From 5d6f3c7bb33a479c4d726ba017f27241e8d9c16a Mon Sep 17 00:00:00 2001
From: inji-hanbin <hanbin@jinji-inc.com>
Date: Fri, 13 May 2022 20:10:42 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20=E6=9D=83=E9=99=90?=
 =?UTF-8?q?=E9=AA=8C=E8=AF=81=E5=AE=8C=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 arkid/core/api.py                  | 18 +++++------
 arkid/core/perm/permission_data.py | 48 +++++++++++++++++++++++++++---
 2 files changed, 52 insertions(+), 14 deletions(-)

diff --git a/arkid/core/api.py b/arkid/core/api.py
index c8171c066..f2b165980 100644
--- a/arkid/core/api.py
+++ b/arkid/core/api.py
@@ -79,16 +79,14 @@ def authenticate(self, request, token):
             if token.expired(request.tenant):
                 raise Exception(_('Token has expired','秘钥已经过期'))
 
-            # operation_id = request.operation_id
-            # if operation_id:
-            #     # 权限鉴定
-            #     apipermission = ApiPermission.valid_objects.filter(
-            #         operation_id=operation_id
-            #     ).first()
-            #     if apipermission:
-            #         print('存在api权限')
-            #     else:
-            #         print('不存在api权限')
+            operation_id = request.operation_id
+            if operation_id:
+                from arkid.core.perm.permission_data import PermissionData
+                permissiondata = PermissionData()
+                if token.user and request.tenant:
+                    result =permissiondata.api_system_permission_check(request.tenant, token.user, operation_id)
+                    if result == True:
+                        raise Exception(_('You do not have api permission','你没有这个接口的权限'))
         except ExpiringToken.DoesNotExist:
             logger.error(_("Invalid token","无效的秘钥"))
             return
diff --git a/arkid/core/perm/permission_data.py b/arkid/core/perm/permission_data.py
index ca2e2d42c..f6ed90239 100644
--- a/arkid/core/perm/permission_data.py
+++ b/arkid/core/perm/permission_data.py
@@ -35,6 +35,34 @@ def get_platfrom_tenant(self):
         )
         return tenant
     
+    def api_system_permission_check(self, tenant, user, operation_id):
+        '''
+        检查api接口权限
+        '''
+        systempermission = SystemPermission.valid_objects.filter(tenant=None, is_system=True, operation_id=operation_id, category='api').first()
+        if systempermission:
+            sort_id = systempermission.sort_id
+            permission_result_arr = self.get_permission_result(tenant, user, None)
+            if permission_result_arr and len(permission_result_arr) > sort_id and int(permission_result_arr[sort_id]) == 0:
+                return False
+        return True
+    
+    def get_permission_result(self, tenant, user, app):
+        '''
+        取得用户解码后的权限数组
+        '''
+        userpermissionresult = UserPermissionResult.valid_objects.filter(
+            user=user,
+            tenant=tenant,
+            app=app,
+        ).first()
+        compress = Compress()
+        permission_result_arr = []
+        if userpermissionresult:
+            permission_result = compress.decrypt(userpermissionresult.result)
+            permission_result_arr = list(permission_result)
+            return permission_result_arr
+
     def add_system_permission_to_user(self, tenant_id, user_id, permission_id):
         '''
         给某个用户增加系统权限
@@ -43,7 +71,19 @@ def add_system_permission_to_user(self, tenant_id, user_id, permission_id):
         user = User.valid_objects.filter(id=user_id).first()
         permission = SystemPermission.valid_objects.filter(id=permission_id).first()
         if tenant and user:
-            self.update_arkid_single_user_permission(tenant, user, permission)
+            self.update_arkid_single_user_permission(tenant, user, permission, 1)
+        else:
+            print('不存在租户或者用户无法更新')
+    
+    def remove_system_permission_to_user(self, tenant_id, user_id, permission_id):
+        '''
+        给某个用户删除系统权限
+        '''
+        tenant = Tenant.valid_objects.filter(id=tenant_id).first()
+        user = User.valid_objects.filter(id=user_id).first()
+        permission = SystemPermission.valid_objects.filter(id=permission_id).first()
+        if tenant and user:
+            self.update_arkid_single_user_permission(tenant, user, permission, 0)
         else:
             print('不存在租户或者用户无法更新')
 
@@ -54,7 +94,7 @@ def update_single_user_system_permission(self, tenant_id, user_id):
         tenant = Tenant.valid_objects.filter(id=tenant_id).first()
         user = User.valid_objects.filter(id=user_id).first()
         if tenant and user:
-            self.update_arkid_single_user_permission(tenant, user, None)
+            self.update_arkid_single_user_permission(tenant, user, None, None)
         else:
             print('不存在租户或者用户无法更新')
 
@@ -265,7 +305,7 @@ def update_arkid_all_user_permission(self):
                     userpermissionresult.result = compress_str_result
                     userpermissionresult.save()
 
-    def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission):
+    def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission, permission_value):
         '''
         更新指定用户权限
         '''
@@ -303,7 +343,7 @@ def update_arkid_single_user_permission(self, tenant, auth_user, pass_permission
             if hasattr(data_item, 'is_pass') == True and data_item.is_pass == 1:
                 continue
             if pass_permission != None and data_item.id == pass_permission.id:
-                data_item.is_pass = 1
+                data_item.is_pass = permission_value
                 continue
             # 如果是超级管理员直接就通过
             if auth_user.is_superuser: