cadmin/server/config/permissions.go

package config

import (
	"encoding/json"
	"errors"
	"fmt"
	"gadmin/internal/gorm/query"
	"gadmin/utility/character"
	"github.com/sirupsen/logrus"
	"net/http"
)

const AuthSuperRoleId = 1 // 超管角色ID

// 权限分组
const (
	AuthGMUpdate   = 1  // GM玩家属性修改
	AuthBanPlayer  = 2  // 玩家封禁
	AuthMail       = 3  // 邮件操作
	AuthNotice     = 4  // 广播操作
	AuthRedeemCode = 5  // 兑换码
	AuthClearRank  = 6  // 清除排行榜排名
	AuthServConfig = 7  // 服务配置修改权限
	AuthDelPlayer  = 8  // 玩家删除
	AuthVerifyMail = 9  //邮件审核、确认发送
	AuthChatLog    = 10 //客服聊天记录
)

// AuthNameMap 权限分组名称映射
var AuthNameMap = map[int]string{
	AuthGMUpdate:   "GM玩家属性修改",
	AuthBanPlayer:  "玩家封禁",
	AuthMail:       "邮件操作",
	AuthNotice:     "广播操作",
	AuthRedeemCode: "兑换码",
	AuthClearRank:  "清除排行榜排名",
	AuthServConfig: "服务配置修改",
	AuthDelPlayer:  "玩家删除",
	AuthVerifyMail: "邮件审核发送",
	AuthChatLog:    "客服聊天记录",
}

// AuthMenuMap 权限分组菜单映射
// key 对应路由分组 value对应菜单name
var AuthMenuMap = map[int]string{
	AuthChatLog: "ChatLog",
}

var (
	authVerifyMethods []string         // 需要验证的请求方式
	permissions       map[int][]string // 权限分组
	authWhitelist     []string         // 白名单，免验证
)

// GM玩家属性修改权限、玩家封禁权限、发送邮件权限、发送广播权限、兑换码创建权限、排行榜删榜权限、服务配置修改权限
func init() {
	authVerifyMethods = append(authVerifyMethods, []string{http.MethodPost}...)
	permissions = make(map[int][]string)
	permissions[AuthGMUpdate] = append(permissions[AuthGMUpdate], []string{
		"/api/gm/userRoles",
		"/api/gm/updatePlayerBase",
		"/api/gm/updateChapter",
		"/api/gm/updateTalents",
		"/api/gm/updateGuides",
		"/api/gm/addEquipment",
		"/api/gm/addMaterial",
		"/api/gm/addExp",
		"/api/gm/addStamina",
		"/api/gm/upgradeRole",
		"/api/gm/addCoin",
		"/api/gm/add_equipment",
		"/api/gm/add_material",
		"/api/gm/upgrade_role",
		"/api/gm/openAccount",
		"/api/gm/retrofitGroup/edit",
		"/api/gm/retrofitGroup/delete",
		"/api/gm/retrofit/edit",
		"/api/gm/retrofit/delete",
		"/api/grandmaster/setDanScore",
	}...)

	permissions[AuthBanPlayer] = append(permissions[AuthBanPlayer], []string{
		"/api/userAccount/userBan",
		"/api/userAccount/singleBanUser",
		"/api/userAccount/banUserChat",
	}...)

	permissions[AuthMail] = append(permissions[AuthMail], []string{
		"/api/gm/letters/add",
		"/api/gm/letters/del",
		"/api/email/list",
		"/api/email/add",
	}...)

	permissions[AuthVerifyMail] = append(permissions[AuthVerifyMail], []string{
		"/api/email/verify",
	}...)

	permissions[AuthNotice] = append(permissions[AuthNotice], []string{
		"/api/gm/notices",
		"/api/gm/del_notice",
		"/api/notice/add",
		"/api/notice/cancel",
	}...)

	permissions[AuthRedeemCode] = append(permissions[AuthRedeemCode], []string{
		"/api/cdk/add",
		"/api/cdk/del",
	}...)

	permissions[AuthClearRank] = append(permissions[AuthClearRank], []string{
		"/api/gm/update_el_rank",
		"/api/gm/delRank",
	}...)

	permissions[AuthServConfig] = append(permissions[AuthServConfig], []string{
		"/api/gm/set_conf_path",
		"/api/gm/updateSwitchers",
		"/api/drainageServer/edit",
		"/api/drainageServer/editDisplay",
		"/api/drainageServer/editWhiteList",
		"/api/gm/getServerDate",
		"/api/gm/releaseVersion",

		// 服务部署
		"/api/deploy/task",
		"/api/deploy/stop",
		"/api/deploy/edit",
		"/api/deploy/edit",
		"/api/deploy/delete",
	}...)

	permissions[AuthDelPlayer] = append(permissions[AuthDelPlayer], []string{
		"/api/gm/delete_player",
	}...)

	permissions[AuthChatLog] = append(permissions[AuthChatLog], []string{
		"/api/gm/chatLog/playerList",
		"/api/gm/chatLog/info",
	}...)

	authWhitelist = append(authWhitelist, []string{
		"/api/user/logout",
		"/api/gm/userRoles",
		"/api/gm/tools/restart",
		"/api/channel/statEdit",
		"/api/admin/updatePassword",

		// 配装
		"/api/retrofitGroup/edit",
		"/api/retrofit/edit",
		"/api/retrofit/delete",
		"/api/retrofitGroup/delete",
	}...)
}

// IsSuperRole 是否是超管角色
func IsSuperRole(roleId int64) bool {
	return roleId == AuthSuperRoleId
}

// ValidityAuth 验证权限
func ValidityAuth(roleId int64, method, path string) (err error) {
	// 超管无需验证
	if IsSuperRole(roleId) {
		return nil
	}

	// 无需验证的请求方式
	if !character.InSlice(authVerifyMethods, method) {
		return nil
	}

	// 免验证的白名单
	if character.InSlice(authWhitelist, path) {
		return nil
	}

	if roleId <= 0 {
		return errors.New("当前登录用户角色信息异常，请退出重新登录")
	}

	rdb := query.Use(AdminDB).AdminRole
	result, err := rdb.Where(rdb.ID.Eq(roleId)).First()
	if err != nil {
		logrus.Warnf("AdminRole... err:%+v", err)
		return
	}

	if result == nil {
		return errors.New("获取角色信息失败")
	}

	if result.Status != 1 {
		return errors.New("角色权限已被禁用")
	}

	var possess []int
	err = json.Unmarshal([]byte(result.Permissions), &possess)
	if err != nil {
		return fmt.Errorf("权限解析时发生错误:%v，请联系管理员", err.Error())
	}

	if len(possess) == 0 {
		return errors.New("角色没有分配权限")
	}

	// 拥有的全部权限
	var allPermission []string
	for _, v := range possess {
		p, ok := permissions[v]
		if !ok {
			continue
		}
		allPermission = append(allPermission, p...)
	}

	// 检查分配的权限中包含当前请求的权限
	if !character.InSlice(allPermission, path) {
		return errors.New("你还没有获得该操作权限")
	}
	return nil
}