mirror of https://github.com/veypi/OneAuth.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
163 lines
3.8 KiB
Go
163 lines
3.8 KiB
Go
//
|
|
// Copyright (C) 2024 veypi <i@veypi.com>
|
|
// 2025-03-04 16:08:06
|
|
// Distributed under terms of the MIT license.
|
|
//
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"github.com/veypi/vbase/cfg"
|
|
"github.com/veypi/vbase/models"
|
|
)
|
|
|
|
// InitOrgPolicies 为组织初始化默认策略和角色
|
|
func InitOrgPolicies(orgID string) error {
|
|
// 创建默认策略
|
|
policies := getDefaultPolicies()
|
|
for _, policy := range policies {
|
|
var count int64
|
|
cfg.DB().Model(&models.Policy{}).Where("code = ?", policy.Code).Count(&count)
|
|
if count == 0 {
|
|
if err := cfg.DB().Create(&policy).Error; err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
// 创建默认角色
|
|
roles := getDefaultRoles()
|
|
for _, role := range roles {
|
|
role.OrgID = orgID
|
|
var count int64
|
|
cfg.DB().Model(&models.Role{}).Where("code = ? AND org_id = ?", role.Code, orgID).Count(&count)
|
|
if count == 0 {
|
|
if err := cfg.DB().Create(&role).Error; err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// getDefaultPolicies 获取默认策略列表
|
|
func getDefaultPolicies() []models.Policy {
|
|
return []models.Policy{
|
|
{
|
|
Code: "user:read",
|
|
Name: "读取用户信息",
|
|
Resource: "user",
|
|
Action: "read",
|
|
Effect: models.PolicyEffectAllow,
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "user:update",
|
|
Name: "更新用户信息",
|
|
Resource: "user",
|
|
Action: "update",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "owner",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "role:manage",
|
|
Name: "管理角色",
|
|
Resource: "role",
|
|
Action: "*",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "admin",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "policy:manage",
|
|
Name: "管理策略",
|
|
Resource: "policy",
|
|
Action: "*",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "admin",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "org:read",
|
|
Name: "读取组织信息",
|
|
Resource: "org",
|
|
Action: "read",
|
|
Effect: models.PolicyEffectAllow,
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "org:update",
|
|
Name: "更新组织信息",
|
|
Resource: "org",
|
|
Action: "update",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "admin",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "org:delete",
|
|
Name: "删除组织",
|
|
Resource: "org",
|
|
Action: "delete",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "owner",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "member:manage",
|
|
Name: "管理成员",
|
|
Resource: "org_member",
|
|
Action: "*",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "admin",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "resource:read",
|
|
Name: "读取资源",
|
|
Resource: "resource",
|
|
Action: "read",
|
|
Effect: models.PolicyEffectAllow,
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
{
|
|
Code: "resource:write",
|
|
Name: "写入资源",
|
|
Resource: "resource",
|
|
Action: "create,update,delete",
|
|
Effect: models.PolicyEffectAllow,
|
|
Condition: "owner",
|
|
Scope: models.PolicyScopeOrg,
|
|
},
|
|
}
|
|
}
|
|
|
|
// getDefaultRoles 获取默认角色列表
|
|
func getDefaultRoles() []models.Role {
|
|
return []models.Role{
|
|
{
|
|
Name: "管理员",
|
|
Code: models.RoleCodeAdmin,
|
|
Description: "组织管理员,可以管理成员、角色和策略",
|
|
Scope: models.PolicyScopeOrg,
|
|
IsSystem: true,
|
|
},
|
|
{
|
|
Name: "开发者",
|
|
Code: models.RoleCodeDeveloper,
|
|
Description: "开发者,可以创建和管理资源",
|
|
Scope: models.PolicyScopeOrg,
|
|
IsSystem: true,
|
|
},
|
|
{
|
|
Name: "只读用户",
|
|
Code: models.RoleCodeViewer,
|
|
Description: "只读访问权限",
|
|
Scope: models.PolicyScopeOrg,
|
|
IsSystem: true,
|
|
},
|
|
}
|
|
}
|