633bf8c62d
- TenantContext 新增 permission_data_scopes: HashMap<String, DataScope> - DataScope 枚举: All/SelfOnly/Department/DepartmentTree - JWT 中间件查询 role_permissions.data_scope 填充到上下文 - rbac::get_data_scope() 供 service 层按权限获取数据范围 - 默认 All,完全向后兼容现有行为
103 lines
3.3 KiB
Rust
103 lines
3.3 KiB
Rust
use crate::error::AppError;
|
||
use crate::types::{DataScope, TenantContext};
|
||
|
||
/// Check whether the `TenantContext` includes the specified permission code.
|
||
///
|
||
/// Returns `Ok(())` if the permission is present, or `AppError::Forbidden` otherwise.
|
||
pub fn require_permission(ctx: &TenantContext, permission: &str) -> Result<(), AppError> {
|
||
if ctx.permissions.iter().any(|p| p == permission) {
|
||
Ok(())
|
||
} else {
|
||
Err(AppError::Forbidden("权限不足".to_string()))
|
||
}
|
||
}
|
||
|
||
/// Check whether the `TenantContext` includes at least one of the specified permission codes.
|
||
///
|
||
/// Useful when multiple permissions can grant access to the same resource.
|
||
pub fn require_any_permission(ctx: &TenantContext, permissions: &[&str]) -> Result<(), AppError> {
|
||
let has_any = permissions
|
||
.iter()
|
||
.any(|p| ctx.permissions.iter().any(|up| up == *p));
|
||
|
||
if has_any {
|
||
Ok(())
|
||
} else {
|
||
Err(AppError::Forbidden("权限不足".to_string()))
|
||
}
|
||
}
|
||
|
||
/// Check whether the `TenantContext` includes the specified role code.
|
||
///
|
||
/// Returns `Ok(())` if the role is present, or `AppError::Forbidden` otherwise.
|
||
pub fn require_role(ctx: &TenantContext, role: &str) -> Result<(), AppError> {
|
||
if ctx.roles.iter().any(|r| r == role) {
|
||
Ok(())
|
||
} else {
|
||
Err(AppError::Forbidden("权限不足".to_string()))
|
||
}
|
||
}
|
||
|
||
/// 获取指定权限的数据范围。默认 All(向后兼容)。
|
||
///
|
||
/// Service 层根据返回值追加对应的查询过滤条件。
|
||
pub fn get_data_scope(ctx: &TenantContext, permission: &str) -> DataScope {
|
||
ctx.permission_data_scopes
|
||
.get(permission)
|
||
.cloned()
|
||
.unwrap_or(DataScope::All)
|
||
}
|
||
|
||
#[cfg(test)]
|
||
mod tests {
|
||
use super::*;
|
||
use uuid::Uuid;
|
||
|
||
fn test_ctx(roles: Vec<&str>, permissions: Vec<&str>) -> TenantContext {
|
||
TenantContext {
|
||
tenant_id: Uuid::now_v7(),
|
||
user_id: Uuid::now_v7(),
|
||
roles: roles.into_iter().map(String::from).collect(),
|
||
permissions: permissions.into_iter().map(String::from).collect(),
|
||
department_ids: vec![],
|
||
permission_data_scopes: std::collections::HashMap::new(),
|
||
}
|
||
}
|
||
|
||
#[test]
|
||
fn require_permission_succeeds_when_present() {
|
||
let ctx = test_ctx(vec![], vec!["user.read", "user.write"]);
|
||
assert!(require_permission(&ctx, "user.read").is_ok());
|
||
}
|
||
|
||
#[test]
|
||
fn require_permission_fails_when_missing() {
|
||
let ctx = test_ctx(vec![], vec!["user.read"]);
|
||
assert!(require_permission(&ctx, "user.delete").is_err());
|
||
}
|
||
|
||
#[test]
|
||
fn require_any_permission_succeeds_with_match() {
|
||
let ctx = test_ctx(vec![], vec!["user.read"]);
|
||
assert!(require_any_permission(&ctx, &["user.delete", "user.read"]).is_ok());
|
||
}
|
||
|
||
#[test]
|
||
fn require_any_permission_fails_with_no_match() {
|
||
let ctx = test_ctx(vec![], vec!["user.read"]);
|
||
assert!(require_any_permission(&ctx, &["user.delete", "user.admin"]).is_err());
|
||
}
|
||
|
||
#[test]
|
||
fn require_role_succeeds_when_present() {
|
||
let ctx = test_ctx(vec!["admin", "user"], vec![]);
|
||
assert!(require_role(&ctx, "admin").is_ok());
|
||
}
|
||
|
||
#[test]
|
||
fn require_role_fails_when_missing() {
|
||
let ctx = test_ctx(vec!["user"], vec![]);
|
||
assert!(require_role(&ctx, "admin").is_err());
|
||
}
|
||
}
|