casdoor/object/role.go

// Copyright 2021 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	"fmt"
	"strings"

	"github.com/casdoor/casdoor/util"
	"github.com/xorm-io/core"
)

type Role struct {
	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
	DisplayName string `xorm:"varchar(100)" json:"displayName"`

	Users     []string `xorm:"mediumtext" json:"users"`
	Roles     []string `xorm:"mediumtext" json:"roles"`
	Domains   []string `xorm:"mediumtext" json:"domains"`
	IsEnabled bool     `json:"isEnabled"`
}

func GetRoleCount(owner, field, value string) int {
	session := GetSession(owner, -1, -1, field, value, "", "")
	count, err := session.Count(&Role{})
	if err != nil {
		panic(err)
	}

	return int(count)
}

func GetRoles(owner string) []*Role {
	roles := []*Role{}
	err := adapter.Engine.Desc("created_time").Find(&roles, &Role{Owner: owner})
	if err != nil {
		panic(err)
	}

	return roles
}

func GetPaginationRoles(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Role {
	roles := []*Role{}
	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
	err := session.Find(&roles)
	if err != nil {
		panic(err)
	}

	return roles
}

func getRole(owner string, name string) *Role {
	if owner == "" || name == "" {
		return nil
	}

	role := Role{Owner: owner, Name: name}
	existed, err := adapter.Engine.Get(&role)
	if err != nil {
		panic(err)
	}

	if existed {
		return &role
	} else {
		return nil
	}
}

func GetRole(id string) *Role {
	owner, name := util.GetOwnerAndNameFromId(id)
	return getRole(owner, name)
}

func UpdateRole(id string, role *Role) bool {
	owner, name := util.GetOwnerAndNameFromId(id)
	oldRole := getRole(owner, name)
	if oldRole == nil {
		return false
	}

	permissions := GetPermissionsByRole(id)
	for _, permission := range permissions {
		removeGroupingPolicies(permission)
		removePolicies(permission)
	}

	if name != role.Name {
		err := roleChangeTrigger(name, role.Name)
		if err != nil {
			return false
		}
	}

	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(role)
	if err != nil {
		panic(err)
	}

	newRoleID := role.GetId()
	permissions = GetPermissionsByRole(newRoleID)
	for _, permission := range permissions {
		addGroupingPolicies(permission)
		addPolicies(permission)
	}

	return affected != 0
}

func AddRole(role *Role) bool {
	affected, err := adapter.Engine.Insert(role)
	if err != nil {
		panic(err)
	}

	return affected != 0
}

func DeleteRole(role *Role) bool {
	roleId := role.GetId()
	permissions := GetPermissionsByRole(roleId)
	for _, permission := range permissions {
		permission.Roles = util.DeleteVal(permission.Roles, roleId)
		UpdatePermission(permission.GetId(), permission)
	}

	affected, err := adapter.Engine.ID(core.PK{role.Owner, role.Name}).Delete(&Role{})
	if err != nil {
		panic(err)
	}

	return affected != 0
}

func (role *Role) GetId() string {
	return fmt.Sprintf("%s/%s", role.Owner, role.Name)
}

func GetRolesByUser(userId string) []*Role {
	roles := []*Role{}
	err := adapter.Engine.Where("users like ?", "%"+userId+"%").Find(&roles)
	if err != nil {
		panic(err)
	}

	for i := range roles {
		roles[i].Users = nil
	}

	return roles
}

func roleChangeTrigger(oldName string, newName string) error {
	session := adapter.Engine.NewSession()
	defer session.Close()

	err := session.Begin()
	if err != nil {
		return err
	}

	var roles []*Role
	err = adapter.Engine.Find(&roles)
	if err != nil {
		return err
	}
	for _, role := range roles {
		for j, u := range role.Roles {
			split := strings.Split(u, "/")
			if split[1] == oldName {
				split[1] = newName
				role.Roles[j] = split[0] + "/" + split[1]
			}
		}
		_, err = session.Where("name=?", role.Name).Update(role)
		if err != nil {
			return err
		}
	}

	var permissions []*Permission
	err = adapter.Engine.Find(&permissions)
	if err != nil {
		return err
	}
	for _, permission := range permissions {
		for j, u := range permission.Roles {
			// u = organization/username
			split := strings.Split(u, "/")
			if split[1] == oldName {
				split[1] = newName
				permission.Roles[j] = split[0] + "/" + split[1]
			}
		}
		_, err = session.Where("name=?", permission.Name).Update(permission)
		if err != nil {
			return err
		}
	}

	return session.Commit()
}

func GetMaskedRoles(roles []*Role) []*Role {
	for _, role := range roles {
		role.Users = nil
	}

	return roles
}
Update license headers. 2022-02-13 23:39:27 +08:00			`// Copyright 2021 The Casdoor Authors. All Rights Reserved.`
Add role page. 2022-01-01 15:11:16 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package object`

