Merge pull request #57 from import-ai/refactor/resources

ycdzj · web-flow · commit 275f44333ec2 · 2025-05-23T15:24:53.000+08:00
fix(resources): check edit permission level
diff --git a/src/permissions/permission-level.enum.ts b/src/permissions/permission-level.enum.ts
@@ -5,3 +5,18 @@ export enum PermissionLevel {
   CAN_EDIT = 'can_edit',
   FULL_ACCESS = 'full_access',
 }
+
+const order = [
+  PermissionLevel.NO_ACCESS,
+  PermissionLevel.CAN_VIEW,
+  PermissionLevel.CAN_COMMENT,
+  PermissionLevel.CAN_EDIT,
+  PermissionLevel.FULL_ACCESS,
+];
+
+export function comparePermissionLevel(
+  a: PermissionLevel,
+  b: PermissionLevel,
+): number {
+  return order.indexOf(a) - order.indexOf(b);
+}
diff --git a/src/permissions/permissions.service.ts b/src/permissions/permissions.service.ts
@@ -4,7 +4,10 @@ import { DataSource, EntityManager, IsNull, Repository } from 'typeorm';
 import { PermissionDto } from './dto/permission.dto';
 import { ListRespDto, UserPermissionDto } from './dto/list-resp.dto';
 import { plainToInstance } from 'class-transformer';
-import { PermissionLevel } from './permission-level.enum';
+import {
+  comparePermissionLevel,
+  PermissionLevel,
+} from './permission-level.enum';
 import { UserPermission } from './entities/user-permission.entity';
 import { GroupPermission } from './entities/group-permission.entity';
 import { Resource } from 'src/resources/resources.entity';
@@ -334,20 +337,21 @@ export class PermissionsService {
     namespaceId: string,
     resourceId: string,
     userId: string,
+    level: PermissionLevel = PermissionLevel.CAN_VIEW,
   ) {
     const globalLevel = await this.getGlobalPermissionLevel(
       namespaceId,
       resourceId,
     );
-    if (globalLevel != PermissionLevel.NO_ACCESS) {
+    if (comparePermissionLevel(globalLevel, level) >= 0) {
       return true;
     }
     const userPermi = await this.getUserPermission(
       namespaceId,
       resourceId,
       userId,
     );
-    if (userPermi.level != PermissionLevel.NO_ACCESS) {
+    if (comparePermissionLevel(userPermi.level, level) >= 0) {
       return true;
     }
     const groups = await this.groupUserRepository.find({
@@ -363,13 +367,54 @@ export class PermissionsService {
         resourceId,
         group.group.id,
       );
-      if (groupLevel != PermissionLevel.NO_ACCESS) {
+      if (comparePermissionLevel(groupLevel, level) >= 0) {
         return true;
       }
     }
     return false;
   }
 
+  async getCurrentLevel(
+    namespaceId: string,
+    resourceId: string,
+    userId: string,
+  ): Promise<PermissionLevel> {
+    let level = PermissionLevel.NO_ACCESS;
+    const globalLevel = await this.getGlobalPermissionLevel(
+      namespaceId,
+      resourceId,
+    );
+    if (comparePermissionLevel(globalLevel, level) >= 0) {
+      level = globalLevel;
+    }
+    const userPermi = await this.getUserPermission(
+      namespaceId,
+      resourceId,
+      userId,
+    );
+    if (comparePermissionLevel(userPermi.level, level) >= 0) {
+      level = userPermi.level;
+    }
+    const groups = await this.groupUserRepository.find({
+      where: {
+        namespace: { id: namespaceId },
+        user: { id: userId },
+      },
+      relations: ['group'],
+    });
+    for (const group of groups) {
+      const groupLevel = await this.getGroupPermissionLevel(
+        namespaceId,
+        resourceId,
+        group.group.id,
+      );
+      if (comparePermissionLevel(groupLevel, level) >= 0) {
+        level = groupLevel;
+      }
+    }
+    return level;
+  }
+
   async getParentId(
     namespaceId: string,
     resourceId: string,
diff --git a/src/resources/resources.controller.ts b/src/resources/resources.controller.ts
@@ -84,7 +84,13 @@ export class ResourcesController {
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');
     }
-    return await this.resourcesService.get(resourceId);
+    const currentLevel = await this.permissionsService.getCurrentLevel(
+      namespaceId,
+      resourceId,
+      req.user.id,
+    );
+    const resource = await this.resourcesService.get(resourceId);
+    return { ...resource, currentLevel };
   }
 
   @Patch(':resourceId')
@@ -98,6 +104,7 @@ export class ResourcesController {
       namespaceId,
       resourceId,
       req.user.id,
+      PermissionLevel.CAN_EDIT,
     );
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');
@@ -115,6 +122,7 @@ export class ResourcesController {
       namespaceId,
       resourceId,
       req.user.id,
+      PermissionLevel.CAN_EDIT,
     );
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');
