From 78e45d07cfd9c25760abb33e061c56d8a57e0889 Mon Sep 17 00:00:00 2001
From: imp2002
Date: Mon, 5 Dec 2022 16:08:17 +0800
Subject: [PATCH] fix: support RBAC With Domains/Tenants (#1333)

* feat: support RBAC With Domains/Tenants

* fix: add verify for `UpdatePermission`

* Update permission.go

Co-authored-by: hsluoyz
---
 object/permission.go          | 20 ++++++++++++++++++++
 object/permission_enforcer.go | 13 +++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/object/permission.go b/object/permission.go
index 08bf5bbb..56f28ed0 100644
--- a/object/permission.go
+++ b/object/permission.go
@@ -111,7 +111,27 @@ func GetPermission(id string) *Permission {
 	return getPermission(owner, name)
 }
 
+// checkPermissionValid verifies if the permission is valid
+func checkPermissionValid(permission *Permission) {
+	enforcer := getEnforcer(permission)
+	enforcer.EnableAutoSave(false)
+	policies, groupingPolicies := getPolicies(permission)
+
+	if len(groupingPolicies) > 0 {
+		_, err := enforcer.AddGroupingPolicies(groupingPolicies)
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	_, err := enforcer.AddPolicies(policies)
+	if err != nil {
+		panic(err)
+	}
+}
+
 func UpdatePermission(id string, permission *Permission) bool {
+	checkPermissionValid(permission)
 	owner, name := util.GetOwnerAndNameFromId(id)
 	oldPermission := getPermission(owner, name)
 	if oldPermission == nil {
diff --git a/object/permission_enforcer.go b/object/permission_enforcer.go
index 3c76a0e5..f443c75b 100644
--- a/object/permission_enforcer.go
+++ b/object/permission_enforcer.go
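Review bot: checkPermissionValid "verifies" by really calling AddGroupingPolicies/AddPolicies on the enforcer returned by getEnforcer, so the permission's rules land in that enforcer's in-memory policy even though auto-save is off and UpdatePermission may still return false a few lines later (the `oldPermission == nil` branch). That is harmless only if getEnforcer builds a fresh enforcer and adapter per call; if it hands back a shared or cached instance, the unsaved rules become visible to Enforce and the `EnableAutoSave(false)` sticks for everyone — worth confirming, since getEnforcer is outside this hunk. The doc comment also undersells the contract, as the function returns nothing and reports a bad policy only by panicking: `// checkPermissionValid loads the permission's policies into an enforcer with auto-save disabled and panics if casbin rejects any of them; nothing is persisted.` Only UpdatePermission is wired up here; if an AddPermission path exists in this file it presumably needs the same check, otherwise an invalid permission can still be created and only fail later on update. UpdatePermission's body continues past the end of the hunk.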
@@ -157,7 +157,12 @@ func removePolicies(permission *Permission) {
 func Enforce(permissionRule *PermissionRule) bool {
 	permission := GetPermission(permissionRule.Id)
 	enforcer := getEnforcer(permission)
-	allow, err := enforcer.Enforce(permissionRule.V0, permissionRule.V1, permissionRule.V2)
+
+	request := []interface{}{permissionRule.V0, permissionRule.V1, permissionRule.V2}
+	if permissionRule.V3 != "" {
+		request = append(request, permissionRule.V3)
+	}
+	allow, err := enforcer.Enforce(request...)
 	if err != nil {
 		panic(err)
 	}
@@ -167,7 +172,11 @@ func Enforce(permissionRule *PermissionRule) bool {
 func BatchEnforce(permissionRules []PermissionRule) []bool {
 	var requests [][]interface{}
 	for _, permissionRule := range permissionRules {
-		requests = append(requests, []interface{}{permissionRule.V0, permissionRule.V1, permissionRule.V2})
+		if permissionRule.V3 != "" {
+			requests = append(requests, []interface{}{permissionRule.V0, permissionRule.V1, permissionRule.V2, permissionRule.V3})
+		} else {
+			requests = append(requests, []interface{}{permissionRule.V0, permissionRule.V1, permissionRule.V2})
+		}
 	}
 	permission := GetPermission(permissionRules[0].Id)
 	enforcer := getEnforcer(permission)
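Review bot: The request arity in Enforce is chosen by whether permissionRule.V3 happens to be non-empty rather than by what the permission's model expects, so a caller that omits the domain against a domain-aware model sends three values to a four-token request definition (and a caller that supplies one against a plain model sends four to three); as far as I recall casbin rejects that size mismatch with an error, which the existing `if err != nil { panic(err) }` turns into a crash rather than a clean deny. An empty string is also a legitimate domain value but cannot be expressed under this sentinel scheme. Sizing the request from the model keeps both cases well-defined: `if len(enforcer.GetModel()["r"]["r"].Tokens) > 3 { request = append(request, permissionRule.V3) }` — assuming getEnforcer returns a casbin enforcer that exposes GetModel, which I cannot see from the hunk. Either way a one-line comment on why V3 is optional (`// V3 is the domain/tenant; only models with a 4-token request definition take it`) would help the next reader.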
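Review bot: BatchEnforce repeats the V3-sentinel branch from Enforce inline, and because each rule decides its own arity a batch that mixes rules with and without V3 yields requests of different lengths against a single model, which (as far as I recall) casbin's BatchEnforce rejects as a whole. Note also that only `permissionRules[0].Id` is consulted: every rule in the batch is evaluated against the first rule's permission and the other rules' Ids are silently ignored, which is acceptable only if callers guarantee a homogeneous batch and should at least be stated in a comment; an empty batch currently panics on the index. A shared helper that sizes the request from the model, plus an explicit empty-batch guard, removes the duplication and is sketched below, assuming getEnforcer returns a casbin enforcer exposing GetModel. BatchEnforce's body continues outside the hunk.
```go
// buildRequest builds one enforcer request; the domain (V3) is included
// only when the model's request definition has a fourth token.
func buildRequest(rule PermissionRule, requestTokens int) []interface{} {
	request := []interface{}{rule.V0, rule.V1, rule.V2}
	if requestTokens > 3 {
		request = append(request, rule.V3)
	}
	return request
}

func BatchEnforce(permissionRules []PermissionRule) []bool {
	if len(permissionRules) == 0 {
		return nil
	}
	// All rules in the batch are evaluated against the first rule's permission.
	permission := GetPermission(permissionRules[0].Id)
	enforcer := getEnforcer(permission)
	requestTokens := len(enforcer.GetModel()["r"]["r"].Tokens)
	requests := make([][]interface{}, 0, len(permissionRules))
	for _, permissionRule := range permissionRules {
		requests = append(requests, buildRequest(permissionRule, requestTokens))
	}
	// … unchanged: enforcer.BatchEnforce call and result handling …
```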