RBAC
❗ 权限只控制“是否能做”,不控制“怎么做”
{domain}:{resource}:{action}
sync
sync 是“持续对齐机制”
permission 的修改应该视作 migration
permission 不应该被删除!
直接删除是对数据的破坏!
- role_permissions 悬空 ❌
- 历史权限丢失 ❌
- 审计不可追溯 ❌
sync 只负责 “对齐” 和 “补齐”
可以通过 .status = deprecated 让其失效,然后
permission
requirePermission
ts
/**
 * Declarative description of a single permission.
 *
 * - `key`: the machine identifier (e.g. "user:create") that a permission
 *   check compares against; it is the only field an authorization decision
 *   should depend on.
 * - `name`: human-readable label for display.
 * - `module`: optional grouping of related permissions (e.g. "user").
 */
type Permission = {
  key: string;
  name: string;
  module?: string;
};
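/**
 * Registry of every permission the application declares.
 *
 * The table and each entry are frozen so this shared constant cannot be
 * mutated at runtime (a later assignment would throw in strict mode).
 * New permissions are added here in code; the sync step then aligns the
 * stored permissions with this table rather than the other way round.
 *
 * @type {Readonly<Record<string, Readonly<Permission>>>}
 */
export const Permissions = Object.freeze({
  USER_CREATE: Object.freeze({
    key: "user:create",
    name: "创建用户",
    module: "user",
  }),
});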
requirePermission(Permissions.USER_CREATE);
go
// Permission is a single declared permission.
//
// Key is the machine identifier that RequirePermission matches against the
// user's granted permission keys; Name is the human-readable label only.
type Permission struct {
	Key string
	Name string
}
// Permissions declared by the application. Each Key is the exact string
// RequirePermission compares against the user's granted keys.
var (
	UserCreate = Permission{Key: "user:create", Name: "创建用户"}
	UserDelete = Permission{Key: "user:delete", Name: "删除用户"}
)
RequirePermission(UserCreate)
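// RequirePermission returns a gin middleware that lets the request proceed
// only when the authenticated user holds permission p.
//
// The user is read from the context key "user" (expected to be set by an
// upstream authentication middleware). If the key is missing or does not
// hold a User, the request is rejected with 401 instead of panicking the
// way c.MustGet would on a route that was mounted without authentication.
// A user whose Permissions do not contain p.Key is rejected with 403.
func RequirePermission(p Permission) gin.HandlerFunc {
	return func(c *gin.Context) {
		raw, ok := c.Get("user")
		if !ok {
			c.AbortWithStatusJSON(401, gin.H{"msg": "unauthorized"})
			return
		}
		user, ok := raw.(User)
		if !ok {
			// Wrong type under "user" means the auth layer and this
			// middleware disagree; fail closed rather than panic.
			c.AbortWithStatusJSON(401, gin.H{"msg": "unauthorized"})
			return
		}
		// Exact key match against the user's granted permission keys.
		if !contains(user.Permissions, p.Key) {
			c.AbortWithStatusJSON(403, gin.H{"msg": "forbidden"})
			return
		}
		c.Next()
	}
}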
ts
/**
 * Data-scope handlers keyed by scope name. Each one narrows a query
 * builder (exposing `where(column, value)`) to the rows the current
 * user may see:
 *   self — rows the user created (creator_id = user.id)
 *   dept — rows of the user's department (dept_id = user.deptId)
 *   all  — no narrowing; the query is returned untouched
 */
const scopeHandlers = {
  self(query, user) {
    return query.where("creator_id", user.id);
  },
  dept(query, user) {
    return query.where("dept_id", user.deptId);
  },
  all(query) {
    return query;
  },
};
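/**
 * Narrow `query` to the rows `user` is allowed to see under `permission`.
 *
 * The scope name comes from getScope(user, permission) and is resolved
 * against scopeHandlers by own-property lookup only. The previous
 * `scopeHandlers[scope]` lookup also found names inherited from
 * Object.prototype — "constructor" resolved to Object, which returns the
 * query unchanged, i.e. silently behaved like the "all" scope — and any
 * misspelled scope name fell through to the unscoped query. Unknown
 * non-null scopes now fail closed.
 *
 * @param {object} query      - query builder exposing where(column, value)
 * @param {*}      permission - the permission being exercised
 * @param {object} user       - current user (id, deptId)
 * @returns {object} the scoped query; unchanged when no scope is configured
 * @throws {Error} when the resolved scope is non-null but has no handler
 */
function applyScope(query, permission, user) {
  const scope = getScope(user, permission);
  // No scope configured for this permission: keep the original pass-through.
  if (scope == null) return query;
  if (!Object.hasOwn(scopeHandlers, scope)) {
    throw new Error(`applyScope: unknown data scope "${scope}"`);
  }
  return scopeHandlers[scope](query, user);
}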