Implement data filtering

Author: wu-clan

backend/app/admin/api/v1/sys/data_rule.py

@@ -16,15 +16,21 @@
 router = APIRouter()
 
 
-@router.get('/{pk}', summary='获取数据规则详情', dependencies=[DependsJwtAuth])
+@router.get('/{pk}', summary='获取数据权限规则详情', dependencies=[DependsJwtAuth])
 async def get_data_rule(pk: Annotated[int, Path(...)]) -> ResponseModel:
     data_rule = await data_rule_service.get(pk=pk)
     return response_base.success(data=data_rule)
 
 
+@router.get('/models', summary='获取支持过滤的数据库模型', dependencies=[DependsJwtAuth])
+async def get_data_rule_models() -> ResponseModel:
+    models = await data_rule_service.get_models()
+    return response_base.success(data=models)
+
+
 @router.get(
     '',
-    summary='（模糊条件）分页获取所有数据规则',
+    summary='（模糊条件）分页获取所有数据权限规则',
     dependencies=[
         DependsJwtAuth,
         DependsPagination,
@@ -38,7 +44,7 @@ async def get_pagination_data_rule(db: CurrentSession, name: Annotated[str | Non
 
 @router.post(
     '',
-    summary='创建数据规则',
+    summary='创建数据权限规则',
     dependencies=[
         Depends(RequestPermission('data:rule:add')),
         DependsRBAC,
@@ -51,7 +57,7 @@ async def create_data_rule(obj: CreateDataRuleParam) -> ResponseModel:
 
 @router.put(
     '/{pk}',
-    summary='更新数据规则',
+    summary='更新数据权限规则',
     dependencies=[
         Depends(RequestPermission('data:rule:edit')),
         DependsRBAC,
@@ -66,7 +72,7 @@ async def update_data_rule(pk: Annotated[int, Path(...)], obj: UpdateDataRulePar
 
 @router.delete(
     '',
-    summary='（批量）删除数据规则',
+    summary='（批量）删除数据权限规则',
     dependencies=[
         Depends(RequestPermission('data:rule:del')),
         DependsRBAC,

backend/app/admin/api/v1/sys/data_rule_type.py

@@ -20,15 +20,15 @@
 router = APIRouter()
 
 
-@router.get('/{pk}', summary='获取数据规则类型详情', dependencies=[DependsJwtAuth])
+@router.get('/{pk}', summary='获取数据权限规则类型详情', dependencies=[DependsJwtAuth])
 async def get_data_rule_type(pk: Annotated[int, Path(...)]) -> ResponseModel:
     data_rule_type = await data_rule_type_service.get(pk=pk)
     return response_base.success(data=data_rule_type)
 
 
 @router.get(
     '',
-    summary='（模糊条件）分页获取所有数据规则类型',
+    summary='（模糊条件）分页获取所有数据权限规则类型',
     dependencies=[
         DependsJwtAuth,
         DependsPagination,
@@ -42,7 +42,7 @@ async def get_pagination_data_rule_type(db: CurrentSession) -> ResponseModel:
 
 @router.post(
     '',
-    summary='创建数据规则类型',
+    summary='创建数据权限规则类型',
     dependencies=[
         Depends(RequestPermission('data:rule:type:add')),
         DependsRBAC,
@@ -55,7 +55,7 @@ async def create_data_rule_type(obj: CreateDataRuleTypeParam) -> ResponseModel:
 
 @router.put(
     '/{pk}',
-    summary='更新数据规则类型',
+    summary='更新数据权限规则类型',
     dependencies=[
         Depends(RequestPermission('data:rule:type:edit')),
         DependsRBAC,
@@ -70,7 +70,7 @@ async def update_data_rule_type(pk: Annotated[int, Path(...)], obj: UpdateDataRu
 
 @router.delete(
     '',
-    summary='（批量）删除数据规则类型',
+    summary='（批量）删除数据权限规则类型',
     dependencies=[
         Depends(RequestPermission('data:rule:type:del')),
         DependsRBAC,

backend/app/admin/crud/crud_role.py

@@ -33,7 +33,11 @@ async def get_with_relation(self, db, role_id: int) -> Role | None:
         :param role_id:
         :return:
         """
-        stmt = select(self.model).options(selectinload(self.model.menus), selectinload(self.model.rules)).where(self.model.id == role_id)
+        stmt = (
+            select(self.model)
+            .options(selectinload(self.model.menus), selectinload(self.model.rules))
+            .where(self.model.id == role_id)
+        )
         role = await db.execute(stmt)
         return role.scalars().first()
 

backend/app/admin/model/data_rule.py

@@ -20,6 +20,7 @@ class DataRule(Base):
     expression: Mapped[int] = mapped_column(
         comment='表达式（0：>、1：>=、2：<、3：<=、4：==、5：!=、6：in、7：not_in）'
     )
+    value: Mapped[str] = mapped_column(String(255), comment='规则值')
 
     # 数据权限规则类型一对多
     type_id: Mapped[int] = mapped_column(

backend/app/admin/schema/data_rule.py

@@ -15,6 +15,7 @@ class DataRuleSchemaBase(SchemaBase):
     column: str
     operator: RoleDataRuleOperatorType = Field(RoleDataRuleOperatorType.OR)
     expression: RoleDataRuleExpressionType = Field(RoleDataRuleExpressionType.eq)
+    value: str
 
 
 class CreateDataRuleParam(DataRuleSchemaBase):

backend/app/admin/service/data_rule_service.py

@@ -21,6 +21,10 @@ async def get(*, pk: int) -> DataRule:
                 raise errors.NotFoundError(msg='数据规则不存在')
             return data_rule
 
