wren
819 lines
42 KiB
Python
819 lines
42 KiB
Python
"""RBAC 管理服务实现。"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime
|
|
from typing import Any
|
|
|
|
from sqlalchemy import text
|
|
|
|
from fastapi_common.fastapi_common_sqlalchemy.database import GetAsyncSession
|
|
from fastapi_common.fastapi_common_web.domain.responses import StatusCodeEnum
|
|
from fastapi_common.fastapi_common_web.exception.LeauditException import LeauditException
|
|
|
|
from fastapi_modules.fastapi_leaudit.domian.Dto.rbacAdminDto import (
|
|
RoleCreateDTO,
|
|
RolePermissionsBatchDTO,
|
|
RoleRoutesUpdateDTO,
|
|
RoleUpdateDTO,
|
|
)
|
|
from fastapi_modules.fastapi_leaudit.domian.vo.rbacAdminVo import (
|
|
RoleListVO,
|
|
RolePermissionsVO,
|
|
RoleRoutesVO,
|
|
RoleRouteUpdateResultVO,
|
|
RoleVO,
|
|
RoutePermissionsVO,
|
|
RoutePermissionVO,
|
|
RouteVO,
|
|
UserListVO,
|
|
UserRoleVO,
|
|
UserRolesVO,
|
|
UserVO,
|
|
)
|
|
from fastapi_modules.fastapi_leaudit.services.rbacAdminService import IRbacAdminService
|
|
|
|
|
|
class RbacAdminServiceImpl(IRbacAdminService):
|
|
"""RBAC 管理服务实现。"""
|
|
|
|
_MANAGEABLE_ROUTE_BLUEPRINTS: list[dict[str, Any]] = [
|
|
{
|
|
"route_path": "/home",
|
|
"route_name": "home",
|
|
"component": "home",
|
|
"route_title": "系统概览",
|
|
"icon": "ri-home-line",
|
|
"sort_order": 1,
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "overview"},
|
|
},
|
|
{
|
|
"route_path": "/chat-with-llm",
|
|
"route_name": "chat-with-llm",
|
|
"component": "chat-with-llm",
|
|
"route_title": "AI对话",
|
|
"icon": "ri-chat-smile-2-line",
|
|
"sort_order": 2,
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "assistant"},
|
|
},
|
|
{
|
|
"route_path": "/files",
|
|
"route_name": "file-management",
|
|
"component": "files",
|
|
"route_title": "文件管理",
|
|
"icon": "ri-folder-line",
|
|
"sort_order": 3,
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "documents"},
|
|
},
|
|
{
|
|
"route_path": "/files/upload",
|
|
"route_name": "file-upload",
|
|
"component": "files.upload",
|
|
"route_title": "文件上传",
|
|
"icon": "ri-upload-cloud-line",
|
|
"sort_order": 1,
|
|
"parent_path": "/files",
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "documents"},
|
|
},
|
|
{
|
|
"route_path": "/documents",
|
|
"route_name": "documents",
|
|
"component": "documents",
|
|
"route_title": "文档列表",
|
|
"icon": "ri-file-list-3-line",
|
|
"sort_order": 2,
|
|
"parent_path": "/files",
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "documents"},
|
|
},
|
|
{
|
|
"route_path": "/settings",
|
|
"route_name": "system-settings",
|
|
"component": "settings",
|
|
"route_title": "系统设置",
|
|
"icon": "ri-settings-4-line",
|
|
"sort_order": 90,
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "settings"},
|
|
},
|
|
{
|
|
"route_path": "/entry-modules",
|
|
"route_name": "entry-modules",
|
|
"component": "entry-modules",
|
|
"route_title": "入口模块管理",
|
|
"icon": "ri-apps-2-line",
|
|
"sort_order": 1,
|
|
"parent_path": "/settings",
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "settings"},
|
|
},
|
|
{
|
|
"route_path": "/role-permissions",
|
|
"route_name": "role-permissions",
|
|
"component": "role-permissions",
|
|
"route_title": "角色权限管理",
|
|
"icon": "ri-shield-user-line",
|
|
"sort_order": 2,
|
|
"parent_path": "/settings",
|
|
"is_hidden": False,
|
|
"is_cache": True,
|
|
"meta": {"group": "settings"},
|
|
},
|
|
]
|
|
|
|
_MANAGEABLE_PERMISSION_BLUEPRINTS: list[dict[str, Any]] = [
|
|
{"permission_key": "entry_module:list:read", "display_name": "入口模块列表", "module": "entry_module", "resource": "list", "action": "read", "api_method": "GET", "api_path": "/api/v3/entry-modules", "route_path": "/entry-modules"},
|
|
{"permission_key": "entry_module:detail:read", "display_name": "入口模块详情", "module": "entry_module", "resource": "detail", "action": "read", "api_method": "GET", "api_path": "/api/v3/entry-modules/{id}", "route_path": "/entry-modules"},
|
|
{"permission_key": "entry_module:create:write", "display_name": "创建入口模块", "module": "entry_module", "resource": "create", "action": "write", "api_method": "POST", "api_path": "/api/v3/entry-modules", "route_path": "/entry-modules"},
