fix 优化数据权限接入方法

2024-04-30 15:38:51 +08:00 · 2024-04-30 15:38:51 +08:00 · 0e538e04d1
commit 0e538e04d1
parent c3afbaa4d3
3 changed files with 112 additions and 6 deletions
--- a/internal/app/system/logic/middleware/middleware.go
+++ b/internal/app/system/logic/middleware/middleware.go
@ -174,7 +174,7 @@ func (s *sMiddleware) checkAuth(ctx context.Context, adminId uint64, menuId uint
 		roleIdsMap.Iterator(func(k interface{}, v interface{}) bool {
 			b, err = enforcer.Enforce(gconv.String(v), gconv.String(menuId), "All")
 			liberr.ErrIsNil(ctx, err)
-			return b
+			return !b
 		})
 		if !b {
 			liberr.ErrIsNil(ctx, errors.New("没有权限"))
--- a/internal/app/system/logic/sysUser/sys_user.go
+++ b/internal/app/system/logic/sysUser/sys_user.go
@ -12,6 +12,7 @@ import (
 	"fmt"
 	"github.com/gogf/gf/v2/container/garray"
 	"github.com/gogf/gf/v2/encoding/gurl"
+	"github.com/gogf/gf/v2/net/ghttp"
 	"reflect"

 	"github.com/gogf/gf/v2/container/gset"
@ -892,6 +893,7 @@ func (s *sSysUser) GetUsers(ctx context.Context, ids []int) (users []*model.SysU
 }

 // GetDataWhere 获取数据权限判断条件
+// Deprecated : 此方法已废弃，请使用更简单的GetAuthWhere方法
 func (s *sSysUser) GetDataWhere(ctx context.Context, userInfo *model.ContextUser, entityData interface{}, menuId uint) (where g.Map, err error) {
 	whereJustMe := g.Map{} //本人数据权限
 	t := reflect.TypeOf(entityData)
@ -961,6 +963,107 @@ func (s *sSysUser) GetDataWhere(ctx context.Context, userInfo *model.ContextUser
 	return
 }

+func (s *sSysUser) GetAuthWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, field ...string) *gdb.Model {
+	var (
+		//当前请求api接口对应的菜单
+		url    = gstr.TrimLeft(ghttp.RequestFromCtx(ctx).Request.URL.Path, "/")
+		menuId uint
+		err    error
+		nm     *gdb.Model
+	)
+	//获取菜单ID
+	menuId, err = service.SysAuthRule().GetIdByName(ctx, url)
+	if err != nil {
+		g.Log().Error(ctx, err)
+		return m
+	}
+	nm, err = s.GetAuthDataWhere(ctx, m, userInfo, menuId, field...)
+	if err != nil {
+		g.Log().Error(ctx, err)
+		return m
+	}
+	return nm
+}
+
+// GetAuthDataWhere 获取数据权限判断条件
+func (s *sSysUser) GetAuthDataWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, menuId uint, field ...string) (nm *gdb.Model, err error) {
+	whereJustMe := g.Map{} //本人数据权限
+	createdUserField := "created_by"
+	//表别名
+	tableAlias := ""
+	if len(field) > 0 && field[0] != "" {
+		tableAlias = field[0]
+	}
+	if len(field) > 1 && field[1] != "" {
+		createdUserField = field[1]
+	}
+
+	if tableAlias != "" {
+		createdUserField = tableAlias + "." + createdUserField
+	}
+	err = g.Try(ctx, func(ctx context.Context) {
+		//若存在用户id的字段，则生成判断数据权限的条件
+		//1、获取当前用户所属角色Ids
+		var (
+			roleIds   []uint
+			scope     []*model.ScopeAuthData
+			deptIdArr = gset.New()
+			allScope  = false
+		)
+		roleIds, err = s.GetAdminRoleIds(ctx, userInfo.Id)
+		liberr.ErrIsNil(ctx, err)
+		scope, err = service.SysRole().GetRoleMenuScope(ctx, roleIds, menuId)
+		liberr.ErrIsNil(ctx, err)
+		if scope == nil {
+			//角色未设置数据权限，默认仅本人数据权限
+			whereJustMe = g.Map{createdUserField: userInfo.Id}
+		} else {
+			//2获取角色对应数据权限
+			for _, sv := range scope {
+				switch sv.DataScope {
+				case 1: //全部数据权限
+					allScope = true
+					goto endLoop
+				case 2: //自定数据权限
+					deptIdArr.Add(gconv.Interfaces(sv.DeptIds)...)
+				case 3: //本部门数据权限
+					deptIdArr.Add(gconv.Int64(userInfo.DeptId))
+				case 4: //本部门及以下数据权限
+					deptIdArr.Add(gconv.Int64(userInfo.DeptId))
+					//获取正常状态部门数据
+					deptList := ([]*entity.SysDept)(nil)
+					deptList, err = service.SysDept().GetList(ctx, &system.DeptSearchReq{Status: "1"})
+					liberr.ErrIsNil(ctx, err)
+					var dList g.List
+					for _, d := range deptList {
+						m := g.Map{
+							"id":    d.DeptId,
+							"pid":   d.ParentId,
+							"label": d.DeptName,
+						}
+						dList = append(dList, m)
+					}
+					l := libUtils.FindSonByParentId(dList, userInfo.DeptId, "pid", "id")
+					for _, li := range l {
+						deptIdArr.Add(gconv.Int64(li["id"]))
+					}
+				case 5: //仅本人数据权限
+					whereJustMe = g.Map{createdUserField: userInfo.Id}
+				}
+			}
+		}
+	endLoop:
+		if !allScope && deptIdArr.Size() > 0 {
+			nm = m.WhereIn(createdUserField, dao.SysUser.Ctx(ctx).Fields(dao.SysUser.Columns().Id).
+				WhereIn(dao.SysUser.Columns().DeptId, deptIdArr.Slice()))
+		} else if !allScope && len(whereJustMe) > 0 {
+			nm = m.Where(whereJustMe)
+		}
+
+	})
+	return
+}
+
 // HasAccessByDataWhere 判断用户是否有数据权限
 func (s *sSysUser) HasAccessByDataWhere(ctx context.Context, where g.Map, uid interface{}) bool {
 	err := g.Try(ctx, func(ctx context.Context) {
--- a/internal/app/system/service/sys_user.go
+++ b/internal/app/system/service/sys_user.go
@ -52,11 +52,14 @@ type (
 		ChangeUserStatus(ctx context.Context, req *system.UserStatusReq) (err error)
 		Delete(ctx context.Context, ids []int) (err error)
 		GetUsers(ctx context.Context, ids []int) (users []*model.SysUserSimpleRes, err error)
+		// Deprecated : 此方法已废弃，请使用更简单的GetAuthWhere方法
 		GetDataWhere(ctx context.Context, userInfo *model.ContextUser, entityData interface{}, menuId uint) (where g.Map, err error)
 		HasAccessByDataWhere(ctx context.Context, where g.Map, uid interface{}) bool
 		AccessRule(ctx context.Context, userId uint64, rule string) bool
 		GetUserSelector(ctx context.Context, req *system.UserSelectorReq) (total interface{}, userList []*model.SysUserSimpleRes, err error)
 		GetUsersByRoleId(ctx context.Context, roleId uint) (users []*model.SysUserRoleDeptRes, err error)
+		GetAuthWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, field ...string)  *gdb.Model
+		GetAuthDataWhere(ctx context.Context, m *gdb.Model, userInfo *model.ContextUser, menuId uint, field ...string) (nm *gdb.Model, err error)
 	}
 )