2025-12-08 19:12:30 +08:00
|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"net/http"
|
|
|
|
|
|
|
2026-06-15 16:40:36 +08:00
|
|
|
|
"carrotskin/internal/model"
|
2025-12-08 19:12:30 +08:00
|
|
|
|
"carrotskin/pkg/auth"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// CasbinMiddleware Casbin权限中间件
|
|
|
|
|
|
// 需要先经过AuthMiddleware获取用户信息
|
|
|
|
|
|
func CasbinMiddleware(casbinService *auth.CasbinService, resource, action string) gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
// 从上下文获取用户角色(由AuthMiddleware设置)
|
|
|
|
|
|
role, exists := c.Get("user_role")
|
|
|
|
|
|
if !exists {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeUnauthorized,
|
|
|
|
|
|
model.MsgUnauthorized,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
roleStr, ok := role.(string)
|
|
|
|
|
|
if !ok || roleStr == "" {
|
|
|
|
|
|
roleStr = "user" // 默认角色
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查权限
|
|
|
|
|
|
if !casbinService.CheckPermission(roleStr, resource, action) {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusForbidden, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeForbidden,
|
|
|
|
|
|
model.MsgForbidden,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RequireAdmin 要求管理员权限的中间件
|
|
|
|
|
|
func RequireAdmin() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
role, exists := c.Get("user_role")
|
|
|
|
|
|
if !exists {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeUnauthorized,
|
|
|
|
|
|
model.MsgUnauthorized,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
roleStr, ok := role.(string)
|
|
|
|
|
|
if !ok || roleStr != "admin" {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusForbidden, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeForbidden,
|
|
|
|
|
|
"需要管理员权限",
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RequireRole 要求指定角色的中间件
|
|
|
|
|
|
func RequireRole(allowedRoles ...string) gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
role, exists := c.Get("user_role")
|
|
|
|
|
|
if !exists {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeUnauthorized,
|
|
|
|
|
|
model.MsgUnauthorized,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
roleStr, ok := role.(string)
|
|
|
|
|
|
if !ok {
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusForbidden, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeForbidden,
|
|
|
|
|
|
model.MsgForbidden,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查是否在允许的角色列表中
|
|
|
|
|
|
for _, allowed := range allowedRoles {
|
|
|
|
|
|
if roleStr == allowed {
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-06-15 16:40:36 +08:00
|
|
|
|
c.JSON(http.StatusForbidden, model.NewErrorResponse(
|
|
|
|
|
|
model.CodeForbidden,
|
|
|
|
|
|
model.MsgForbidden,
|
|
|
|
|
|
nil,
|
|
|
|
|
|
))
|
2025-12-08 19:12:30 +08:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|