尽管图12所示的终端设备1200仅仅示出了处理器1201、存储器1202、输入设备1203、输出设备1204以及总线1205,但是在实际实现过程中,本领域的技术人员应当明白,终端设备1200还包括实现正常运行所必须的其他器件。同时,根据实际需要,本领域的技术人员应当明白,终端设备1200还可包括实现其他附加功能的硬件器件。此外,本领域的技术人员应当明白,终端设备1200也可仅仅包括实现本申请实施例所必须的器件,而不必包括图12中所示的全部器件。It should be noted that although the terminal device 1200 shown in FIG. 12 only shows the processor 1201, the memory 1202, the input device 1203, the output device 1204 and the bus 1205, in the actual implementation process, those skilled in the art should understand that the terminal Device 1200 also includes other components necessary for proper operation. Meanwhile, according to actual needs, those skilled in the art should understand that the terminal device 1200 may further include hardware devices that implement other additional functions. In addition, those skilled in the art should understand that the terminal device 1200 may also only include the necessary devices for implementing the embodiments of the present application, and does not necessarily include all the devices shown in FIG. 12 .
本申请实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机代码,当计算机代码在计算机上运行时,使得计算机执行上述实施例的方法。Embodiments of the present application further provide a computer-readable storage medium, where computer codes are stored in the computer-readable storage medium, and when the computer codes are executed on the computer, the computer is made to execute the methods of the foregoing embodiments.
本申请实施例还提供一种计算机程序,该计算机程序包括计算机可读代码,当该计算机可读代码在计算机上运行时,使得上述实施例中的方法被执行。The embodiments of the present application also provide a computer program, the computer program includes computer-readable codes, when the computer-readable codes are executed on a computer, the methods in the above embodiments are executed.
以上所述,仅为本申请的实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以上述权利要求的保护范围为准。The above is only the embodiment of the present application, but the protection scope of the present application is not limited to this. Covered within the scope of protection of this application. Therefore, the protection scope of the present application shall be subject to the protection scope of the above claims.
Industrial Applicability
The embodiments of the present application provide a permission control method, a server, a terminal, a storage medium, and a computer program. The method includes: a server receives a first file operation request from a terminal device; the first file operation request is used to request that a first operation be performed on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and both the first path and the second path are paths in a file management system run by the server; when the first file operation request satisfies a first condition, the server performs the first operation on the file; the first condition includes: the first token passes the legality check of the server, the first operation is included in the first operation set, and the second path includes the first path. With the permission control method provided by the embodiments of the present application, there is no need to query the permission information of the user (corresponding to the terminal device), so the user's permission can be verified more quickly and the first file operation request can be answered more quickly.

Claims (26)

  1. An online file permission control method, comprising:
    receiving, by a server, a first file operation request from a terminal device, the first file operation request being used to request that a first operation be performed on a file of a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, and both the first path and the second path being paths in a file management system run by the server;
    when the first file operation request satisfies a first condition, performing, by the server, the first operation on the file, the first condition including: the first token passes the legality check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  2. The method according to claim 1, wherein the first token further includes a validity period of the first token, and the first condition further includes: the time at which the server receives the first file operation request falls within the validity period.
  3. The method according to claim 2, wherein before the server performs the first operation on the file, the method further comprises:
    performing, by the server, a legality check and a validity check on the first token, the validity check being a check of whether the time at which the server receives the first file operation request falls within the validity period;
    when the first token passes the legality check and the validity check, verifying, by the server, whether the first operation is included in the first operation set and whether the second path includes the first path.
  4. The method according to any one of claims 1 to 3, wherein before the server receives the first file operation request from the terminal device, the method further comprises:
    generating, by the server, the first token;
    sending, by the server, the first token to the terminal device.
  5. The method according to claim 4, wherein
    before the server generates the first token, the method further comprises:
    receiving, by the server, a token acquisition request from the terminal device, the token acquisition request being used to acquire a token required for performing the first operation on the file of the first path;
    acquiring, by the server according to the token acquisition request, role permission information of a target account logged in on the terminal device, the target account being the account used by the terminal device to log in to the file management system;
    and the server generating the first token comprises:
    generating, by the server, the first token according to the role permission information.
  6. The method according to claim 5, wherein
    before the server receives the token acquisition request from the terminal device, the method further comprises:
    completing, by the server, the login authentication for the terminal device logging in to the file management system with the target account;
    and the server receiving the token acquisition request from the terminal device comprises:
    receiving, by the server, an access operation of the terminal device on the file of the first path in the file management system.
  7. An online file permission control method, comprising:
    generating, by a terminal device, a first file operation request, the first file operation request being used to request that a first operation be performed on a file of a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, both the first path and the second path being paths in a file management system run by a server, and the first token being used by the server to check whether the terminal device has permission to perform the first operation on the file of the first path;
    sending, by the terminal device, the first file operation request to the server.
  8. The method according to claim 7, wherein the first token further includes a validity period of the first token, the validity period being used to check the validity of the first token.
  9. The method according to claim 7 or 8, wherein
    before the terminal device generates the first file operation request, the method further comprises:
    acquiring, by the terminal device, the first token cached by a browser or a client application;
    and the terminal device generating the first file operation request comprises:
    generating, by the terminal device, the first file operation request based on the first token.
  10. The method according to any one of claims 7 to 9, wherein before the terminal device generates the first file operation request, the method further comprises:
    sending, by the terminal device, a token acquisition request to the server, the token acquisition request being used to acquire a token required for performing the first operation on the file of the first path;
    receiving, by the terminal device, the first token from the server, and caching the first token.
  11. The method according to claim 10, wherein
    before the terminal device sends the token acquisition request to the server, the method further comprises:
    logging in, by the terminal device, to the file management system with a target account;
    and the terminal device sending the token acquisition request to the server comprises:
    in response to a user's access operation on the file of the first path in the file management system, sending the token acquisition request to the server.
  12. A server, comprising:
    a transceiver unit configured to receive a first file operation request from a terminal device, the first file operation request being used to request that a first operation be performed on a file of a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, and both the first path and the second path being paths in a file management system run by the server;
    a processing unit configured to perform the first operation on the file when the first file operation request satisfies a first condition, the first condition including: the first token passes the legality check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  13. The server according to claim 12, wherein the first token further includes a validity period of the first token, and the first condition further includes: the time at which the server receives the first file operation request falls within the validity period.
  14. The server according to claim 13, wherein the processing unit is further configured to perform a legality check and a validity check on the first token, the validity check being a check of whether the time at which the server receives the first file operation request falls within the validity period, and, when the first token passes the legality check and the validity check, to verify whether the first operation is included in the first operation set and whether the second path includes the first path.
  15. The server according to any one of claims 12 to 14, wherein
    the processing unit is further configured to generate the first token;
    the transceiver unit is further configured to send the first token to the terminal device.
  16. The server according to claim 15, wherein
    the transceiver unit is further configured to receive a token acquisition request from the terminal device, the token acquisition request being used to acquire a token required for performing the first operation on the file of the first path;
    the processing unit is further configured to acquire, according to the token acquisition request, role permission information of a target account logged in on the terminal device, the target account being the account used by the terminal device to log in to the file management system;
    the processing unit is configured to generate the first token according to the role permission information.
  17. The server according to claim 16, wherein
    the processing unit is further configured to complete the login authentication for the terminal device logging in to the file management system with the target account;
    the transceiver unit is configured to receive an access operation of the terminal device on the file of the first path in the file management system.
  18. A terminal device, comprising:
    a processing unit configured to generate a first file operation request, the first file operation request being used to request that a first operation be performed on a file of a first path, the first file operation request carrying a first token, the first token including a second path and a first operation set, the first operation set including at least one operation, both the first path and the second path being paths in a file management system run by a server, and the first token being used by the server to check whether the terminal device has permission to perform the first operation on the file of the first path;
    a transceiver unit configured to send the first file operation request to the server.
  19. The terminal device according to claim 18, wherein the first token further includes a validity period of the first token, the validity period being used to check the validity of the first token.
  20. The terminal device according to claim 18 or 19, wherein
    the processing unit is further configured to acquire the first token cached by a browser or a client application;
    the processing unit is configured to generate the first file operation request based on the first token.
  21. The terminal device according to any one of claims 18 to 20, wherein the transceiver unit is further configured to send a token acquisition request to the server, the token acquisition request being used to acquire a token required for performing the first operation on the file of the first path, and to receive the first token from the server and cache the first token.
  22. The terminal device according to claim 21, wherein
    the processing unit is further configured to log in to the file management system with a target account;
    the transceiver unit is further configured to send the token acquisition request to the server in response to a user's access operation on the file of the first path in the file management system.
  23. A server, comprising: a memory for storing a program; and a processor for executing the program stored in the memory, wherein when the program is executed, the processor is used to perform the method according to any one of claims 1 to 6.
  24. A terminal device, comprising: a memory for storing a program; and a processor for executing the program stored in the memory, wherein when the program is executed, the processor is used to perform the method according to any one of claims 7 to 11.
  25. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 11.
  26. A computer program, comprising computer-readable code, wherein when the computer-readable code runs in a server, a processor in the server executes the method according to any one of claims 1 to 11.
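The following is an added example, not code from the patent or its applicant, that implements the server side of the method summarised under Industrial Applicability and in claims 1 to 6: token issuance from role permission information (claims 4 to 6) and the "first condition" check on a file operation request (claims 1 to 3). The patent specifies neither a token format nor the legality check algorithm, so the JSON-plus-HMAC-SHA256 encoding, the signing key, the role table, the account list and all paths below are assumptions constructed for the example. The one point the claims leave to the implementer, and the one that matters most in practice, is what "the second path includes the first path" means: the example normalises both paths first (so `..` segments cannot step outside the token's directory) and then requires a directory boundary, so a token for `/projects/alpha` does not cover `/projects/alphabet`.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed demo key; a real server would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed role permission information: role -> {second path (directory): operation set}.
ROLE_PERMISSIONS = {
    "editor": {"/projects/alpha": {"read", "write"}, "/shared": {"read"}},
    "viewer": {"/projects/alpha": {"read"}},
}
# Constructed mapping from the logged-in target account to its role.
ACCOUNT_ROLES = {"alice": "editor", "bob": "viewer"}


def _normalize(path):
    """Reject relative paths and collapse '.', '..' and repeated slashes, so that a
    request such as '/projects/alpha/../../etc/passwd' is compared as '/etc/passwd'."""
    if not path.startswith("/"):
        raise ValueError("paths in the file management system must be absolute")
    return posixpath.normpath(path)


def path_includes(second_path, first_path):
    """The claims' 'second path includes first path': true when the token's directory
    is the requested path itself or one of its ancestors, on a directory boundary."""
    base = _normalize(second_path)
    target = _normalize(first_path)
    if base == "/":
        return True
    return target == base or target.startswith(base + "/")


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(account, first_path, first_op, now=None, ttl_seconds=300):
    """Claims 4 to 6: on a token acquisition request, consult the role permission
    information of the target account and mint a token scoped to the matching
    directory prefix and its operation set. Returns None when the role grants nothing."""
    now = time.time() if now is None else now
    role = ACCOUNT_ROLES.get(account)
    for prefix, ops in ROLE_PERMISSIONS.get(role, {}).items():
        if first_op in ops and path_includes(prefix, first_path):
            claims = {"path": prefix, "ops": sorted(ops), "exp": int(now + ttl_seconds)}
            payload = base64.urlsafe_b64encode(
                json.dumps(claims, separators=(",", ":")).encode())
            return payload.decode() + "." + _sign(payload).hex()
    return None


def check_request(token, first_path, first_op, now=None):
    """Claims 1 to 3: evaluate the first condition in the order the claims give
    (legality check, validity check, operation membership, path inclusion) and
    return (allowed, reason). No per-user permission lookup is needed."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_hex = token.split(".", 1)
        payload = payload_b64.encode()
        # Legality check: the MAC is verified in constant time before the payload
        # is trusted, so an edited or forged token never reaches the later checks.
        if not hmac.compare_digest(_sign(payload), bytes.fromhex(mac_hex)):
            return False, "legality check failed"
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return False, "malformed token"
    # Validity check: the server's receive time must fall within the validity period.
    if now > claims.get("exp", 0):
        return False, "token expired"
    if first_op not in claims.get("ops", []):
        return False, "operation not in token's operation set"
    try:
        if not path_includes(claims.get("path", ""), first_path):
            return False, "token path does not include requested path"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"
```

`issue_token` is what the server runs when the terminal device sends the token acquisition request of claim 5; `check_request` is what it runs on the file operation request of claim 1. Because the token carries the directory and operation set it was scoped to, the second call needs only the signing key, which is the speed-up the Industrial Applicability paragraph describes; the cost is that a revoked role stays usable until the validity period runs out, so the `ttl_seconds` chosen at issuance bounds that window.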
PCT/CN2021/105569 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium, and computer program WO2022193494A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020227014600A KR20220130088A (en) 2021-03-15 2021-07-09 Authority control method and server, terminal, storage medium and computer program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110274535.8A CN113051611B (en) 2021-03-15 2021-03-15 Authority control method of online file and related product
CN202110274535.8 2021-03-15

Publications (1)

Publication Number Publication Date
WO2022193494A1 true WO2022193494A1 (en) 2022-09-22

Family

ID=76512268

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/105569 WO2022193494A1 (en) 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium, and computer program

Country Status (3)

Country Link
KR (1) KR20220130088A (en)
CN (1) CN113051611B (en)
WO (1) WO2022193494A1 (en)


Legal Events

Date Code Title Description
ENP Entry into the national phase. Ref document number: 2022523588; Country of ref document: JP; Kind code of ref document: A
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 21931076; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 21931076; Country of ref document: EP; Kind code of ref document: A1