|
|
{"permission_key": "entry_module:update:write", "display_name": "更新入口模块", "module": "entry_module", "resource": "update", "action": "write", "api_method": "PUT", "api_path": "/api/v3/entry-modules/{id}", "route_path": "/entry-modules"},
|
|
{"permission_key": "entry_module:delete:delete", "display_name": "删除入口模块", "module": "entry_module", "resource": "delete", "action": "delete", "api_method": "DELETE", "api_path": "/api/v3/entry-modules/{id}", "route_path": "/entry-modules"},
|
|
{"permission_key": "entry_module:image:write", "display_name": "上传入口模块图标", "module": "entry_module", "resource": "image", "action": "write", "api_method": "POST", "api_path": "/api/v3/entry-modules/{id}/image", "route_path": "/entry-modules"},
|
|
{"permission_key": "rbac:roles:read", "display_name": "角色列表", "module": "rbac", "resource": "roles", "action": "read", "api_method": "GET", "api_path": "/api/v3/rbac/roles", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:roles:create", "display_name": "创建角色", "module": "rbac", "resource": "roles", "action": "create", "api_method": "POST", "api_path": "/api/v3/rbac/roles", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:roles:update", "display_name": "更新角色", "module": "rbac", "resource": "roles", "action": "update", "api_method": "PUT", "api_path": "/api/v3/rbac/roles/{role_id}", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:roles:delete", "display_name": "删除角色", "module": "rbac", "resource": "roles", "action": "delete", "api_method": "DELETE", "api_path": "/api/v3/rbac/roles/{role_id}", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:users:read", "display_name": "用户列表", "module": "rbac", "resource": "users", "action": "read", "api_method": "GET", "api_path": "/api/v3/rbac/users", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:user_roles:write", "display_name": "分配用户角色", "module": "rbac", "resource": "user_roles", "action": "write", "api_method": "POST", "api_path": "/api/v3/rbac/users/{user_id}/roles", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:role_routes:write", "display_name": "配置角色菜单", "module": "rbac", "resource": "role_routes", "action": "write", "api_method": "PUT", "api_path": "/api/rbac/roles/{role_id}/routes", "route_path": "/role-permissions"},
|
|
{"permission_key": "rbac:role_permissions:write", "display_name": "配置角色权限", "module": "rbac", "resource": "role_permissions", "action": "write", "api_method": "POST", "api_path": "/api/v3/rbac/role-permissions", "route_path": "/role-permissions"},
|
|
]
|
|
|
|
async def ListRoles(self, CurrentUserId: int, Page: int, PageSize: int, RoleKey: str | None, RoleName: str | None, IncludeSystem: bool) -> RoleListVO:
|
|
"""查询角色列表。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
offset = max(Page - 1, 0) * PageSize
|
|
filters = ["1=1"]
|
|
params: dict[str, object] = {"limit": PageSize, "offset": offset}
|
|
if RoleKey:
|
|
filters.append("role_key ILIKE :role_key")
|
|
params["role_key"] = f"%{RoleKey.strip()}%"
|
|
if RoleName:
|
|
filters.append("role_name ILIKE :role_name")
|
|
params["role_name"] = f"%{RoleName.strip()}%"
|
|
if not IncludeSystem:
|
|
filters.append("is_system_role = FALSE")
|
|
whereClause = " AND ".join(filters)
|
|
|
|
async with GetAsyncSession() as Session:
|
|
total = int((await Session.execute(text(f"SELECT COUNT(*) FROM roles WHERE {whereClause}"), params)).scalar_one())
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
f"""
|
|
SELECT id, role_key, role_name, data_scope, description, parent_role_id, priority, is_system_role, created_at, updated_at
|
|
FROM roles
|
|
WHERE {whereClause}
|
|
ORDER BY priority DESC, id ASC
|
|
LIMIT :limit OFFSET :offset
|
|
"""
|
|
),
|
|
params,
|
|
)
|
|
).mappings().all()
|
|
return RoleListVO(total=total, page=Page, page_size=PageSize, items=[self._toRoleVo(row) for row in rows])
|
|
|
|
async def CreateRole(self, CurrentUserId: int, Body: RoleCreateDTO) -> RoleVO:
|
|
"""创建角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
row = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
