From cbdeb91ee81a43f570e620e7c6fbec5cb28b70cb Mon Sep 17 00:00:00 2001
From: aiden
Date: Tue, 17 Oct 2023 01:35:13 -0500
Subject: [PATCH] feat: support groups in app login permissions (#2413)
* fix(permission): fix CheckLoginPermission() logic
* style: fix code format
---------
Co-authored-by: aidenlu
---
 object/check.go | 2 +-
 object/permission.go | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/object/check.go b/object/check.go
index 7c8889f8..f10bf9a2 100644
--- a/object/check.go
+++ b/object/check.go
@@ -370,7 +370,7 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 continue
 }
 
- if !permission.isUserHit(userId) {
+ if !permission.isUserHit(userId) && !permission.isRoleHit(userId) {
 if permission.Effect == "Allow" {
 allowPermissionCount += 1
 } else {
diff --git a/object/permission.go b/object/permission.go
index 9e193f38..d926de06 100644
--- a/object/permission.go
+++ b/object/permission.go
@@ -434,6 +434,21 @@ func (p *Permission) isUserHit(name string) bool {
 return false
 }
 
+func (p *Permission) isRoleHit(userId string) bool {
+ targetRoles, err := getRolesByUser(userId)
+ if err != nil {
+ return false
+ }
+ for _, role := range p.Roles {
+ for _, targetRole := range targetRoles {
+ if targetRole.GetId() == role {
+ return true
+ }
+ }
+ }
+ return false
+}
+
 func (p *Permission) isResourceHit(name string) bool {
 for _, resource := range p.Resources {
 if resource == "*" || resource == name {
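Review bot: The widened condition in CheckLoginPermission calls `permission.isRoleHit(userId)` on each loop iteration that finds no direct user match, and every call repeats the same role lookup for a `userId` that does not change. Resolving the roles once before the loop and passing them in would evaluate every permission against the same role set. The subject line speaks of groups while the new term matches roles, so a comment such as `// a user is hit when listed directly or when holding one of the permission's roles` would record the intent, together with a word on how group membership is expected to reach this check. The loop and the rest of the function lie outside the hunk.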
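Review bot: isRoleHit in object/permission.go returns false when getRolesByUser fails, so a lookup error is indistinguishable from "the user holds none of these roles". For an Allow permission that errs toward refusing the login, but for any other Effect the permission is treated as not applying to the user, which appears to let a role-based deny rule be skipped while the role lookup is failing (the else branch of CheckLoginPermission is outside this diff, so this needs confirming). Returning `(bool, error)` keeps the decision fail-closed, since CheckLoginPermission already returns an error; the call site in object/check.go would then check that error before testing the result. A doc comment stating that entries of `p.Roles` are compared with `GetId()` of each resolved role would also help.

```go
func (p *Permission) isRoleHit(userId string) (bool, error) {
	targetRoles, err := getRolesByUser(userId)
	if err != nil {
		// surface the failure so the caller can refuse the login instead of
		// treating the permission as not applying to this user
		return false, err
	}
	// … unchanged: nested loop over p.Roles and targetRoles, now returning true, nil on a match …
	return false, nil
}
```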