forked from baron/baron-sso
adminfront: 탭별 세부 권한 격리 부여를 위한 독자적인 5번째 탭(세부 권한) 추가 및 연동 완료
This commit is contained in:
@@ -3206,3 +3206,168 @@ func (h *TenantHandler) GetPublicOrgChart(c *fiber.Ctx) error {
|
||||
"sharedWith": link.Name,
|
||||
})
|
||||
}
|
||||
|
||||
type tenantRelationRequest struct {
|
||||
UserID string `json:"userId"`
|
||||
Relation string `json:"relation"`
|
||||
}
|
||||
|
||||
func (h *TenantHandler) ListRelations(c *fiber.Ctx) error {
|
||||
tenantID := c.Params("id")
|
||||
if tenantID == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
|
||||
}
|
||||
|
||||
relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "", "")
|
||||
if err != nil {
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
|
||||
allowedRelations := map[string]bool{
|
||||
"profile_viewers": true,
|
||||
"profile_managers": true,
|
||||
"permissions_viewers": true,
|
||||
"permissions_managers": true,
|
||||
"organization_viewers": true,
|
||||
"organization_managers": true,
|
||||
"schema_viewers": true,
|
||||
"schema_managers": true,
|
||||
}
|
||||
|
||||
type userRelationInfo struct {
|
||||
UserID string `json:"userId"`
|
||||
Name string `json:"name"`
|
||||
Email string `json:"email"`
|
||||
Relations []string `json:"relations"`
|
||||
}
|
||||
|
||||
userMap := make(map[string][]string)
|
||||
for _, rel := range relations {
|
||||
if !allowedRelations[rel.Relation] {
|
||||
continue
|
||||
}
|
||||
if !strings.HasPrefix(rel.SubjectID, "User:") {
|
||||
continue
|
||||
}
|
||||
userID := strings.TrimPrefix(rel.SubjectID, "User:")
|
||||
userMap[userID] = append(userMap[userID], rel.Relation)
|
||||
}
|
||||
|
||||
items := []userRelationInfo{}
|
||||
for userID, rels := range userMap {
|
||||
name := "Unknown"
|
||||
email := "Unknown"
|
||||
|
||||
if h.KratosAdmin != nil {
|
||||
identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
|
||||
if err == nil && identity != nil {
|
||||
if n, ok := identity.Traits["name"].(string); ok {
|
||||
name = n
|
||||
}
|
||||
if e, ok := identity.Traits["email"].(string); ok {
|
||||
email = e
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if name == "Unknown" && email == "Unknown" && h.UserRepo != nil {
|
||||
user, err := h.UserRepo.FindByID(c.Context(), userID)
|
||||
if err == nil && user != nil {
|
||||
name = user.Name
|
||||
email = user.Email
|
||||
} else if userID == "00000000-0000-0000-0000-000000000000" {
|
||||
name = "Dev Mock User"
|
||||
email = "mock@hmac.kr"
|
||||
}
|
||||
}
|
||||
|
||||
items = append(items, userRelationInfo{
|
||||
UserID: userID,
|
||||
Name: name,
|
||||
Email: email,
|
||||
Relations: rels,
|
||||
})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"items": items,
|
||||
})
|
||||
}
|
||||
|
||||
func (h *TenantHandler) AddRelation(c *fiber.Ctx) error {
|
||||
tenantID := c.Params("id")
|
||||
if tenantID == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
|
||||
}
|
||||
|
||||
var req tenantRelationRequest
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
|
||||
}
|
||||
|
||||
if req.UserID == "" || req.Relation == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
|
||||
}
|
||||
|
||||
allowedRelations := map[string]bool{
|
||||
"profile_viewers": true,
|
||||
"profile_managers": true,
|
||||
"permissions_viewers": true,
|
||||
"permissions_managers": true,
|
||||
"organization_viewers": true,
|
||||
"organization_managers": true,
|
||||
"schema_viewers": true,
|
||||
"schema_managers": true,
|
||||
}
|
||||
|
||||
if !allowedRelations[req.Relation] {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "invalid or unsupported relation")
|
||||
}
|
||||
|
||||
if h.Keto != nil {
|
||||
relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, req.Relation, "User:"+req.UserID)
|
||||
if err == nil && len(relations) > 0 {
|
||||
return errorJSON(c, fiber.StatusConflict, "이미 해당 세부 권한이 등록된 사용자입니다.")
|
||||
}
|
||||
}
|
||||
|
||||
if h.KetoOutbox != nil {
|
||||
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
||||
Namespace: "Tenant",
|
||||
Object: tenantID,
|
||||
Relation: req.Relation,
|
||||
Subject: "User:" + req.UserID,
|
||||
Action: domain.KetoOutboxActionCreate,
|
||||
})
|
||||
}
|
||||
|
||||
return c.SendStatus(fiber.StatusOK)
|
||||
}
|
||||
|
||||
func (h *TenantHandler) RemoveRelation(c *fiber.Ctx) error {
|
||||
tenantID := c.Params("id")
|
||||
if tenantID == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
|
||||
}
|
||||
|
||||
var req tenantRelationRequest
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
|
||||
}
|
||||
|
||||
if req.UserID == "" || req.Relation == "" {
|
||||
return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
|
||||
}
|
||||
|
||||
if h.KetoOutbox != nil {
|
||||
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
||||
Namespace: "Tenant",
|
||||
Object: tenantID,
|
||||
Relation: req.Relation,
|
||||
Subject: "User:" + req.UserID,
|
||||
Action: domain.KetoOutboxActionDelete,
|
||||
})
|
||||
}
|
||||
|
||||
return c.SendStatus(fiber.StatusOK)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user