INSERT INTO roles (role_key, role_name, data_scope, description, priority, is_system_role, metadata, created_at, updated_at)
|
|
VALUES (:role_key, :role_name, :data_scope, :description, 0, FALSE, CAST(:metadata AS jsonb), NOW(), NOW())
|
|
RETURNING id, role_key, role_name, data_scope, description, parent_role_id, priority, is_system_role, created_at, updated_at
|
|
"""
|
|
),
|
|
{
|
|
"role_key": Body.role_key.strip(),
|
|
"role_name": Body.role_name.strip(),
|
|
"data_scope": Body.data_scope,
|
|
"description": (Body.description or "").strip(),
|
|
"metadata": self._jsonDump(Body.metadata or {}),
|
|
},
|
|
)
|
|
).mappings().one()
|
|
await Session.commit()
|
|
return self._toRoleVo(row)
|
|
|
|
async def UpdateRole(self, CurrentUserId: int, RoleId: int, Body: RoleUpdateDTO) -> RoleVO:
|
|
"""更新角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
current = await self._getRoleRow(Session, RoleId)
|
|
row = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
UPDATE roles
|
|
SET role_name = :role_name,
|
|
description = :description,
|
|
data_scope = :data_scope,
|
|
priority = :priority,
|
|
parent_role_id = :parent_role_id,
|
|
updated_at = NOW()
|
|
WHERE id = :role_id
|
|
RETURNING id, role_key, role_name, data_scope, description, parent_role_id, priority, is_system_role, created_at, updated_at
|
|
"""
|
|
),
|
|
{
|
|
"role_id": RoleId,
|
|
"role_name": Body.role_name if Body.role_name is not None else current["role_name"],
|
|
"description": Body.description if Body.description is not None else current["description"],
|
|
"data_scope": Body.data_scope if Body.data_scope is not None else current["data_scope"],
|
|
"priority": Body.priority if Body.priority is not None else current["priority"],
|
|
"parent_role_id": Body.parent_role_id if Body.parent_role_id is not None else current["parent_role_id"],
|
|
},
|
|
)
|
|
).mappings().one()
|
|
await Session.commit()
|
|
return self._toRoleVo(row)
|
|
|
|
async def DeleteRole(self, CurrentUserId: int, RoleId: int, Force: bool) -> None:
|
|
"""删除角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
role = await self._getRoleRow(Session, RoleId)
|
|
if role["is_system_role"]:
|
|
raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "系统内置角色不允许删除")
|
|
|
|
userCount = int((await Session.execute(text("SELECT COUNT(*) FROM user_role WHERE role_id = :role_id"), {"role_id": RoleId})).scalar_one())
|
|
if userCount > 0 and not Force:
|
|
raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "角色仍绑定用户,请传 force=true 后重试")
|
|
|
|
if Force:
|
|
await Session.execute(text("DELETE FROM user_role WHERE role_id = :role_id"), {"role_id": RoleId})
|
|
await Session.execute(text("DELETE FROM roles WHERE id = :role_id"), {"role_id": RoleId})
|
|
await Session.commit()
|
|
|
|
async def ListUsers(self, CurrentUserId: int, Page: int, PageSize: int, Area: str | None, NickName: str | None) -> UserListVO:
|
|
"""查询用户列表。"""
|
|
currentUser = await self._getCurrentUserContext(CurrentUserId)
|
|
offset = max(Page - 1, 0) * PageSize
|
|
filters = ["u.deleted_at IS NULL", "u.status = 0"]
|
|
params: dict[str, object] = {"limit": PageSize, "offset": offset}
|
|
if NickName:
|
|
filters.append("u.nick_name ILIKE :nick_name")
|
|
params["nick_name"] = f"%{NickName.strip()}%"
|
|
if Area:
|
|
filters.append("u.area = :query_area")
|
|
params["query_area"] = Area.strip()
|
|
elif not currentUser["is_global"]:
|
|
filters.append("COALESCE(u.area, '') = :user_area")
|
|
params["user_area"] = currentUser["area"]
|
|
whereClause = " AND ".join(filters)
|
|
|
|
async with GetAsyncSession() as Session:
|
|
total = int((await Session.execute(text(f"SELECT COUNT(*) FROM sso_users u WHERE {whereClause}"), params)).scalar_one())
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
f"""
|
|
SELECT
|
|
u.id, u.username, u.nick_name, u.phone_number, u.email, u.area, u.ou_name, u.ou_id, u.status,
|
|
u.is_leader, u.tenant_name, u.dep_name,
|
|
COALESCE(
|
|
json_agg(
|
|
DISTINCT jsonb_build_object('role_id', r.id, 'role_key', r.role_key, 'role_name', r.role_name)
|
|
) FILTER (WHERE r.id IS NOT NULL),
|
|
'[]'::json
|
|
) AS roles
|
|
FROM sso_users u
|
|
LEFT JOIN user_role ur ON ur.user_id = u.id
