From 6e70f0fc58039a0156eb5eb32e62cf17086bc073 Mon Sep 17 00:00:00 2001
From: Gucheng Wang
Date: Wed, 13 Jul 2022 00:50:32 +0800
Subject: [PATCH] Refactor CheckAccessPermission().
---
 controllers/auth.go | 2 +-
 object/check.go | 29 +++++++++++++++++++----------
 2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/controllers/auth.go b/controllers/auth.go
index d0db8a98..e498cbfc 100644
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -51,7 +51,7 @@ func tokenToResponse(token *object.Token) *Response {
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *RequestForm) (resp *Response) {
 userId := user.GetId()
- allowed, err := object.CheckPermission(userId, application)
+ allowed, err := object.CheckAccessPermission(userId, application)
 if err != nil {
 c.ResponseError(err.Error(), nil)
 return
diff --git a/object/check.go b/object/check.go
index 230f9cec..dd2b3b45 100644
--- a/object/check.go
+++ b/object/check.go
@@ -231,19 +231,28 @@ func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error
 return hasPermission, fmt.Errorf("you don't have the permission to do this")
 }
-func CheckPermission(userId string, application *Application) (bool, error) {
+func CheckAccessPermission(userId string, application *Application) (bool, error) {
 permissions := GetPermissions(application.Organization)
- allow := true
+ allowed := true
 var err error
 for _, permission := range permissions {
- if permission.IsEnabled {
- for _, resource := range permission.Resources {
- if resource == application.Name {
- enforcer := getEnforcer(permission)
- allow, err = enforcer.Enforce(userId, application.Name, "read")
- }
+ if !permission.IsEnabled {
+ continue
+ }
+
+ isHit := false
+ for _, resource := range permission.Resources {
+ if application.Name == resource {
+ isHit = true
+ break
 }
 }
+
+ if isHit {
+ enforcer := getEnforcer(permission)
+ allowed, err = enforcer.Enforce(userId, application.Name, "read")
+ break
+ }
 }
- return allow, err
-}
\ No newline at end of file
+ return allowed, err
+}
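Review bot: The unconditional `break` after `enforcer.Enforce(...)` in the `isHit` branch makes the decision depend only on the first enabled permission that lists `application.Name`, whereas the removed loop evaluated every matching permission and kept the last result, so this "refactor" changes authorization outcomes whenever two permissions cover the same application. A user who is granted access only by a later permission would presumably now be denied, and the result depends on the order in which `GetPermissions` returns its entries. If any-grant semantics are intended, stop only once a decision is final, e.g. `if allowed || err != nil { break }`; whichever combining rule is chosen should be covered by a test with two overlapping permissions. The function also still returns `true` when no enabled permission lists the application (`allowed := true`), so a doc comment such as `// CheckAccessPermission reports whether userId may read application; applications not listed in any enabled permission are allowed.` would make that fail-open default explicit.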