fix #I3RHPD 完成在api中对接口权限进行鉴权

OpenAuth.App/Relevance/Request/AssignRoleResources.cs

@@ -0,0 +1,17 @@
+namespace OpenAuth.App.Request
+{
+    /// <summary>
+    /// 角色分配资源
+    /// </summary>
+    public class AssignRoleResources
+    {
+        /// <summary>
+        /// 角色id
+        /// </summary>
+        public string RoleId { get; set; }
+        /// <summary>
+        /// 资源id列表
+        /// </summary>
+        public string[] ResourceIds { get; set; }
+    }
+}

OpenAuth.App/Relevance/RevelanceManagerApp.cs

@@ -234,5 +234,28 @@ namespace OpenAuth.App
                 UnitWork.Save();
             });
         }
+
+        /// <summary>
+        /// 为角色分配资源，需要统一提交，会删除以前该角色的所有资源
+        /// </summary>
+        /// <param name="request"></param>
+        public void AssignRoleResources(AssignRoleResources request)
+        {
+            UnitWork.ExecuteWithTransaction(() =>
+            {
+                //删除以前的所有资源
+                UnitWork.Delete<Relevance>(u => u.FirstId == request.RoleId && u.Key == Define.ROLERESOURCE);
+                //批量分配角色资源
+                UnitWork.BatchAdd((from firstId in request.ResourceIds
+                    select new Relevance
+                    {
+                        Key = Define.ROLERESOURCE,
+                        FirstId = request.RoleId,
+                        SecondId = firstId,
+                        OperateTime = DateTime.Now
+                    }).ToArray());
+                UnitWork.Save();
+            });
+        }
     }
 }

OpenAuth.App/Resources/ResourceApp.cs

@@ -21,7 +21,7 @@ namespace OpenAuth.App
         private RevelanceManagerApp _revelanceApp;
         private ApiService _apiService;
 
-        private IAuth _auth;
+        private readonly IAuth _auth;
 
         public ResourceApp(ISqlSugarClient client, IAuth auth, RevelanceManagerApp revelanceApp, ApiService apiService) : base(client, auth)
         {
@@ -155,7 +155,40 @@ namespace OpenAuth.App
                 Repository.Insert(resource);
             }
         }
-        
+
+        /// <summary>
+        /// 判断当前登录用户是否拥有访问该API的权限
+        /// <para>如果角色没有做任何分配，则默认拥有权限。这个可以根据实际需要修改。</para>
+        /// </summary>
+        /// <param name="apiPath">API路径</param>
+        /// <returns>true:拥有权限,false:没有权限</returns>
+        public bool CanAccess(string apiPath)
+        {
+            var loginContext = _auth.GetCurrentUser();
+            if (loginContext == null)
+            {
+                throw new CommonException("登录已过期", Define.INVALID_TOKEN);
+            }
+
+            //如果当前登录用户是管理员，则拥有所有权限
+            if(loginContext.User.Account == Define.SYSTEM_USERNAME){
+                return true;
+            }
+
+            var elementIds = _revelanceApp.Get(Define.ROLERESOURCE, true, loginContext.Roles.Select(u => u.Id).ToArray());
+            //如果角色没有做任何分配，则默认拥有权限。这个可以根据实际需要修改。
+            if(elementIds.Count == 0)
+            {
+                return true;
+            }
+            //如果分配了资源，则判断是否拥有权限
+            var resource = Repository.GetFirst(u => u.Name.Contains(apiPath) && u.TypeId == Define.API && elementIds.Contains(u.Id));
+            if(resource == null)
+            {
+                return false;
+            }
+            return true;
+        }
     }
 
     /// <summary>

OpenAuth.WebApi/Controllers/AccessObjsController.cs

@@ -133,6 +133,26 @@ namespace OpenAuth.WebApi.Controllers
 
             return result;
         }
+
+         /// <summary>
+        /// 角色分配资源，整体提交，会覆盖之前的配置
+        /// </summary>
+        [HttpPost]
+        public Response AssignRoleResources([FromBody] AssignRoleResources request)
+        {
+            var result = new Response();
+            try
+            {
+                _app.AssignRoleResources(request);
+            }
+            catch (Exception ex)
+            {
+                result.Code = 500;
+                result.Message = ex.InnerException?.Message ?? ex.Message;
+            }
+
+            return result;
+        }
         
         /// <summary>
         /// 部门分配用户，整体提交，会覆盖之前的配置

OpenAuth.WebApi/Model/OpenAuthFilter.cs

@@ -14,10 +14,13 @@ namespace OpenAuth.WebApi.Model
         private readonly IAuth _authUtil;
         private readonly SysLogApp _logApp;
 
-        public OpenAuthFilter(IAuth authUtil, SysLogApp logApp)
+        private readonly ResourceApp _resourceApp;
+
+        public OpenAuthFilter(IAuth authUtil, SysLogApp logApp, ResourceApp resourceApp)
         {
             _authUtil = authUtil;
             _logApp = logApp;
+            _resourceApp = resourceApp;
         }
 
         public void OnActionExecuting(ActionExecutingContext context)
@@ -28,9 +31,9 @@ namespace OpenAuth.WebApi.Model
             var Controllername = description.ControllerName.ToLower();
             var Actionname = description.ActionName.ToLower();
 
-            //匿名标识
+            //匿名访问的不需要验证
-            var authorize = description.MethodInfo.GetCustomAttribute(typeof(AllowAnonymousAttribute));
+            var allowAnonymous = description.MethodInfo.GetCustomAttribute(typeof(AllowAnonymousAttribute));
-            if (authorize != null)
+            if (allowAnonymous != null)
             {
                 return;
             }
@@ -41,14 +44,29 @@ namespace OpenAuth.WebApi.Model
                 context.Result = new JsonResult(new Response
                 {
                     Code = 401,
-                    Message = "认证失败，请提供认证信息"
+                    Message = "登录已过期，请重新登录"
                 });
                 return;
             }
+
+            var apiPath = $"{Controllername}/{Actionname}";
+            //判断登录角色是否拥有访问该URL的权限
+            var resource = _resourceApp.CanAccess(apiPath);
+            if(!resource)
+            {
+                context.Result = new JsonResult(new Response
+                {
+                    Code = 500,
+                    Message = $"当前用户没有访问{apiPath}的权限,请在【角色管理】中分配资源"
+                });
+                return;
+            }
+
+
             _logApp.Add(new SysLog
             {
                 Content = $"用户访问",
-                Href = $"{Controllername}/{Actionname}",
+                Href = apiPath,
                 CreateName = _authUtil.GetUserName(),
                 CreateId = _authUtil.GetCurrentUser().User.Id,
                 TypeName = "访问日志"

docs/core/apiauth.md

@@ -1,10 +1,3 @@
-<!--
- * @Author: yubaolee <yubaolee@163.com> | ahfu~ <954478625@qq.com>
- * @Date: 2023-12-25 14:43:53
- * @Description: 
- * @LastEditTime: 2025-03-11 11:19:25
- * Copyright (c) 2025 by yubaolee | ahfu~ , All Rights Reserved.  
--->
 # API权限控制
 
 在使用OpenAuth.WebApi过程中，系统会对所有的Api进行权限控制。如果没有登录就访问Api接口，会提示下面信息：