			`import (`
			`"fmt"`
feat: change all occurrences when a object name is changed (#1252) 2022-11-02 00:17:38 +08:00			`"strings"`
Add role page. 2022-01-01 15:11:16 +08:00
Update import path. 2022-01-20 14:11:46 +08:00			`"github.com/casdoor/casdoor/util"`
feat: app session control and db migrate (#1539) * feat: integrate application session management into Casdoor's session management (#774) && standardized the database migration process (#1533) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) * feat: integrate application session management into Casdoor's session management (#774) && standardized the database migration process * feat: integrate application session management into Casdoor's session management (#774) && standardized the database migration process * feat: integrate application session management into Casdoor's session management (#774) && standardized the database migration process --------- Co-authored-by: Zayn Xie <84443886+xiaoniuren99@users.noreply.github.com> * fix: migrate err * fix: migrate err * feat: app session control and db migrate * feat: app session control and db migrate * feat: app session control and db migrate --------- Co-authored-by: Zayn Xie <84443886+xiaoniuren99@users.noreply.github.com> 2023-02-12 09:33:24 +08:00			`"github.com/xorm-io/core"`
Add role page. 2022-01-01 15:11:16 +08:00			`)`

			`type Role struct {`
			Owner string `xorm:"varchar(100) notnull pk" json:"owner"`
			Name string `xorm:"varchar(100) notnull pk" json:"name"`
			CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
			DisplayName string `xorm:"varchar(100)" json:"displayName"`

			Users []string `xorm:"mediumtext" json:"users"`
			Roles []string `xorm:"mediumtext" json:"roles"`
feat: support RBAC model in permission (#1006) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-08-15 10:24:26 +08:00			Domains []string `xorm:"mediumtext" json:"domains"`
Add role page. 2022-01-01 15:11:16 +08:00			IsEnabled bool `json:"isEnabled"`
			`}`

			`func GetRoleCount(owner, field, value string) int {`
fix: fix the SQL injection vulnerability in field filter (#442) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-01-26 19:36:36 +08:00			`session := GetSession(owner, -1, -1, field, value, "", "")`
Add role page. 2022-01-01 15:11:16 +08:00			`count, err := session.Count(&Role{})`
			`if err != nil {`
			`panic(err)`
			`}`

			`return int(count)`
			`}`

			`func GetRoles(owner string) []*Role {`
			`roles := []*Role{}`
			`err := adapter.Engine.Desc("created_time").Find(&roles, &Role{Owner: owner})`
			`if err != nil {`
			`panic(err)`
			`}`

			`return roles`
			`}`

			`func GetPaginationRoles(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Role {`
			`roles := []*Role{}`
			`session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)`
			`err := session.Find(&roles)`
			`if err != nil {`
			`panic(err)`
			`}`

			`return roles`
			`}`

			`func getRole(owner string, name string) *Role {`
			`if owner == "" \|\| name == "" {`
			`return nil`
			`}`

			`role := Role{Owner: owner, Name: name}`
			`existed, err := adapter.Engine.Get(&role)`
			`if err != nil {`
			`panic(err)`
			`}`

			`if existed {`
			`return &role`
			`} else {`
			`return nil`
			`}`
			`}`

			`func GetRole(id string) *Role {`
			`owner, name := util.GetOwnerAndNameFromId(id)`
			`return getRole(owner, name)`
			`}`

			`func UpdateRole(id string, role *Role) bool {`
			`owner, name := util.GetOwnerAndNameFromId(id)`
feat: support RBAC model in permission (#1006) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-08-15 10:24:26 +08:00			`oldRole := getRole(owner, name)`
			`if oldRole == nil {`
Add role page. 2022-01-01 15:11:16 +08:00			`return false`
			`}`

feat: update permission rule when role updated (#1477) 2023-01-17 09:27:02 +07:00			`permissions := GetPermissionsByRole(id)`
			`for _, permission := range permissions {`
			`removeGroupingPolicies(permission)`
			`removePolicies(permission)`
			`}`

feat: change all occurrences when a object name is changed (#1252) 2022-11-02 00:17:38 +08:00			`if name != role.Name {`
			`err := roleChangeTrigger(name, role.Name)`
			`if err != nil {`
			`return false`
			`}`
			`}`

