fix #I3RHPD 完成在api中对接口权限进行鉴权

2025-04-05 08:37:28 +08:00 · 2025-03-11 17:34:54 +08:00 · 2025-03-11 17:34:54 +08:00 · 2d108586e7
commit 2d108586e7
parent 18c6fbfaad
6 changed files with 119 additions and 15 deletions
--- a/OpenAuth.App/Relevance/Request/AssignRoleResources.cs
+++ b/OpenAuth.App/Relevance/Request/AssignRoleResources.cs
@ -0,0 +1,17 @@
+namespace OpenAuth.App.Request
+{
+    /// <summary>
+    /// 角色分配资源
+    /// </summary>
+    public class AssignRoleResources
+    {
+        /// <summary>
+        /// 角色id
+        /// </summary>
+        public string RoleId { get; set; }
+        /// <summary>
+        /// 资源id列表
+        /// </summary>
+        public string[] ResourceIds { get; set; }
+    }
+}
--- a/OpenAuth.App/Relevance/RevelanceManagerApp.cs
+++ b/OpenAuth.App/Relevance/RevelanceManagerApp.cs
@ -234,5 +234,28 @@ namespace OpenAuth.App
                UnitWork.Save();
            });
        }
+
+        /// <summary>
+        /// 为角色分配资源，需要统一提交，会删除以前该角色的所有资源
+        /// </summary>
+        /// <param name="request"></param>
+        public void AssignRoleResources(AssignRoleResources request)
+        {
+            UnitWork.ExecuteWithTransaction(() =>
+            {
+                //删除以前的所有资源
+                UnitWork.Delete<Relevance>(u => u.FirstId == request.RoleId && u.Key == Define.ROLERESOURCE);
+                //批量分配角色资源
+                UnitWork.BatchAdd((from firstId in request.ResourceIds
+                    select new Relevance
+                    {
+                        Key = Define.ROLERESOURCE,
+                        FirstId = request.RoleId,
+                        SecondId = firstId,
+                        OperateTime = DateTime.Now
+                    }).ToArray());
+                UnitWork.Save();
+            });
+        }
    }
 }
--- a/OpenAuth.App/Resources/ResourceApp.cs
+++ b/OpenAuth.App/Resources/ResourceApp.cs
@ -21,7 +21,7 @@ namespace OpenAuth.App
        private RevelanceManagerApp _revelanceApp;
        private ApiService _apiService;

-        private IAuth _auth;
+        private readonly IAuth _auth;

        public ResourceApp(ISqlSugarClient client, IAuth auth, RevelanceManagerApp revelanceApp, ApiService apiService) : base(client, auth)
        {
@ -155,7 +155,40 @@ namespace OpenAuth.App
                Repository.Insert(resource);
            }
        }
-        
+
+        /// <summary>
+        /// 判断当前登录用户是否拥有访问该API的权限
+        /// <para>如果角色没有做任何分配，则默认拥有权限。这个可以根据实际需要修改。</para>
+        /// </summary>
+        /// <param name="apiPath">API路径</param>
+        /// <returns>true:拥有权限,false:没有权限</returns>
+        public bool CanAccess(string apiPath)
+        {
+            var loginContext = _auth.GetCurrentUser();
+            if (loginContext == null)
+            {
+                throw new CommonException("登录已过期", Define.INVALID_TOKEN);
+            }
+
+            //如果当前登录用户是管理员，则拥有所有权限
+            if(loginContext.User.Account == Define.SYSTEM_USERNAME){
+                return true;
+            }
+
+            var elementIds = _revelanceApp.Get(Define.ROLERESOURCE, true, loginContext.Roles.Select(u => u.Id).ToArray());
+            //如果角色没有做任何分配，则默认拥有权限。这个可以根据实际需要修改。
+            if(elementIds.Count == 0)
+            {
+                return true;
+            }
+            //如果分配了资源，则判断是否拥有权限
+            var resource = Repository.GetFirst(u => u.Name.Contains(apiPath) && u.TypeId == Define.API && elementIds.Contains(u.Id));
+            if(resource == null)
+            {
+                return false;
+            }
+            return true;
+        }
    }

