后端：权限逻辑更新

a9b57605 · hangjun83 · adce86e5 · a9b57605 · a9b57605 · a9b57605
Commit a9b57605 authored Apr 15, 2022 by hangjun83
4 changed files
--- a/server/app/Http/Controllers/Middleware/Authenticate.php
+++ b/server/app/Http/Controllers/Middleware/Authenticate.php
@@ -64,9 +64,11 @@ class Authenticate
        /**
         * 如果路由是登出或者是修改密码的时候，需要对token进行处理，否则jwt处理时会出错
         */ 
-        if(Str::endsWith(strtolower((string) $request->getPathInfo()), 'logout') ||
+        if(
+            Str::endsWith(strtolower((string) $request->getPathInfo()), 'logout') ||
            Str::endsWith(strtolower((string) $request->getPathInfo()), 'resetpassword')
-            ){
+            )
+        {

            $token = trim(str_ireplace('bearer', '', $request->header('authorization')));
            $decodeToken = $this->decodeToken($token);
@@ -107,25 +109,26 @@ class Authenticate

        $routeParams = $request->route()[1];

-        // 如果该路由不存在权限，或者在白名单中，直接不做权限验证
-        if(isset($routeParams['permission']) && in_array($routeParams['permission'],$this->whiteList)){
+        if(!isset($routeParams['permission'])){
            return true;
        }
-
-        if(in_array($routeParams['uri'],$this->whiteList)){
+        $routePermissions = explode(',',$routeParams['permission']);
+        // 如果该路由不存在权限，或者在白名单中，直接不做权限验证
+        if(empty($routePermissions) || count($routePermissions) == 0){
            return true;
        }

-
        // 获取用户的所有角色组对应的权限
        $roles = $user->roles;
        collect($roles)->map(function($role) use (&$userPermissions){
            $permissions = $role->permissions;
            collect($permissions)->map(function($permission) use (&$userPermissions){
-                $userPermissions[$permission['id']] = $permission->toArray();
+                $userPermissions[] = $permission->toArray()['action'];
            });
        });

+        $userPermissions = array_values(array_filter($userPermissions));
+
        $hasPermission = false;
        // 获取 dingo 对应的版本的路由列表
        $routeList = [];
@@ -134,11 +137,48 @@ class Authenticate
                return ;
            }

+            // 此逻辑是，可能页面搜索和列表使用的是同一个request请求，如果用搜索来做请求的话，必须把权限设置为搜索权限，否则权限将出现漏洞
+            // 支持泛权限 如果最后是*号结束，代表只要是前缀相同的都有访问资格
+            if(
+                !Str::endsWith(strtolower((string) $routeParams['permission']), '*'))
+            {
+                if(
+                    $request->has('buttonAction') &&
+                    $action = $request->input('buttonAction'))
+                {
+                    $uriPermission = explode(',',$routeParams['permission']);
+                    $permission = explode('.',current($uriPermission));
+                    $permission[count($permission) - 1] = $action;
+
+                    $requestPermission = implode('.',$permission);
+
+                    foreach($userPermissions as &$permission){
+                        if(in_array($permission,$uriPermission)){
+                            $permission = $requestPermission;
+                        }
+                    }
+                }
+            }
+
            $filterRoute = [];
-            foreach($routes as $key =>$route){
-                foreach($userPermissions as $key => $permission){
-                    if(isset($route['permission']) && $permission['action'] == $route['permission']){
-                        $filterRoute[] = $route['uri'];
+            foreach($routes as $route){
+                foreach($userPermissions as $permission){
+                    if(isset($route['permission']) &&
+                        Str::endsWith(strtolower((string) $route['permission']), '*'))
+                    {
+                        $uriPermission = explode('.',$route['permission']);
+                        unset($uriPermission[count($uriPermission) - 1]);
+
+                        if(
+                            Str::startsWith($permission,strtolower((string) implode('.',$uriPermission)))
+                        ){
+                            $filterRoute[] = $route['uri'];
+                        }
+
+                    }else{
+                        if(isset($route['permission']) && in_array($permission,explode(',',$route['permission']))){
+                            $filterRoute[] = $route['uri'];
+                        }
                    }
                }
            }

