탐색 도움말
로그인
weiym
/
perms-system-server
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: 748738d66b
브랜치 태그
perms-system...
/
internal
/
logic
/
auth
/
access.go

access.go 4.7 KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159 
  1. package auth
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"math"
    6. 

  6. 	"strings"
    7. 

  7. 

  8. 	"perms-system-server/internal/consts"
    9. 

  9. 	"perms-system-server/internal/loaders"
    10. 

  10. 	"perms-system-server/internal/middleware"
    11. 

  11. 	"perms-system-server/internal/response"
    12. 

  12. 	"perms-system-server/internal/svc"
    13. 

  13. )
    14. 

  14. 

  15. func memberTypePriority(memberType string) int {
    16. 

  16. 	switch memberType {
    17. 

  17. 	case consts.MemberTypeSuperAdmin:
    18. 

  18. 		return 0
    19. 

  19. 	case consts.MemberTypeAdmin:
    20. 

  20. 		return 1
    21. 

  21. 	case consts.MemberTypeDeveloper:
    22. 

  22. 		return 2
    23. 

  23. 	case consts.MemberTypeMember:
    24. 

  24. 		return 3
    25. 

  25. 	default:
    26. 

  26. 		return math.MaxInt32
    27. 

  27. 	}
    28. 

  28. }
    29. 

  29. 

  30. // CheckManageAccess 检查当前操作者是否有权管理目标用户。
    31. 

  31. // 规则:
    32. 

  32. //  1. SUPER_ADMIN 完全豁免
    33. 

  33. //  2. 操作自己豁免
    34. 

  34. //  3. 部门检查:目标用户须在操作者本部门或下级子部门(ADMIN 豁免)
    35. 

  35. //  4. 权限级别检查:操作者的级别必须严格高于目标用户
    36. 

  36. //     - 先比 memberType 优先级(SUPER_ADMIN > ADMIN > DEVELOPER > MEMBER)
    37. 

  37. //     - 同 memberType 时比 permsLevel(数值越小权限越高)
    38. 

  38. func CheckManageAccess(ctx context.Context, svcCtx *svc.ServiceContext, targetUserId int64, productCode string) error {
    39. 

  39. 	caller := middleware.GetUserDetails(ctx)
    40. 

  40. 	if caller == nil {
    41. 

  41. 		return response.ErrUnauthorized("未登录")
    42. 

  42. 	}
    43. 

  43. 

  44. 	if caller.IsSuperAdmin {
    45. 

  45. 		return nil
    46. 

  46. 	}
    47. 

  47. 	if caller.UserId == targetUserId {
    48. 

  48. 		return nil
    49. 

  49. 	}
    50. 

  50. 

  51. 	if err := checkDeptHierarchy(ctx, svcCtx, caller, targetUserId); err != nil {
    52. 

  52. 		return err
    53. 

  53. 	}
    54. 

  54. 

  55. 	return checkPermLevel(ctx, svcCtx, caller, targetUserId, productCode)
    56. 

  56. }
    57. 

  57. 

  58. // CheckMemberTypeAssignment 检查操作者是否有权分配指定的 memberType。
    59. 

  59. func CheckMemberTypeAssignment(ctx context.Context, assignedType string) error {
    60. 

  60. 	caller := middleware.GetUserDetails(ctx)
    61. 

  61. 	if caller == nil {
    62. 

  62. 		return response.ErrUnauthorized("未登录")
    63. 

  63. 	}
    64. 

  64. 	if caller.IsSuperAdmin {
    65. 

  65. 		return nil
    66. 

  66. 	}
    67. 

  67. 	if memberTypePriority(caller.MemberType) >= memberTypePriority(assignedType) {
    68. 

  68. 		return response.ErrForbidden("无权分配该成员类型,不能分配与自己同级或更高级别的类型")
    69. 

  69. 	}
    70. 

  70. 	return nil
    71. 

  71. }
    72. 

  72. 

  73. // RequireSuperAdmin 要求当前操作者必须是超级管理员。
    74. 

  74. func RequireSuperAdmin(ctx context.Context) error {
    75. 

  75. 	caller := middleware.GetUserDetails(ctx)
    76. 

  76. 	if caller == nil {
    77. 

  77. 		return response.ErrUnauthorized("未登录")
    78. 

  78. 	}
    79. 

  79. 	if !caller.IsSuperAdmin {
    80. 

