perms-system-server/internal/logic/user/setUserPermsLogic.go

package user

import (
	"context"
	"fmt"
	"time"

	"perms-system-server/internal/consts"
	authHelper "perms-system-server/internal/logic/auth"
	"perms-system-server/internal/middleware"
	"perms-system-server/internal/model/userperm"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/types"

	"github.com/zeromicro/go-zero/core/logx"
	"github.com/zeromicro/go-zero/core/stores/sqlx"
)

type SetUserPermsLogic struct {
	logx.Logger
	ctx    context.Context
	svcCtx *svc.ServiceContext
}

func NewSetUserPermsLogic(ctx context.Context, svcCtx *svc.ServiceContext) *SetUserPermsLogic {
	return &SetUserPermsLogic{
		Logger: logx.WithContext(ctx),
		ctx:    ctx,
		svcCtx: svcCtx,
	}
}

// SetUserPerms 设置用户个性化权限。对指定用户在当前产品下做权限全量覆盖，支持 ALLOW（附加）和 DENY（拒绝）两种效果，用于角色权限之外的细粒度调整。
func (l *SetUserPermsLogic) SetUserPerms(req *types.SetPermsReq) error {
	targetUser, err := l.svcCtx.SysUserModel.FindOne(l.ctx, req.UserId)
	if err != nil {
		return response.ErrNotFound("用户不存在")
	}

	productCode := middleware.GetProductCode(l.ctx)

	if err := authHelper.RequireProductAdminFor(l.ctx, productCode); err != nil {
		return err
	}

	product, err := l.svcCtx.SysProductModel.FindOneByCode(l.ctx, productCode)
	if err != nil {
		return response.ErrNotFound("产品不存在")
	}
	if product.Status != consts.StatusEnabled {
		return response.ErrBadRequest("产品已被禁用，无法设置权限")
	}

	if err := authHelper.CheckManageAccess(l.ctx, l.svcCtx, req.UserId, productCode, authHelper.WithPrefetchedTarget(targetUser)); err != nil {
		return err
	}

	member, memberErr := l.svcCtx.SysProductMemberModel.FindOneByProductCodeUserId(l.ctx, productCode, req.UserId)
	if memberErr != nil {
		return response.ErrBadRequest("目标用户不是当前产品的成员")
	}
	if member.Status != consts.StatusEnabled {
		return response.ErrBadRequest("目标用户的成员资格已被禁用")
	}

	for _, p := range req.Perms {
		if p.Effect != consts.PermEffectAllow && p.Effect != consts.PermEffectDeny {
			return response.ErrBadRequest("effect值无效，仅支持 ALLOW 和 DENY")
		}
	}

	perms := req.Perms
	if len(perms) > 0 {
		seen := make(map[int64]string, len(perms))
		uniquePerms := make([]types.UserPermItem, 0, len(perms))
		for _, p := range perms {
			if prev, ok := seen[p.PermId]; ok {
				if prev != p.Effect {
					return response.ErrBadRequest("同一权限ID不能同时为 ALLOW 和 DENY")
				}
				continue
			}
			seen[p.PermId] = p.Effect
			uniquePerms = append(uniquePerms, p)
		}
		perms = uniquePerms
	}

	if len(perms) > 0 {
		permIds := make([]int64, 0, len(perms))
		for _, p := range perms {
			permIds = append(permIds, p.PermId)
		}
		dbPerms, err := l.svcCtx.SysPermModel.FindByIds(l.ctx, permIds)
		if err != nil {
			return err
		}
		if len(dbPerms) != len(perms) {
			return response.ErrBadRequest("包含无效的权限ID")
		}
		for _, p := range dbPerms {
			if p.ProductCode != productCode {
				return response.ErrBadRequest("不能设置其他产品的权限")
			}
			if p.Status != consts.StatusEnabled {
				return response.ErrBadRequest(fmt.Sprintf("权限 %s 已被禁用，无法设置", p.Code))
			}
		}
	}

	if err := l.svcCtx.SysUserPermModel.TransactCtx(l.ctx, func(ctx context.Context, session sqlx.Session) error {
		if err := l.svcCtx.SysUserPermModel.DeleteByUserIdForProductTx(ctx, session, req.UserId, productCode); err != nil {
			return err
		}
		if len(perms) == 0 {
			return nil
		}
		now := time.Now().Unix()
		data := make([]*userperm.SysUserPerm, 0, len(perms))
		for _, p := range perms {
			data = append(data, &userperm.SysUserPerm{
				UserId:     req.UserId,
				PermId:     p.PermId,
				Effect:     p.Effect,
				CreateTime: now,
				UpdateTime: now,
			})
		}
		return l.svcCtx.SysUserPermModel.BatchInsertWithTx(ctx, session, data)
	}); err != nil {
		return err
	}

	l.svcCtx.UserDetailsLoader.Del(l.ctx, req.UserId, productCode)
	return nil
}