    /// <summary>
--- a/OpenAuth.WebApi/Controllers/AccessObjsController.cs
+++ b/OpenAuth.WebApi/Controllers/AccessObjsController.cs
@ -133,6 +133,26 @@ namespace OpenAuth.WebApi.Controllers

            return result;
        }
+
+         /// <summary>
+        /// 角色分配资源，整体提交，会覆盖之前的配置
+        /// </summary>
+        [HttpPost]
+        public Response AssignRoleResources([FromBody] AssignRoleResources request)
+        {
+            var result = new Response();
+            try
+            {
+                _app.AssignRoleResources(request);
+            }
+            catch (Exception ex)
+            {
+                result.Code = 500;
+                result.Message = ex.InnerException?.Message ?? ex.Message;
+            }
+
+            return result;
+        }
        
        /// <summary>
        /// 部门分配用户，整体提交，会覆盖之前的配置
--- a/OpenAuth.WebApi/Model/OpenAuthFilter.cs
+++ b/OpenAuth.WebApi/Model/OpenAuthFilter.cs
@ -14,10 +14,13 @@ namespace OpenAuth.WebApi.Model
        private readonly IAuth _authUtil;
        private readonly SysLogApp _logApp;

-        public OpenAuthFilter(IAuth authUtil, SysLogApp logApp)
+        private readonly ResourceApp _resourceApp;
+
+        public OpenAuthFilter(IAuth authUtil, SysLogApp logApp, ResourceApp resourceApp)
        {
            _authUtil = authUtil;
            _logApp = logApp;
+            _resourceApp = resourceApp;
        }

        public void OnActionExecuting(ActionExecutingContext context)
@ -28,9 +31,9 @@ namespace OpenAuth.WebApi.Model
            var Controllername = description.ControllerName.ToLower();
            var Actionname = description.ActionName.ToLower();

-            //匿名标识
-            var authorize = description.MethodInfo.GetCustomAttribute(typeof(AllowAnonymousAttribute));
-            if (authorize != null)
+            //匿名访问的不需要验证
+            var allowAnonymous = description.MethodInfo.GetCustomAttribute(typeof(AllowAnonymousAttribute));
+            if (allowAnonymous != null)
            {
                return;
            }
@ -41,14 +44,29 @@ namespace OpenAuth.WebApi.Model
                context.Result = new JsonResult(new Response
                {
                    Code = 401,
-                    Message = "认证失败，请提供认证信息"
+                    Message = "登录已过期，请重新登录"
                });
                return;
            }
+
+            var apiPath = $"{Controllername}/{Actionname}";
+            //判断登录角色是否拥有访问该URL的权限
+            var resource = _resourceApp.CanAccess(apiPath);
+            if(!resource)
+            {
+                context.Result = new JsonResult(new Response
+                {
+                    Code = 500,
+                    Message = $"当前用户没有访问{apiPath}的权限,请在【角色管理】中分配资源"
+                });
+                return;
+            }
+
+
            _logApp.Add(new SysLog
            {
                Content = $"用户访问",
-                Href = $"{Controllername}/{Actionname}",
+                Href = apiPath,
                CreateName = _authUtil.GetUserName(),
                CreateId = _authUtil.GetCurrentUser().User.Id,
                TypeName = "访问日志"
--- a/docs/core/apiauth.md
+++ b/docs/core/apiauth.md
@ -1,10 +1,3 @@
-<!--
- * @Author: yubaolee <yubaolee@163.com> | ahfu~ <954478625@qq.com>
- * @Date: 2023-12-25 14:43:53
- * @Description: 
- * @LastEditTime: 2025-03-11 11:19:25
- * Copyright (c) 2025 by yubaolee | ahfu~ , All Rights Reserved.  
-->
 # API权限控制

 在使用OpenAuth.WebApi过程中，系统会对所有的Api进行权限控制。如果没有登录就访问Api接口，会提示下面信息：