diff --git a/arkid/core/api.py b/arkid/core/api.py
index c8171c066..f2b165980 100644
--- a/arkid/core/api.py
+++ b/arkid/core/api.py
@@ -79,16 +79,14 @@ def authenticate(self, request, token):
 if token.expired(request.tenant):
 raise Exception(_('Token has expired','秘钥已经过期'))
- # operation_id = request.operation_id
- # if operation_id:
- # # 权限鉴定
- # apipermission = ApiPermission.valid_objects.filter(
- # operation_id=operation_id
- # ).first()
- # if apipermission:
- # print('存在api权限')
- # else:
- # print('不存在api权限')
+ operation_id = request.operation_id
+ if operation_id:
+ from arkid.core.perm.permission_data import PermissionData
+ permissiondata = PermissionData()
+ if token.user and request.tenant:
+ result =permissiondata.api_system_permission_check(request.tenant, token.user, operation_id)
+ if result == True:
+ raise Exception(_('You do not have api permission','你没有这个接口的权限'))
 except ExpiringToken.DoesNotExist:
 logger.error(_("Invalid token","无效的秘钥"))
 return
diff --git a/arkid/core/perm/permission_data.py b/arkid/core/perm/permission_data.py
index ca2e2d42c..f6ed90239 100644
--- a/arkid/core/perm/permission_data.py
+++ b/arkid/core/perm/permission_data.py
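Review bot: The authorization test on the new line `if result == True:` is inverted: `api_system_permission_check`, added in the same commit in permission_data.py, returns False when the user's permission bit for the operation is 0 and True in every other case, so the `You do not have api permission` exception is raised for callers that hold the permission while every caller that lacks it is let through. The condition should read `if not result:`. Even with that fix the check is fail-open: it is skipped whenever `request.tenant` or `token.user` is falsy, and the callee answers True when no matching SystemPermission or no stored UserPermissionResult exists, so whether an unknown operation_id should be allowed deserves an explicit comment such as `# NOTE: unknown operation_id or missing permission result currently allows the request`. The assignment `result =permissiondata...` is also missing the space after `=`. The enclosing `authenticate` and its `try` block begin before and end after this hunk.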
@@ -35,6 +35,34 @@ def get_platfrom_tenant(self):
 )
 return tenant
+ def api_system_permission_check(self, tenant, user, operation_id):
+ '''
+ 检查api接口权限
+ '''
+ systempermission = SystemPermission.valid_objects.filter(tenant=None, is_system=True, operation_id=operation_id, category='api').first()
+ if systempermission:
+ sort_id = systempermission.sort_id
+ permission_result_arr = self.get_permission_result(tenant, user, None)
+ if permission_result_arr and len(permission_result_arr) > sort_id and int(permission_result_arr[sort_id]) == 0:
+ return False
+ return True
+
+ def get_permission_result(self, tenant, user, app):
+ '''
+ 取得用户解码后的权限数组
+ '''
+ userpermissionresult = UserPermissionResult.valid_objects.filter(
+ user=user,
+ tenant=tenant,
+ app=app,
+ ).first()
+ compress = Compress()
+ permission_result_arr = []
+ if userpermissionresult:
+ permission_result = compress.decrypt(userpermissionresult.result)
+ permission_result_arr = list(permission_result)
+ return permission_result_arr
+
 def add_system_permission_to_user(self, tenant_id, user_id, permission_id):
 '''
 给某个用户增加系统权限
@@ -43,7 +71,19 @@ def add_system_permission_to_user(self, tenant_id, user_id, permission_id):
 user = User.valid_objects.filter(id=user_id).first()
 permission = SystemPermission.valid_objects.filter(id=permission_id).first()
 if tenant and user:
- self.update_arkid_single_user_permission(tenant, user, permission)
+ self.update_arkid_single_user_permission(tenant, user, permission, 1)
+ else:
+ print('不存在租户或者用户无法更新')
+
+ def remove_system_permission_to_user(self, tenant_id, user_id, permission_id):
+ '''
+ 给某个用户删除系统权限
+ '''
+ tenant = Tenant.valid_objects.filter(id=tenant_id).first()
+ user = User.valid_objects.filter(id=user_id).first()
+ permission = SystemPermission.valid_objects.filter(id=permission_id).first()
+ if tenant and user:
+ self.update_arkid_single_user_permission(tenant, user, permission, 0)
 else:
 print('不存在租户或者用户无法更新')
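Review bot: `api_system_permission_check` returns True in every case but one — no SystemPermission row for the operation_id, an empty or too-short decoded result array, or a non-zero bit — so an unknown operation and a user with no UserPermissionResult row are implicitly permitted; if that is intended it must be documented, and if not, the case where `systempermission` was found but `permission_result_arr` does not cover `sort_id` should end in `return False`. The docstring should state the contract, e.g. `Return False only when the user's decoded permission bit at the permission's sort_id is 0; True otherwise, including when no SystemPermission or no stored UserPermissionResult exists.` In `get_permission_result` the elements of the list built from `compress.decrypt(...)` are later fed to `int()`, so its docstring should say what `Compress.decrypt` yields (presumably a string of '0'/'1' characters — confirm against Compress). Both methods are complete within the hunk.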
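Review bot: `remove_system_permission_to_user` (second hunk of this file) is a line-for-line copy of `add_system_permission_to_user` with only the last argument changed from 1 to 0; the three lookups and the `print` fallback belong in one private helper both methods delegate to, so a later change (for example replacing `print` with `logger`) is made once. Neither method checks that `permission` was found: a `permission_id` that matches nothing forwards `None`, which the callee treats the same as the `None` passed by `update_single_user_system_permission` rather than as an error, so an explicit `if permission is None:` branch with its own message is worth adding. The start of `add_system_permission_to_user` (docstring and the `tenant` lookup) lies above this hunk.
```python
    def add_system_permission_to_user(self, tenant_id, user_id, permission_id):
        '''
        给某个用户增加系统权限
        '''
        self._set_system_permission_for_user(tenant_id, user_id, permission_id, 1)

    def remove_system_permission_to_user(self, tenant_id, user_id, permission_id):
        '''
        给某个用户删除系统权限
        '''
        self._set_system_permission_for_user(tenant_id, user_id, permission_id, 0)

    def _set_system_permission_for_user(self, tenant_id, user_id, permission_id, permission_value):
        '''
        Look up tenant, user and permission by id and forward them to
        update_arkid_single_user_permission with the given is_pass value.
        '''
        tenant = Tenant.valid_objects.filter(id=tenant_id).first()
        user = User.valid_objects.filter(id=user_id).first()
        permission = SystemPermission.valid_objects.filter(id=permission_id).first()
        if tenant and user:
            self.update_arkid_single_user_permission(tenant, user, permission, permission_value)
        else:
            print('不存在租户或者用户无法更新')
```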
@@ -54,7 +94,7 @@ def update_single_user_system_permission(self, tenant_id, user_id):
 tenant = Tenant.valid_objects.filter(id=tenant_id).first()
 user = User.valid_objects.filter(id=user_id).first()
 if tenant and user:
- self.update_arkid_single_user_permission(tenant, user, None)
+ self.update_arkid_single_user_permission(tenant, user, None, None)
 else:
 print('不存在租户或者用户无法更新')
@@ -265,7 +305,7 @@ def update_arkid_all_user_permission(self):
 userpermissionresult.result = compress_str_result
 userpermissionresult.save()
- def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission):
+ def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission, permission_value):
 '''
 更新指定用户权限
 '''
@@ -303,7 +343,7 @@ def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission
 if hasattr(data_item, 'is_pass') == True and data_item.is_pass == 1:
 continue
 if pass_permission != None and data_item.id == pass_permission.id:
- data_item.is_pass = 1
+ data_item.is_pass = permission_value
 continue
 # 如果是超级管理员直接就通过
 if auth_user.is_superuser:
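Review bot: The new `permission_value` parameter in the `@@ -265` hunk has no default, so any caller outside the two files touched here that still passes three arguments now fails with a TypeError; since the previous behaviour was always `is_pass = 1`, the compatible signature is `def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission, permission_value=1):`. The `@@ -303` hunk then stores `permission_value` unchecked, so a caller supplying `None` together with a real `pass_permission` would persist `is_pass = None`, which the `data_item.is_pass == 1` test a few lines above treats as not passed — the `None, None` call in `update_single_user_system_permission` only avoids this because `pass_permission` is also None. Validating `permission_value in (0, 1)` whenever `pass_permission` is given, and documenting the parameter in the docstring (`permission_value: 1 to grant, 0 to revoke is_pass on pass_permission`), would close that gap. The method body continues well past both hunks.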