优化权限控制

leeqvip · Feb 24, 2019 · fbbaaf1 · fbbaaf1
1 parent 986a14b
commit fbbaaf1
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 59 deletions.
diff --git a/helper.php b/helper.php
@@ -2,69 +2,87 @@
 
 use tadmin\model\Config;
 
-function script_path()
-{
-    if ('cli' == PHP_SAPI) {
-        $scriptName = realpath($_SERVER['argv'][0]);
-    } else {
-        $scriptName = $_SERVER['SCRIPT_FILENAME'];
-    }
+if (!function_exists('script_path')) {
+    function script_path()
+    {
+        if ('cli' == PHP_SAPI) {
+            $scriptName = realpath($_SERVER['argv'][0]);
+        } else {
+            $scriptName = $_SERVER['SCRIPT_FILENAME'];
+        }
 
-    return realpath(dirname($scriptName)).'/';
+        return realpath(dirname($scriptName)).'/';
+    }
 }
 
-function app_path($path = '')
-{
-    return env('app_path').ltrim($path, '/');
+if (!function_exists('app_path')) {
+    function app_path($path = '')
+    {
+        return env('app_path').ltrim($path, '/');
+    }
 }
 
-function public_path($path = '')
-{
-    return script_path().ltrim($path, '/');
-    // return app_path('../public/').ltrim($path, '/');
+if (!function_exists('public_path')) {
+    function public_path($path = '')
+    {
+        return script_path().ltrim($path, '/');
+        // return app_path('../public/').ltrim($path, '/');
+    }
 }
 
-function admin_path($path = '')
-{
-    return __DIR__.'/'.ltrim($path, '/');
+if (!function_exists('admin_path')) {
+    function admin_path($path = '')
+    {
+        return __DIR__.'/'.ltrim($path, '/');
+    }
 }
 
-function admin_config_path($path = '')
-{
-    return admin_path('config/').ltrim($path, '/');
+if (!function_exists('admin_config_path')) {
+    function admin_config_path($path = '')
+    {
+        return admin_path('config/').ltrim($path, '/');
+    }
 }
 
-function admin_route_path($path = '')
-{
-    return admin_path('route/').ltrim($path, '/');
+if (!function_exists('admin_route_path')) {
+    function admin_route_path($path = '')
+    {
+        return admin_path('route/').ltrim($path, '/');
+    }
 }
 
-function admin_view_path($path = '')
-{
-    return admin_path('resource/view/').ltrim($path, '/');
+if (!function_exists('admin_view_path')) {
+    function admin_view_path($path = '')
+    {
+        return admin_path('resource/view/').ltrim($path, '/');
+    }
 }
 
-function site_config($key)
-{
-    return Config::get($key);
+if (!function_exists('site_config')) {
+    function site_config($key)
+    {
+        return Config::get($key);
+    }
 }
 
-function array_deep_merge(array $a, array $b)
-{
-    foreach ($a as $key => $val) {
-        if (isset($b[$key])) {
-            if (gettype($a[$key]) != gettype($b[$key])) {
-                continue;
-            }
-            if (is_array($a[$key])) {
-                $a[$key] = array_deep_merge($a[$key], $b[$key]);
-            } else {
-                $a[$key] = $b[$key];
+if (!function_exists('array_deep_merge')) {
+    function array_deep_merge(array $a, array $b)
+    {
+        foreach ($a as $key => $val) {
+            if (isset($b[$key])) {
+                if (gettype($a[$key]) != gettype($b[$key])) {
+                    continue;
+                }
+                if (is_array($a[$key])) {
+                    $a[$key] = array_deep_merge($a[$key], $b[$key]);
+                } else {
+                    $a[$key] = $b[$key];
+                }
             }
         }
-    }
 
-    return $a;
+        return $a;
+    }
 }
 
 \think\Console::addDefaultCommands([

diff --git a/src/controller/Transfer.php b/src/controller/Transfer.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace tadmin\controller;
+
+use tadmin\support\controller\Controller;
+
+class Transfer extends Controller
+{
+    public function message($value = null)
+    {
+        $this->error($value);
+    }
+}
diff --git a/src/controller/auth/Adminer.php b/src/controller/auth/Adminer.php
@@ -121,7 +121,7 @@ protected function updateAdminer(Request $request)
     protected function validateAdminAccount(array $data)
     {
         $validate = Validate::make([
-            'admin_account' => 'require|alphaDash|max:16|unique:adminer',
+            'admin_account' => 'require|alphaDash|max:16|unique:adminers',
         ], [
             'admin_account.require' => '登录账号必须',
             'admin_account.alphaDash' => '登录账号只能是字母、数字和下划线_及破折号-',

diff --git a/src/middleware/PermissionCheck.php b/src/middleware/PermissionCheck.php
@@ -2,6 +2,7 @@
 
 namespace tadmin\middleware;
 
+use tadmin\controller\Transfer;
 use tadmin\service\auth\facade\Auth;
 use Casbin;
 
@@ -21,8 +22,9 @@ public function handle($request, \Closure $next)
             return $next($request);
         }
 
-        if (true !== Casbin::enforce($this->request->method(true), $this->parseCurrentPath())) {
-            throw new \Exception('权限不足');
+        if (true !== Casbin::enforce('adminer.'.$adminer->id, $this->request->method(true), $this->parseCurrentPath())) {
+            return controller(Transfer::class, '')->message('权限不足');
+            // throw new \Exception('权限不足');
         }
 
         return $next($request);

diff --git a/src/service/casbin/Adapter.php b/src/service/casbin/Adapter.php
@@ -3,41 +3,46 @@
 namespace tadmin\service\casbin;
 
 use Casbin\Persist\Adapter as AdapterContract;
-use tadmin\model\Role;
 use Casbin\Exceptions\CasbinException;
 use Casbin\Persist\AdapterHelper;
+use tadmin\model\AdminerRole;
+use tadmin\model\Role;
+use tadmin\service\auth\facade\Auth;
 
 class Adapter implements AdapterContract
 {
     use AdapterHelper;
 
-    protected $roleId;
-
-    protected $role;
-
-    public function __construct()
-    {
-        // $this->role = $role;
-    }
-
     public function savePolicyLine($ptype, array $rule)
     {
     }
 
     public function loadPolicy($model)
     {
-        $roles = Role::when(null !== $this->roleId, function ($query) {
-            $query->where('id', $this->roleId);
+        $adminer = Auth::user();
+        // 加载所有（当前登录用户）的角色及其权限
+        $roles = Role::when($adminer, function ($query) use ($adminer) {
+            $query->whereIn('id', $adminer->roles->column('id'));
         })
         ->with('permissions')
         ->select();
 
         foreach ($roles as $role) {
             foreach ($role->permissions as $permission) {
-                $line = 'p, '.$permission->http_method.', '.$permission->http_path;
+                $line = 'p, role.'.$role->id.', '.$permission->http_method.', '.$permission->http_path;
                 $this->loadPolicyLine(trim($line), $model);
             }
         }
+
+        // 加载（当前登录）用户和角色的关系
+        $adminersOfRoles = AdminerRole::when($adminer, function ($query) use ($adminer) {
+            $query->where('adminer_id', $adminer->id);
+        })
+        ->select();
+        foreach ($adminersOfRoles as $aor) {
+            $line = 'g, adminer.'.$aor->adminer_id.', role.'.$aor->role_id;
+            $this->loadPolicyLine(trim($line), $model);
+        }
     }
 
     public function savePolicy($model)