From 4e4fbb8ba9da377cdb1f866b5ab5933b7da142e1 Mon Sep 17 00:00:00 2001
From: LittleSheep <littlesheep.code@hotmail.com>
Date: Fri, 17 May 2024 19:24:14 +0800
Subject: [PATCH] :sparkles: Permission check

---
 .idea/workspace.xml      | 55 +++++++++++++++++++---------------------
 pkg/server/realms_api.go |  4 +--
 pkg/services/accounts.go |  2 +-
 pkg/services/perms.go    |  9 ++++++-
 pkg/utils/request.go     | 13 ++++++++++
 5 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 82c913b..b53f1dd 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -4,10 +4,7 @@
     <option name="autoReloadType" value="ALL" />
   </component>
   <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Basis perm nodes feature">
-      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/server/ws.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/server/ws.go" afterDir="false" />
-    </list>
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Permission check" />
     <option name="SHOW_DIALOG" value="false" />
     <option name="HIGHLIGHT_CONFLICTS" value="true" />
     <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
@@ -41,32 +38,32 @@
     <option name="hideEmptyMiddlePackages" value="true" />
     <option name="showLibraryContents" value="true" />
   </component>
-  <component name="PropertiesComponent">{
-  &quot;keyToString&quot;: {
-    &quot;DefaultGoTemplateProperty&quot;: &quot;Go File&quot;,
-    &quot;Go 构建.Backend.executor&quot;: &quot;Run&quot;,
-    &quot;RunOnceActivity.ShowReadmeOnStart&quot;: &quot;true&quot;,
-    &quot;RunOnceActivity.go.formatter.settings.were.checked&quot;: &quot;true&quot;,
-    &quot;RunOnceActivity.go.migrated.go.modules.settings&quot;: &quot;true&quot;,
-    &quot;RunOnceActivity.go.modules.automatic.dependencies.download&quot;: &quot;true&quot;,
-    &quot;RunOnceActivity.go.modules.go.list.on.any.changes.was.set&quot;: &quot;true&quot;,
-    &quot;git-widget-placeholder&quot;: &quot;master&quot;,
-    &quot;go.import.settings.migrated&quot;: &quot;true&quot;,
-    &quot;go.sdk.automatically.set&quot;: &quot;true&quot;,
-    &quot;last_opened_file_path&quot;: &quot;/Users/littlesheep/Documents/Projects/Hydrogen/Passport/pkg/server/ui&quot;,
-    &quot;node.js.detected.package.eslint&quot;: &quot;true&quot;,
-    &quot;node.js.selected.package.eslint&quot;: &quot;(autodetect)&quot;,
-    &quot;nodejs_package_manager_path&quot;: &quot;npm&quot;,
-    &quot;run.code.analysis.last.selected.profile&quot;: &quot;pProject Default&quot;,
-    &quot;settings.editor.selected.configurable&quot;: &quot;preferences.lookFeel&quot;,
-    &quot;vue.rearranger.settings.migration&quot;: &quot;true&quot;
+  <component name="PropertiesComponent"><![CDATA[{
+  "keyToString": {
+    "DefaultGoTemplateProperty": "Go File",
+    "Go 构建.Backend.executor": "Run",
+    "RunOnceActivity.ShowReadmeOnStart": "true",
+    "RunOnceActivity.go.formatter.settings.were.checked": "true",
+    "RunOnceActivity.go.migrated.go.modules.settings": "true",
+    "RunOnceActivity.go.modules.automatic.dependencies.download": "true",
+    "RunOnceActivity.go.modules.go.list.on.any.changes.was.set": "true",
+    "git-widget-placeholder": "master",
+    "go.import.settings.migrated": "true",
+    "go.sdk.automatically.set": "true",
+    "last_opened_file_path": "/Users/littlesheep/Documents/Projects/Hydrogen/Passport/pkg/server/ui",
+    "node.js.detected.package.eslint": "true",
+    "node.js.selected.package.eslint": "(autodetect)",
+    "nodejs_package_manager_path": "npm",
+    "run.code.analysis.last.selected.profile": "pProject Default",
+    "settings.editor.selected.configurable": "preferences.lookFeel",
+    "vue.rearranger.settings.migration": "true"
   },
-  &quot;keyToStringList&quot;: {
-    &quot;DatabaseDriversLRU&quot;: [
-      &quot;postgresql&quot;
+  "keyToStringList": {
+    "DatabaseDriversLRU": [
+      "postgresql"
     ]
   }
-}</component>
+}]]></component>
   <component name="RecentsManager">
     <key name="CopyFile.RECENT_KEYS">
       <recent name="$PROJECT_DIR$/pkg/server/ui" />
@@ -139,7 +136,6 @@
     </option>
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value=":sparkles: User center page" />
     <MESSAGE value=":sparkles: Personalize" />
     <MESSAGE value=":sparkles: OAuth" />
     <MESSAGE value=":truck: Update well known" />
@@ -164,7 +160,8 @@
     <MESSAGE value=":bug: Fix key exchange cause echo" />
     <MESSAGE value=":bug: Fix notification push issue" />
     <MESSAGE value=":sparkles: Basis perm nodes feature" />
-    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Basis perm nodes feature" />
+    <MESSAGE value=":sparkles: Permission check" />
+    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Permission check" />
   </component>
   <component name="VgoProject">
     <settings-migrated>true</settings-migrated>
diff --git a/pkg/server/realms_api.go b/pkg/server/realms_api.go
index a14a1ca..8944d02 100644
--- a/pkg/server/realms_api.go
+++ b/pkg/server/realms_api.go
@@ -46,8 +46,8 @@ func listAvailableRealm(c *fiber.Ctx) error {
 
