/// <summary>
/// 移除指定角色名与实体类型的缓存项
/// </summary>
/// <param name="roleName">角色名称</param>
/// <param name="entityTypeFullName">实体类型名称</param>
/// <param name="operation">数据权限操作</param>
public void RemoveCache(string roleName, string entityTypeFullName, DataAuthOperation operation)
{
string key = GetKey(roleName, entityTypeFullName, operation);
string name = GetName(roleName, entityTypeFullName, operation);
_cache.Remove(key);
_logger.LogDebug($"移除{name}的数据权限规则缓存");
}
/// <summary>
/// 获取指定查询条件组的查询表达式,并综合数据权限
/// </summary>
/// <typeparam name="T">实体类型</typeparam>
/// <param name="group">传入的查询条件组,为空时则只返回数据权限过滤器</param>
/// <param name="operation">数据权限操作</param>
/// <returns>综合之后的表达式</returns>
public virtual Expression <Func <T, bool> > GetDataFilterExpression <T>(FilterGroup group = null,
DataAuthOperation operation = DataAuthOperation.Read)
{
Expression <Func <T, bool> > exp = m => true;
if (group != null)
{
exp = GetExpression <T>(group);
}
//从缓存中查找当前用户的角色与实体T的过滤条件
ClaimsPrincipal user = _serviceProvider.GetCurrentUser();
if (user == null)
{
return(exp);
}
IDataAuthCache dataAuthCache = _serviceProvider.GetService <IDataAuthCache>();
if (dataAuthCache == null)
{
return(exp);
}
// 要判断数据权限功能,先要排除没有执行当前功能权限的角色,判断剩余角色的数据权限
string[] roleNames = user.Identity.GetRoles();
ScopedDictionary scopedDict = _serviceProvider.GetService <ScopedDictionary>();
if (scopedDict?.Function != null)
{
roleNames = scopedDict.DataAuthValidRoleNames;
}
string typeName = typeof(T).GetFullNameWithModule();
Expression <Func <T, bool> > subExp = null;
foreach (string roleName in roleNames)
{
FilterGroup subGroup = dataAuthCache.GetFilterGroup(roleName, typeName, operation);
if (subGroup == null)
{
continue;
}
subExp = subExp == null?GetExpression <T>(subGroup) : subExp.Or(GetExpression <T>(subGroup));
}
if (subExp != null)
{
if (group == null)
{
return(subExp);
}
exp = subExp.And(exp);
}
return(exp);
}
/// <summary>
/// 检查指定操作的数据权限,验证要操作的数据是否符合特定的验证委托
/// </summary>
/// <typeparam name="TEntity">实体类型</typeparam>
/// <param name="operation">数据权限操作</param>
/// <param name="entities">待检测的实体数据</param>
/// <returns>是否有权限</returns>
public bool CheckDataAuth <TEntity>(DataAuthOperation operation, params TEntity[] entities)
{
if (entities.Length == 0)
{
return(true);
}
Expression <Func <TEntity, bool> > exp = GetDataFilter <TEntity>(operation);
Func <TEntity, bool> func = exp.Compile();
bool has = entities.All(func);
return(has);
}
/// <summary>
/// 检查指定操作的数据权限,验证要操作的数据是否符合特定的验证委托
/// </summary>
/// <param name="operation">数据权限操作</param>
/// <param name="entities">要验证的实体对象</param>
private void CheckDataAuth(DataAuthOperation operation, params TEntity[] entities)
{
if (entities.Length == 0 || _dataAuthService == null)
{
return;
}
bool flag = _dataAuthService.CheckDataAuth <TEntity>(operation, entities);
if (!flag)
{
throw new OsharpException($"实体 {typeof(TEntity)} 的数据 {entities.ExpandAndToString(m => m.Id.ToString())} 进行 {operation.ToDescription()} 操作时权限不足");
}
}
/// <summary>
/// 检查指定操作的数据权限,验证要操作的数据是否符合特定的验证委托
/// </summary>
/// <param name="operation">数据权限操作</param>
/// <param name="entities">要验证的实体对象</param>
private static void CheckDataAuth(DataAuthOperation operation, params TEntity[] entities)
{
if (entities.Length == 0)
{
return;
}
Expression <Func <TEntity, bool> > exp = GetDataFilter(operation);
Func <TEntity, bool> func = exp.Compile();
bool flag = entities.All(func);
if (!flag)
{
throw new OsharpException($"实体 {typeof(TEntity)} 的数据 {entities.ExpandAndToString(m => m.Id.ToString())} 进行 {operation.ToDescription()} 操作时权限不足");
}
}
/// <summary>
/// 获取指定角色和实体的过滤条件组
/// </summary>
/// <param name="roleId">角色编号</param>
/// <param name="entityId">实体编号</param>
/// <param name="operation">操作</param>
/// <returns>过滤条件组</returns>
public virtual FilterGroup[] GetEntityRoleFilterGroups(TRoleKey roleId, Guid entityId, DataAuthOperation operation)
{
return(_entityRoleRepository.Query(m => m.RoleId.Equals(roleId) && m.EntityId == entityId && m.Operation == operation)
.Select(m => m.FilterGroupJson).ToArray().Select(m => m.FromJsonString <FilterGroup>()).ToArray());
}
private static string GetName(string roleName, string entityTypeFullName, DataAuthOperation operation)
{
return($"角色“{roleName}”和实体“{entityTypeFullName}”和操作“{operation}”");
}
private static string GetKey(string roleName, string entityTypeFullName, DataAuthOperation operation)
{
return($"Security_EntityRole_{roleName}_{entityTypeFullName}_{operation}");
}
/// <summary>
/// 获取指定角色名与实体类型的数据权限过滤规则
/// </summary>
/// <param name="roleName">角色名称</param>
/// <param name="entityTypeFullName">实体类型名称</param>
/// <returns>数据过滤条件组</returns>
/// <param name="operation">数据权限操作</param>
public virtual FilterGroup GetFilterGroup(string roleName, string entityTypeFullName, DataAuthOperation operation)
{
string key = GetKey(roleName, entityTypeFullName, operation);
return(_cache.Get <FilterGroup>(key));
}
private static Expression <Func <TEntity, bool> > GetDataFilter(DataAuthOperation operation)
{
return(FilterHelper.GetDataFilterExpression <TEntity>(operation: operation));
}
private static string GetKey(string roleName, string entityTypeFullName, DataAuthOperation operation)
{
return($"Auth:Data:EntityRole:{roleName}:{entityTypeFullName}:{operation}");
}