Add role page. 2022-01-01 15:11:16 +08:00			`affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(role)`
			`if err != nil {`
			`panic(err)`
			`}`

feat: update permission rule when role updated (#1477) 2023-01-17 09:27:02 +07:00			`newRoleID := role.GetId()`
			`permissions = GetPermissionsByRole(newRoleID)`
			`for _, permission := range permissions {`
			`addGroupingPolicies(permission)`
			`addPolicies(permission)`
			`}`

Add role page. 2022-01-01 15:11:16 +08:00			`return affected != 0`
			`}`

			`func AddRole(role *Role) bool {`
			`affected, err := adapter.Engine.Insert(role)`
			`if err != nil {`
			`panic(err)`
			`}`

			`return affected != 0`
			`}`

			`func DeleteRole(role *Role) bool {`
feat: update permission when role deleted (#1480) 2023-01-17 16:04:58 +07:00			`roleId := role.GetId()`
			`permissions := GetPermissionsByRole(roleId)`
			`for _, permission := range permissions {`
			`permission.Roles = util.DeleteVal(permission.Roles, roleId)`
			`UpdatePermission(permission.GetId(), permission)`
			`}`

Add role page. 2022-01-01 15:11:16 +08:00			`affected, err := adapter.Engine.ID(core.PK{role.Owner, role.Name}).Delete(&Role{})`
			`if err != nil {`
			`panic(err)`
			`}`

			`return affected != 0`
			`}`

			`func (role *Role) GetId() string {`
			`return fmt.Sprintf("%s/%s", role.Owner, role.Name)`
			`}`
feat: get user api return roles and permissions (#929) 2022-07-30 17:31:56 +08:00
			`func GetRolesByUser(userId string) []*Role {`
			`roles := []*Role{}`
			`err := adapter.Engine.Where("users like ?", "%"+userId+"%").Find(&roles)`
			`if err != nil {`
			`panic(err)`
			`}`

fix(secure): remove user list from roles and permissions field to avoid leaking userlist (#1614) * fix(secure): remove user list from roles and permissions field to avoid leaking userlist Signed-off-by: fengxsong <fengxsong@outlook.com> * Update permission.go * Update role.go --------- Signed-off-by: fengxsong <fengxsong@outlook.com> Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-03-03 18:18:41 +08:00			`for i := range roles {`
			`roles[i].Users = nil`
			`}`

feat: get user api return roles and permissions (#929) 2022-07-30 17:31:56 +08:00			`return roles`
			`}`
feat: change all occurrences when a object name is changed (#1252) 2022-11-02 00:17:38 +08:00
			`func roleChangeTrigger(oldName string, newName string) error {`
			`session := adapter.Engine.NewSession()`
			`defer session.Close()`

			`err := session.Begin()`
			`if err != nil {`
			`return err`
			`}`

			`var roles []*Role`
			`err = adapter.Engine.Find(&roles)`
			`if err != nil {`
			`return err`
			`}`
			`for _, role := range roles {`
			`for j, u := range role.Roles {`
			`split := strings.Split(u, "/")`
			`if split[1] == oldName {`
			`split[1] = newName`
			`role.Roles[j] = split[0] + "/" + split[1]`
			`}`
			`}`
			`_, err = session.Where("name=?", role.Name).Update(role)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`var permissions []*Permission`
			`err = adapter.Engine.Find(&permissions)`
			`if err != nil {`
			`return err`
			`}`
			`for _, permission := range permissions {`
			`for j, u := range permission.Roles {`
			`// u = organization/username`
			`split := strings.Split(u, "/")`
			`if split[1] == oldName {`
			`split[1] = newName`
			`permission.Roles[j] = split[0] + "/" + split[1]`
			`}`
			`}`
			`_, err = session.Where("name=?", permission.Name).Update(permission)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`return session.Commit()`
			`}`
fix: add GetMaskedRoles and GetMaskedPermissions when GetAccount (#1456) 2023-01-05 23:02:52 +07:00
			`func GetMaskedRoles(roles []Role) []Role {`
			`for _, role := range roles {`
			`role.Users = nil`
			`}`

			`return roles`
			`}`