construction_management/web/middleware/accessAuth.go

/*
 * @description: 访问权限认证
 * @Author: CP
 * @Date: 2020-10-09 10:43:39
 * @FilePath: \construction_management\web\middleware\accessAuth.go
 */
package middleware

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"log"

	"github.com/kataras/iris/v12"
	"go.mod/dao"
	"go.mod/datasource"
	"go.mod/lib"
	"go.mod/models"
)

// 员工表权限解析
type permission struct {
	Add    int ` json:"add" `
	Delete int ` json:"delete" `
	Access int ` json:"access" `
}

// 权限JSON对象
type permissionPath struct {
	Contract       path     `json:"contract" `
	Safe           path     `json:"safe" `
	Quality        path     `json:"quality" `
	ProjectSetting []string `json:"projectSetting" `
}

// 对象中地址列表
type path struct {
	Add    []string `json:"add" `
	Access []string `json:"access" `
	Delete []string `json:"delete" `
}

// 权限验证中间件
func AccessAuth(ctx iris.Context) {

	// 需要先设置标段ID，在获得权限进行判断
	// 账号活动状态下，入口必须是 /api/contract/survey，
	path := ctx.Path()
	if path == "/api/contract/survey" || path == "/api/quality/survey" || path == "/api/safe/survey" {
		ctx.Next()
		return
	}
	// 1.获得成员信息
	account := ctx.Values().Get("account").(*models.CmProjectAccount)

	// 1-1获得标段ID
	key := fmt.Sprintf("pm_%d_%d", account.ProjectId, account.Id)
	bidsectionId := lib.NewRedis().GetBidsectionIdByCache(key)

	// 1-2 获得账号权限
	permissionAccountDao := dao.NewPermissionAccountDao(datasource.InstanceDbMaster())
	permissionData := permissionAccountDao.GetBidsectionIdAccountId(bidsectionId, account.Id)
	// permissionData := s.permissionAccountDao.GetBidsectionId(bidsectionId)
	fmt.Println(bidsectionId, account.Id)
	fmt.Println(permissionData)

	// 1-1.是管理员- 拥有所有权限
	if account.IsAdmin != 1 {
		// if account.IsAdmin == 1 {
		// 2.获得员工可访问的权限
		contractPermission := permission{}
		if permissionData.ContractPermission != "" {
			err := json.Unmarshal([]byte(permissionData.ContractPermission), &contractPermission)
			// 错误后 全部权限默认为0
			if err != nil {
				log.Println("合同权限解析错误:err=", err)
			}
		}
		safePermission := permission{}
		if permissionData.SafePermission != "" {
			err := json.Unmarshal([]byte(permissionData.SafePermission), &safePermission)
			if err != nil {
				log.Println("安全权限解析错误:err=", err)
			}
		}
		qualityPermission := permission{}
		if permissionData.QualityPermission != "" {
			err := json.Unmarshal([]byte(permissionData.QualityPermission), &qualityPermission)
			if err != nil {
				log.Println("质量权限解析错误:err=", err)
			}
		}

		// 2-1获得权限列表
		permissionPath := permissionPath{}
		permissionPathData, err := ioutil.ReadFile("../lib/permission.json")
		err = json.Unmarshal(permissionPathData, &permissionPath)
		if err != nil {
			log.Println("权限解析错误:err=", err)
			ctx.JSON(iris.Map{"code": 2, "msg": "权限解析错误"})
			return
		}
		// 2-2 不容许访问的权限--比对访问路径
		requestPath := ctx.Path()
		// 合同权限
		err = verifyAuth(contractPermission, permissionPath.Contract, requestPath)
		if err != nil {
			ctx.JSON(iris.Map{"code": 2, "msg": fmt.Sprintf("%s", err)})
			return
		}
		// 安全权限
		err = verifyAuth(contractPermission, permissionPath.Safe, requestPath)
		if err != nil {
			ctx.JSON(iris.Map{"code": 2, "msg": fmt.Sprintf("%s", err)})
			return
		}
		// 质量权限
		err = verifyAuth(contractPermission, permissionPath.Quality, requestPath)
		if err != nil {
			ctx.JSON(iris.Map{"code": 2, "msg": fmt.Sprintf("%s", err)})
			return
		}
		// 项目设置 -只有管理员才能访问
		for _, path := range permissionPath.ProjectSetting {
			if path == requestPath {
				ctx.JSON(iris.Map{"code": 2, "msg": "无权访问"})
				return
			}
		}

	}

	ctx.Next()
}

// 验证权限路径
func verifyAuth(permission permission, pathList path, requestPath string) error {
	if permission.Add == 0 {
		for _, path := range pathList.Add {
			if path == requestPath {
				return errors.New("无权访问")
			}
		}
	}
	if permission.Access == 0 {
		for _, path := range pathList.Access {
			if path == requestPath {
				return errors.New("无权访问")
			}
		}
	}
	if permission.Delete == 0 {
		for _, path := range pathList.Delete {
			if path == requestPath {
				return errors.New("无权访问")
			}
		}
	}
	return nil
}