perf: org permission check (#3500)
This commit is contained in:
Archer
@@ -22,7 +22,7 @@ import { MemberGroupSchemaType } from '@fastgpt/global/support/permission/member
|
||||
import { TeamMemberSchema } from '@fastgpt/global/support/user/team/type';
|
||||
import { UserModelSchema } from '@fastgpt/global/support/user/type';
|
||||
import { OrgSchemaType } from '@fastgpt/global/support/user/team/org/type';
|
||||
import { getOrgsWithParentByTmbId } from './org/controllers';
|
||||
import { getOrgIdSetWithParentByTmbId } from './org/controllers';
|
||||
|
||||
/** get resource permission for a team member
|
||||
* If there is no permission for the team member, it will return undefined
|
||||
@@ -41,15 +41,15 @@ export const getResourcePermission = async ({
|
||||
teamId: string;
|
||||
tmbId: string;
|
||||
} & (
|
||||
| {
|
||||
| {
|
||||
resourceType: 'team';
|
||||
resourceId?: undefined;
|
||||
}
|
||||
| {
|
||||
| {
|
||||
resourceType: Omit<PerResourceTypeEnum, 'team'>;
|
||||
resourceId: string;
|
||||
}
|
||||
)): Promise<PermissionValueType | undefined> => {
|
||||
)): Promise<PermissionValueType | undefined> => {
|
||||
// Personal permission has the highest priority
|
||||
const tmbPer = (
|
||||
await MongoResourcePermission.findOne(
|
||||
@@ -69,61 +69,42 @@ export const getResourcePermission = async ({
|
||||
}
|
||||
|
||||
// If there is no personal permission, get the group permission
|
||||
const groupPer = await (async () => {
|
||||
const groupIdList = (await getGroupsByTmbId({ tmbId, teamId })).map((item) => item._id);
|
||||
|
||||
if (groupIdList.length === 0) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// get the maximum permission of the group
|
||||
const pers = (
|
||||
await MongoResourcePermission.find(
|
||||
{
|
||||
teamId,
|
||||
resourceType,
|
||||
groupId: {
|
||||
$in: groupIdList
|
||||
const [groupPers, orgPers] = await Promise.all([
|
||||
getGroupsByTmbId({ tmbId, teamId })
|
||||
.then((res) => res.map((item) => item._id))
|
||||
.then((groupIdList) =>
|
||||
MongoResourcePermission.find(
|
||||
{
|
||||
teamId,
|
||||
resourceType,
|
||||
groupId: {
|
||||
$in: groupIdList
|
||||
},
|
||||
resourceId
|
||||
},
|
||||
resourceId
|
||||
},
|
||||
'permission'
|
||||
).lean()
|
||||
).map((item) => item.permission);
|
||||
'permission'
|
||||
).lean()
|
||||
)
|
||||
.then((perList) => perList.map((item) => item.permission)),
|
||||
getOrgIdSetWithParentByTmbId({ tmbId, teamId })
|
||||
.then((item) => Array.from(item))
|
||||
.then((orgIds) =>
|
||||
MongoResourcePermission.find(
|
||||
{
|
||||
teamId,
|
||||
resourceType,
|
||||
orgId: {
|
||||
$in: Array.from(orgIds)
|
||||
},
|
||||
resourceId
|
||||
},
|
||||
'permission'
|
||||
).lean()
|
||||
)
|
||||
.then((perList) => perList.map((item) => item.permission))
|
||||
]);
|
||||
|
||||
return getGroupPer(pers);
|
||||
})();
|
||||
|
||||
const orgIds = await getOrgsWithParentByTmbId({ tmbId, teamId }).then((item) => Array.from(item));
|
||||
|
||||
if (orgIds.length === 0) {
|
||||
return groupPer;
|
||||
}
|
||||
|
||||
// get the maximum permission of the org
|
||||
const orgPers = (
|
||||
