diff --git a/auth/auth.go b/auth/auth.go
index c12416d..d94b59c 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/veypi/vbase/cfg"
+	"github.com/veypi/vbase/libs/cache"
 	"github.com/veypi/vbase/models"
 	"github.com/veypi/vigo"
 )
@@ -459,7 +460,11 @@ func (a *appAuth) GrantRole(ctx context.Context, userID, orgID, roleCode string)
 		ExpireAt: nil, // 默认不过期
 	}
 
-	return cfg.DB().Create(&userRole).Error
+	if err := cfg.DB().Create(&userRole).Error; err != nil {
+		return err
+	}
+	incUserPermVersion(userID)
+	return nil
 }
 
 func (a *appAuth) RevokeRole(ctx context.Context, userID, orgID, roleCode string) error {
@@ -483,8 +488,12 @@ func (a *appAuth) RevokeRole(ctx context.Context, userID, orgID, roleCode string
 		}
 	}
 
-	return cfg.DB().Where("user_id = ? AND org_id = ? AND role_id = ?", userID, orgID, role.ID).
-		Delete(&models.UserRole{}).Error
+	if err := cfg.DB().Where("user_id = ? AND org_id = ? AND role_id = ?", userID, orgID, role.ID).
+		Delete(&models.UserRole{}).Error; err != nil {
+		return err
+	}
+	incUserPermVersion(userID)
+	return nil
 }
 
 func (a *appAuth) GrantResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error {
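Review bot: The version bump after the successful Create on the new side is best-effort: incUserPermVersion (added later in this diff) discards the result of cache.Client.Incr, so if Redis is unreachable at that moment the role is written to the database but CheckPermission keeps answering from entries stored under the old version for up to the 5-minute TTL set in CheckPermission. For RevokeRole below, and for RevokeResourcePerm and RevokeAll in the following hunks, that means a revoked permission stays effective after the revoke call has returned nil. I would have incUserPermVersion return the Incr error and surface it here, `if err := incUserPermVersion(userID); err != nil { return fmt.Errorf("invalidating permission cache for user %q: %w", userID, err) }`, so callers learn that invalidation did not happen (logging it is the minimum); the same applies at each of the other four call sites. GrantRole's body starts outside the hunk.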
@@ -517,16 +526,24 @@ func (a *appAuth) GrantResourcePerm(ctx context.Context, userID, orgID, permissi
 		GrantedBy: "", // 默认空
 	}
 
-	return cfg.DB().Create(&userPerm).Error
+	if err := cfg.DB().Create(&userPerm).Error; err != nil {
+		return err
+	}
+	incUserPermVersion(userID)
+	return nil
 }
 
 func (a *appAuth) RevokeResourcePerm(ctx context.Context, userID, orgID, permissionID, resourceID string) error {
 	if strings.Count(permissionID, ":") == 1 {
 		permissionID = fmt.Sprintf("%s:%s", a.appKey, permissionID)
 	}
-	return cfg.DB().Where("user_id = ? AND org_id = ? AND permission_id = ? AND resource_id = ?",
+	if err := cfg.DB().Where("user_id = ? AND org_id = ? AND permission_id = ? AND resource_id = ?",
 		userID, orgID, permissionID, resourceID).
-		Delete(&models.UserPermission{}).Error
+		Delete(&models.UserPermission{}).Error; err != nil {
+		return err
+	}
+	incUserPermVersion(userID)
+	return nil
 }
 
 func (a *appAuth) RevokeAll(ctx context.Context, userID, orgID string) error {
@@ -542,6 +559,7 @@ func (a *appAuth) RevokeAll(ctx context.Context, userID, orgID string) error {
 		return err
 	}
 
+	incUserPermVersion(userID)
 	return nil
 }
 
@@ -552,6 +570,34 @@ func (a *appAuth) CheckPermission(ctx context.Context, userID, orgID, permission
 		permissionID = fmt.Sprintf("%s:%s", a.appKey, permissionID)
 	}
 
+	// Check cache
+	var cacheKey string
+	if cache.IsEnabled() {
+		ver := getUserPermVersion(userID)
+		cacheKey = fmt.Sprintf("auth:check:%s:%s:%s:%s:%s", userID, ver, orgID, permissionID, resourceID)
+		if val, err := cache.Get(cacheKey); err == nil {
+			return val == "1", nil
+		}
+	}
+
+	result, err := a.checkPermissionDB(ctx, userID, orgID, permissionID, resourceID)
+	if err != nil {
+		return false, err
+	}
+
+	// Cache result
+	if cache.IsEnabled() {
+		val := "0"
+		if result {
+			val = "1"
+		}
+		cache.Set(cacheKey, val, 5*time.Minute)
+	}
+
+	return result, nil
+}
+
+func (a *appAuth) checkPermissionDB(ctx context.Context, userID, orgID, permissionID, resourceID string) (bool, error) {
 	fmt.Printf("[DEBUG] CheckPermission: userID=%s, orgID=%s, permID=%s, resID=%s\n", userID, orgID, permissionID, resourceID)
 
 	// 1. 检查用户是否有该权限的角色(包括当前组织角色和系统全局角色)
@@ -737,3 +783,25 @@ func getOrgID(x *vigo.X) string {
 	}
 	return ""
 }
+
+// ========== Cache Helpers ==========
+
+func getUserPermVersion(userID string) string {
+	if !cache.IsEnabled() {
+		return "0"
+	}
+	key := fmt.Sprintf("auth:user_ver:%s", userID)
+	ver, err := cache.Client.Get(cache.Ctx, key).Result()
+	if err != nil {
+		return "0"
+	}
+	return ver
+}
+
+func incUserPermVersion(userID string) {
+	if !cache.IsEnabled() {
+		return
+	}
+	key := fmt.Sprintf("auth:user_ver:%s", userID)
+	cache.Client.Incr(cache.Ctx, key)
+}
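Review bot: The cache key built on the new side, `fmt.Sprintf("auth:check:%s:%s:%s:%s:%s", ...)`, joins its five fields with the same ':' that permissionID already contains (it is "appKey:x:y" after the prefixing just above), so two different (orgID, permissionID, resourceID) tuples can map to one key whenever another field also contains ':'; if those IDs can arrive from a caller rather than only from the database, that is a cached "1" being served for a different permission check. A delimiter-safe encoding fixes it in one line, `cacheKey = fmt.Sprintf("auth:check:%q:%q:%q:%q:%q", userID, ver, orgID, permissionID, resourceID)`. The `cache.Set` call discards whatever it returns; if it reports errors they should at least be logged, since a silent failure here is only a cache miss while the same silence in the invalidation path is not. Note also that only the per-user grant/revoke paths in this diff bump the version, so a change to a role's own permission set (if that can happen elsewhere) would keep serving the cached answer for the full TTL. CheckPermission's body starts outside the hunk.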
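Review bot: getUserPermVersion returns "0" both when the user has never been bumped and when the Redis GET fails, so a transient Redis error makes CheckPermission look up entries written under version "0" — entries from before any later revocation, still inside their TTL — and serve them as current. Safer is to report the failure and let CheckPermission skip the cache for that call, and incUserPermVersion should return the Incr error instead of dropping it so the grant/revoke paths can surface it. Both helpers also need doc comments stating that contract, e.g. `// getUserPermVersion returns the per-user cache version, or ok=false when the cache is disabled or unreachable.` The rewrite below assumes cache.Client is a go-redis client (Result/Err on the returned command, redis.Nil on a missing key); CheckPermission's call site would then read `ver, ok := getUserPermVersion(userID)` and only consult the cache when ok is true.
```go
// getUserPermVersion returns the per-user permission-cache version and ok=true,
// or ok=false when the cache is disabled or the version cannot be read; callers
// must then bypass the cache rather than treat the user as version "0".
func getUserPermVersion(userID string) (string, bool) {
	if !cache.IsEnabled() {
		return "", false
	}
	key := fmt.Sprintf("auth:user_ver:%s", userID)
	ver, err := cache.Client.Get(cache.Ctx, key).Result()
	switch {
	case err == nil:
		return ver, true
	case errors.Is(err, redis.Nil): // never bumped: version 0 is genuine
		return "0", true
	default: // Redis unreachable: caller must bypass the cache
		return "", false
	}
}

// incUserPermVersion invalidates every cached CheckPermission answer for userID
// by bumping the version; the Redis error is returned so the caller can surface it.
func incUserPermVersion(userID string) error {
	if !cache.IsEnabled() {
		return nil
	}
	key := fmt.Sprintf("auth:user_ver:%s", userID)
	return cache.Client.Incr(cache.Ctx, key).Err()
}
```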