package middleware
import (
	"errors"
	"fmt"
	"net/http"

	"gofaster/internal/auth/model"
	"gofaster/internal/auth/repository"

	"github.com/gin-gonic/gin"
	"gorm.io/gorm"
)
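// PermissionMiddleware returns a gin middleware that authorizes the already
// authenticated user against the route mapping stored for the request's
// backend path and HTTP method.
//
// Behaviour:
//   - GetUserID(c) == 0 (no authenticated user): 401 and abort;
//   - no route mapping exists for (path, method): the request passes through,
//     on the assumption that unmapped routes are public;
//   - any other repository error: 500 and abort — a failed lookup is not
//     evidence that the route is public, so the middleware fails closed;
//   - a mapping exists and checkUserPermission rejects it: 403 and abort.
//
// jwtSecret is kept for signature compatibility only; this middleware does not
// validate tokens itself and relies on GetUserID having been populated by an
// upstream authentication step.
func PermissionMiddleware(db *gorm.DB, jwtSecret string) gin.HandlerFunc {
	return func(c *gin.Context) {
		userID := GetUserID(c)
		if userID == 0 {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "用户未认证"})
			c.Abort()
			return
		}

		// NOTE(review): the lookup key is the concrete request path, not the
		// registered route pattern (c.FullPath()); whether parameterised
		// routes are matched depends on the repository — confirm.
		path := c.Request.URL.Path
		method := c.Request.Method

		routeMappingRepo := repository.NewRouteMappingRepository(db)
		routeMapping, err := routeMappingRepo.FindByBackendRoute(path, method)
		if err != nil {
			// Only a genuine "no mapping" result is treated as a public route.
			// Assumes the repository surfaces gorm.ErrRecordNotFound (possibly
			// wrapped) for that case — confirm against the repository.
			if errors.Is(err, gorm.ErrRecordNotFound) {
				c.Next()
				return
			}
			// A database or other lookup failure must not silently grant
			// access: fail closed rather than open.
			c.JSON(http.StatusInternalServerError, gin.H{"error": "权限检查失败"})
			c.Abort()
			return
		}

		// checkUserPermission currently allows every authenticated user with a
		// non-nil mapping; the real three-level check is still a TODO there.
		if err := checkUserPermission(db, userID, routeMapping); err != nil {
			c.JSON(http.StatusForbidden, gin.H{"error": fmt.Sprintf("权限不足: %s", err.Error())})
			c.Abort()
			return
		}

		c.Next()
	}
}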
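// checkUserPermission decides whether userID may access the route described by
// routeMapping, returning a non-nil error to deny access.
//
// The intended design is a three-level check:
//  1. menu-level permission
//  2. permission-group-level permission
//  3. route-level permission
//
// None of these is implemented yet: every authenticated user with a non-nil
// mapping is currently allowed. A nil mapping is rejected so that a caller
// which skips the lookup error check cannot be granted access by accident.
//
// TODO: implement the full permission check logic.
func checkUserPermission(db *gorm.DB, userID uint, routeMapping *model.RouteMapping) error {
	if routeMapping == nil {
		return errors.New("no route mapping")
	}

	// Temporarily return nil, allowing all authenticated users.
	return nil
}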
// OptionalPermissionMiddleware returns a gin middleware that performs the same
// route-mapping lookup and permission check as PermissionMiddleware but never
// blocks the request: every code path ends in c.Next().
//
// When the user is authenticated, a mapping exists for (path, method) and
// checkUserPermission rejects it, the rejection is recorded in the context
// under the key "permission_warning" for downstream handlers. Unauthenticated
// requests and lookup errors (of any kind) are passed through silently.
//
// jwtSecret is accepted for signature parity with PermissionMiddleware and is
// not used here.
func OptionalPermissionMiddleware(db *gorm.DB, jwtSecret string) gin.HandlerFunc {
	return func(c *gin.Context) {
		if userID := GetUserID(c); userID != 0 {
			mapping, lookupErr := repository.NewRouteMappingRepository(db).
				FindByBackendRoute(c.Request.URL.Path, c.Request.Method)
			if lookupErr == nil {
				if permErr := checkUserPermission(db, userID, mapping); permErr != nil {
					// Optional mode: record the refusal instead of aborting.
					c.Set("permission_warning", fmt.Sprintf("权限不足: %s", permErr.Error()))
				}
			}
		}
		c.Next()
	}
}
// GetRouteAuthGroup resolves the AuthGroup of the route mapping registered for
// the request's URL path and HTTP method. When the lookup fails for any reason
// (including the absence of a mapping) it returns the sentinel "Unknown".
func GetRouteAuthGroup(c *gin.Context, db *gorm.DB) string {
	mapping, err := repository.NewRouteMappingRepository(db).
		FindByBackendRoute(c.Request.URL.Path, c.Request.Method)
	if err == nil {
		return mapping.AuthGroup
	}
	return "Unknown"
}
// HasPermission reports whether the current request may be treated as
// satisfying requiredAuthGroup.
//
// It returns false for an unauthenticated request (GetUserID(c) == 0).
// Otherwise it compares the route's own AuthGroup, as resolved by
// GetRouteAuthGroup, with the requested one:
//   - "Read" is satisfied by a route in group "Read" or "Edit";
//   - "Edit" is satisfied only by a route in group "Edit";
//   - any other requiredAuthGroup, and the "Unknown" sentinel produced when
//     no mapping is found, yield false.
//
// NOTE(review): the comparison is against the route's group, not against any
// permission granted to the user — beyond being authenticated, the user is
// not consulted here. Confirm this matches the intended authorization model.
func HasPermission(c *gin.Context, db *gorm.DB, requiredAuthGroup string) bool {
	if GetUserID(c) == 0 {
		return false
	}

	routeGroup := GetRouteAuthGroup(c, db)
	switch requiredAuthGroup {
	case "Read":
		return routeGroup == "Read" || routeGroup == "Edit"
	case "Edit":
		return routeGroup == "Edit"
	default:
		return false
	}
}