|
|
LEFT JOIN roles r ON r.id = ur.role_id
|
|
WHERE {whereClause}
|
|
GROUP BY u.id
|
|
ORDER BY u.created_at DESC, u.id DESC
|
|
LIMIT :limit OFFSET :offset
|
|
"""
|
|
),
|
|
params,
|
|
)
|
|
).mappings().all()
|
|
return UserListVO(total=total, page=Page, page_size=PageSize, items=[self._toUserVo(row) for row in rows])
|
|
|
|
async def ListRoleUsers(self, CurrentUserId: int, RoleId: int, Page: int, PageSize: int, Area: str | None, UserName: str | None) -> UserListVO:
|
|
"""查询指定角色下的用户列表。"""
|
|
currentUser = await self._getCurrentUserContext(CurrentUserId)
|
|
offset = max(Page - 1, 0) * PageSize
|
|
filters = ["u.deleted_at IS NULL", "u.status = 0", "ur.role_id = :role_id"]
|
|
params: dict[str, object] = {"role_id": RoleId, "limit": PageSize, "offset": offset}
|
|
if UserName:
|
|
filters.append("(u.username ILIKE :user_name OR u.nick_name ILIKE :user_name)")
|
|
params["user_name"] = f"%{UserName.strip()}%"
|
|
if Area:
|
|
filters.append("u.area = :query_area")
|
|
params["query_area"] = Area.strip()
|
|
elif not currentUser["is_global"]:
|
|
filters.append("COALESCE(u.area, '') = :user_area")
|
|
params["user_area"] = currentUser["area"]
|
|
whereClause = " AND ".join(filters)
|
|
|
|
async with GetAsyncSession() as Session:
|
|
total = int(
|
|
(
|
|
await Session.execute(
|
|
text(
|
|
f"""
|
|
SELECT COUNT(DISTINCT u.id)
|
|
FROM sso_users u
|
|
JOIN user_role ur ON ur.user_id = u.id
|
|
WHERE {whereClause}
|
|
"""
|
|
),
|
|
params,
|
|
)
|
|
).scalar_one()
|
|
)
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
f"""
|
|
SELECT
|
|
u.id, u.username, u.nick_name, u.phone_number, u.email, u.area, u.ou_name, u.ou_id, u.status,
|
|
u.is_leader, u.tenant_name, u.dep_name,
|
|
COALESCE(
|
|
json_agg(
|
|
DISTINCT jsonb_build_object('role_id', r.id, 'role_key', r.role_key, 'role_name', r.role_name)
|
|
) FILTER (WHERE r.id IS NOT NULL),
|
|
'[]'::json
|
|
) AS roles
|
|
FROM sso_users u
|
|
JOIN user_role ur ON ur.user_id = u.id
|
|
LEFT JOIN user_role all_ur ON all_ur.user_id = u.id
|
|
LEFT JOIN roles r ON r.id = all_ur.role_id
|
|
WHERE {whereClause}
|
|
GROUP BY u.id
|
|
ORDER BY u.created_at DESC, u.id DESC
|
|
LIMIT :limit OFFSET :offset
|
|
"""
|
|
),
|
|
params,
|
|
)
|
|
).mappings().all()
|
|
return UserListVO(total=total, page=Page, page_size=PageSize, items=[self._toUserVo(row) for row in rows])
|
|
|
|
async def AssignUserRoles(self, CurrentUserId: int, UserId: int, RoleIds: list[int]) -> UserRolesVO:
|
|
"""为用户分配角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
await Session.execute(text("DELETE FROM user_role WHERE user_id = :user_id"), {"user_id": UserId})
|
|
for roleId in sorted(set(RoleIds)):
|
|
await Session.execute(
|
|
text(
|
|
"INSERT INTO user_role (user_id, role_id, created_at, updated_at) VALUES (:user_id, :role_id, NOW(), NOW())"
|
|
),
|
|
{"user_id": UserId, "role_id": roleId},
|
|
)
|
|
await Session.commit()
|
|
return await self.GetUserRoles(CurrentUserId, UserId)
|
|
|
|
async def RevokeUserRole(self, CurrentUserId: int, UserId: int, RoleId: int) -> None:
|
|
"""移除用户角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
await Session.execute(text("DELETE FROM user_role WHERE user_id = :user_id AND role_id = :role_id"), {"user_id": UserId, "role_id": RoleId})
|
|
await Session.commit()
|
|
|
|
async def GetUserRoles(self, CurrentUserId: int, UserId: int) -> UserRolesVO:
|
|
"""查询用户角色。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
userRow = (
|
|
await Session.execute(text("SELECT id, username FROM sso_users WHERE id = :user_id"), {"user_id": UserId})
|
|
).mappings().first()
|
|
if not userRow:
|
|
raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "用户不存在")
|
|
roleRows = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT r.id, r.role_key, r.role_name, r.data_scope, r.description, r.parent_role_id, r.priority, r.is_system_role, r.created_at, r.updated_at
|
|
FROM user_role ur
|
|
JOIN roles r ON r.id = ur.role_id
|
|
WHERE ur.user_id = :user_id
|
|
ORDER BY r.priority DESC, r.id ASC
|
|
"""
|
|
),
|
|
{"user_id": UserId},
|
|
)
|
|
).mappings().all()
|
|
