| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 |
- package user
- import (
- "context"
- "fmt"
- "time"
- "perms-system-server/internal/consts"
- authHelper "perms-system-server/internal/logic/auth"
- "perms-system-server/internal/middleware"
- "perms-system-server/internal/model/userperm"
- "perms-system-server/internal/response"
- "perms-system-server/internal/svc"
- "perms-system-server/internal/types"
- "github.com/zeromicro/go-zero/core/logx"
- "github.com/zeromicro/go-zero/core/stores/sqlx"
- )
- type SetUserPermsLogic struct {
- logx.Logger
- ctx context.Context
- svcCtx *svc.ServiceContext
- }
- func NewSetUserPermsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *SetUserPermsLogic {
- return &SetUserPermsLogic{
- Logger: logx.WithContext(ctx),
- ctx: ctx,
- svcCtx: svcCtx,
- }
- }
- // SetUserPerms 设置用户个性化权限。对指定用户在当前产品下做权限全量覆盖,支持 ALLOW(附加)和 DENY(拒绝)两种效果,用于角色权限之外的细粒度调整。
- func (l *SetUserPermsLogic) SetUserPerms(req *types.SetPermsReq) error {
- if _, err := l.svcCtx.SysUserModel.FindOne(l.ctx, req.UserId); err != nil {
- return response.ErrNotFound("用户不存在")
- }
- productCode := middleware.GetProductCode(l.ctx)
- if err := authHelper.RequireProductAdminFor(l.ctx, productCode); err != nil {
- return err
- }
- product, err := l.svcCtx.SysProductModel.FindOneByCode(l.ctx, productCode)
- if err != nil {
- return response.ErrNotFound("产品不存在")
- }
- if product.Status != consts.StatusEnabled {
- return response.ErrBadRequest("产品已被禁用,无法设置权限")
- }
- if err := authHelper.CheckManageAccess(l.ctx, l.svcCtx, req.UserId, productCode); err != nil {
- return err
- }
- member, memberErr := l.svcCtx.SysProductMemberModel.FindOneByProductCodeUserId(l.ctx, productCode, req.UserId)
- if memberErr != nil {
- return response.ErrBadRequest("目标用户不是当前产品的成员")
- }
- if member.Status != consts.StatusEnabled {
- return response.ErrBadRequest("目标用户的成员资格已被禁用")
- }
- for _, p := range req.Perms {
- if p.Effect != consts.PermEffectAllow && p.Effect != consts.PermEffectDeny {
- return response.ErrBadRequest("effect值无效,仅支持 ALLOW 和 DENY")
- }
- }
- if len(req.Perms) > 0 {
- seen := make(map[int64]string, len(req.Perms))
- uniquePerms := make([]types.UserPermItem, 0, len(req.Perms))
- for _, p := range req.Perms {
- if prev, ok := seen[p.PermId]; ok {
- if prev != p.Effect {
- return response.ErrBadRequest("同一权限ID不能同时为 ALLOW 和 DENY")
- }
- continue
- }
- seen[p.PermId] = p.Effect
- uniquePerms = append(uniquePerms, p)
- }
- req.Perms = uniquePerms
- }
- if len(req.Perms) > 0 {
- permIds := make([]int64, 0, len(req.Perms))
- for _, p := range req.Perms {
- permIds = append(permIds, p.PermId)
- }
- perms, err := l.svcCtx.SysPermModel.FindByIds(l.ctx, permIds)
- if err != nil {
- return err
- }
- if len(perms) != len(req.Perms) {
- return response.ErrBadRequest("包含无效的权限ID")
- }
- for _, p := range perms {
- if p.ProductCode != productCode {
- return response.ErrBadRequest("不能设置其他产品的权限")
- }
- if p.Status != consts.StatusEnabled {
- return response.ErrBadRequest(fmt.Sprintf("权限 %s 已被禁用,无法设置", p.Code))
- }
- }
- }
- if err := l.svcCtx.SysUserPermModel.TransactCtx(l.ctx, func(ctx context.Context, session sqlx.Session) error {
- if err := l.svcCtx.SysUserPermModel.DeleteByUserIdForProductTx(ctx, session, req.UserId, productCode); err != nil {
- return err
- }
- if len(req.Perms) == 0 {
- return nil
- }
- now := time.Now().Unix()
- data := make([]*userperm.SysUserPerm, 0, len(req.Perms))
- for _, p := range req.Perms {
- data = append(data, &userperm.SysUserPerm{
- UserId: req.UserId,
- PermId: p.PermId,
- Effect: p.Effect,
- CreateTime: now,
- UpdateTime: now,
- })
- }
- return l.svcCtx.SysUserPermModel.BatchInsertWithTx(ctx, session, data)
- }); err != nil {
- return err
- }
- l.svcCtx.UserDetailsLoader.Del(l.ctx, req.UserId, productCode)
- return nil
- }
|
