/// <summary>
/// 重写以实现 角色限制 的功能的功能权限检查
/// </summary>
/// <param name="function">要验证的功能信息</param>
/// <param name="principal">用户在线信息</param>
/// <returns>功能权限验证结果</returns>
protected virtual AuthorizationResult AuthorizeRoleLimit(IFunction function, IPrincipal principal)
{
//角色限制
if (!(principal.Identity is ClaimsIdentity identity))
{
return(new AuthorizationResult(AuthorizationStatus.Error, "当前用户标识IIdentity格式不正确,仅支持ClaimsIdentity类型的用户标识"));
}
if (!(function is TFunction func))
{
return(new AuthorizationResult(AuthorizationStatus.Error, $"要检测的功能类型为“{function.GetType()}”,不是要求的“{typeof(TFunction)}”类型"));
}
//检查角色-功能的权限
string[] userRoleNames = identity.GetRoles().ToArray();
//如果是超级管理员角色,直接通过
if (userRoleNames.Contains(SuperRoleName))
{
return(AuthorizationResult.OK);
}
string[] functionRoleNames = FunctionAuthCache.GetFunctionRoles(func.Id);
if (userRoleNames.Intersect(functionRoleNames).Any())
{
return(AuthorizationResult.OK);
}
//检查用户-功能的权限
Guid[] functionIds = FunctionAuthCache.GetUserFunctions(identity.GetUserName());
if (functionIds.Contains(func.Id))
{
return(AuthorizationResult.OK);
}
return(new AuthorizationResult(AuthorizationStatus.Forbidden));
}
/// <summary>
/// 获取功能权限检查通过的角色
/// </summary>
/// <param name="function">要检查的功能</param>
/// <param name="principal">在线用户信息</param>
/// <returns>通过的角色</returns>
public virtual string[] GetOkRoles(IFunction function, IPrincipal principal)
{
if (!principal.Identity.IsAuthenticated)
{
return(new string[0]);
}
string[] userRoles = principal.Identity.GetRoles();
string[] functionRoles = FunctionAuthCache.GetFunctionRoles(function.Id);
return(userRoles.Intersect(functionRoles).ToArray());
}
/// <summary>
/// 重写以实现指定用户是否有执行指定功能的权限
/// </summary>
/// <param name="function">功能信息</param>
/// <param name="userName">用户名</param>
/// <returns>功能权限检查结果</returns>
protected virtual AuthorizationResult AuthorizeUserName(IFunction function, string userName)
{
if (function.AccessType != FunctionAccessType.RoleLimit)
{
return(AuthorizationResult.OK);
}
Guid[] functionIds = FunctionAuthCache.GetUserFunctions(userName);
if (functionIds.Contains(function.Id))
{
return(AuthorizationResult.OK);
}
return(new AuthorizationResult(AuthorizationStatus.Forbidden));
}
/// <summary>
/// 获取功能权限检查通过的角色
/// </summary>
/// <param name="function">要检查的功能</param>
/// <param name="principal">在线用户信息</param>
/// <returns>通过的角色</returns>
public virtual string[] GetOkRoles(IFunction function, IPrincipal principal)
{
if (!principal.Identity.IsAuthenticated)
{
return(new string[0]);
}
string[] userRoles = principal.Identity.GetRoles();
if (function.AccessType != FunctionAccessType.RoleLimit)
{
//不是角色限制的功能,允许用户的所有角色
return(userRoles);
}
string[] functionRoles = FunctionAuthCache.GetFunctionRoles(function.Id);
return(userRoles.Intersect(functionRoles).ToArray());
}
/// <summary>
/// 设置模块拥有的功能
/// </summary>
/// <param name="id">模块编号</param>
/// <param name="functionIds">功能编号集合</param>
/// <returns></returns>
public virtual async Task <OperationResult> SetModuleFunctions(TModuleKey id, TFunctionKey[] functionIds)
{
var module = ModuleRepository.TrackEntities.Where(m => m.Id.Equals(id)).Select(m => new
{
Data = m,
FunctionIds = m.Functions.Select(n => n.Id)
}).FirstOrDefault();
if (module == null)
{
return(new OperationResult(OperationResultType.QueryNull, "编号为“{0}”的模块信息不存在".FormatWith(id)));
}
TModule entity = module.Data;
TFunctionKey[] addFunctionIds = functionIds.Except(module.FunctionIds).Distinct().ToArray();
if (addFunctionIds.Length > 0)
{
TFunction[] functions = FunctionRepository.TrackEntities.Where(m => addFunctionIds.Contains(m.Id)).ToArray();
foreach (TFunction function in functions)
{
entity.Functions.Add(function);
}
}
TFunctionKey[] removeFunctionIds = module.FunctionIds.Except(functionIds).Distinct().ToArray();
if (removeFunctionIds.Length > 0)
{
TFunction[] functions = FunctionRepository.TrackEntities.Where(m => removeFunctionIds.Contains(m.Id)).ToArray();
foreach (TFunction function in functions)
{
entity.Functions.Remove(function);
}
}
int count = await ModuleRepository.UpdateAsync(entity);
if (count > 0)
{
//移除 涉及功能的功能权限缓存,使其更新
TFunctionKey[] relateFunctionIds = addFunctionIds.Union(removeFunctionIds).Distinct().ToArray();
FunctionAuthCache.RemoveFunctionCaches(relateFunctionIds);
return(new OperationResult(OperationResultType.Success,
"模块“{0}”设置功能成功,共添加 {1} 个功能,移除 {2} 个功能。".FormatWith(entity.Name, addFunctionIds.Length, removeFunctionIds.Length)));
}
return(OperationResult.NoChanged);
}
/// <summary>
/// 重写以实现指定角色是否有执行指定功能的权限
/// </summary>
/// <param name="function">功能信息</param>
/// <param name="roleNames">角色名称</param>
/// <returns>功能权限检查结果</returns>
protected virtual AuthorizationResult AuthorizeRoleNames(IFunction function, params string[] roleNames)
{
Check.NotNull(roleNames, nameof(roleNames));
if (roleNames.Length == 0)
{
return(new AuthorizationResult(AuthorizationStatus.Forbidden));
}
if (function.AccessType != FunctionAccessType.RoleLimit || roleNames.Contains(SuperRoleName))
{
return(AuthorizationResult.OK);
}
string[] functionRoleNames = FunctionAuthCache.GetFunctionRoles(function.Id);
if (roleNames.Intersect(functionRoleNames).Any())
{
return(AuthorizationResult.OK);
}
return(new AuthorizationResult(AuthorizationStatus.Forbidden));
}