await MongoResourcePermission.find(
|
||||
{
|
||||
teamId,
|
||||
resourceType,
|
||||
orgId: {
|
||||
$in: Array.from(orgIds)
|
||||
},
|
||||
resourceId
|
||||
},
|
||||
'permission'
|
||||
).lean()
|
||||
).map((item) => item.permission);
|
||||
|
||||
const orgPer = getGroupPer(orgPers);
|
||||
|
||||
if (groupPer === undefined) {
|
||||
return orgPer;
|
||||
} else if (orgPer === undefined) {
|
||||
return groupPer;
|
||||
}
|
||||
|
||||
return new Permission().addPer(groupPer, orgPer).value;
|
||||
return concatPer([...groupPers, ...orgPers]);
|
||||
};
|
||||
|
||||
/* 仅取 members 不取 groups */
|
||||
@@ -136,15 +117,15 @@ export async function getResourceAllClbs({
|
||||
teamId: string;
|
||||
session?: ClientSession;
|
||||
} & (
|
||||
| {
|
||||
| {
|
||||
resourceType: 'team';
|
||||
resourceId?: undefined;
|
||||
}
|
||||
| {
|
||||
| {
|
||||
resourceType: Omit<PerResourceTypeEnum, 'team'>;
|
||||
resourceId?: string | null;
|
||||
}
|
||||
)): Promise<ResourcePermissionType[]> {
|
||||
)): Promise<ResourcePermissionType[]> {
|
||||
return MongoResourcePermission.find(
|
||||
{
|
||||
resourceType: resourceType,
|
||||
@@ -497,10 +478,10 @@ export const authFileToken = (token?: string) =>
|
||||
});
|
||||
});
|
||||
|
||||
export const getGroupPer = (groups: PermissionValueType[] = []) => {
|
||||
if (groups.length === 0) {
|
||||
export const concatPer = (perList: PermissionValueType[] = []) => {
|
||||
if (perList.length === 0) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
return new Permission().addPer(...groups).value;
|
||||
return new Permission().addPer(...perList).value;
|
||||
};
|
||||
|
||||
@@ -1,9 +1,6 @@
|
||||
import { MemberGroupSchemaType } from '@fastgpt/global/support/permission/memberGroup/type';
|
||||
import { MongoGroupMemberModel } from './groupMemberSchema';
|
||||
import { TeamMemberSchema } from '@fastgpt/global/support/user/team/type';
|
||||
import { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
|
||||
import { MongoResourcePermission } from '../schema';
|
||||
import { getGroupPer, parseHeaderCert } from '../controller';
|
||||
import { parseHeaderCert } from '../controller';
|
||||
import { MongoMemberGroupModel } from './memberGroupSchema';
|
||||
import { DefaultGroupName } from '@fastgpt/global/support/user/team/group/constant';
|
||||
import { ClientSession } from 'mongoose';
|
||||
@@ -79,46 +76,6 @@ export const getGroupMembersByGroupId = async (groupId: string) => {
|
||||
}).lean();
|
||||
};
|
||||
|
||||
/**
|
||||
* Get tmb's group permission: the maximum permission of the group
|
||||
* @param tmbId
|
||||
* @param resourceId
|
||||
* @param resourceType
|
||||
* @returns the maximum permission of the group
|
||||
*/
|
||||
export const getGroupPermission = async ({
|
||||
tmbId,
|
||||
resourceId,
|
||||
teamId,
|
||||
resourceType
|
||||
}: {
|
||||
tmbId: string;
|
||||
teamId: string;
|
||||
} & (
|
||||
| {
|
||||
resourceId?: undefined;
|
||||
resourceType: 'team';
|
||||
}
|
||||
| {
|
||||
resourceId: string;
|
||||
resourceType: Omit<PerResourceTypeEnum, 'team'>;
|
||||
}
|
||||
)) => {
|
||||
