package hr

import (
	"errors"

	"WiiCITMS/models/hr"
	"WiiCITMS/process/common"
	"WiiGenerates/WiiCITMS/generates/v1/go/types"
	"WiiGoLibrary/apply/middle/process/v1"
)

// PermissionCheckResult is the outcome of an access-control check.
// The zero value is a denial: HasPermission is false and no code or
// message is set, so a caller that forgets to inspect it fails closed.
type PermissionCheckResult struct {
	HasPermission bool   `json:"hasPermission"` // whether the operation is allowed
	ErrorMessage  string `json:"errorMessage"`  // human-readable reason when denied, empty when allowed
	ErrorCode     int    `json:"errorCode"`     // error code when denied, 0 when allowed
}

// Resource, operation and error-code constants come from the common package.

// CheckAccessControl decides whether a staff member may perform an
// operation on a resource and never returns nil.
//
//	staffGuid:  the staff member performing the operation
//	operation:  operation type (create, update, delete, view, approve)
//	resource:   resource type (organization, position, staff, leave, workflow)
//	resourceId: resource identifier, optional
//
// Decision order: a system administrator is granted everything; otherwise the
// (resource, operation) pair is mapped to a permission ID and the staff
// member's position permissions are consulted. Any error from the underlying
// checks results in a denial (fail closed) with the error text appended to
// ErrorMessage. Since the result is JSON-serialisable, the underlying error
// text may reach the API consumer — NOTE(review): confirm that is intended
// before exposing this result to untrusted clients.
func CheckAccessControl(staffGuid string, operation string, resource string, resourceId string) *PermissionCheckResult {
	// Every denial carries the same error code; only the message differs.
	denied := func(reason string) *PermissionCheckResult {
		return &PermissionCheckResult{
			HasPermission: false,
			ErrorMessage:  reason,
			ErrorCode:     common.NoPermissionErrorCode,
		}
	}
	// A grant has an empty message and a zero error code.
	granted := func() *PermissionCheckResult {
		return &PermissionCheckResult{HasPermission: true}
	}

	// System administrators bypass the per-permission lookup entirely.
	isAdmin, proc := IsSystemAdmin(staffGuid)
	if proc.IsError() {
		return denied("权限检查失败: " + proc.Error.Error())
	}
	if isAdmin {
		return granted()
	}

	// An unmapped (resource, operation) pair is treated as a denial rather
	// than as "no permission needed".
	permissionID := getRequiredPermissionID(resource, operation)
	if permissionID <= 0 {
		return denied("未定义的权限操作")
	}

	req := CheckPermissionRequest{
		StaffGuid:    staffGuid,
		PermissionID: permissionID,
	}
	// Organization-scoped resources narrow the check to the given resource ID.
	// NOTE(review): for the staff resource the ID is passed as OrganizationGuid —
	// confirm callers supply an organization GUID rather than a staff GUID there.
	orgScoped := resource == common.ResourceOrganization || resource == common.ResourceStaff
	if orgScoped && resourceId != "" {
		req.OrganizationGuid = resourceId
	}

	allowed, proc := CheckStaffPermission(req)
	if proc.IsError() {
		return denied("权限检查失败: " + proc.Error.Error())
	}
	if allowed {
		return granted()
	}
	return denied("权限不足")
}

// getRequiredPermissionID maps a (resource, operation) pair to the permission
// ID that must be held. It returns 0 for any pair that is not mapped; the
// workflow resource maps every operation to the workflow-admin permission.
func getRequiredPermissionID(resource string, operation string) int {
	switch {
	case resource == common.ResourceOrganization && operation == common.OperationView:
		return hr.PermOrganizationView
	case resource == common.ResourceOrganization && operation == common.OperationCreate:
		return hr.PermOrganizationCreate
	case resource == common.ResourceOrganization && operation == common.OperationUpdate:
		return hr.PermOrganizationUpdate
	case resource == common.ResourceOrganization && operation == common.OperationDelete:
		return hr.PermOrganizationDelete

	case resource == common.ResourcePosition && operation == common.OperationView:
		return hr.PermPositionView
	case resource == common.ResourcePosition && operation == common.OperationCreate:
		return hr.PermPositionCreate
	case resource == common.ResourcePosition && operation == common.OperationUpdate:
		return hr.PermPositionUpdate
	case resource == common.ResourcePosition && operation == common.OperationDelete:
		return hr.PermPositionDelete

	case resource == common.ResourceStaff && operation == common.OperationView:
		return hr.PermStaffView
	case resource == common.ResourceStaff && operation == common.OperationCreate:
		return hr.PermStaffCreate
	case resource == common.ResourceStaff && operation == common.OperationUpdate:
		return hr.PermStaffUpdate
	case resource == common.ResourceStaff && operation == common.OperationDelete:
		return hr.PermStaffDelete

	// Leave only distinguishes viewing from approving.
	case resource == common.ResourceLeave && operation == common.OperationView:
		return hr.PermLeaveView
	case resource == common.ResourceLeave && operation == common.OperationApprove:
		return hr.PermLeaveApprove

	// Workflow: a single admin permission regardless of operation.
	case resource == common.ResourceWorkflow:
		return hr.PermWorkflowAdmin
	}
	return 0
}

// RequirePermission wraps CheckAccessControl for handler code: it returns nil
// when the operation is allowed and a failed process carrying
// types.NoPermissionError and the denial message otherwise. Call it before
// performing the guarded operation.
func RequirePermission(staffGuid string, operation string, resource string, resourceId string) *process.Process {
	check := CheckAccessControl(staffGuid, operation, resource, resourceId)
	if check.HasPermission {
		return nil
	}
	return process.FailError(types.NoPermissionError, errors.New(check.ErrorMessage))
}