return UserRolesVO(user_id=UserId, username=str(userRow["username"] or ""), roles=[self._toRoleVo(row) for row in roleRows])
|
|
|
|
async def ListAllRoutes(self, CurrentUserId: int, Format: str, IncludeHidden: bool) -> list[RouteVO]:
|
|
"""查询全部可管理路由。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
routeMap = await self._ensureAdminSeeds(Session)
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT id, route_path, route_name, component, parent_id, route_title, icon, sort_order, is_hidden, is_cache, status
|
|
FROM sys_routes
|
|
WHERE deleted_at IS NULL AND route_path = ANY(:paths)
|
|
ORDER BY sort_order ASC, id ASC
|
|
"""
|
|
).bindparams(paths=list(routeMap.keys())),
|
|
)
|
|
).mappings().all()
|
|
permissionMap = await self._loadPermissionsByRoute(Session, [int(row["id"]) for row in rows])
|
|
routeVos = [self._toRouteVo(row, permissionMap.get(int(row["id"]), []), False) for row in rows if IncludeHidden or not bool(row["is_hidden"])]
|
|
return routeVos if Format == "flat" else self._buildRouteTree(routeVos)
|
|
|
|
async def GetRoleRoutes(self, CurrentUserId: int, RoleId: int) -> RoleRoutesVO:
|
|
"""查询角色路由授权。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
routeMap = await self._ensureAdminSeeds(Session)
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT
|
|
sr.id, sr.route_path, sr.route_name, sr.component, sr.parent_id, sr.route_title, sr.icon,
|
|
sr.sort_order, sr.is_hidden, sr.is_cache, sr.status,
|
|
COALESCE(rr.status, 0) AS enabled
|
|
FROM sys_routes sr
|
|
LEFT JOIN role_route rr ON rr.route_id = sr.id AND rr.role_id = :role_id
|
|
WHERE sr.deleted_at IS NULL AND sr.route_path = ANY(:paths)
|
|
ORDER BY sr.sort_order ASC, sr.id ASC
|
|
"""
|
|
).bindparams(paths=list(routeMap.keys())),
|
|
{"role_id": RoleId},
|
|
)
|
|
).mappings().all()
|
|
permissionMap = await self._loadPermissionsByRoute(Session, [int(row["id"]) for row in rows])
|
|
routeVos = [self._toRouteVo(row, permissionMap.get(int(row["id"]), []), bool(row["enabled"])) for row in rows]
|
|
return RoleRoutesVO(role_id=RoleId, routes=self._buildRouteTree(routeVos))
|
|
|
|
async def UpdateRoleRoutes(self, CurrentUserId: int, RoleId: int, Body: RoleRoutesUpdateDTO) -> RoleRouteUpdateResultVO:
|
|
"""更新角色路由授权。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
routeIds = sorted(set(Body.route_ids))
|
|
async with GetAsyncSession() as Session:
|
|
await self._ensureAdminSeeds(Session)
|
|
allRouteIds = [row[0] for row in (await Session.execute(text("SELECT id FROM sys_routes WHERE deleted_at IS NULL AND route_path = ANY(:paths)").bindparams(paths=[item["route_path"] for item in self._MANAGEABLE_ROUTE_BLUEPRINTS]))).fetchall()]
|
|
existingRows = (
|
|
await Session.execute(text("SELECT route_id, status FROM role_route WHERE role_id = :role_id AND route_id = ANY(:route_ids)").bindparams(route_ids=allRouteIds), {"role_id": RoleId})
|
|
).fetchall()
|
|
existingMap = {int(routeId): int(status) for routeId, status in existingRows}
|
|
insertedCount = 0
|
|
for routeId in allRouteIds:
|
|
if routeId in routeIds:
|
|
if routeId in existingMap:
|
|
await Session.execute(
|
|
text("UPDATE role_route SET status = 1, permission = :permission, updated_at = NOW() WHERE role_id = :role_id AND route_id = :route_id"),
|
|
{"role_id": RoleId, "route_id": routeId, "permission": Body.permission},
|
|
)
|
|
else:
|
|
await Session.execute(
|
|
text("INSERT INTO role_route (role_id, route_id, permission, status, created_at, updated_at) VALUES (:role_id, :route_id, :permission, 1, NOW(), NOW())"),
|
|
{"role_id": RoleId, "route_id": routeId, "permission": Body.permission},
|
|
)
|
|
insertedCount += 1
|
|
elif routeId in existingMap and existingMap[routeId] != 0:
|
|
await Session.execute(
|
|
text("UPDATE role_route SET status = 0, updated_at = NOW() WHERE role_id = :role_id AND route_id = :route_id"),
|
|
{"role_id": RoleId, "route_id": routeId},
|
|
)
|
|
await Session.commit()
|
|
return RoleRouteUpdateResultVO(role_id=RoleId, enabled_count=len(routeIds), disabled_count=max(len(allRouteIds) - len(routeIds), 0), inserted_count=insertedCount, route_ids=routeIds)
|
|
|
|
