package role
import (
	"errors"

	"github.com/veypi/vbase/cfg"
	"github.com/veypi/vbase/models"
	"github.com/veypi/vigo"
	"gorm.io/gorm"
)
// GetPermissionsReq is the request for listing the permission rows of one role.
type GetPermissionsReq struct {
// RoleID is bound from the "id" path segment (src:"path@id"); it is used
// as a bound query parameter, never interpolated into SQL.
RoleID string `src:"path@id" desc:"Role ID"`
}
// getPermissions lists every models.Permission row whose role_id equals the
// role id given in the path. A role with no rows (or an unknown role id)
// yields an empty slice, not an error; a failed query is reported as
// vigo.ErrDatabase wrapping the gorm error.
func getPermissions(x *vigo.X, req *GetPermissionsReq) ([]models.Permission, error) {
	db := cfg.DB()
	var rows []models.Permission
	// The role id is passed as a bound parameter ("?"), so path input cannot
	// alter the query text.
	result := db.Where("role_id = ?", req.RoleID).Find(&rows)
	if result.Error != nil {
		return nil, vigo.ErrDatabase.WithError(result.Error)
	}
	return rows, nil
}
// UpdatePermissionsReq is the request for changing the permission rows of one
// role. Replace, when non-empty, takes precedence and the other two lists are
// ignored (see updatePermissions).
type UpdatePermissionsReq struct {
// RoleID is bound from the "id" path segment.
RoleID string `src:"path@id" desc:"Role ID"`
// Permissions are rows to insert; see PermissionInput for the defaults
// applied to empty fields.
Permissions []PermissionInput `json:"permissions" src:"json" desc:"Permissions to add"`
// Remove holds permission row ids to delete; only rows belonging to RoleID
// are affected.
Remove []string `json:"remove" src:"json" desc:"Permission IDs to remove"`
// Replace is the legacy full-replace list (JSON key "permission_ids"): all
// existing rows are deleted and one row per id is created with the legacy
// defaults.
Replace []string `json:"permission_ids" src:"json" desc:"Full replace (legacy)"`
}
// PermissionInput is one permission row to add to a role.
type PermissionInput struct {
// Scope of the permission; an empty value is replaced with "vb" by
// updatePermissions.
Scope string `json:"scope"`
// PermissionID identifies the permission being granted.
PermissionID string `json:"permission_id"`
// Level is the access level; zero is replaced with 7 by updatePermissions.
// NOTE(review): no upper/lower bound is enforced here — the valid range of
// the level-based model is not visible in this file; confirm and validate.
Level int `json:"level"`
}
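// updatePermissions changes the permission rows attached to the role named in
// the path. Three operations are accepted in one request:
//
//   - Replace (legacy full replace): every existing row of the role is deleted
//     and one row per id is created with scope "vb" and level 7. When Replace
//     is non-empty, Remove and Permissions are ignored.
//   - Remove: deletes the listed row ids, restricted to rows of this role.
//   - Permissions: inserts new rows; an empty Scope defaults to "vb" and a
//     zero Level to 7.
//
// All writes run in one transaction, so a failing insert rolls back the
// deletes that preceded it. A system role (Role.IsSystem) is rejected for all
// three operations; previously only the Replace path was guarded, so Remove
// and Permissions could still alter a system role.
//
// Returns vigo.ErrNotFound when the role does not exist, vigo.ErrDatabase for
// any other lookup failure, a 40300 error for a system role, and the raw gorm
// error for a failure inside the transaction.
func updatePermissions(x *vigo.X, req *UpdatePermissionsReq) error {
	var role models.Role
	if err := cfg.DB().First(&role, "id = ?", req.RoleID).Error; err != nil {
		if errors.Is(err, gorm.ErrRecordNotFound) {
			return vigo.ErrNotFound
		}
		// A connectivity or query failure is not a missing role; report it
		// as a database error instead of a 404.
		return vigo.ErrDatabase.WithError(err)
	}

	hasWork := len(req.Replace) > 0 || len(req.Remove) > 0 || len(req.Permissions) > 0
	if !hasWork {
		// Nothing to change: keep the original no-op result without opening
		// a transaction.
		return nil
	}
	// The guard applies to every mutation path, not only the legacy replace.
	if role.IsSystem {
		return vigo.NewError("cannot modify permissions of system role").WithCode(40300)
	}

	return cfg.DB().Transaction(func(tx *gorm.DB) error {
		// Full replace (legacy mode) short-circuits the other two operations.
		if len(req.Replace) > 0 {
			return replaceRolePermissions(tx, req.RoleID, req.Replace)
		}
		if err := removeRolePermissions(tx, req.RoleID, req.Remove); err != nil {
			return err
		}
		return addRolePermissions(tx, req.RoleID, req.Permissions)
	})
}

// replaceRolePermissions deletes every permission row of roleID and recreates
// one row per id in ids with the legacy defaults (scope "vb", level 7).
func replaceRolePermissions(tx *gorm.DB, roleID string, ids []string) error {
	if err := tx.Where("role_id = ?", roleID).Delete(&models.Permission{}).Error; err != nil {
		return err
	}
	for _, pid := range ids {
		row := models.Permission{Scope: "vb", RoleID: &roleID, PermissionID: pid, Level: 7}
		if err := tx.Create(&row).Error; err != nil {
			return err
		}
	}
	return nil
}

// removeRolePermissions deletes the rows whose ids are in ids and which belong
// to roleID; the role_id filter keeps ids of other roles untouched. An empty
// ids is a no-op.
func removeRolePermissions(tx *gorm.DB, roleID string, ids []string) error {
	if len(ids) == 0 {
		return nil
	}
	return tx.Where("role_id = ? AND id IN ?", roleID, ids).Delete(&models.Permission{}).Error
}

// addRolePermissions inserts one permission row per input for roleID, filling
// an empty Scope with "vb" and a zero Level with 7. An empty inputs is a
// no-op. The first failing insert aborts the loop and is returned to the
// caller so the enclosing transaction rolls back.
func addRolePermissions(tx *gorm.DB, roleID string, inputs []PermissionInput) error {
	for _, p := range inputs {
		// p is a copy; mutating it does not touch the caller's slice.
		if p.Level == 0 {
			p.Level = 7
		}
		if p.Scope == "" {
			p.Scope = "vb"
		}
		// NOTE(review): Level and PermissionID are stored as supplied by the
		// client; the valid level range is not visible in this file — confirm
		// and bound it, and reject an empty PermissionID if the model does not.
		row := models.Permission{Scope: p.Scope, RoleID: &roleID, PermissionID: p.PermissionID, Level: p.Level}
		if err := tx.Create(&row).Error; err != nil {
			return err
		}
	}
	return nil
}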