From 0e538e04d1127faa83620f90a17a0b3854bb9845 Mon Sep 17 00:00:00 2001
From: yxh
Date: Tue, 30 Apr 2024 15:38:51 +0800
Subject: [PATCH] =?UTF-8?q?fix=20=E4=BC=98=E5=8C=96=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E6=9D=83=E9=99=90=E6=8E=A5=E5=85=A5=E6=96=B9=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../app/system/logic/middleware/middleware.go | 4 +-
 internal/app/system/logic/sysUser/sys_user.go | 103 ++++++++++++++++++
 internal/app/system/service/sys_user.go | 11 +-
 3 files changed, 112 insertions(+), 6 deletions(-)

diff --git a/internal/app/system/logic/middleware/middleware.go b/internal/app/system/logic/middleware/middleware.go
index 826f522..0f5fbc6 100644
--- a/internal/app/system/logic/middleware/middleware.go
+++ b/internal/app/system/logic/middleware/middleware.go
@@ -68,7 +68,7 @@ func (s *sMiddleware) Auth(r *ghttp.Request) {
 //获取登陆用户id
 adminId := service.Context().GetUserId(ctx)
 url := gstr.TrimLeft(r.Request.URL.Path, "/")
- /*if r.Method != "GET" && adminId != 1 && url!="api/v1/system/login" {
+ /*if r.Method != "GET" && adminId != 1 && url != "api/v1/system/login" {
 libResponse.FailJson(true, r, "对不起!演示系统,不能删改数据!")
 }*/
 //获取无需验证权限的用户id
@@ -174,7 +174,7 @@ func (s *sMiddleware) checkAuth(ctx context.Context, adminId uint64, menuId uint
 roleIdsMap.Iterator(func(k interface{}, v interface{}) bool {
 b, err = enforcer.Enforce(gconv.String(v), gconv.String(menuId), "All")
 liberr.ErrIsNil(ctx, err)
- return b
+ return !b
 })
 if !b {
 liberr.ErrIsNil(ctx, errors.New("没有权限"))
diff --git a/internal/app/system/logic/sysUser/sys_user.go b/internal/app/system/logic/sysUser/sys_user.go
index 4184eaf..5dc880c 100644
--- a/internal/app/system/logic/sysUser/sys_user.go
+++ b/internal/app/system/logic/sysUser/sys_user.go
@@ -12,6 +12,7 @@ import (
 "fmt"
 "github.com/gogf/gf/v2/container/garray"
 "github.com/gogf/gf/v2/encoding/gurl"
+ "github.com/gogf/gf/v2/net/ghttp"
 "reflect"
 "github.com/gogf/gf/v2/container/gset"
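Review bot: `return !b` in the Iterator callback changes `checkAuth` from requiring every role of the user to pass `Enforce` to granting access as soon as any one role does (if gmap's Iterator follows the GoFrame convention of continuing while the callback returns true, it now stops at the first allowed role instead of the first denied one). Any-role-grants is the usual RBAC union and an empty role map still fails closed because `b` stays false, but since this loosens an authorization decision the intent should be spelled out in code, e.g. `return !b // keep iterating until one role permits the menu; any allowing role grants access`. The enclosing `checkAuth` starts before and ends after the hunk.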
@@ -892,6 +893,7 @@ func (s *sSysUser) GetUsers(ctx context.Context, ids []int) (users []*model.SysU
 }
 // GetDataWhere 获取数据权限判断条件
+// Deprecated : 此方法已废弃,请使用更简单的GetAuthWhere方法
 func (s *sSysUser) GetDataWhere(ctx context.Context, userInfo *model.ContextUser, entityData interface{}, menuId uint) (where g.Map, err error) {
 whereJustMe := g.Map{} //本人数据权限
 t := reflect.TypeOf(entityData)
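Review bot: The marker `// Deprecated : ...` added before `GetDataWhere` will not be picked up by Go tooling: `staticcheck`, `gopls` and `go doc` only recognise a doc-comment paragraph that starts exactly with `Deprecated:` (no space before the colon) and is separated from the summary line by a blank `//` line. Rewrite it as `// GetDataWhere 获取数据权限判断条件`, `//`, `// Deprecated: use GetAuthWhere, which takes a *gdb.Model and resolves the menu from the request path.` so existing callers get a warning instead of silently keeping the old path. The body of `GetDataWhere` continues past the hunk.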
@@ -961,6 +963,107 @@ func (s *sSysUser) GetDataWhere(ctx context.Context, userInfo *model.ContextUser
 return
 }
+func (s *sSysUser) GetAuthWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, field ...string) *gdb.Model {
+ var (
+ //当前请求api接口对应的菜单
+ url = gstr.TrimLeft(ghttp.RequestFromCtx(ctx).Request.URL.Path, "/")
+ menuId uint
+ err error
+ nm *gdb.Model
+ )
+ //获取菜单ID
+ menuId, err = service.SysAuthRule().GetIdByName(ctx, url)
+ if err != nil {
+ g.Log().Error(ctx, err)
+ return m
+ }
+ nm, err = s.GetAuthDataWhere(ctx, m, userInfo, menuId, field...)
+ if err != nil {
+ g.Log().Error(ctx, err)
+ return m
+ }
+ return nm
+}
+
+// GetAuthDataWhere 获取数据权限判断条件
+func (s *sSysUser) GetAuthDataWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, menuId uint, field ...string) (nm *gdb.Model, err error) {
+ whereJustMe := g.Map{} //本人数据权限
+ createdUserField := "created_by"
+ //表别名
+ tableAlias := ""
+ if len(field) > 0 && field[0] != "" {
+ tableAlias = field[0]
+ }
+ if len(field) > 1 && field[1] != "" {
+ createdUserField = field[1]
+ }
+
+ if tableAlias != "" {
+ createdUserField = tableAlias + "." + createdUserField
+ }
+ err = g.Try(ctx, func(ctx context.Context) {
+ //若存在用户id的字段,则生成判断数据权限的条件
+ //1、获取当前用户所属角色Ids
+ var (
+ roleIds []uint
+ scope []*model.ScopeAuthData
+ deptIdArr = gset.New()
+ allScope = false
+ )
+ roleIds, err = s.GetAdminRoleIds(ctx, userInfo.Id)
+ liberr.ErrIsNil(ctx, err)
+ scope, err = service.SysRole().GetRoleMenuScope(ctx, roleIds, menuId)
+ liberr.ErrIsNil(ctx, err)
+ if scope == nil {
+ //角色未设置数据权限,默认仅本人数据权限
+ whereJustMe = g.Map{createdUserField: userInfo.Id}
+ } else {
+ //2获取角色对应数据权限
+ for _, sv := range scope {
+ switch sv.DataScope {
+ case 1: //全部数据权限
+ allScope = true
+ goto endLoop
+ case 2: //自定数据权限
+ deptIdArr.Add(gconv.Interfaces(sv.DeptIds)...)
+ case 3: //本部门数据权限
+ deptIdArr.Add(gconv.Int64(userInfo.DeptId))
+ case 4: //本部门及以下数据权限
+ deptIdArr.Add(gconv.Int64(userInfo.DeptId))
+ //获取正常状态部门数据
+ deptList := ([]*entity.SysDept)(nil)
+ deptList, err = service.SysDept().GetList(ctx, &system.DeptSearchReq{Status: "1"})
+ liberr.ErrIsNil(ctx, err)
+ var dList g.List
+ for _, d := range deptList {
+ m := g.Map{
+ "id": d.DeptId,
+ "pid": d.ParentId,
+ "label": d.DeptName,
+ }
+ dList = append(dList, m)
+ }
+ l := libUtils.FindSonByParentId(dList, userInfo.DeptId, "pid", "id")
+ for _, li := range l {
+ deptIdArr.Add(gconv.Int64(li["id"]))
+ }
+ case 5: //仅本人数据权限
+ whereJustMe = g.Map{createdUserField: userInfo.Id}
+ }
+ }
+ }
+ endLoop:
+ if !allScope && deptIdArr.Size() > 0 {
+ nm = m.WhereIn(createdUserField, dao.SysUser.Ctx(ctx).Fields(dao.SysUser.Columns().Id).
+ WhereIn(dao.SysUser.Columns().DeptId, deptIdArr.Slice()))
+ } else if !allScope && len(whereJustMe) > 0 {
+ nm = m.Where(whereJustMe)
+ }
+
+ })
+ return
+}
+
 // HasAccessByDataWhere 判断用户是否有数据权限
 func (s *sSysUser) HasAccessByDataWhere(ctx context.Context, where g.Map, uid interface{}) bool {
 err := g.Try(ctx, func(ctx context.Context) {
diff --git a/internal/app/system/service/sys_user.go b/internal/app/system/service/sys_user.go
index 772a40b..8b8dc72 100644
--- a/internal/app/system/service/sys_user.go
+++ b/internal/app/system/service/sys_user.go
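Review bot: `GetAuthWhere` fails open: on any error from `GetIdByName` or `GetAuthDataWhere` it logs and returns `m` untouched, so a lookup failure or a request path with no matching menu yields a query with no data-scope restriction at all; fall back to the most restrictive filter (the `created_by = userInfo.Id` condition, built from `field` exactly as `GetAuthDataWhere` does) or change the return to `(*gdb.Model, error)` so callers must handle it. In the same hunk `GetAuthDataWhere` leaves its named result `nm` nil when `allScope` is true (neither branch after `endLoop:` runs) and when `scope` is non-empty but no entry matches cases 1-5, so callers chaining on the returned `*gdb.Model` dereference nil; initialise `nm = m` up front and fail closed to the just-me filter when no dept or user filter was produced. `ghttp.RequestFromCtx(ctx)` returns nil for a ctx that does not carry a request, so `.Request.URL.Path` should be guarded before use. The `m := g.Map{...}` inside the dept loop shadows the model parameter `m`; it is harmless here but worth renaming. Both functions lie entirely within the hunk.
```go
func (s *sSysUser) GetAuthDataWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, menuId uint, field ...string) (nm *gdb.Model, err error) {
	nm = m // default for the full-data scope; never hand a nil model back to the caller
	// … unchanged: alias/column resolution, role and scope lookup, DataScope switch …
	endLoop:
		if allScope {
			return
		}
		if deptIdArr.Size() > 0 {
			nm = m.WhereIn(createdUserField, dao.SysUser.Ctx(ctx).Fields(dao.SysUser.Columns().Id).
				WhereIn(dao.SysUser.Columns().DeptId, deptIdArr.Slice()))
			return
		}
		if len(whereJustMe) == 0 {
			// no recognised scope produced a filter: fail closed to the caller's own rows
			whereJustMe = g.Map{createdUserField: userInfo.Id}
		}
		nm = m.Where(whereJustMe)
	})
	return
}
```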
@@ -27,10 +27,10 @@ type (
 GetUserByPhone(ctx context.Context, phone string) (user *model.LoginUserRes, err error)
 GetUserById(ctx context.Context, id uint64) (user *model.LoginUserRes, err error)
 LoginLog(ctx context.Context, params *model.LoginLogParams)
- UpdateLoginInfo(ctx context.Context, id uint64, ip string,openId ...string) (err error)
+ UpdateLoginInfo(ctx context.Context, id uint64, ip string, openId ...string) (err error)
 GetAdminRules(ctx context.Context, userId uint64) (menuList []*model.UserMenus, permissions []string, err error)
 GetAdminRole(ctx context.Context, userId uint64, allRoleList []*entity.SysRole) (roles []*entity.SysRole, err error)
- GetAdminRoleIds(ctx context.Context, userId uint64,includeChildren ...bool) (roleIds []uint, err error)
+ GetAdminRoleIds(ctx context.Context, userId uint64, includeChildren ...bool) (roleIds []uint, err error)
 GetAllMenus(ctx context.Context) (menus []*model.UserMenus, err error)
 GetAdminMenusIdsByRoleIds(ctx context.Context, roleIds []uint) (menuIds *garray.Array, err error)
 GetAdminMenusByRoleIds(ctx context.Context, roleIds []uint) (menus []*model.UserMenus, err error)
@@ -52,11 +52,14 @@ type (
 ChangeUserStatus(ctx context.Context, req *system.UserStatusReq) (err error)
 Delete(ctx context.Context, ids []int) (err error)
 GetUsers(ctx context.Context, ids []int) (users []*model.SysUserSimpleRes, err error)
- GetDataWhere(ctx context.Context, userInfo *model.ContextUser, entityData interface{},menuId uint) (where g.Map, err error)
+ // Deprecated : 此方法已废弃,请使用更简单的GetAuthWhere方法
+ GetDataWhere(ctx context.Context, userInfo *model.ContextUser, entityData interface{}, menuId uint) (where g.Map, err error)
 HasAccessByDataWhere(ctx context.Context, where g.Map, uid interface{}) bool
 AccessRule(ctx context.Context, userId uint64, rule string) bool
 GetUserSelector(ctx context.Context, req *system.UserSelectorReq) (total interface{}, userList []*model.SysUserSimpleRes, err error)
- GetUsersByRoleId(ctx context.Context,roleId uint)(users []*model.SysUserRoleDeptRes,err error)
+ GetUsersByRoleId(ctx context.Context, roleId uint) (users []*model.SysUserRoleDeptRes, err error)
+ GetAuthWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, field ...string) *gdb.Model
+ GetAuthDataWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, menuId uint, field ...string) (nm *gdb.Model, err error)
 }
)
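Review bot: The new interface methods `GetAuthWhere` and `GetAuthDataWhere` are added without doc comments, and the positional `field ...string` contract (per the implementation in this patch, `field[0]` is a table alias prefixed to the column and `field[1]` overrides the default `created_by` column) cannot be inferred from the signature. Add e.g. `// GetAuthWhere applies the caller's data-scope filter to m, resolving the menu from the current request path; field[0] is an optional table alias, field[1] an optional creator-id column (default "created_by").` and a matching comment on `GetAuthDataWhere` noting that it takes the menu id explicitly and returns an error instead of logging. The `// Deprecated :` line on `GetDataWhere` has the same spacing problem as the implementation file: Go tools only honour `Deprecated:` at the start of its own comment paragraph.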