manta/gofaster/backend/internal/shared/middleware/permission_middleware.go

package middleware

import (
	"net/http"

	"gofaster/internal/auth/repository"
	"gofaster/internal/auth/service"

	"github.com/gin-gonic/gin"
	"gorm.io/gorm"
)

// PermissionMiddleware 权限检查中间件
func PermissionMiddleware(db *gorm.DB, resource, action string) gin.HandlerFunc {
	return func(c *gin.Context) {
		// 从上下文中获取用户ID
		userIDInterface, exists := c.Get("user_id")
		if !exists {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "用户未认证"})
			return
		}

		userID, ok := userIDInterface.(uint)
		if !ok {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "无效的用户ID"})
			return
		}

		// 初始化权限服务
		permissionRepo := repository.NewPermissionRepository(db)
		roleRepo := repository.NewRoleRepository(db)
		permissionService := service.NewPermissionService(permissionRepo, roleRepo)

		// 检查用户是否有访问该资源的权限
		hasPermission, err := permissionService.CheckUserResourcePermission(c.Request.Context(), userID, resource, action)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "权限检查失败"})
			return
		}

		if !hasPermission {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "权限不足"})
			return
		}

		c.Next()
	}
}

// ResourcePermissionMiddleware 资源权限检查中间件（从URL参数获取资源信息）
func ResourcePermissionMiddleware(db *gorm.DB) gin.HandlerFunc {
	return func(c *gin.Context) {
		// 从上下文中获取用户ID
		userIDInterface, exists := c.Get("user_id")
		if !exists {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "用户未认证"})
			return
		}

		userID, ok := userIDInterface.(uint)
		if !ok {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "无效的用户ID"})
			return
		}

		// 从请求中获取资源信息
		resource := c.Param("resource")
		if resource == "" {
			// 尝试从路径中提取资源信息
			path := c.Request.URL.Path
			// 简单的路径解析，可以根据需要调整
			if len(path) > 0 {
				resource = path
			}
		}

		// 获取HTTP方法作为操作
		action := c.Request.Method

		// 初始化权限服务
		permissionRepo := repository.NewPermissionRepository(db)
		roleRepo := repository.NewRoleRepository(db)
		permissionService := service.NewPermissionService(permissionRepo, roleRepo)

		// 检查用户是否有访问该资源的权限
		hasPermission, err := permissionService.CheckUserResourcePermission(c.Request.Context(), userID, resource, action)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "权限检查失败"})
			return
		}

		if !hasPermission {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "权限不足"})
			return
		}

		c.Next()
	}
}

// RoleMiddleware 角色检查中间件
func RoleMiddleware(db *gorm.DB, requiredRoles ...string) gin.HandlerFunc {
	return func(c *gin.Context) {
		// 从上下文中获取用户ID
		userIDInterface, exists := c.Get("user_id")
		if !exists {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "用户未认证"})
			return
		}

		userID, ok := userIDInterface.(uint)
		if !ok {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "无效的用户ID"})
			return
		}

		// 初始化角色服务
		roleRepo := repository.NewRoleRepository(db)
		roleService := service.NewRoleService(roleRepo)

		// 获取用户的角色
		userRoles, err := roleService.GetUserRoles(c.Request.Context(), userID)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "获取用户角色失败"})
			return
		}

		// 检查用户是否有所需角色
		hasRequiredRole := false
		for _, userRole := range userRoles {
			for _, requiredRole := range requiredRoles {
				if userRole.Code == requiredRole {
					hasRequiredRole = true
					break
				}
			}
			if hasRequiredRole {
				break
			}
		}

		if !hasRequiredRole {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "角色权限不足"})
			return
		}

		c.Next()
	}
}

// AdminMiddleware 管理员权限中间件
func AdminMiddleware(db *gorm.DB) gin.HandlerFunc {
	return RoleMiddleware(db, "SUPER_ADMIN", "ADMIN")
}

// SuperAdminMiddleware 超级管理员权限中间件
func SuperAdminMiddleware(db *gorm.DB) gin.HandlerFunc {
	return RoleMiddleware(db, "SUPER_ADMIN")
}