补充了deduceAuth的case

Xu Chang 2023-07-14 16:54:08 +08:00
parent 9b6435ebda
commit 5789bbc96e
2 changed files with 60 additions and 21 deletions


@ -665,7 +665,7 @@ var RelationAuth = /** @class */ (function () {
this.checkActions(entity, operation, context);
};
RelationAuth.prototype.getDeducedCheckOperation = function (entity, operation) {
var e_2, _a;
var e_2, _a, e_3, _b;
// 如果是deduce的对象将之转化为所deduce的对象上的权限检查
var deduceAttr = this.authDeduceRelationMap[entity];
(0, assert_1.default)(deduceAttr === 'entity', "\u5F53\u524D\u53EA\u652F\u6301entity\u4F5C\u4E3Adeduce\u5916\u952E\uFF0Centity\u662F\u300C".concat(entity, "\u300D"));
@ -729,22 +729,48 @@ var RelationAuth = /** @class */ (function () {
}
else {
// 目前应该都有这两个属性包括select
var _b = filter, deduceEntity = _b.entity, deduceEntityId = _b.entityId;
var _c = filter, deduceEntity = _c.entity, deduceEntityId = _c.entityId;
// assert(deduceEntity, `${entity as string}对象上的${action}行为,必须带上${deduceAttr as string}的外键条件`);
// assert(deduceEntityId, `${entity as string}对象上的${action}行为,必须带上${deduceAttr as string}Id的外键条件`);
var deduceFilter = {};
if (deduceEntity && deduceEntityId) {
deduceFilter = { id: deduceEntityId };
}
else {
// 也可能是用cascade方式进行查找这里有时候filter上会带有两个不同的entity目标尚未处理todo!
var ref = this.schema[entity].attributes.entity.ref;
(0, assert_1.default)(ref instanceof Array);
try {
for (var ref_1 = tslib_1.__values(ref), ref_1_1 = ref_1.next(); !ref_1_1.done; ref_1_1 = ref_1.next()) {
var refEntity = ref_1_1.value;
if (filter[refEntity]) {
deduceEntity = refEntity;
deduceFilter = filter[refEntity];
break;
}
}
}
catch (e_3_1) { e_3 = { error: e_3_1 }; }
finally {
try {
if (ref_1_1 && !ref_1_1.done && (_b = ref_1.return)) _b.call(ref_1);
}
finally { if (e_3) throw e_3.error; }
}
}
if (deduceEntity && deduceFilter) {
if (action === 'select') {
return {
entity: deduceEntity,
operation: {
action: 'select',
data: { id: 1 },
filter: { id: deduceEntityId },
filter: deduceFilter,
}
};
}
else {
// 目前对于非select和create的action只要有其父对象的update/remove属性即可以
// 目前对于非select和create的action只要有其父对象的某一update/remove属性即可以(这样设计可能不严谨)
var excludeActions_2 = action_1.readOnlyActions.concat(['create']);
var updateActions = this.schema[deduceEntity].actions.filter(function (a) { return !excludeActions_2.includes(a); });
return {
@ -752,9 +778,7 @@ var RelationAuth = /** @class */ (function () {
operation: {
action: 'update',
data: {},
filter: {
id: deduceEntityId,
},
filter: deduceFilter,
},
actions: updateActions,
};
@ -982,9 +1006,9 @@ var RelationAuth = /** @class */ (function () {
// 算法是先将整个update的根结点对象找到并找到为其赋权的relation再用此relation去查找所有子对象上的actionAuth
var result = [];
var _a = this.destructCascadeOperation(entity, operation), root = _a.root, children_1 = _a.children, userRelations = _a.userRelations;
var e_3 = root.entity, d = root.data, f = root.filter, a = root.action;
var e_4 = root.entity, d = root.data, f = root.filter, a = root.action;
if (userRelations.length > 0) {
(0, assert_1.default)(e_3 !== 'user');
(0, assert_1.default)(e_4 !== 'user');
(0, assert_1.default)(a === 'create' && !(d instanceof Array));
var createIds_1 = userRelations.map(function (ele) { return ele.relationId; });
// 这里处理的是创建对象时顺带创建相关权限要检查该权限是不是有create动作授权
@ -994,7 +1018,7 @@ var RelationAuth = /** @class */ (function () {
relationId: 1,
},
filter: {
destEntity: e_3,
destEntity: e_4,
deActions: {
$contains: 'create',
},
@ -1006,7 +1030,7 @@ var RelationAuth = /** @class */ (function () {
var relationIds = aas2.map(function (ele) { return ele.relationId; });
var diff = (0, lodash_1.difference)(createIds_1, relationIds);
if (diff.length > 0) {
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_3, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_4, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
}
return '';
}));
@ -1015,14 +1039,14 @@ var RelationAuth = /** @class */ (function () {
var relationIds = aas.map(function (ele) { return ele.relationId; });
var diff = (0, lodash_1.difference)(createIds_1, relationIds);
if (diff.length > 0) {
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_3, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
return "\u60A8\u65E0\u6743\u521B\u5EFA\u300C".concat(e_4, "\u300D\u5BF9\u8C61\u4E0Aid\u4E3A\u300C").concat(diff.join(','), "\u300D\u7684\u7528\u6237\u6743\u9650");
}
}
}
if (['user', 'relation', 'oper', 'operEntity', 'modi', 'modiEntity', 'userRelation', 'actionAuth',
'freeActionAuth', 'relationAuth', 'userEntityGrant', 'relation'].includes(e_3)) {
'freeActionAuth', 'relationAuth', 'userEntityGrant', 'relation'].includes(e_4)) {
// 只要根对象能检查通过就算通过(暂定这个策略)
var r = this.checkSpecialEntity(e_3, {
var r = this.checkSpecialEntity(e_4, {
action: a,
data: d,
filter: f,
@ -1032,7 +1056,7 @@ var RelationAuth = /** @class */ (function () {
}
}
else {
if (!this.relationalChecker[e_3]) {
if (!this.relationalChecker[e_4]) {
throw new types_1.OakUserUnpermittedException("".concat(root.entity, "\u4E0A\u4E0D\u5B58\u5728\u6709\u6548\u7684actionPath"));
}
var checker = this.relationalChecker[root.entity](userId, actions || [root.action], root.data, root.filter, userRelations);


@ -893,22 +893,39 @@ export class RelationAuth<ED extends EntityDict & BaseEntityDict>{
}
else {
// 目前应该都有这两个属性包括select
const { entity: deduceEntity, entityId: deduceEntityId } = filter!;
let { entity: deduceEntity, entityId: deduceEntityId } = filter!;
// assert(deduceEntity, `${entity as string}对象上的${action}行为,必须带上${deduceAttr as string}的外键条件`);
// assert(deduceEntityId, `${entity as string}对象上的${action}行为,必须带上${deduceAttr as string}Id的外键条件`);
let deduceFilter: ED[keyof ED]['Selection']['filter'] = {};
if (deduceEntity && deduceEntityId) {
deduceFilter = { id: deduceEntityId };
}
else {
// 也可能是用cascade方式进行查找这里有时候filter上会带有两个不同的entity目标尚未处理todo!
const { ref } = this.schema[entity].attributes.entity;
assert (ref instanceof Array);
for (const refEntity of ref) {
if (filter![refEntity]) {
deduceEntity = refEntity;
deduceFilter = filter![refEntity];
break;
}
}
}
if (deduceEntity && deduceFilter) {
if (action === 'select') {
return {
entity: deduceEntity,
operation: {
action: 'select',
data: { id: 1 },
filter: { id: deduceEntityId },
filter: deduceFilter,
}
};
}
else {
// 目前对于非select和create的action只要有其父对象的update/remove属性即可以
// 目前对于非select和create的action只要有其父对象的某一update/remove属性即可以(这样设计可能不严谨)
const excludeActions = readOnlyActions.concat(['create']);
const updateActions = this.schema[deduceEntity].actions.filter(
(a) => !excludeActions.includes(a)
@ -919,9 +936,7 @@ export class RelationAuth<ED extends EntityDict & BaseEntityDict>{
operation: {
action: 'update',
data: {},
filter: {
id: deduceEntityId,
},
filter: deduceFilter,
},
actions: updateActions,
};
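Review bot: `deduceFilter` is initialised to `{}`, which is always truthy, so the new guard `if (deduceEntity && deduceFilter)` only tests `deduceEntity` and no longer proves that a filter was derived. When `filter` carries `entity` without `entityId` and none of the `ref` keys is present, the deduced permission check is built against the parent entity with an empty filter. How the checker treats an empty filter is not visible here, but it is presumably broader than the rows the operation targets. Leave the variable unset until a branch assigns it, e.g. `let deduceFilter: ED[keyof ED]['Selection']['filter'] | undefined = undefined;`, so that case falls through to whatever follows the `if`. The loop also stops at the first matching ref key, so a filter naming two ref entities is authorised against only one of them, as the todo comment admits; the enclosing method starts and ends outside these hunks.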