fix: 修复普通用户也能获取下属部门的数据

2025-02-24 18:19:04 +08:00
parent df5f2977d4
commit f0c678b8d0
3 changed files with 42 additions and 12 deletions
--- a/annotation/auth.py
+++ b/annotation/auth.py
@@ -40,3 +40,16 @@ class Auth:
            raise PermissionException(message="该用户无此接口权限！")

        return wrapper
+
+
+async def hasAuth(request: Request, permission: str) -> bool:
+    """
+    判断是有拥有某项权限
+    """
+    token = request.headers.get('Authorization')  # 直接使用 request 对象
+    current_user = await LoginController.get_current_user(request, token)
+    permissions = current_user.get('permissions')
+    if permission in permissions:
+        return True
+    else:
+        return False
--- a/api/log.py
+++ b/api/log.py
@@ -12,7 +12,7 @@ from fastapi import APIRouter, Depends, Path, Query, Request
 from fastapi.encoders import jsonable_encoder
 from fastapi.responses import JSONResponse

-from annotation.auth import Auth
+from annotation.auth import Auth, hasAuth
 from annotation.log import Log
 from config.constant import BusinessType, RedisKeyConfig
 from controller.login import LoginController
@@ -41,9 +41,8 @@ async def get_login_log(request: Request,
                        current_user: dict = Depends(LoginController.get_current_user),
                        ):
    sub_departments = current_user.get("sub_departments")
+    user_id = current_user.get("id")
    online_user_list = await LoginController.get_online_user(request, sub_departments)
-    online_user_list = list(
-        filter(lambda x: x["department_id"] in sub_departments, jsonable_encoder(online_user_list)))
    filterArgs = {
        f'{k}__contains': v for k, v in {
            'username': username,
@@ -56,10 +55,18 @@ async def get_login_log(request: Request,
        startTime = datetime.fromtimestamp(float(startTime) / 1000)
        endTime = datetime.fromtimestamp(float(endTime) / 1000)
        filterArgs['login_time__range'] = [startTime, endTime]
+    if await hasAuth(request, "login:btn:admin"):
+        online_user_list = list(
+            filter(lambda x: x["department_id"] in sub_departments, jsonable_encoder(online_user_list)))
        if not department_id:
            filterArgs['user__department__id__in'] = sub_departments
        else:
            filterArgs['user__department__id'] = department_id
+    else:
+        online_user_list = list(
+            filter(lambda x: x["user_id"] == user_id, jsonable_encoder(online_user_list)))
+        if department_id:
+            filterArgs['user__department__id'] = department_id
    result = await LoginLog.filter(**filterArgs, user__del_flag=1, del_flag=1).offset(
        (page - 1) * pageSize).limit(pageSize).values(
        id="id",
@@ -171,6 +178,7 @@ async def get_operation_log(request: Request,
                            current_user: dict = Depends(LoginController.get_current_user),
                            ):
    sub_departments = current_user.get("sub_departments")
+    user_id = current_user.get("id")
    filterArgs = {
        f'{k}__contains': v for k, v in {
            'operation_name': name,
@@ -185,10 +193,15 @@ async def get_operation_log(request: Request,
        startTime = datetime.fromtimestamp(float(startTime) / 1000)
        endTime = datetime.fromtimestamp(float(endTime) / 1000)
        filterArgs['operation_time__range'] = [startTime, endTime]
+    if await hasAuth(request, "operation:btn:admin"):
        if not department_id:
            filterArgs['department__id__in'] = sub_departments
        else:
            filterArgs['department__id'] = department_id
+    else:
+        filterArgs['operator__id'] = user_id
+        if department_id:
+            filterArgs['department__id'] = department_id
    result = await OperationLog.filter(**filterArgs, operator__del_flag=1, del_flag=1).offset(
        (page - 1) * pageSize).limit(
        pageSize).values(
--- a/api/role.py
+++ b/api/role.py
@@ -10,7 +10,7 @@ from typing import Optional
 from fastapi import APIRouter, Depends, Path, Query, Request
 from fastapi.responses import JSONResponse

-from annotation.auth import Auth
+from annotation.auth import Auth, hasAuth
 from annotation.log import Log
 from config.constant import BusinessType, RedisKeyConfig
 from controller.login import LoginController
@@ -194,8 +194,12 @@ async def get_role_list(
            "status": status
        }.items() if v
    }
+    if await hasAuth(request, "role:btn:admin"):
        if not department_id:
            filterArgs["department__id__in"] = current_user.get("sub_departments")
+    else:
+        if department_id:
+            filterArgs["department__id"] = department_id
    total = await Role.filter(**filterArgs, del_flag=1).count()
    data = await Role.filter(**filterArgs, del_flag=1).offset(
        (page - 1) * pageSize).limit(