package user import ( "context" "fmt" "time" "perms-system-server/internal/consts" authHelper "perms-system-server/internal/logic/auth" "perms-system-server/internal/middleware" "perms-system-server/internal/model/userperm" "perms-system-server/internal/response" "perms-system-server/internal/svc" "perms-system-server/internal/types" "github.com/zeromicro/go-zero/core/logx" "github.com/zeromicro/go-zero/core/stores/sqlx" ) type SetUserPermsLogic struct { logx.Logger ctx context.Context svcCtx *svc.ServiceContext } func NewSetUserPermsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *SetUserPermsLogic { return &SetUserPermsLogic{ Logger: logx.WithContext(ctx), ctx: ctx, svcCtx: svcCtx, } } // SetUserPerms 设置用户个性化权限。对指定用户在当前产品下做权限全量覆盖,支持 ALLOW(附加)和 DENY(拒绝)两种效果,用于角色权限之外的细粒度调整。 func (l *SetUserPermsLogic) SetUserPerms(req *types.SetPermsReq) error { if _, err := l.svcCtx.SysUserModel.FindOne(l.ctx, req.UserId); err != nil { return response.ErrNotFound("用户不存在") } productCode := middleware.GetProductCode(l.ctx) product, err := l.svcCtx.SysProductModel.FindOneByCode(l.ctx, productCode) if err != nil { return response.ErrNotFound("产品不存在") } if product.Status != consts.StatusEnabled { return response.ErrBadRequest("产品已被禁用,无法设置权限") } if err := authHelper.CheckManageAccess(l.ctx, l.svcCtx, req.UserId, productCode); err != nil { return err } member, memberErr := l.svcCtx.SysProductMemberModel.FindOneByProductCodeUserId(l.ctx, productCode, req.UserId) if memberErr != nil { return response.ErrBadRequest("目标用户不是当前产品的成员") } if member.Status != consts.StatusEnabled { return response.ErrBadRequest("目标用户的成员资格已被禁用") } for _, p := range req.Perms { if p.Effect != consts.PermEffectAllow && p.Effect != consts.PermEffectDeny { return response.ErrBadRequest("effect值无效,仅支持 ALLOW 和 DENY") } } if len(req.Perms) > 0 { seen := make(map[int64]string, len(req.Perms)) uniquePerms := make([]types.UserPermItem, 0, len(req.Perms)) for _, p := range req.Perms { if prev, ok := seen[p.PermId]; ok { if prev != p.Effect { return response.ErrBadRequest("同一权限ID不能同时为 ALLOW 和 DENY") } continue } seen[p.PermId] = p.Effect uniquePerms = append(uniquePerms, p) } req.Perms = uniquePerms } if len(req.Perms) > 0 { permIds := make([]int64, 0, len(req.Perms)) for _, p := range req.Perms { permIds = append(permIds, p.PermId) } perms, err := l.svcCtx.SysPermModel.FindByIds(l.ctx, permIds) if err != nil { return err } if len(perms) != len(req.Perms) { return response.ErrBadRequest("包含无效的权限ID") } for _, p := range perms { if p.ProductCode != productCode { return response.ErrBadRequest("不能设置其他产品的权限") } if p.Status != consts.StatusEnabled { return response.ErrBadRequest(fmt.Sprintf("权限 %s 已被禁用,无法设置", p.Code)) } } } if err := l.svcCtx.SysUserPermModel.TransactCtx(l.ctx, func(ctx context.Context, session sqlx.Session) error { if err := l.svcCtx.SysUserPermModel.DeleteByUserIdForProductTx(ctx, session, req.UserId, productCode); err != nil { return err } if len(req.Perms) == 0 { return nil } now := time.Now().Unix() data := make([]*userperm.SysUserPerm, 0, len(req.Perms)) for _, p := range req.Perms { data = append(data, &userperm.SysUserPerm{ UserId: req.UserId, PermId: p.PermId, Effect: p.Effect, CreateTime: now, UpdateTime: now, }) } return l.svcCtx.SysUserPermModel.BatchInsertWithTx(ctx, session, data) }); err != nil { return err } l.svcCtx.UserDetailsLoader.Del(l.ctx, req.UserId, productCode) return nil }