async def GetRolePermissions(self, CurrentUserId: int, RoleId: int) -> RolePermissionsVO:
|
|
"""查询角色权限授权。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
await self._ensureAdminSeeds(Session)
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT rp.id, rp.permission_id, p.permission_key, p.display_name, rp.grant_type, rp.data_scope
|
|
FROM role_permissions rp
|
|
JOIN permissions p ON p.id = rp.permission_id
|
|
WHERE rp.role_id = :role_id
|
|
ORDER BY p.sort_order ASC, p.id ASC
|
|
"""
|
|
),
|
|
{"role_id": RoleId},
|
|
)
|
|
).mappings().all()
|
|
return RolePermissionsVO(role_id=RoleId, permissions=[self._toRolePermissionVo(row) for row in rows])
|
|
|
|
async def SaveRolePermissions(self, CurrentUserId: int, Body: RolePermissionsBatchDTO) -> RolePermissionsVO:
|
|
"""保存角色权限授权。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
await self._ensureAdminSeeds(Session)
|
|
permissionIds = [item.permission_id for item in Body.permissions]
|
|
if Body.replace:
|
|
await Session.execute(text("DELETE FROM role_permissions WHERE role_id = :role_id"), {"role_id": Body.role_id})
|
|
for item in Body.permissions:
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
INSERT INTO role_permissions (role_id, permission_id, grant_type, data_scope, created_at, updated_at)
|
|
VALUES (:role_id, :permission_id, :grant_type, :data_scope, NOW(), NOW())
|
|
ON CONFLICT (role_id, permission_id)
|
|
DO UPDATE SET grant_type = EXCLUDED.grant_type, data_scope = EXCLUDED.data_scope, updated_at = NOW()
|
|
"""
|
|
),
|
|
{
|
|
"role_id": Body.role_id,
|
|
"permission_id": item.permission_id,
|
|
"grant_type": item.grant_type,
|
|
"data_scope": item.data_scope,
|
|
},
|
|
)
|
|
await Session.commit()
|
|
return await self.GetRolePermissions(CurrentUserId, Body.role_id)
|
|
|
|
async def GetRoutePermissions(self, CurrentUserId: int, RouteId: int) -> RoutePermissionsVO:
|
|
"""查询路由关联权限定义。"""
|
|
await self._assertManagePermission(CurrentUserId)
|
|
async with GetAsyncSession() as Session:
|
|
await self._ensureAdminSeeds(Session)
|
|
routeRow = (
|
|
await Session.execute(text("SELECT id, route_path, route_title FROM sys_routes WHERE id = :route_id"), {"route_id": RouteId})
|
|
).mappings().first()
|
|
if not routeRow:
|
|
raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "路由不存在")
|
|
permissionMap = await self._loadPermissionsByRoute(Session, [RouteId])
|
|
return RoutePermissionsVO(
|
|
route_id=RouteId,
|
|
route_path=str(routeRow["route_path"] or ""),
|
|
route_title=str(routeRow["route_title"] or ""),
|
|
permissions=permissionMap.get(RouteId, []),
|
|
)
|
|
|
|
async def _assertManagePermission(self, CurrentUserId: int) -> None:
|
|
"""校验当前用户是否具备管理能力。"""
|
|
context = await self._getCurrentUserContext(CurrentUserId)
|
|
if not context["can_manage"]:
|
|
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户没有系统设置管理权限")
|
|
|
|
async def _getCurrentUserContext(self, CurrentUserId: int) -> dict[str, Any]:
|
|
"""加载当前用户上下文。"""
|
|
async with GetAsyncSession() as Session:
|
|
row = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT
|
|
u.id,
|
|
COALESCE(u.area, '') AS area,
|
|
COALESCE(bool_or(r.role_key IN ('super_admin', 'provincial_admin')), FALSE) AS is_global,
|
|
COALESCE(bool_or(r.role_key IN ('super_admin', 'provincial_admin', 'admin')), FALSE) AS can_manage
|
|
FROM sso_users u
|
|
LEFT JOIN user_role ur ON ur.user_id = u.id
|
|
LEFT JOIN roles r ON r.id = ur.role_id
|
|
WHERE u.id = :user_id
|
|
GROUP BY u.id, u.area
|
|
"""
|
|
),
|
|
{"user_id": CurrentUserId},
|
|
)
|
|
).mappings().first()
|
|
if not row:
|
|
raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "当前用户不存在")
|
|
return {"area": str(row["area"] or ""), "is_global": bool(row["is_global"]), "can_manage": bool(row["can_manage"])}
|
|
|
|
async def _ensureAdminSeeds(self, Session) -> dict[str, int]:
|
|
"""确保系统设置所需路由和权限定义已存在。"""
|
|
routeIdsByPath: dict[str, int] = {}
|
|
for blueprint in self._MANAGEABLE_ROUTE_BLUEPRINTS:
|
|
parentId = routeIdsByPath.get(str(blueprint.get("parent_path"))) if blueprint.get("parent_path") else None
|
|
row = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