const groupIds = (await getGroupsByTmbId({ tmbId, teamId })).map((item) => item._id);
|
||||
const groupPermissions = (
|
||||
await MongoResourcePermission.find({
|
||||
groupId: {
|
||||
$in: groupIds
|
||||
},
|
||||
resourceType,
|
||||
resourceId,
|
||||
teamId
|
||||
})
|
||||
).map((item) => item.permission);
|
||||
|
||||
return getGroupPer(groupPermissions);
|
||||
};
|
||||
|
||||
// auth group member role
|
||||
export const authGroupMemberRole = async ({
|
||||
groupId,
|
||||
|
||||
@@ -4,50 +4,34 @@ import type { ClientSession } from 'mongoose';
|
||||
import { MongoOrgModel } from './orgSchema';
|
||||
import { MongoOrgMemberModel } from './orgMemberSchema';
|
||||
|
||||
// if role1 > role2, return 1
|
||||
// if role1 < role2, return -1
|
||||
// else return 0
|
||||
// export const compareRole = (role1: OrgMemberRole, role2: OrgMemberRole) => {
|
||||
// if (role1 === OrgMemberRole.owner) {
|
||||
// if (role2 === OrgMemberRole.owner) {
|
||||
// return 0;
|
||||
// }
|
||||
// return 1;
|
||||
// }
|
||||
// if (role2 === OrgMemberRole.owner) {
|
||||
// return -1;
|
||||
// }
|
||||
// if (role1 === OrgMemberRole.admin) {
|
||||
// if (role2 === OrgMemberRole.admin) {
|
||||
// return 0;
|
||||
// }
|
||||
// return 1;
|
||||
// }
|
||||
// if (role2 === OrgMemberRole.admin) {
|
||||
// return -1;
|
||||
// }
|
||||
// return 0;
|
||||
// };
|
||||
|
||||
// export const checkOrgRole = (role: OrgMemberRole, targetRole: OrgMemberRole) => {
|
||||
// return compareRole(role, targetRole) >= 0;
|
||||
// };
|
||||
|
||||
export const getOrgsByTmbId = async ({ teamId, tmbId }: { teamId: string; tmbId: string }) =>
|
||||
MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId').lean();
|
||||
|
||||
export const getOrgsWithParentByTmbId = async ({ teamId, tmbId }: { teamId: string; tmbId: string }) =>
|
||||
MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId').lean().then((orgs) => {
|
||||
const orgIds = new Set<string>();
|
||||
for (const org of orgs) {
|
||||
const orgId = String(org.orgId);
|
||||
const parentIds = orgId.split('/').filter((id) => id);
|
||||
for (const parentId of parentIds) {
|
||||
orgIds.add(parentId);
|
||||
}
|
||||
export const getOrgIdSetWithParentByTmbId = async ({
|
||||
teamId,
|
||||
tmbId
|
||||
}: {
|
||||
teamId: string;
|
||||
tmbId: string;
|
||||
}) => {
|
||||
const orgMembers = await MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId')
|
||||
.populate<{ org: { path: string } }>('org', 'path')
|
||||
.lean();
|
||||
|
||||
const orgIds = new Set<string>();
|
||||
|
||||
for (const orgMember of orgMembers) {
|
||||
orgIds.add(String(orgMember.orgId));
|
||||
|
||||
// Add parent org
|
||||
const parentIds = orgMember.org.path.split('/').filter(Boolean);
|
||||
for (const parentId of parentIds) {
|
||||
orgIds.add(parentId);
|
||||
}
|
||||
return orgIds;
|
||||
});
|
||||
}
|
||||
|
||||
return orgIds;
|
||||
};
|
||||
|
||||
export const getChildrenByOrg = async ({
|
||||
org,
|
||||
@@ -58,14 +42,9 @@ export const getChildrenByOrg = async ({
|
||||
teamId: string;
|
||||
session?: ClientSession;
|
||||
}) => {
|
||||
const children = await MongoOrgModel.find(
