update codes

Author: wu-clan

backend/app/admin/crud/crud_role.py

@@ -6,8 +6,8 @@
 from sqlalchemy.orm import selectinload
 from sqlalchemy_crud_plus import CRUDPlus
 
-from backend.app.admin.model import Menu, Role, User
-from backend.app.admin.schema.role import CreateRoleParam, UpdateRoleMenuParam, UpdateRoleParam
+from backend.app.admin.model import Dept, Menu, Role, User
+from backend.app.admin.schema.role import CreateRoleParam, UpdateRoleDeptParam, UpdateRoleMenuParam, UpdateRoleParam
 
 
 class CRUDRole(CRUDPlus[Role]):
@@ -122,6 +122,21 @@ async def update_menus(self, db, role_id: int, menu_ids: UpdateRoleMenuParam) ->
         current_role.menus = menus.scalars().all()
         return len(current_role.menus)
 
+    async def update_depts(self, db, role_id: int, dept_ids: UpdateRoleDeptParam) -> int:
+        """
+        更新角色部门
+
+        :param db:
+        :param role_id:
+        :param dept_ids:
+        :return:
+        """
+        stmt = select(Dept).where(Dept.id.in_(dept_ids.depts))
+        depts = await db.execute(stmt)
+        current_role = await self.get_with_relation(db, role_id)
+        current_role.depts = depts.scalars().all()
+        return len(current_role.depts)
+
     async def delete(self, db, role_id: list[int]) -> int:
         """
         删除角色

backend/app/admin/crud/crud_user.py

@@ -183,8 +183,10 @@ async def get_list(self, dept: int = None, username: str = None, phone: str = No
         """
         stmt = (
             select(self.model)
-            .options(selectinload(self.model.dept))
-            .options(selectinload(self.model.roles).selectinload(Role.menus))
+            .options(
+                selectinload(self.model.dept),
+                selectinload(self.model.roles).selectinload(Role.menus),
+            )
             .order_by(desc(self.model.join_time))
         )
         where_list = []
@@ -297,10 +299,10 @@ async def get_with_relation(self, db: AsyncSession, *, user_id: int = None, user
         :param username:
         :return:
         """
-        stmt = (
-            select(self.model)
-            .options(selectinload(self.model.dept))
-            .options(selectinload(self.model.roles).joinedload(Role.menus))
+        stmt = select(self.model).options(
+            selectinload(self.model.dept),
+            selectinload(self.model.roles).joinedload(Role.menus),
+            selectinload(self.model.roles).joinedload(Role.depts),
         )
         filters = []
         if user_id:

backend/app/admin/model/sys_dept.py

@@ -32,3 +32,6 @@ class Dept(Base):
 
     # 部门用户一对多
     users: Mapped[list['User']] = relationship(init=False, back_populates='dept')  # noqa: F821
+
+    # 部门角色多对多
+    roles: Mapped[list['Role']] = relationship(init=False, back_populates='dept')  # noqa: F821

backend/app/admin/model/sys_role.py

@@ -4,7 +4,7 @@
 from sqlalchemy.dialects.mysql import LONGTEXT
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
-from backend.app.admin.model.m2m import sys_role_menu, sys_user_role
+from backend.app.admin.model.m2m import sys_role_dept, sys_role_menu, sys_user_role
 from backend.common.model import Base, id_key
 
 
@@ -16,7 +16,8 @@ class Role(Base):
     id: Mapped[id_key] = mapped_column(init=False)
     name: Mapped[str] = mapped_column(String(20), unique=True, comment='角色名称')
     data_scope: Mapped[int | None] = mapped_column(
-        default=2, comment='权限范围（0: 全部数据，1: 本人数据，2: 所在部门数据，3: 所在部门及以下数据，4: 自定义数据）'
+        default=0,
+        comment='权限范围（0: 全部数据，1: 自定义数据，2: 所在部门及以下数据，3: 所在部门数据，4: 仅本人数据）',
     )
     status: Mapped[int] = mapped_column(default=1, comment='角色状态（0停用 1正常）')
     remark: Mapped[str | None] = mapped_column(LONGTEXT, default=None, comment='备注')
@@ -26,3 +27,6 @@ class Role(Base):
 
     # 角色菜单多对多
     menus: Mapped[list['Menu']] = relationship(init=False, secondary=sys_role_menu, back_populates='roles')  # noqa: F821
+
+    # 角色部门多对多
+    depts: Mapped[list['Dept']] = relationship(init=False, secondary=sys_role_dept, back_populates='roles')  # noqa: F821

backend/app/admin/schema/role.py

@@ -30,6 +30,10 @@ class UpdateRoleMenuParam(SchemaBase):
     menus: list[int]
 
