/// <summary>
/// Grants the permissions listed in <paramref name="permissions"/> to the user with the given <paramref name="id"/>.
/// A permission the user already receives through one of their roles is not duplicated as a direct grant;
/// an existing direct "Exclude" entry is removed (role already covers it) or flipped to "Include".
/// </summary>
/// <param name="id">Id of the user to modify.</param>
/// <param name="permissions">Permission ids to grant; a null or empty list is a no-op.</param>
/// <param name="allowedClientIds">
/// Client ids the caller is allowed to manage, or null for an unrestricted caller. Only forwarded to
/// <c>GetRolesAndPermissionsAsync</c>; this method itself does not check that each requested permission
/// belongs to one of those clients.
/// NOTE(review): verify in the caller/repository that a scoped admin cannot grant permissions of clients
/// outside <paramref name="allowedClientIds"/>; nothing visible here enforces that.
/// </param>
/// <exception cref="IamException">Thrown with <see cref="HttpStatusCode.BadRequest"/> when the user does not exist.</exception>
public async Task AssignPermissionsAsync(string id, AssignPermissionToUserDto permissions, IEnumerable<string> allowedClientIds = null)
{
    // Nothing requested: leave the user untouched rather than loading them.
    if (permissions == null || permissions.PermissionIds == null || !permissions.PermissionIds.Any())
    {
        return;
    }

    // Writable load: the user aggregate is mutated below.
    var user = await _userRepo.GetAsync(id, isReadonly: false);
    if (user == null)
    {
        throw new IamException(HttpStatusCode.BadRequest, "用户不存在");
    }

    var owned = await GetRolesAndPermissionsAsync(id, allowedClientIds, true);

    foreach (var permissionId in permissions.PermissionIds)
    {
        // Direct (user-level) entry for this permission, if any.
        var direct = user.UserPermissions.SingleOrDefault(up => up.PermissionId == permissionId);

        // Whether any of the user's roles already carries this permission.
        var grantedByRole = owned.Roles.Any(role =>
            role.Permissions != null && role.Permissions.Any(p => p.Id == permissionId));

        if (direct == null)
        {
            // Only add a direct grant when no role already provides the permission.
            if (!grantedByRole)
            {
                user.AddPermission(permissionId, PermissionAction.Include);
            }
            continue;
        }

        // Already directly included: nothing to change.
        if (direct.Action == PermissionAction.Include)
        {
            continue;
        }

        // Existing direct entry is an exclusion.
        if (grantedByRole)
        {
            // The role already includes it, so dropping the exclusion is enough.
            user.RemovePermission(direct);
        }
        else
        {
            direct.Update(PermissionAction.Include);
        }
    }
}
/// <summary>
/// Removes the listed permissions from the user with the given <paramref name="id"/>.
/// </summary>
/// <param name="id">Id of the user to modify.</param>
/// <param name="permissions">Permission ids to remove; a null body or null list is a no-op that still returns 200.</param>
/// <returns>200 OK once the service call has completed (or immediately when there is nothing to remove).</returns>
public async Task<ActionResult> RemovePermissions(string id, AssignPermissionToUserDto permissions)
{
    if (permissions == null || permissions.PermissionIds == null)
    {
        return Ok();
    }

    // Only the platform super admin is unrestricted; every other admin is scoped to the
    // Client ids carried in their own token, so pass those through to the service.
    var allowedClientIds = User.IsSuperAdmin()
        ? null
        : User.FindAll(JwtClaimTypes.ClientId).Select(claim => claim.Value);

    await _userService.RemovePermissionsAsync(id, permissions.PermissionIds, allowedClientIds);
    return Ok();
}