package Router2Mid
import (
"fmt"
BasePedometer "github.com/fotomxq/weeekj_core/v5/base/pedometer"
BaseSafe "github.com/fotomxq/weeekj_core/v5/base/safe"
CoreLog "github.com/fotomxq/weeekj_core/v5/core/log"
CoreSQLFrom "github.com/fotomxq/weeekj_core/v5/core/sql/from"
OrgCore "github.com/fotomxq/weeekj_core/v5/org/core"
Router2SystemConfig "github.com/fotomxq/weeekj_core/v5/router2/system_config"
"github.com/gin-gonic/gin"
)
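// CheckPermission reports whether the caller behind context holds every
// permission mark in permissionMarks, dispatching to the user, organisation
// or role check according to the concrete context type.
//
// context must be a *RouterURLUserC, *RouterURLOrgC or *RouterURLRoleC. Any
// other value (including nil) means the check was invoked outside a
// logged-in route, which is a programming error: the function panics rather
// than returning a bool that a caller might mistake for a decision.
//
// An empty permissionMarks means "no permission required" and returns true
// without consulting the caller's permissions at all; routes must therefore
// pass their marks explicitly, as a missing list is fail-open.
func CheckPermission(context any, permissionMarks []string) bool {
	if len(permissionMarks) < 1 {
		return true
	}
	// a type switch replaces the nested type assertions; each branch returns
	// directly so there is no intermediate mode string and no unreachable
	// code after the panic (go vet flagged the old `return false`)
	switch v := context.(type) {
	case *RouterURLUserC:
		return checkPermissionUser(v.Context, v.UserID, getUserOrgID(v.Context), permissionMarks)
	case *RouterURLOrgC:
		return checkPermissionOrg(v.Context, v.UserID, v.OrgID, v.OrgBindID, permissionMarks)
	case *RouterURLRoleC:
		// role contexts carry no organisation, so the org id is 0 here;
		// checkPermissionUser only records it in the security log entry
		return checkPermissionUser(v.Context, v.UserID, 0, permissionMarks)
	default:
		// permission check in a non-login context: fail loudly, never open
		panic("check permission failed")
	}
}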
// checkPermissionUser reports whether userID holds every mark in
// permissionMarks. On the first missing mark it writes a security log
// entry through BaseSafe, optionally a warning through CoreLog, advances the
// "safe-user" pedometer for the user and answers the request with
// err_permission via reportGin, then returns false. orgID is only recorded
// in the security log entry.
func checkPermissionUser(c *gin.Context, userID, orgID int64, permissionMarks []string) bool {
	granted := getUserPermissions(userID)
	// only the first missing mark is reported; the rest are not examined
	missing, denied := firstMissingPermission(granted, permissionMarks)
	if !denied {
		return true
	}
	// security log: the recorded URL includes any query string, so
	// sensitive values must never travel in query parameters
	BaseSafe.CreateLog(&BaseSafe.ArgsCreateLog{
		System: "user.user_permission",
		Level:  1,
		IP:     c.ClientIP(),
		UserID: userID,
		OrgID:  orgID,
		Des:    fmt.Sprint("用户不具备权限[", missing, "],但尝试访问API,URL:", c.Request.URL),
	})
	if Router2SystemConfig.GlobConfig.Router.NeedTokenLog {
		CoreLog.Warn("router mid check user permissions failed, user id: ", userID, ", user have: ", granted, ", need: ", permissionMarks)
	}
	// count the denial against the user; a counter failure is reported to
	// the client as an error, a successful count as a plain denial
	_, err := BasePedometer.NextData(CoreSQLFrom.FieldsFrom{System: "safe-user", ID: userID})
	reportGin(c, err != nil, 0, err, "add user by safe", false, "err_permission", 0, nil)
	return false
}

// firstMissingPermission returns the first mark in required that does not
// appear in granted, and false when every required mark is held.
func firstMissingPermission(granted, required []string) (string, bool) {
	for _, need := range required {
		held := false
		for _, have := range granted {
			if have == need {
				held = true
				break
			}
		}
		if !held {
			return need, true
		}
	}
	return "", false
}
// checkPermissionOrg verifies two things in order: that userID holds the base
// "org" permission, and that the organisation member identified by orgBindID
// holds every mark in permissionMarks. A failed base check has already been
// answered to the client by checkPermissionUser; a failed member check is
// answered here with err_permission_org. Returns true only when both pass.
func checkPermissionOrg(c *gin.Context, userID, orgID, orgBindID int64, permissionMarks []string) bool {
	// the base "org" mark gates every organisation operation; on failure the
	// request has already been answered, so only a log line is added here
	if !checkPermissionUser(c, userID, orgID, []string{"org"}) {
		if Router2SystemConfig.GlobConfig.Router.NeedTokenLog {
			CoreLog.Warn("router mid check org bind permissions failed, user id: ", userID, ", no org base permission.")
		}
		return false
	}
	// member-level marks are resolved from the org binding, not the user
	if OrgCore.CheckPermissionByBindID(orgBindID, permissionMarks) {
		return true
	}
	reportGin(c, true, 0, nil, fmt.Sprint("need org permissions:", permissionMarks), false, "err_permission_org", 0, nil)
	if Router2SystemConfig.GlobConfig.Router.NeedTokenLog {
		CoreLog.Warn("router mid check org bind permissions failed, user id: ", userID, ", org bind id: ", orgBindID, ", org id: ", orgID, ", need: ", permissionMarks)
	}
	return false
}