feat(admin): add box preview and password bypass for administrators

Introduce an `AdminViewBox` handler and route that allows administrators to view any box directly. If the box is password-protected, the handler bypasses the protection by setting an unlock cookie with an unlock token and logs the bypass event. Additionally, add CSS and JS foundations for a file context menu and preview actions in the file browser UI.
2026-05-25 17:05:59 +03:00
parent 26619bacbc
commit bba84d4194
6 changed files with 348 additions and 9 deletions
--- a/backend/libs/handlers/admin.go
+++ b/backend/libs/handlers/admin.go
@@ -140,6 +140,33 @@ func (a *App) AdminDeleteBox(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/admin/files", http.StatusSeeOther)
 }

+func (a *App) AdminViewBox(w http.ResponseWriter, r *http.Request) {
+	if !a.requireAdmin(w, r) {
+		return
+	}
+
+	box, err := a.uploadService.GetBox(r.PathValue("boxID"))
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	if a.uploadService.IsProtected(box) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     unlockCookieName(box.ID),
+			Value:    a.uploadService.UnlockToken(box),
+			Path:     "/d/" + box.ID,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			Secure:   r.TLS != nil,
+			Expires:  box.ExpiresAt,
+		})
+		a.logger.Info("admin bypassed box password", "source", "admin", "severity", "user_activity", "code", 2302, "box_id", box.ID)
+	}
+
+	http.Redirect(w, r, "/d/"+box.ID, http.StatusSeeOther)
+}
+
 func (a *App) renderAdminLogin(w http.ResponseWriter, status int, message string) {
 	a.renderer.Render(w, status, "admin_login.html", web.PageData{
 		Title:       "Admin login",