  80. 		return response.ErrForbidden("仅超级管理员可执行此操作")
    81. 

  81. 	}
    82. 

  82. 	return nil
    83. 

  83. }
    84. 

  84. 

  85. // RequireProductAdmin 要求当前操作者是超级管理员或当前产品的管理员(ADMIN)。
    86. 

  86. func RequireProductAdmin(ctx context.Context) error {
    87. 

  87. 	caller := middleware.GetUserDetails(ctx)
    88. 

  88. 	if caller == nil {
    89. 

  89. 		return response.ErrUnauthorized("未登录")
    90. 

  90. 	}
    91. 

  91. 	if caller.IsSuperAdmin {
    92. 

  92. 		return nil
    93. 

  93. 	}
    94. 

  94. 	if caller.MemberType == consts.MemberTypeAdmin {
    95. 

  95. 		return nil
    96. 

  96. 	}
    97. 

  97. 	return response.ErrForbidden("仅超级管理员或产品管理员可执行此操作")
    98. 

  98. }
    99. 

  99. 

  100. func checkDeptHierarchy(ctx context.Context, svcCtx *svc.ServiceContext, caller *loaders.UserDetails, targetUserId int64) error {
    101. 

  101. 	if caller.MemberType == consts.MemberTypeAdmin {
    102. 

  102. 		return nil
    103. 

  103. 	}
    104. 

  104. 

  105. 	if caller.DeptId == 0 {
    106. 

  106. 		return response.ErrForbidden("您未归属任何部门,无权管理其他用户")
    107. 

  107. 	}
    108. 

  108. 

  109. 	target, err := svcCtx.SysUserModel.FindOne(ctx, targetUserId)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return response.ErrNotFound("目标用户不存在")
    112. 

  112. 	}
    113. 

  113. 	if target.DeptId == 0 {
    114. 

  114. 		return response.ErrForbidden("目标用户未归属部门,仅超管或产品管理员可管理")
    115. 

  115. 	}
    116. 

  116. 

  117. 	targetDept, err := svcCtx.SysDeptModel.FindOne(ctx, target.DeptId)
    118. 

  118. 	if err != nil {
    119. 

  119. 		return response.ErrForbidden("无权操作")
    120. 

  120. 	}
    121. 

  121. 

  122. 	if !strings.HasPrefix(targetDept.Path, caller.DeptPath) {
    123. 

  123. 		return response.ErrForbidden("无权管理其他部门的用户")
    124. 

  124. 	}
    125. 

  125. 	return nil
    126. 

  126. }
    127. 

  127. 

  128. func checkPermLevel(ctx context.Context, svcCtx *svc.ServiceContext, caller *loaders.UserDetails, targetUserId int64, productCode string) error {
    129. 

  129. 	if productCode == "" {
    130. 

  130. 		return response.ErrBadRequest("缺少产品上下文,无法进行权限级别判定")
    131. 

  131. 	}
    132. 

  132. 

  133. 	targetMemberType := ""
    134. 

  134. 	targetMember, err := svcCtx.SysProductMemberModel.FindOneByProductCodeUserId(ctx, productCode, targetUserId)
    135. 

  135. 	if err == nil {
    136. 

  136. 		targetMemberType = targetMember.MemberType
    137. 

  137. 	}
    138. 

  138. 

  139. 	callerPri := memberTypePriority(caller.MemberType)
    140. 

  140. 	targetPri := memberTypePriority(targetMemberType)
    141. 

  141. 

  142. 	if callerPri > targetPri {
    143. 

  143. 		return response.ErrForbidden("无权管理权限级别高于您的用户")
    144. 

  144. 	}
    145. 

  145. 	if callerPri < targetPri {
    146. 

  146. 		return nil
    147. 

  147. 	}
    148. 

  148. 

  149. 	// memberType 相同,比较 permsLevel
    150. 

  150. 	targetLevel, err := svcCtx.SysRoleModel.FindMinPermsLevelByUserIdAndProductCode(ctx, targetUserId, productCode)
    151. 

  151. 	if err != nil {
    152. 

  152. 		targetLevel = math.MaxInt64
    153. 

  153. 	}
    154. 

  154. 

  155. 	if caller.MinPermsLevel >= targetLevel {
    156. 

  156. 		return response.ErrForbidden("无权管理权限级别高于或等于您的用户")
    157. 

  157. 	}
    158. 

  158. 	return nil
    159. 

  159. }
    160.