fix(auth): enforce document and govdoc route grants
@@ -55,6 +55,13 @@ class DocumentController(BaseController):
|
||||
"""文档控制器。"""
|
||||
|
||||
_CROSS_REVIEW_DOCUMENT_READ_PERMISSION = "cross_review:document:read"
|
||||
_DOCUMENT_TYPE_PERMISSIONS = {
|
||||
"list": "doc_type:list:read",
|
||||
"detail": "doc_type:detail:read",
|
||||
"create": "doc_type:create:write",
|
||||
"update": "doc_type:update:write",
|
||||
"delete": "doc_type:delete:delete",
|
||||
}
|
||||
|
||||
@staticmethod
|
||||
def _tenant_context(payload: dict[str, Any]) -> dict[str, str | None]:
|
||||
@@ -296,8 +303,16 @@ class DocumentController(BaseController):
|
||||
async def ListDocumentTypes(
|
||||
ids: str | None = Query(None, description="逗号分隔的ID列表,不传则返回全部"),
|
||||
entry_module_id: int | None = Query(None, description="按入口模块ID过滤文档类型"),
|
||||
payload: dict[str, Any] = Depends(verify_access_token),
|
||||
):
|
||||
"""获取文档类型列表。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["list"],
|
||||
"当前用户没有文档类型列表权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
idList: list[int] | None = None
|
||||
if ids:
|
||||
idList = [int(x.strip()) for x in ids.split(",") if x.strip().isdigit()]
|
||||
@@ -305,52 +320,109 @@ class DocumentController(BaseController):
|
||||
return Result.success(data=Data)
|
||||
|
||||
@self.router.get("/document-types/{TypeId}", response_model=Result[DocumentTypeItemVO])
|
||||
async def GetDocumentType(TypeId: int):
|
||||
async def GetDocumentType(TypeId: int, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""获取文档类型详情。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["detail"],
|
||||
"当前用户没有文档类型详情权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.GetDocumentType(Id=TypeId)
|
||||
return Result.success(data=Data)
|
||||
|
||||
@self.router.post("/document-types", response_model=Result[DocumentTypeItemVO])
|
||||
async def CreateDocumentType(Body: DocumentTypeCreateDTO):
|
||||
async def CreateDocumentType(Body: DocumentTypeCreateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""创建文档类型。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["create"],
|
||||
"当前用户没有创建文档类型权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.CreateDocumentType(Body=Body)
|
||||
return Result.success(data=Data, message="文档类型创建成功")
|
||||
|
||||
@self.router.put("/document-types/{TypeId}", response_model=Result[DocumentTypeItemVO])
|
||||
async def UpdateDocumentType(TypeId: int, Body: DocumentTypeUpdateDTO):
|
||||
async def UpdateDocumentType(TypeId: int, Body: DocumentTypeUpdateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""更新文档类型。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["update"],
|
||||
"当前用户没有更新文档类型权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.UpdateDocumentType(Id=TypeId, Body=Body)
|
||||
return Result.success(data=Data, message="文档类型更新成功")
|
||||
|
||||
@self.router.delete("/document-types/{TypeId}", response_model=Result[None])
|
||||
async def DeleteDocumentType(TypeId: int):
|
||||
async def DeleteDocumentType(TypeId: int, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""删除文档类型(软删除)。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["delete"],
|
||||
"当前用户没有删除文档类型权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
await self.DocumentService.DeleteDocumentType(Id=TypeId)
|
||||
return Result.success(message="文档类型已删除")
|
||||
|
||||
@self.router.get("/v3/document-type-roots", response_model=Result[list[DocumentTypeRootItemVO]])
|
||||
async def ListDocumentTypeRoots(
|
||||
entry_module_id: int | None = Query(None, description="按入口模块过滤一级大类"),
|
||||
payload: dict[str, Any] = Depends(verify_access_token),
|
||||
):
|
||||
"""获取一级文档类型(业务大类)列表。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["list"],
|
||||
"当前用户没有业务大类列表权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.ListDocumentTypeRoots(EntryModuleId=entry_module_id)
|
||||
return Result.success(data=Data)
|
||||
|
||||
@self.router.get("/v3/document-type-roots/{RootId}", response_model=Result[DocumentTypeRootItemVO])
|
||||
async def GetDocumentTypeRoot(RootId: int):
|
||||
async def GetDocumentTypeRoot(RootId: int, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""获取一级文档类型(业务大类)详情。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["detail"],
|
||||
"当前用户没有业务大类详情权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.GetDocumentTypeRoot(Id=RootId)
|
||||
return Result.success(data=Data)
|
||||
|
||||
@self.router.post("/v3/document-type-roots", response_model=Result[DocumentTypeRootItemVO])
|
||||
async def CreateDocumentTypeRoot(Body: DocumentTypeRootCreateDTO):
|
||||
async def CreateDocumentTypeRoot(Body: DocumentTypeRootCreateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""创建一级文档类型(业务大类)。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["create"],
|
||||
"当前用户没有创建业务大类权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.CreateDocumentTypeRoot(Body=Body)
|
||||
return Result.success(data=Data, message="一级文档类型创建成功")
|
||||
|
||||
@self.router.put("/v3/document-type-roots/{RootId}", response_model=Result[DocumentTypeRootItemVO])
|
||||
async def UpdateDocumentTypeRoot(RootId: int, Body: DocumentTypeRootUpdateDTO):
|
||||
async def UpdateDocumentTypeRoot(RootId: int, Body: DocumentTypeRootUpdateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
|
||||
"""更新一级文档类型(业务大类)。"""
|
||||
deniedResponse = await self._deny_document_type_without_permission(
|
||||
int(payload["user_id"]),
|
||||
self._DOCUMENT_TYPE_PERMISSIONS["update"],
|
||||
"当前用户没有更新业务大类权限",
|
||||
)
|
||||
if deniedResponse:
|
||||
return deniedResponse
|
||||
Data = await self.DocumentService.UpdateDocumentTypeRoot(Id=RootId, Body=Body)
|
||||
return Result.success(data=Data, message="一级文档类型更新成功")
|
||||
|
||||
@@ -431,3 +503,11 @@ class DocumentController(BaseController):
|
||||
status_code=403,
|
||||
content={"code": 403, "msg": "当前用户没有查看交叉评查结果权限", "data": None},
|
||||
)
|
||||
|
||||
async def _deny_document_type_without_permission(self, UserId: int, PermissionKey: str, Message: str) -> JSONResponse | None:
|
||||
if await self.PermissionService.CheckPermission(UserId, PermissionKey):
|
||||
return None
|
||||
return JSONResponse(
|
||||
status_code=403,
|
||||
content={"code": 403, "msg": Message, "data": None},
|
||||
)
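Review bot: The new guards in GetDocumentType, UpdateDocumentType and DeleteDocumentType (and the `/v3/document-type-roots/{RootId}` routes) check only a global `doc_type:*` grant and then call the service with `Id=TypeId` / `Id=RootId` alone, so a caller holding that grant can address any id; since this controller already carries a `_tenant_context(payload)` helper, confirm that `DocumentService.GetDocumentType`/`UpdateDocumentType`/`DeleteDocumentType` (and the root variants) scope by the caller's tenant, or hand them `self._tenant_context(payload)` so the object-level check is visible at the route rather than assumed. The `/document-types` and `/v3/document-type-roots` routes share the same `_DOCUMENT_TYPE_PERMISSIONS` keys, so anyone who can edit a sub-type can also create or rewrite a business category; if roots are meant to be more restricted, give them their own keys. Note also that `int(payload["user_id"])` will surface as a 500 rather than a 401/403 if the token payload lacks or mis-types `user_id`, unless `verify_access_token` already guarantees the field. The first hunk of this section starts inside ListDocumentTypes and the large hunk ends after UpdateDocumentTypeRoot, so any root delete route that follows is outside view and its guard cannot be confirmed here; the same five-line deny/return block is now copied into nine handlers, and a small `_require_permission(key, message)` dependency that raises on denial would make it impossible for a future route to omit the check (keep the existing `{"code": 403, "msg": ..., "data": None}` body via an exception handler rather than FastAPI's default `detail` shape).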
|
||||
|
||||