Optimize role menu authorization logic (#221)

wu-clan · web-flow · commit 44844698ae46 · 2023-09-26T18:13:08.000+08:00
diff --git a/backend/app/common/rbac.py b/backend/app/common/rbac.py
@@ -55,16 +55,20 @@ async def rbac_verify(self, request: Request, _: dict = DependsJwtAuth) -> None:
         data_scope = any(role.data_scope == 1 for role in user_roles)
         if data_scope:
             return
+        method = request.method
         if settings.MENU_PERMISSION:
             # 菜单权限校验
-            path_auth = request.url.path.replace(f'{settings.API_V1_STR}', '').replace('/', ':')
+            # TODO: 改用流行方案，自定义接口权限字段标识
+            path_auth = path.split(f'{settings.API_V1_STR}/')[-1].replace('/', ':') + f':{method}'
             menu_perms = []
             forbid_menu_perms = []
             for role in user_roles:
-                for menu in role.menus:
-                    menu_perms.append(menu.perms) if menu.status == StatusType.enable else forbid_menu_perms.append(
-                        menu.perms
-                    )
+                if role.menus:
+                    for menu in role.menus:
+                        if menu.status == StatusType.enable:
+                            menu_perms.append(menu.perms)
+                        else:
+                            forbid_menu_perms.append(menu.perms)
             if path_auth in set(settings.MENU_EXCLUDE):
                 return
             if path_auth in set([perm for perms_str in forbid_menu_perms for perm in perms_str.split(',')]):
@@ -73,10 +77,12 @@ async def rbac_verify(self, request: Request, _: dict = DependsJwtAuth) -> None:
                 raise AuthorizationError
         else:
             # casbin 权限校验
-            method = request.method
-            forbid_menu_path = [
-                menu.path for role in user_roles for menu in role.menus if menu.status == StatusType.disable
-            ]
+            forbid_menu_path = []
+            for role in user_roles:
+                if role.menus:
+                    for menu in role.menus:
+                        if menu.status == StatusType.disable:
+                            forbid_menu_path.append(menu.path)
             if path.split('/')[-1] in forbid_menu_path:
                 raise AuthorizationError(msg='菜单已禁用，授权失败')
             if (method, path) in settings.CASBIN_EXCLUDE:
diff --git a/backend/app/core/conf.py b/backend/app/core/conf.py
@@ -129,11 +129,11 @@ def validator_api_url(cls, values):
     # Menu
     MENU_PERMISSION: bool = False  # 危险行为，开启此功能, Casbin 鉴权将失效，并将使用角色菜单鉴权 (默认关闭)
     MENU_EXCLUDE: list[str] = [
-        'auth:swagger_login',
-        'auth:login',
-        'auth:logout',
-        'auth:register',
-        'auth:captcha',
+        'auth:swagger_login:post',
+        'auth:login:post',
+        'auth:logout:post',
+        'auth:register:post',
+        'auth:captcha:get',
     ]
 
     # Opera log