INSERT INTO sys_routes (route_path, route_name, component, parent_id, route_title, icon, sort_order, is_hidden, is_cache, meta, status, created_at, updated_at, deleted_at)
|
|
VALUES (:route_path, :route_name, :component, :parent_id, :route_title, :icon, :sort_order, :is_hidden, :is_cache, CAST(:meta AS jsonb), 0, NOW(), NOW(), NULL)
|
|
ON CONFLICT (route_path) WHERE deleted_at IS NULL
|
|
DO UPDATE SET route_name = EXCLUDED.route_name, component = EXCLUDED.component, parent_id = EXCLUDED.parent_id,
|
|
route_title = EXCLUDED.route_title, icon = EXCLUDED.icon, sort_order = EXCLUDED.sort_order,
|
|
is_hidden = EXCLUDED.is_hidden, is_cache = EXCLUDED.is_cache, meta = EXCLUDED.meta, status = 0, updated_at = NOW()
|
|
RETURNING id
|
|
"""
|
|
),
|
|
{
|
|
"route_path": blueprint["route_path"],
|
|
"route_name": blueprint["route_name"],
|
|
"component": blueprint.get("component"),
|
|
"parent_id": parentId,
|
|
"route_title": blueprint["route_title"],
|
|
"icon": blueprint.get("icon"),
|
|
"sort_order": blueprint.get("sort_order", 0),
|
|
"is_hidden": bool(blueprint.get("is_hidden", False)),
|
|
"is_cache": bool(blueprint.get("is_cache", True)),
|
|
"meta": self._jsonDump(blueprint.get("meta") or {}),
|
|
},
|
|
)
|
|
).scalar_one()
|
|
routeIdsByPath[str(blueprint["route_path"])] = int(row)
|
|
|
|
for blueprint in self._MANAGEABLE_PERMISSION_BLUEPRINTS:
|
|
routeId = routeIdsByPath.get(str(blueprint["route_path"]))
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
INSERT INTO permissions (
|
|
permission_key, module, resource, action, description, display_name, permission_type,
|
|
is_system, metadata, created_at, updated_at, parent_id, sort_order, route_id, api_path, api_method, related_routes
|
|
) VALUES (
|
|
:permission_key, :module, :resource, :action, :description, :display_name, 'API', TRUE,
|
|
NULL, NOW(), NOW(), NULL, 0, :route_id, :api_path, :api_method, NULL
|
|
)
|
|
ON CONFLICT (permission_key)
|
|
DO UPDATE SET module = EXCLUDED.module, resource = EXCLUDED.resource, action = EXCLUDED.action,
|
|
display_name = EXCLUDED.display_name, route_id = EXCLUDED.route_id,
|
|
api_path = EXCLUDED.api_path, api_method = EXCLUDED.api_method, updated_at = NOW()
|
|
"""
|
|
),
|
|
{
|
|
"permission_key": blueprint["permission_key"],
|
|
"module": blueprint["module"],
|
|
"resource": blueprint["resource"],
|
|
"action": blueprint["action"],
|
|
"description": blueprint["display_name"],
|
|
"display_name": blueprint["display_name"],
|
|
"route_id": routeId,
|
|
"api_path": blueprint["api_path"],
|
|
"api_method": blueprint["api_method"],
|
|
},
|
|
)
|
|
await Session.commit()
|
|
return routeIdsByPath
|
|
|
|
async def _loadPermissionsByRoute(self, Session, RouteIds: list[int]) -> dict[int, list[RoutePermissionVO]]:
|
|
"""加载路由关联权限定义。"""
|
|
if not RouteIds:
|
|
return {}
|
|
rows = (
|
|
await Session.execute(
|
|
text(
|
|
"""
|
|
SELECT id, permission_key, display_name, api_method, api_path, route_id, related_routes
|
|
FROM permissions
|
|
WHERE route_id = ANY(:route_ids)
|
|
OR EXISTS (
|
|
SELECT 1
|
|
FROM unnest(COALESCE(related_routes, ARRAY[]::bigint[])) AS related_route_id
|
|
WHERE related_route_id = ANY(:route_ids)
|
|
)
|
|
ORDER BY sort_order ASC, id ASC
|
|
"""
|
|
).bindparams(route_ids=RouteIds),
|
|
)
|
|
).mappings().all()
|
|
output: dict[int, list[RoutePermissionVO]] = {int(routeId): [] for routeId in RouteIds}
|
|
for row in rows:
|
|
relatedRoutes = [int(item) for item in list(row.get("related_routes") or [])]
|
|
targetRouteIds = []
|
|
if row.get("route_id") is not None:
|
|
targetRouteIds.append(int(row["route_id"]))
|
|
targetRouteIds.extend(relatedRoutes)
|
|
permissionVo = RoutePermissionVO(
|
|
id=int(row["id"]),
|
|
permission_key=str(row["permission_key"] or ""),
|
|
display_name=row.get("display_name"),
|
|
api_method=row.get("api_method"),
|
|
api_path=row.get("api_path"),
|
|
route_id=int(row["route_id"]) if row.get("route_id") is not None else None,
|
|
related_routes=relatedRoutes or None,
|
|
is_shared=bool(relatedRoutes),
|
|
)
|
|
for routeId in targetRouteIds:
|
|
if routeId in output:
|
|
output[routeId].append(permissionVo)
|
|