 
+class UpdateRoleDeptParam(SchemaBase):
+    depts: list[int]
+
+
 class GetRoleListDetails(RoleSchemaBase):
     model_config = ConfigDict(from_attributes=True)
 

backend/app/admin/service/role_service.py

@@ -5,10 +5,11 @@
 from fastapi import Request
 from sqlalchemy import Select
 
+from backend.app.admin.crud.crud_dept import dept_dao
 from backend.app.admin.crud.crud_menu import menu_dao
 from backend.app.admin.crud.crud_role import role_dao
 from backend.app.admin.model import Role
-from backend.app.admin.schema.role import CreateRoleParam, UpdateRoleMenuParam, UpdateRoleParam
+from backend.app.admin.schema.role import CreateRoleParam, UpdateRoleDeptParam, UpdateRoleMenuParam, UpdateRoleParam
 from backend.common.exception import errors
 from backend.core.conf import settings
 from backend.database.db_mysql import async_db_session
@@ -77,6 +78,21 @@ async def update_role_menu(*, request: Request, pk: int, menu_ids: UpdateRoleMen
                 await redis_client.delete(f'{settings.JWT_USER_REDIS_PREFIX}:{request.user.id}')
             return count
 
+    @staticmethod
+    async def update_role_dept(*, request: Request, pk: int, dept_ids: UpdateRoleDeptParam) -> int:
+        async with async_db_session.begin() as db:
+            role = await role_dao.get(db, pk)
+            if not role:
+                raise errors.NotFoundError(msg='角色不存在')
+            for dept_id in dept_ids.depts:
+                dept = await dept_dao.get(db, dept_id)
+                if not dept:
+                    raise errors.NotFoundError(msg='部门不存在')
+            count = await role_dao.update_depts(db, pk, dept_ids)
+            if pk in [role.id for role in request.user.roles]:
+                await redis_client.delete(f'{settings.JWT_USER_REDIS_PREFIX}:{request.user.id}')
+            return count
+
     @staticmethod
     async def delete(*, pk: list[int]) -> int:
         async with async_db_session.begin() as db:

backend/common/security/jwt.py

@@ -183,13 +183,13 @@ async def get_current_user(db: AsyncSession, pk: int) -> User:
         raise AuthorizationError(msg='用户已被锁定，请联系系统管理员')
     if user.dept_id:
         if not user.dept.status:
-            raise AuthorizationError(msg='用户所属部门已锁定')
+            raise AuthorizationError(msg='用户所属部门已被锁定，请联系系统管理员')
         if user.dept.del_flag:
-            raise AuthorizationError(msg='用户所属部门已删除')
+            raise AuthorizationError(msg='用户所属部门已被删除，请联系系统管理员')
     if user.roles:
         role_status = [role.status for role in user.roles]
         if all(status == 0 for status in role_status):
-            raise AuthorizationError(msg='用户所属角色已锁定')
+            raise AuthorizationError(msg='用户所属角色已被锁定，请联系系统管理员')
     return user
 
 

backend/common/security/permission.py

@@ -1,7 +1,12 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
+from typing import Any
+
 from fastapi import Request
+from sqlalchemy import Select, select
 
+from backend.app.admin.model import User
+from backend.app.admin.model.m2m import sys_role_dept
 from backend.common.exception.errors import ServerError
 from backend.core.conf import settings
 
@@ -24,3 +29,45 @@ async def __call__(self, request: Request):
                 raise ServerError
             # 附加权限标识
             request.state.permission = self.value
+
+
+def filter_user_data_scope(request: Request, model: Any, stmt: Select) -> Select:
+    """
+    获取用户数据范围
+
+    使用场景：对于非后台管理数据，需要在前端界面向用户进行展示的数据
+
+    :param request:
+    :param model:
+    :param stmt:
+    :return:
+    """
+    user_roles = request.user.roles
+    dept_roles = request.user.dept.roles
+    user_roles.extend(dept_roles)
+    data_scope = min(role.data_scope for role in set(user_roles))
+
+    # 全部数据
+    if data_scope == 0:
+        stmt = stmt
+    # 自定义数据
+    elif data_scope == 1:
+        stmt = stmt.where(
+            model.create_user.in_(
+                select(User.id)
+                .select_from(sys_role_dept)
+                .join(User, User.dept_id == sys_role_dept.c.dept_id)
+                .where(sys_role_dept.c.role_id.in_(user_roles))
+            )
+        )
+    # 所在部门及以下数据
+    elif data_scope == 2:
+        ...  # TODO
+    # 所在部门数据
+    elif data_scope == 3:
+        stmt = stmt.where(select(User.id).where(User.dept_id == request.user.dept_id))
+    # 仅本人数据
+    elif data_scope == 4:
+        stmt = stmt.where(model.create_user == request.user.id)
+
+    return stmt

backend/common/security/rbac.py

@@ -81,10 +81,6 @@ async def rbac_verify(self, request: Request, _token: str = DependsJwtAuth) -> N
             if not request.user.is_staff:
                 raise AuthorizationError(msg='用户已被禁止后台管理操作，请联系系统管理员')
 
-        # 数据权限范围
-        if any(role.data_scope == 1 for role in user_roles):
-            return
-
         # RBAC 鉴权
         if settings.PERMISSION_MODE == 'role-menu':
             path_auth_perm = getattr(request.state, 'permission', None)