107 lines
3.5 KiB
Python
107 lines
3.5 KiB
Python
|
"""简化的权限检查系统."""
|
|||
|
|
|
|||
|
|
from functools import wraps
|
|||
|
|
from typing import Optional
|
|||
|
|
from fastapi import HTTPException, Depends
|
|||
|
|
from loguru import logger
|
|||
|
|
from sqlalchemy.orm import Session
|
|||
|
|
|
|||
|
|
from ..db.database import get_session
|
|||
|
|
from ..models.user import User
|
|||
|
|
from ..models.permission import Role
|
|||
|
|
from ..services.auth import AuthService
|
|||
|
|
|
|||
|
|
|
|||
|
|
async def is_super_admin(user: User, session: Session) -> bool:
|
|||
|
|
"""检查用户是否为超级管理员."""
|
|||
|
|
session.desc = f"检查用户 {user.id} 是否为超级管理员"
|
|||
|
|
if not user or not user.is_active:
|
|||
|
|
session.desc = f"用户 {user.id} 不是活跃状态"
|
|||
|
|
return False
|
|||
|
|
|
|||
|
|
try:
|
|||
|
|
# 直接使用提供的session查询,避免MissingGreenlet错误
|
|||
|
|
from sqlalchemy import select
|
|||
|
|
from ..models.permission import UserRole, Role
|
|||
|
|
|
|||
|
|
stmt = select(UserRole).join(Role).filter(
|
|||
|
|
UserRole.user_id == user.id,
|
|||
|
|
Role.code == 'SUPER_ADMIN',
|
|||
|
|
Role.is_active == True
|
|||
|
|
)
|
|||
|
|
user_role = await session.execute(stmt)
|
|||
|
|
result = user_role.scalar_one_or_none() is not None
|
|||
|
|
session.desc = f"用户 {user.id} 超级管理员角色查询结果: {result}"
|
|||
|
|
return result
|
|||
|
|
except Exception as e:
|
|||
|
|
# 如果调用失败,记录错误并返回False
|
|||
|
|
session.desc = f"EXCEPTION: 用户 {user.id} 超级管理员角色查询失败: {str(e)}"
|
|||
|
|
logger.error(f"检查用户 {user.id} 超级管理员角色失败: {str(e)}")
|
|||
|
|
return False
|
|||
|
|
|
|||
|
|
|
|||
|
|
async def require_super_admin(
|
|||
|
|
current_user: User = Depends(AuthService.get_current_user),
|
|||
|
|
session: Session = Depends(get_session)
|
|||
|
|
) -> User:
|
|||
|
|
"""要求超级管理员权限的依赖项."""
|
|||
|
|
if not await is_super_admin(current_user, session):
|
|||
|
|
raise HTTPException(
|
|||
|
|
status_code=403,
|
|||
|
|
detail="需要超级管理员权限"
|
|||
|
|
)
|
|||
|
|
return current_user
|
|||
|
|
|
|||
|
|
|
|||
|
|
def require_authenticated_user(
|
|||
|
|
current_user: User = Depends(AuthService.get_current_user)
|
|||
|
|
) -> User:
|
|||
|
|
"""要求已认证用户的依赖项."""
|
|||
|
|
if not current_user or not current_user.is_active:
|
|||
|
|
raise HTTPException(
|
|||
|
|
status_code=401,
|
|||
|
|
detail="需要登录"
|
|||
|
|
)
|
|||
|
|
return current_user
|
|||
|
|
|
|||
|
|
|
|||
|
|
class SimplePermissionChecker:
|
|||
|
|
"""简化的权限检查器."""
|
|||
|
|
|
|||
|
|
def __init__(self, db: Session):
|
|||
|
|
self.db = db
|
|||
|
|
|
|||
|
|
async def check_super_admin(self, user: User) -> bool:
|
|||
|
|
"""检查是否为超级管理员."""
|
|||
|
|
return await is_super_admin(user, self.db)
|
|||
|
|
|
|||
|
|
async def check_user_access(self, user: User, target_user_id: int) -> bool:
|
|||
|
|
"""检查用户访问权限(自己或超级管理员)."""
|
|||
|
|
if not user or not user.is_active:
|
|||
|
|
return False
|
|||
|
|
|
|||
|
|
# 超级管理员可以访问所有用户
|
|||
|
|
if await self.check_super_admin(user):
|
|||
|
|
return True
|
|||
|
|
|
|||
|
|
# 用户只能访问自己的信息
|
|||
|
|
return user.id == target_user_id
|
|||
|
|
|
|||
|
|
|
|||
|
|
# 权限装饰器
|
|||
|
|
def super_admin_required(func):
|
|||
|
|
"""超级管理员权限装饰器."""
|
|||
|
|
@wraps(func)
|
|||
|
|
def wrapper(*args, **kwargs):
|
|||
|
|
# 这个装饰器主要用于服务层,实际的FastAPI依赖项检查在路由层
|
|||
|
|
return func(*args, **kwargs)
|
|||
|
|
return wrapper
|
|||
|
|
|
|||
|
|
|
|||
|
|
def authenticated_required(func):
|
|||
|
|
"""认证用户权限装饰器."""
|
|||
|
|
@wraps(func)
|
|||
|
|
def wrapper(*args, **kwargs):
|
|||
|
|
# 这个装饰器主要用于服务层,实际的FastAPI依赖项检查在路由层
|
|||
|
|
return func(*args, **kwargs)
|
|||
|
|
return wrapper
|