|
||||
{ teamId, path: { $regex: `^${org.path}/${org._id}` } },
|
||||
undefined,
|
||||
{
|
||||
session
|
||||
}
|
||||
).lean();
|
||||
return children;
|
||||
return MongoOrgModel.find({ teamId, path: { $regex: `^${org.path}/${org._id}` } }, undefined, {
|
||||
session
|
||||
}).lean();
|
||||
};
|
||||
|
||||
export const getOrgAndChildren = async ({
|
||||
@@ -92,8 +71,7 @@ export async function createRootOrg({
|
||||
teamId: string;
|
||||
session?: ClientSession;
|
||||
}) {
|
||||
// Create the root org
|
||||
const [org] = await MongoOrgModel.create(
|
||||
return MongoOrgModel.create(
|
||||
[
|
||||
{
|
||||
teamId,
|
||||
@@ -103,72 +81,4 @@ export async function createRootOrg({
|
||||
],
|
||||
{ session }
|
||||
);
|
||||
// Find the team's owner
|
||||
// const owner = await MongoTeamMember.findOne({ teamId, role: 'owner' }, undefined);
|
||||
// if (!owner) {
|
||||
// return Promise.reject(TeamErrEnum.unAuthTeam);
|
||||
// }
|
||||
|
||||
// Set the owner as the org admin
|
||||
// await MongoOrgMemberModel.create(
|
||||
// [
|
||||
// {
|
||||
// orgId: org._id,
|
||||
// tmbId: owner._id
|
||||
|
||||
// }
|
||||
// ],
|
||||
// { session }
|
||||
// );
|
||||
}
|
||||
|
||||
// export const getOrgMemberRole = async ({
|
||||
// orgId,
|
||||
// tmbId
|
||||
// }: {
|
||||
// orgId: string;
|
||||
// tmbId: string;
|
||||
// }): Promise<OrgMemberRole | undefined> => {
|
||||
// let role: OrgMemberRole | undefined;
|
||||
// const orgMember = await MongoOrgMemberModel.findOne({
|
||||
// orgId,
|
||||
// tmbId
|
||||
// })
|
||||
// .populate('orgId')
|
||||
// .lean();
|
||||
// if (orgMember) {
|
||||
// role = OrgMemberRole[orgMember.role];
|
||||
// } else {
|
||||
// return role;
|
||||
// }
|
||||
// if (role === OrgMemberRole.owner) {
|
||||
// return role;
|
||||
// }
|
||||
// // Check the parent orgs
|
||||
// const org = orgMember.orgId as unknown as OrgSchemaType;
|
||||
// if (!org) {
|
||||
// return Promise.reject(TeamErrEnum.orgNotExist);
|
||||
// }
|
||||
// const parentIds = org.path.split('/').filter((id) => id);
|
||||
// if (parentIds.length === 0) {
|
||||
// return role;
|
||||
// }
|
||||
// const parentOrgMembers = await MongoOrgMemberModel.find({
|
||||
// orgId: {
|
||||
// $in: parentIds
|
||||
// },
|
||||
// tmbId
|
||||
// }).lean();
|
||||
// // Update the role to the highest role
|
||||
// for (const parentOrgMember of parentOrgMembers) {
|
||||
// const parentRole = OrgMemberRole[parentOrgMember.role];
|
||||
// if (parentRole === OrgMemberRole.owner) {
|
||||
// role = parentRole;
|
||||
// break;
|
||||
// }
|
||||
// if (parentRole === OrgMemberRole.admin && role === OrgMemberRole.member) {
|
||||
// role = parentRole;
|
||||
// }
|
||||
// }
|
||||
// return role;
|
||||
// };
|
||||
|
||||
@@ -33,6 +33,13 @@ export const OrgMemberSchema = new Schema({
|
||||
// }
|
||||
});
|
||||
|
||||
OrgMemberSchema.virtual('org', {
|
||||
ref: OrgCollectionName,
|
||||
localField: 'orgId',
|
||||
foreignField: '_id',
|
||||
justOne: true
|
||||
});
|
||||
|
||||
try {
|
||||
OrgMemberSchema.index(
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user