修正了对更新数据中userRelation的合法性判定
This commit is contained in:
parent
846626d9dc
commit
075c967e0b
@ -1055,47 +1055,79 @@ var RelationAuth = /** @class */ (function () {
|
|||
// 算法是先将整个update的根结点对象找到,并找到为其赋权的relation,再用此relation去查找所有子对象上的actionAuth
|
||||
var result = [];
|
||||
var _a = this.destructCascadeOperation(entity, operation), root = _a.root, children_1 = _a.children, userRelations = _a.userRelations;
|
||||
var e_4 = root.entity, d = root.data, f = root.filter, a = root.action;
|
||||
var e = root.entity, d = root.data, f = root.filter, a = root.action;
|
||||
if (userRelations.length > 0) {
|
||||
(0, assert_1.default)(e_4 !== 'user');
|
||||
(0, assert_1.default)(e !== 'user');
|
||||
(0, assert_1.default)(!(d instanceof Array));
|
||||
var createIds_1 = userRelations.map(function (ele) { return ele.relationId; });
|
||||
// 这里处理的是创建对象时顺带创建相关权限,要检查该权限是不是有create动作授权
|
||||
var aas = context.select('actionAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
destEntity: e_4,
|
||||
deActions: {
|
||||
$contains: 'create',
|
||||
/**
|
||||
* 当某一个对象更新授予权限时,有两种情况:
|
||||
* 1)当前用户有授予此权限的权限
|
||||
* 2)当前权限可以在创建的时候自动被创建(根据actionAuth的path = ''同时有create权限来判定)
|
||||
*/
|
||||
var promises = [
|
||||
context.select('relationAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
destRelationId: 1,
|
||||
},
|
||||
path: '',
|
||||
},
|
||||
}, { dontCollect: true });
|
||||
if (aas instanceof Promise) {
|
||||
result.push(aas.then(function (aas2) {
|
||||
var relationIds = aas2.map(function (ele) { return ele.relationId; });
|
||||
var diff = (0, lodash_1.difference)(createIds_1, relationIds);
|
||||
if (diff.length > 0) {
|
||||
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_4, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
|
||||
filter: {
|
||||
destRelationId: {
|
||||
$in: createIds_1,
|
||||
},
|
||||
sourceRelationId: {
|
||||
$in: {
|
||||
entity: 'userRelation',
|
||||
data: {
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
userId: userId,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return '';
|
||||
}, { dontCollect: true }),
|
||||
action === 'create' && context.select('actionAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
destEntity: e,
|
||||
deActions: {
|
||||
$contains: 'create',
|
||||
},
|
||||
path: '',
|
||||
},
|
||||
}, { dontCollect: true })
|
||||
];
|
||||
var checkRelationLegal_1 = function (selectResult) {
|
||||
if (selectResult[0].length > 0 && (0, lodash_1.difference)(createIds_1, selectResult[0].map(function (ele) { return ele.destRelationId; })).length === 0) {
|
||||
return true;
|
||||
}
|
||||
if (selectResult[1] && (0, lodash_1.difference)(createIds_1, selectResult[1].map(function (ele) { return ele.relationId; })).length === 0) {
|
||||
return true;
|
||||
}
|
||||
};
|
||||
if (promises[0] instanceof Promise) {
|
||||
result.push(Promise.all(promises).then(function (r2) {
|
||||
if (checkRelationLegal_1(r2)) {
|
||||
return '';
|
||||
}
|
||||
return "\u60A8\u6CA1\u6709\u521B\u5EFA".concat(createIds_1.join(','), "\u4E4B\u4E00\u5173\u7CFB\u7684\u6743\u9650");
|
||||
}));
|
||||
}
|
||||
else {
|
||||
var relationIds = aas.map(function (ele) { return ele.relationId; });
|
||||
var diff = (0, lodash_1.difference)(createIds_1, relationIds);
|
||||
if (diff.length > 0) {
|
||||
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_4, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
|
||||
if (!checkRelationLegal_1(promises)) {
|
||||
return "\u60A8\u6CA1\u6709\u521B\u5EFA".concat(createIds_1.join(','), "\u5173\u7CFB\u4E4B\u4E00\u7684\u6743\u9650");
|
||||
}
|
||||
}
|
||||
}
|
||||
if (['user', 'relation', 'oper', 'operEntity', 'modi', 'modiEntity', 'userRelation', 'actionAuth',
|
||||
'freeActionAuth', 'relationAuth', 'userEntityGrant', 'relation'].includes(e_4)) {
|
||||
'freeActionAuth', 'relationAuth', 'userEntityGrant', 'relation'].includes(e)) {
|
||||
// 只要根对象能检查通过就算通过(暂定这个策略)
|
||||
var r = this.checkSpecialEntity(e_4, {
|
||||
var r = this.checkSpecialEntity(e, {
|
||||
action: a,
|
||||
data: d,
|
||||
filter: f,
|
||||
|
|
@ -1105,7 +1137,7 @@ var RelationAuth = /** @class */ (function () {
|
|||
}
|
||||
}
|
||||
else {
|
||||
if (!this.relationalChecker[e_4]) {
|
||||
if (!this.relationalChecker[e]) {
|
||||
throw new types_1.OakUserUnpermittedException("".concat(root.entity, "\u4E0A\u4E0D\u5B58\u5728\u6709\u6548\u7684actionPath"));
|
||||
}
|
||||
var checker = this.relationalChecker[root.entity](userId, actions || [root.action], root.data, root.filter, userRelations);
|
||||
|
|
|
|||
|
|
@ -1247,41 +1247,78 @@ export class RelationAuth<ED extends EntityDict & BaseEntityDict>{
|
|||
assert(e !== 'user');
|
||||
assert(!(d instanceof Array));
|
||||
const createIds = userRelations.map(ele => ele.relationId!);
|
||||
// 这里处理的是创建对象时顺带创建相关权限,要检查该权限是不是有create动作授权
|
||||
const aas = context.select('actionAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
destEntity: e as string,
|
||||
deActions: {
|
||||
$contains: 'create',
|
||||
/**
|
||||
* 当某一个对象更新授予权限时,有两种情况:
|
||||
* 1)当前用户有授予此权限的权限
|
||||
* 2)当前权限可以在创建的时候自动被创建(根据actionAuth的path = ''同时有create权限来判定)
|
||||
*/
|
||||
const promises = [
|
||||
context.select('relationAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
destRelationId: 1,
|
||||
},
|
||||
path: '',
|
||||
},
|
||||
}, { dontCollect: true });
|
||||
if (aas instanceof Promise) {
|
||||
result.push(
|
||||
aas.then(
|
||||
(aas2) => {
|
||||
const relationIds = aas2.map(ele => ele.relationId);
|
||||
const diff = difference(createIds, relationIds);
|
||||
if (diff.length > 0) {
|
||||
return `您无权创建「${e as string}」对象上id为「${diff.join(',')}」的用户权限`;
|
||||
filter: {
|
||||
destRelationId: {
|
||||
$in: createIds,
|
||||
},
|
||||
sourceRelationId: {
|
||||
$in: {
|
||||
entity: 'userRelation',
|
||||
data: {
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
userId,
|
||||
}
|
||||
}
|
||||
return '';
|
||||
}
|
||||
}
|
||||
}, { dontCollect: true}),
|
||||
action === 'create' && context.select('actionAuth', {
|
||||
data: {
|
||||
id: 1,
|
||||
relationId: 1,
|
||||
},
|
||||
filter: {
|
||||
destEntity: e as string,
|
||||
deActions: {
|
||||
$contains: 'create',
|
||||
},
|
||||
path: '',
|
||||
},
|
||||
}, { dontCollect: true })
|
||||
] as [
|
||||
Partial<ED['relationAuth']['Schema']>[] | Promise<Partial<ED['relationAuth']['Schema']>[]>,
|
||||
Partial<ED['actionAuth']['Schema']>[] | Promise<Partial<ED['actionAuth']['Schema']>[]>
|
||||
];
|
||||
|
||||
const checkRelationLegal = (selectResult: [Partial<ED['relationAuth']['Schema']>[], Partial<ED['actionAuth']['Schema']>[] | undefined]) => {
|
||||
if (selectResult[0].length > 0 && difference(createIds, selectResult[0].map(ele => ele.destRelationId)).length === 0) {
|
||||
return true;
|
||||
}
|
||||
if (selectResult[1] && difference(createIds, selectResult[1].map(ele => ele.relationId)).length === 0) {
|
||||
return true;
|
||||
}
|
||||
};
|
||||
|
||||
if (promises[0] instanceof Promise) {
|
||||
result.push(
|
||||
Promise.all(promises).then(
|
||||
(r2) => {
|
||||
if (checkRelationLegal(r2)) {
|
||||
return '';
|
||||
}
|
||||
return `您没有创建${createIds.join(',')}之一关系的权限`;
|
||||
}
|
||||
)
|
||||
);
|
||||
}
|
||||
else {
|
||||
const relationIds = aas.map(ele => ele.relationId!);
|
||||
const diff = difference(createIds, relationIds);
|
||||
if (diff.length > 0) {
|
||||
return `您无权创建「${e as string}」对象上id为「${diff.join(',')}」的用户权限`;
|
||||
if (!checkRelationLegal(promises as [Partial<ED['relationAuth']['Schema']>[], Partial<ED['actionAuth']['Schema']>[]])) {
|
||||
return `您没有创建${createIds.join(',')}关系之一的权限`;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (['user', 'relation', 'oper', 'operEntity', 'modi', 'modiEntity', 'userRelation', 'actionAuth',
|
||||
'freeActionAuth', 'relationAuth', 'userEntityGrant', 'relation'].includes(e as string)) {
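Review bot: `checkRelationLegal` (declared right after the `promises` tuple) falls through without a return when neither branch matches, so it yields `undefined` instead of `false` and would not compile under `noImplicitReturns`; add `return false;` as its last statement so the deny path is explicit. The `as [ ... ]` assertion on `promises` also hides that the second element is `false` whenever `action !== 'create'`, which is exactly the case the `selectResult[1] &&` guard depends on — declaring that member as `Partial<ED['actionAuth']['Schema']>[] | Promise<...> | false` in both the tuple type and the helper's parameter type keeps the guard honest and removes the need for the later `promises as [...]` cast in the synchronous branch. A short comment on the helper would help the next reader, e.g. `// Accept when every requested relationId is grantable by a relation the user holds, or (create only) is auto-creatable via a path '' actionAuth carrying 'create'.`. Both accept paths appear to rely on the root object's own action being authorised further down (the `relationalChecker` call), which is outside this hunk, as are the start and end of the enclosing method.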
|
||||
|
|
|
|||