--- a/server/database/seeds/local/MenusSeeder.php
+++ b/server/database/seeds/local/MenusSeeder.php
@@ -141,7 +141,7 @@ class MenusSeeder extends Seeder
                    'parent_id' => 0,
                    'menu_type' => 'page',
                    'menu_icon' => 'ios-document',
-                    'component' => 'doc/doc-manage/docManage',
+                    'component' => 'doc-manage/server',
                    'status' => 1,
                    'is_show' => 1,
                    'sys_default' => 1,

--- a/server/routes/api/auth.php
+++ b/server/routes/api/auth.php
@@ -19,11 +19,11 @@ $api->version('v1', function($api) {
        $api->post('/adminapi/user/add', ['permission' => 'user.add', 'uses'=>'AuthUserController@addUser']);
        $api->post('/adminapi/user/edit', ['permission' => 'user.edit', 'uses'=>'AuthUserController@editUser']);
        $api->get('/adminapi/user/info', ['uses'=>'AuthUserController@info']);
-        $api->post('/adminapi/auth/resetPassword', ['permission' => 'auth.reset_password', 'uses'=>'AuthUserController@resetPassword']);
-        $api->get('/adminapi/user/listByPage', ['permission' => 'user.list_by_page', 'uses'=>'AuthUserController@listByPage']);
-        $api->post('/adminapi/user/disable/{id}', ['permission' => 'user.disable', 'uses'=>'AuthUserController@changeUserStatus']);
-        $api->post('/adminapi/user/enable/{id}', ['permission' => 'user.enable', 'uses'=>'AuthUserController@changeUserStatus']);
-        $api->post('/adminapi/user/delByIds', ['permission' => 'user.del_by_ids', 'uses'=>'AuthUserController@delUserByIds']);
+        $api->post('/adminapi/auth/resetPassword', ['permission' => 'user.reset_password', 'uses'=>'AuthUserController@resetPassword']);
+        $api->get('/adminapi/user/listByPage', ['permission' => 'user.list.*', 'uses'=>'AuthUserController@listByPage']);
+        $api->post('/adminapi/user/disable/{id}', ['permission' => 'user.edit.status', 'uses'=>'AuthUserController@changeUserStatus']);
+        $api->post('/adminapi/user/enable/{id}', ['permission' => 'user.edit.status', 'uses'=>'AuthUserController@changeUserStatus']);
+        $api->post('/adminapi/user/delByIds', ['permission' => 'user.del.ids', 'uses'=>'AuthUserController@delUserByIds']);

    });


--- a/server/routes/api/permissions.php
+++ b/server/routes/api/permissions.php
@@ -16,7 +16,7 @@ $api->version('v1', function($api) {
    $api->group(['namespace'=>'App\Http\Controllers\V1','middleware' => ['api.auth','permissions'], 'providers' => 'jwt'], function($api) {

        //菜单相关
-        $api->get('/adminapi/permission/menu/userRoleMenuList', ['permission' => 'menu.permission.list', 'uses'=>'PermissionsController@getUserRoleMenuList']);
+        $api->get('/adminapi/permission/menu/userRoleMenuList', ['uses'=>'PermissionsController@getUserRoleMenuList']);
        $api->post('/adminapi/permission/menu/edit', ['permission' => 'menu.permission.edit', 'uses'=>'PermissionsController@editMenus']);
        $api->post('/adminapi/permission/menu/subAdd', ['permission' => 'menu.permission.add', 'uses'=>'PermissionsController@addSubMenus']);
        $api->post('/adminapi/permission/menu/del', ['permission' => 'menu.permission.del','uses'=>'PermissionsController@deleteMenus']);