+    @staticmethod
+    async def get_models():
+        return
+
     @staticmethod
     async def get_select(*, name: str = None) -> Select:
         return await data_rule_dao.get_list(name=name)

backend/common/enums.py

@@ -45,12 +45,12 @@ class RoleDataRuleOperatorType(IntEnum):
 class RoleDataRuleExpressionType(IntEnum):
     """数据权限规则表达式"""
 
-    gt = 0
-    ge = 1
-    lt = 2
-    le = 3
-    eq = 4
-    ne = 5
+    eq = 0
+    ne = 1
+    gt = 2
+    ge = 3
+    lt = 4
+    le = 5
     in_ = 6
     not_in = 7
 

backend/common/security/permission.py

@@ -1,10 +1,18 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
+from typing import TYPE_CHECKING
+
 from fastapi import Request
-from sqlalchemy import ColumnElement
+from sqlalchemy import ColumnElement, and_, or_
 
+from backend.common.enums import RoleDataRuleExpressionType, RoleDataRuleOperatorType
+from backend.common.exception import errors
 from backend.common.exception.errors import ServerError
 from backend.core.conf import settings
+from backend.utils.import_parse import dynamic_import
+
+if TYPE_CHECKING:
+    from backend.app.admin.schema.data_rule import GetDataRuleListDetails
 
 
 class RequestPermission:
@@ -27,4 +35,75 @@ async def __call__(self, request: Request):
             request.state.permission = self.value
 
 
-def filter_data_scope() -> ColumnElement[bool]: ...
+def filter_data_permission(request: Request) -> ColumnElement[bool]:
+    """
+    过滤数据权限
+
+    使用场景：用户登录前台后，控制其能看到哪些数据
+
+    :param request:
+    :return:
+    """
+    user_data_rules: list[GetDataRuleListDetails] = request.user.roles.rules
+
+    # 超级管理员和无规则用户不做过滤
+    if request.user.is_superuser or not user_data_rules:
+        return or_(1 == 1)
+
+    where_and_list = []
+    where_or_list = []
+    allowed_models = frozenset(m.split('.')[-1] for m in settings.ALLOWED_MODELS)
+
+    for rule in user_data_rules:
+        rule_model = rule.model
+        if rule_model not in allowed_models:
+            raise errors.NotFoundError(msg='数据模型不存在')
+        try:
+            model_ins = dynamic_import(rule_model)
+        except Exception:
+            raise errors.ServerError(msg='数据模型动态调用失败，请联系系统超级管理员')
+        model_columns = model_ins.__table__.columns.keys()
+        column = rule.column
+        if column not in model_columns:
+            raise errors.NotFoundError(msg='数据模型列不存在')
+
+        # 获取模型的列对象
+        column_obj = getattr(model_ins, column)
+        rule_expression = rule.expression
+
+        # 根据表达式类型构建条件
+        condition = None
+        if rule_expression == RoleDataRuleExpressionType.eq:
+            condition = column_obj == rule.value
+        elif rule_expression == RoleDataRuleExpressionType.ne:
+            condition = column_obj != rule.value
+        elif rule_expression == RoleDataRuleExpressionType.gt:
+            condition = column_obj > rule.value
+        elif rule_expression == RoleDataRuleExpressionType.ge:
+            condition = column_obj >= rule.value
+        elif rule_expression == RoleDataRuleExpressionType.lt:
+            condition = column_obj < rule.value
+        elif rule_expression == RoleDataRuleExpressionType.le:
+            condition = column_obj <= rule.value
+        elif rule_expression == RoleDataRuleExpressionType.in_:
+            values = rule.value.split(',') if isinstance(rule.value, str) else rule.value
+            condition = column_obj.in_(values)
+        elif rule.expression == RoleDataRuleExpressionType.not_in:
+            values = rule.value.split(',') if isinstance(rule.value, str) else rule.value
+            condition = ~column_obj.in_(values)
+
+        if condition is not None:
+            rule_operator = rule.operator
+            if rule_operator == RoleDataRuleOperatorType.AND:
+                where_and_list.append(condition)
+            elif rule_operator == RoleDataRuleOperatorType.OR:
+                where_or_list.append(condition)
+
+    # 组合条件
+    where_list = []
+    if where_and_list:
+        where_list.append(and_(*where_and_list))
+    if where_or_list:
+        where_list.append(or_(*where_or_list))
+
+    return or_(*where_list) if where_list else or_(1 == 1)

backend/core/conf.py

@@ -167,6 +167,13 @@ def validate_openapi_url(cls, values):
         'confirm_password',
     ]
 
+    # Data Perms
+    ALLOWED_MODELS: list[
+        str
+    ] = [  # 允许进行数据过滤的 SQLA 模型，它必须以模块字符串的方式定义（它应该只用于前台数据，这里只是为了演示）
+        'backend.app.admin.model.Api'
+    ]
+
 
 @lru_cache
 def get_settings() -> Settings:

backend/utils/import_parse.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import importlib
+
+from typing import Any
+
+
+def parse_module_str(module_path: str) -> tuple:
+    """
+    Parse a module string into a Python module and class/function.
+
+    :param module_path:
+    :return:
+    """
+    module_name, class_or_func = module_path.rsplit('.', 1)
+    return module_name, class_or_func
+
+
+def dynamic_import(module_path: str) -> Any:
+    """
+    动态导入
+
+    :param module_path:
+    :return:
+    """
+    module_name, object_name = parse_module_str(module_path)
+    module = importlib.import_module(module_name)
+    class_or_func = getattr(module, object_name)
+    return class_or_func