builder.go 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179
  1. package role
  2. import (
  3. "net/http"
  4. "time"
  5. "github.com/ory/ladon"
  6. "github.com/qor5/admin/presets"
  7. "github.com/qor5/admin/presets/gorm2op"
  8. "github.com/qor5/ui/vuetify"
  9. "github.com/qor5/web"
  10. "github.com/qor5/x/perm"
  11. h "github.com/theplant/htmlgo"
  12. "gorm.io/gorm"
  13. )
  14. type Builder struct {
  15. db *gorm.DB
  16. actions []*vuetify.DefaultOptionItem
  17. resources []*vuetify.DefaultOptionItem
  18. // editorSubject is the subject that has permission to edit roles
  19. // empty value means anyone can edit roles
  20. editorSubject string
  21. }
  22. func New(db *gorm.DB) *Builder {
  23. return &Builder{
  24. db: db,
  25. actions: []*vuetify.DefaultOptionItem{
  26. {Text: "All", Value: "*"},
  27. {Text: "List", Value: presets.PermList},
  28. {Text: "Get", Value: presets.PermGet},
  29. {Text: "Create", Value: presets.PermCreate},
  30. {Text: "Update", Value: presets.PermUpdate},
  31. {Text: "Delete", Value: presets.PermDelete},
  32. },
  33. }
  34. }
  35. func (b *Builder) Actions(vs []*vuetify.DefaultOptionItem) *Builder {
  36. b.actions = vs
  37. return b
  38. }
  39. func (b *Builder) Resources(vs []*vuetify.DefaultOptionItem) *Builder {
  40. b.resources = vs
  41. return b
  42. }
  43. func (b *Builder) EditorSubject(v string) *Builder {
  44. b.editorSubject = v
  45. return b
  46. }
  47. func (b *Builder) Configure(pb *presets.Builder) *presets.ModelBuilder {
  48. if b.editorSubject != "" {
  49. permB := pb.GetPermission()
  50. if permB == nil {
  51. panic("pb does not have a permission builder")
  52. }
  53. ctxf := permB.GetContextFunc()
  54. ssf := permB.GetSubjectsFunc()
  55. permB.ContextFunc(func(r *http.Request, objs []interface{}) perm.Context {
  56. c := make(perm.Context)
  57. if ctxf != nil {
  58. c = ctxf(r, objs)
  59. }
  60. ss := ssf(r)
  61. hasRoleEditorSubject := false
  62. for _, s := range ss {
  63. if s == b.editorSubject {
  64. hasRoleEditorSubject = true
  65. break
  66. }
  67. }
  68. c["has_role_editor_subject"] = hasRoleEditorSubject
  69. return c
  70. })
  71. permB.CreatePolicies(
  72. perm.PolicyFor(perm.Anybody).WhoAre(perm.Denied).ToDo(perm.Anything).On("*:roles:*").Given(perm.Conditions{
  73. "has_role_editor_subject": &ladon.BooleanCondition{
  74. BooleanValue: false,
  75. },
  76. }),
  77. perm.PolicyFor(b.editorSubject).WhoAre(perm.Allowed).ToDo(perm.Anything).On("*:roles:*"),
  78. )
  79. }
  80. role := pb.Model(&Role{})
  81. ed := role.Editing(
  82. "Name",
  83. "Permissions",
  84. )
  85. permFb := pb.NewFieldsBuilder(presets.WRITE).Model(&perm.DefaultDBPolicy{}).Only("Effect", "Actions", "Resources")
  86. ed.Field("Permissions").Nested(permFb)
  87. permFb.Field("Effect").ComponentFunc(func(obj interface{}, field *presets.FieldContext, ctx *web.EventContext) h.HTMLComponent {
  88. return vuetify.VSelect().
  89. Items([]string{perm.Allowed, perm.Denied}).
  90. Value(field.StringValue(obj)).
  91. Label(field.Label).
  92. FieldName(field.FormKey)
  93. }).SetterFunc(func(obj interface{}, field *presets.FieldContext, ctx *web.EventContext) (err error) {
  94. p := obj.(*perm.DefaultDBPolicy)
  95. p.Effect = ctx.R.FormValue(field.FormKey)
  96. return
  97. })
  98. permFb.Field("Actions").ComponentFunc(func(obj interface{}, field *presets.FieldContext, ctx *web.EventContext) h.HTMLComponent {
  99. return vuetify.VAutocomplete().
  100. Value(field.Value(obj)).
  101. Label(field.Label).
  102. FieldName(field.FormKey).
  103. Multiple(true).Chips(true).DeletableChips(true).
  104. Items(b.actions)
  105. })
  106. permFb.Field("Resources").ComponentFunc(func(obj interface{}, field *presets.FieldContext, ctx *web.EventContext) h.HTMLComponent {
  107. return vuetify.VAutocomplete().
  108. Value(field.Value(obj)).
  109. Label(field.Label).
  110. FieldName(field.FormKey).
  111. Multiple(true).Chips(true).DeletableChips(true).
  112. Items(b.resources)
  113. }).SetterFunc(func(obj interface{}, field *presets.FieldContext, ctx *web.EventContext) (err error) {
  114. p := obj.(*perm.DefaultDBPolicy)
  115. p.Resources = ctx.R.Form[field.FormKey]
  116. return
  117. })
  118. ed.FetchFunc(func(obj interface{}, id string, ctx *web.EventContext) (r interface{}, err error) {
  119. return gorm2op.DataOperator(b.db.Preload("Permissions")).Fetch(obj, id, ctx)
  120. })
  121. ed.ValidateFunc(func(obj interface{}, ctx *web.EventContext) (err web.ValidationErrors) {
  122. u := obj.(*Role)
  123. if u.Name == "" {
  124. err.FieldError("Name", "Name is required")
  125. return
  126. }
  127. for _, p := range u.Permissions {
  128. p.Subject = u.Name
  129. }
  130. return
  131. })
  132. ed.SaveFunc(func(obj interface{}, id string, ctx *web.EventContext) (err error) {
  133. r := obj.(*Role)
  134. if r.ID != 0 {
  135. if err = b.db.Delete(&perm.DefaultDBPolicy{}, "refer_id = ?", r.ID).Error; err != nil {
  136. return
  137. }
  138. }
  139. if err = gorm2op.DataOperator(b.db.Session(&gorm.Session{FullSaveAssociations: true})).Save(obj, id, ctx); err != nil {
  140. return
  141. }
  142. startFrom := time.Now().Add(-1 * time.Second)
  143. pb.GetPermission().LoadDBPoliciesToMemory(b.db, &startFrom)
  144. return
  145. })
  146. ed.DeleteFunc(func(obj interface{}, id string, ctx *web.EventContext) (err error) {
  147. err = b.db.Transaction(func(tx *gorm.DB) error {
  148. if err := tx.Delete(&perm.DefaultDBPolicy{}, "refer_id = ?", id).Error; err != nil {
  149. return err
  150. }
  151. if err := tx.Delete(&Role{}, "id = ?", id).Error; err != nil {
  152. return err
  153. }
  154. return nil
  155. })
  156. return
  157. })
  158. return role
  159. }