
RBAC

❗ 权限（permission）只回答“能不能做”；“能对哪些数据做”由下文的数据范围（scope）决定。两者都必须检查：只通过了权限检查，并不等于可以访问任意数据。

{domain}:{resource}:{action}（注意：下文示例实际使用的是两段式 {resource}:{action}，如 user:create，省略了 domain。全项目必须统一一种格式——权限检查是对 key 做精确字符串比较，格式不一致会直接导致匹配失败。）

requirePermission

ts
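/**
 * A single grantable permission.
 *
 * `key` is the identifier stored on a user and compared by the permission
 * check (`requirePermission`); `name` is display text only; `module` groups
 * related permissions. Authorization decisions compare `key`, never `name`.
 */
type Permission = {
  key: string
  name: string
  module?: string
}

/**
 * Registry of every permission the application knows about.
 *
 * `as const` keeps each `key` as a literal type (so it can be used as a
 * discriminant / in `keyof`-style derivations) and `satisfies` validates
 * every entry against `Permission` without widening it — a misspelled field
 * or a missing `key` is a compile error instead of a silent runtime mismatch
 * in the permission check.
 */
export const Permissions = {
  USER_CREATE: {
    key: "user:create",
    name: "创建用户",
    module: "user",
  },
} as const satisfies Record<string, Permission>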

// Guard a route with the permission. `requirePermission` itself is not
// defined on this page — presumably the TS counterpart of the Go
// `RequirePermission` middleware below (403 + abort when the user's
// permission list lacks `key`). Register it after the auth middleware that
// populates the user, otherwise there is nothing to check against.
requirePermission(Permissions.USER_CREATE)
go

// Permission is a single grantable permission.
// Key is the identifier RequirePermission compares against the user's
// permission list; Name is display text only (Chinese in the examples).
type Permission struct {
    Key  string
    Name string
}

// Permission registry. Key values use the "resource:action" form and are
// what RequirePermission matches on; Name values are display labels and
// never take part in an authorization decision.
var (
    UserCreate = Permission{Key: "user:create", Name: "创建用户"}
    UserDelete = Permission{Key: "user:delete", Name: "删除用户"}
)
 
// Usage: attach the returned gin.HandlerFunc to a route or group. It must be
// placed after the auth middleware that stores the User under the "user"
// context key, because RequirePermission reads it with c.MustGet("user").
RequirePermission(UserCreate)


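// RequirePermission returns gin middleware that lets the request continue
// only when the authenticated user holds permission p (matched on p.Key).
//
// The user is read from the context key "user", which an upstream auth
// middleware must have set; register this middleware after it.
//
//   - "user" missing or not a User  -> 401, abort (fail closed). The original
//     MustGet + unchecked type assertion panicked here, which surfaces as a
//     500 via gin's recovery instead of a deliberate deny.
//   - permission not held            -> 403, abort.
//
// NOTE(review): user.Permissions is trusted as-is. Confirm it is populated
// server-side for this request rather than taken from client-supplied data.
func RequirePermission(p Permission) gin.HandlerFunc {
    return func(c *gin.Context) {
        raw, ok := c.Get("user")
        if !ok {
            c.AbortWithStatusJSON(401, gin.H{"msg": "unauthorized"})
            return
        }
        user, ok := raw.(User)
        if !ok {
            // Wrong type under "user" is a wiring bug; still deny rather than panic.
            c.AbortWithStatusJSON(401, gin.H{"msg": "unauthorized"})
            return
        }

        if !contains(user.Permissions, p.Key) {
            // AbortWithStatusJSON == Abort() + JSON(); same response as before.
            c.AbortWithStatusJSON(403, gin.H{"msg": "forbidden"})
            return
        }

        c.Next()
    }
}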

scope

ts
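/** Data scopes a permission can be granted with. */
type DataScope = "self" | "dept" | "all"

/**
 * Minimal query-builder surface the scope handlers rely on.
 * NOTE(review): assumes a fluent `where(column, value)` — confirm against
 * the query builder / ORM actually used.
 */
interface ScopeQuery {
  where(column: string, value: unknown): this
}

/** The user fields the data scopes key on. */
interface ScopeUser {
  id: unknown
  deptId: unknown
}

/** Narrows `query` to the rows `user` may see under one data scope. */
type ScopeHandler = <Q extends ScopeQuery>(query: Q, user: ScopeUser) => Q

/**
 * Row filter for each data scope.
 * - self: only rows the user created (creator_id = user.id)
 * - dept: only rows in the user's department (dept_id = user.deptId)
 * - all:  no filter
 * The explicit `Record<DataScope, …>` type means adding a scope without a
 * handler (or vice versa) is a compile error.
 */
const scopeHandlers: Record<DataScope, ScopeHandler> = {
  self: (query, user) => query.where("creator_id", user.id),
  dept: (query, user) => query.where("dept_id", user.deptId),
  all: (query) => query,
}

/**
 * True when `scope` names one of the handlers above. Checks OWN keys only:
 * a plain `scopeHandlers[scope]` lookup also resolves inherited names such
 * as "constructor" or "toString", which is truthy and would be invoked.
 */
function isDataScope(scope: unknown): scope is DataScope {
  return (
    typeof scope === "string" &&
    Object.prototype.hasOwnProperty.call(scopeHandlers, scope)
  )
}

/**
 * Structural twin of the page's `Permission` (key/name/module) so this
 * function is typed without depending on where that type is declared.
 */
type ScopePermission = { key: string; name: string; module?: string }

/**
 * Applies the user's data scope for `permission` to `query`.
 *
 * @param query      query to narrow; returned (possibly narrowed) as the same type
 * @param permission the permission whose scope grant is looked up via `getScope`
 * @param user       current user (also passed to `getScope`)
 * @returns the query with the scope's row filter applied
 * @throws Error when `getScope` yields a scope with no handler
 *
 * Fails closed: an unknown or missing scope throws instead of returning the
 * unfiltered query. The previous `handler ? handler(query, user) : query`
 * fallback silently granted "all" to any user whose scope was unset or
 * misspelled — an authorization bypass, not a convenience default.
 *
 * NOTE(review): `getScope`'s parameter types are not visible on this page;
 * the `ScopeUser` / `ScopePermission` annotations are the minimum this
 * function needs — widen them if `getScope` expects fuller objects.
 */
function applyScope<Q extends ScopeQuery>(
  query: Q,
  permission: ScopePermission,
  user: ScopeUser,
): Q {
  const scope: unknown = getScope(user, permission)

  if (!isDataScope(scope)) {
    throw new Error(`applyScope: unknown data scope ${String(scope)}`)
  }

  return scopeHandlers[scope](query, user)
}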