return output
|
|
|
|
async def _getRoleRow(self, Session, RoleId: int):
|
|
"""查询角色原始记录。"""
|
|
row = (
|
|
await Session.execute(
|
|
text(
|
|
"SELECT id, role_key, role_name, data_scope, description, parent_role_id, priority, is_system_role, created_at, updated_at FROM roles WHERE id = :role_id"
|
|
),
|
|
{"role_id": RoleId},
|
|
)
|
|
).mappings().first()
|
|
if not row:
|
|
raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "角色不存在")
|
|
return row
|
|
|
|
def _toRoleVo(self, Row) -> RoleVO:
|
|
"""角色记录转 VO。"""
|
|
return RoleVO(
|
|
id=int(Row["id"]),
|
|
role_key=str(Row["role_key"] or ""),
|
|
role_name=str(Row["role_name"] or ""),
|
|
data_scope=str(Row["data_scope"] or "SELF"),
|
|
description=str(Row.get("description") or ""),
|
|
parent_role_id=int(Row["parent_role_id"]) if Row.get("parent_role_id") is not None else None,
|
|
priority=int(Row.get("priority") or 0),
|
|
is_system=bool(Row.get("is_system_role", False)),
|
|
created_at=self._toIso(Row.get("created_at")),
|
|
updated_at=self._toIso(Row.get("updated_at")),
|
|
)
|
|
|
|
def _toUserVo(self, Row) -> UserVO:
|
|
"""用户记录转 VO。"""
|
|
roles = []
|
|
for item in list(Row.get("roles") or []):
|
|
if isinstance(item, dict) and item.get("role_id") is not None:
|
|
roles.append(UserRoleVO(role_id=int(item["role_id"]), role_key=str(item.get("role_key") or ""), role_name=str(item.get("role_name") or "")))
|
|
return UserVO(
|
|
id=int(Row["id"]),
|
|
username=str(Row.get("username") or ""),
|
|
nick_name=str(Row.get("nick_name") or ""),
|
|
phone_number=Row.get("phone_number"),
|
|
email=Row.get("email"),
|
|
area=Row.get("area"),
|
|
ou_name=Row.get("ou_name"),
|
|
ou_id=Row.get("ou_id"),
|
|
status=int(Row.get("status") or 0),
|
|
is_leader=bool(Row.get("is_leader", False)),
|
|
roles=roles,
|
|
tenant_name=Row.get("tenant_name"),
|
|
dep_name=Row.get("dep_name"),
|
|
)
|
|
|
|
def _toRouteVo(self, Row, Permissions: list[RoutePermissionVO], Enabled: bool) -> RouteVO:
|
|
"""路由记录转 VO。"""
|
|
return RouteVO(
|
|
id=int(Row["id"]),
|
|
route_path=str(Row.get("route_path") or ""),
|
|
route_name=str(Row.get("route_name") or ""),
|
|
route_title=str(Row.get("route_title") or ""),
|
|
component=Row.get("component"),
|
|
parent_id=int(Row["parent_id"]) if Row.get("parent_id") is not None else None,
|
|
icon=Row.get("icon"),
|
|
sort_order=int(Row.get("sort_order") or 0),
|
|
is_hidden=bool(Row.get("is_hidden", False)),
|
|
is_cache=bool(Row.get("is_cache", True)),
|
|
status=int(Row.get("status") or 0),
|
|
enabled=Enabled,
|
|
permissions=Permissions,
|
|
children=None,
|
|
)
|
|
|
|
def _toRolePermissionVo(self, Row):
|
|
"""角色权限记录转 VO。"""
|
|
from fastapi_modules.fastapi_leaudit.domian.vo.rbacAdminVo import RolePermissionDetailVO
|
|
|
|
return RolePermissionDetailVO(
|
|
id=int(Row["id"]),
|
|
permission_id=int(Row["permission_id"]),
|
|
permission_key=str(Row["permission_key"] or ""),
|
|
display_name=Row.get("display_name"),
|
|
grant_type=str(Row.get("grant_type") or "GRANT"),
|
|
data_scope=Row.get("data_scope"),
|
|
)
|
|
|
|
def _buildRouteTree(self, Routes: list[RouteVO]) -> list[RouteVO]:
|
|
"""构建路由树。"""
|
|
routeMap = {route.id: route.model_copy(deep=True) for route in Routes}
|
|
rootRoutes: list[RouteVO] = []
|
|
for route in routeMap.values():
|
|
route.children = []
|
|
for route in routeMap.values():
|
|
if route.parent_id and route.parent_id in routeMap:
|
|
routeMap[route.parent_id].children.append(route)
|
|
else:
|
|
rootRoutes.append(route)
|
|
for route in routeMap.values():
|
|
if route.children is not None and len(route.children) == 0:
|
|
route.children = None
|
|
elif route.children:
|
|
route.children.sort(key=lambda item: (item.sort_order, item.id))
|
|
rootRoutes.sort(key=lambda item: (item.sort_order, item.id))
|
|
return rootRoutes
|
|
|
|
def _jsonDump(self, Value: Any) -> str:
|
|
"""JSON 序列化。"""
|
|
import json
|
|
|
|
return json.dumps(Value, ensure_ascii=False)
|
|
|
|
def _toIso(self, Value) -> str | None:
|
|
"""时间转 ISO 字符串。"""
|
|
if Value is None:
|
|
return None
|
|
if isinstance(Value, datetime):
|
|
return Value.isoformat()
|
|
return str(Value)
|