/// <summary> /// 重写以实现 角色限制 的功能的功能权限检查 /// </summary> /// <param name="function">要验证的功能信息</param> /// <param name="principal">用户在线信息</param> /// <returns>功能权限验证结果</returns> protected virtual AuthorizationResult AuthorizeRoleLimit(IFunction function, IPrincipal principal) { //角色限制 if (!(principal.Identity is ClaimsIdentity identity)) { return(new AuthorizationResult(AuthorizationStatus.Error, "当前用户标识IIdentity格式不正确,仅支持ClaimsIdentity类型的用户标识")); } if (!(function is TFunction func)) { return(new AuthorizationResult(AuthorizationStatus.Error, $"要检测的功能类型为“{function.GetType()}”,不是要求的“{typeof(TFunction)}”类型")); } //检查角色-功能的权限 string[] userRoleNames = identity.GetRoles().ToArray(); //如果是超级管理员角色,直接通过 if (userRoleNames.Contains(SuperRoleName)) { return(AuthorizationResult.OK); } string[] functionRoleNames = FunctionAuthCache.GetFunctionRoles(func.Id); if (userRoleNames.Intersect(functionRoleNames).Any()) { return(AuthorizationResult.OK); } //检查用户-功能的权限 Guid[] functionIds = FunctionAuthCache.GetUserFunctions(identity.GetUserName()); if (functionIds.Contains(func.Id)) { return(AuthorizationResult.OK); } return(new AuthorizationResult(AuthorizationStatus.Forbidden)); }
/// <summary> /// 获取功能权限检查通过的角色 /// </summary> /// <param name="function">要检查的功能</param> /// <param name="principal">在线用户信息</param> /// <returns>通过的角色</returns> public virtual string[] GetOkRoles(IFunction function, IPrincipal principal) { if (!principal.Identity.IsAuthenticated) { return(new string[0]); } string[] userRoles = principal.Identity.GetRoles(); string[] functionRoles = FunctionAuthCache.GetFunctionRoles(function.Id); return(userRoles.Intersect(functionRoles).ToArray()); }
/// <summary> /// 重写以实现指定用户是否有执行指定功能的权限 /// </summary> /// <param name="function">功能信息</param> /// <param name="userName">用户名</param> /// <returns>功能权限检查结果</returns> protected virtual AuthorizationResult AuthorizeUserName(IFunction function, string userName) { if (function.AccessType != FunctionAccessType.RoleLimit) { return(AuthorizationResult.OK); } Guid[] functionIds = FunctionAuthCache.GetUserFunctions(userName); if (functionIds.Contains(function.Id)) { return(AuthorizationResult.OK); } return(new AuthorizationResult(AuthorizationStatus.Forbidden)); }
/// <summary> /// 获取功能权限检查通过的角色 /// </summary> /// <param name="function">要检查的功能</param> /// <param name="principal">在线用户信息</param> /// <returns>通过的角色</returns> public virtual string[] GetOkRoles(IFunction function, IPrincipal principal) { if (!principal.Identity.IsAuthenticated) { return(new string[0]); } string[] userRoles = principal.Identity.GetRoles(); if (function.AccessType != FunctionAccessType.RoleLimit) { //不是角色限制的功能,允许用户的所有角色 return(userRoles); } string[] functionRoles = FunctionAuthCache.GetFunctionRoles(function.Id); return(userRoles.Intersect(functionRoles).ToArray()); }
/// <summary> /// 设置模块拥有的功能 /// </summary> /// <param name="id">模块编号</param> /// <param name="functionIds">功能编号集合</param> /// <returns></returns> public virtual async Task <OperationResult> SetModuleFunctions(TModuleKey id, TFunctionKey[] functionIds) { var module = ModuleRepository.TrackEntities.Where(m => m.Id.Equals(id)).Select(m => new { Data = m, FunctionIds = m.Functions.Select(n => n.Id) }).FirstOrDefault(); if (module == null) { return(new OperationResult(OperationResultType.QueryNull, "编号为“{0}”的模块信息不存在".FormatWith(id))); } TModule entity = module.Data; TFunctionKey[] addFunctionIds = functionIds.Except(module.FunctionIds).Distinct().ToArray(); if (addFunctionIds.Length > 0) { TFunction[] functions = FunctionRepository.TrackEntities.Where(m => addFunctionIds.Contains(m.Id)).ToArray(); foreach (TFunction function in functions) { entity.Functions.Add(function); } } TFunctionKey[] removeFunctionIds = module.FunctionIds.Except(functionIds).Distinct().ToArray(); if (removeFunctionIds.Length > 0) { TFunction[] functions = FunctionRepository.TrackEntities.Where(m => removeFunctionIds.Contains(m.Id)).ToArray(); foreach (TFunction function in functions) { entity.Functions.Remove(function); } } int count = await ModuleRepository.UpdateAsync(entity); if (count > 0) { //移除 涉及功能的功能权限缓存,使其更新 TFunctionKey[] relateFunctionIds = addFunctionIds.Union(removeFunctionIds).Distinct().ToArray(); FunctionAuthCache.RemoveFunctionCaches(relateFunctionIds); return(new OperationResult(OperationResultType.Success, "模块“{0}”设置功能成功,共添加 {1} 个功能,移除 {2} 个功能。".FormatWith(entity.Name, addFunctionIds.Length, removeFunctionIds.Length))); } return(OperationResult.NoChanged); }
/// <summary> /// 重写以实现指定角色是否有执行指定功能的权限 /// </summary> /// <param name="function">功能信息</param> /// <param name="roleNames">角色名称</param> /// <returns>功能权限检查结果</returns> protected virtual AuthorizationResult AuthorizeRoleNames(IFunction function, params string[] roleNames) { Check.NotNull(roleNames, nameof(roleNames)); if (roleNames.Length == 0) { return(new AuthorizationResult(AuthorizationStatus.Forbidden)); } if (function.AccessType != FunctionAccessType.RoleLimit || roleNames.Contains(SuperRoleName)) { return(AuthorizationResult.OK); } string[] functionRoleNames = FunctionAuthCache.GetFunctionRoles(function.Id); if (roleNames.Intersect(functionRoleNames).Any()) { return(AuthorizationResult.OK); } return(new AuthorizationResult(AuthorizationStatus.Forbidden)); }