 func createRealm(c *fiber.Ctx) error {
 	user := c.Locals("principal").(models.Account)
-	if user.PowerLevel < 10 {
-		return fiber.NewError(fiber.StatusForbidden, "require power level 10 to create realms")
+	if err := utils.CheckPermissions(c, "CreateRealms", true); err != nil {
+		return err
 	}
 
 	var data struct {
diff --git a/pkg/services/accounts.go b/pkg/services/accounts.go
index 7739a8a..d734edc 100644
--- a/pkg/services/accounts.go
+++ b/pkg/services/accounts.go
@@ -104,7 +104,7 @@ func ConfirmAccount(code string) error {
 		for k, v := range viper.GetStringMap("permissions.verified") {
 			if val, ok := user.PermNodes[k]; !ok {
 				user.PermNodes[k] = v
-			} else if !HasPermNode(val, v) {
+			} else if !ComparePermNode(val, v) {
 				user.PermNodes[k] = v
 			}
 		}
diff --git a/pkg/services/perms.go b/pkg/services/perms.go
index 9a6914d..438a6e1 100644
--- a/pkg/services/perms.go
+++ b/pkg/services/perms.go
@@ -6,7 +6,14 @@ import (
 	"strings"
 )
 
-func HasPermNode(held any, required any) bool {
+func HasPermNode(perms map[string]any, requiredKey string, requiredValue any) bool {
+	if heldValue, ok := perms[requiredKey]; ok {
+		return ComparePermNode(heldValue, requiredValue)
+	}
+	return false
+}
+
+func ComparePermNode(held any, required any) bool {
 	heldValue := reflect.ValueOf(held)
 	requiredValue := reflect.ValueOf(required)
 
diff --git a/pkg/utils/request.go b/pkg/utils/request.go
index 4a15493..e82d7bc 100644
--- a/pkg/utils/request.go
+++ b/pkg/utils/request.go
@@ -1,6 +1,8 @@
 package utils
 
 import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"github.com/samber/lo"
@@ -19,6 +21,17 @@ func BindAndValidate(c *fiber.Ctx, out any) error {
 	return nil
 }
 
+func GetPermissions(c *fiber.Ctx) map[string]any {
+	return c.Locals("permissions").(map[string]any)
+}
+
+func CheckPermissions(c *fiber.Ctx, key string, val any) error {
+	if !services.HasPermNode(GetPermissions(c), key, val) {
+		return fiber.NewError(fiber.StatusForbidden, fmt.Sprintf("requires permission: %s = %v", key, val))
+	}
+	return nil
+}
+
 func GetRedirectUri(c *fiber.Ctx, fallback ...string) *string {
 	if len(c.Query("redirect_uri")) > 0 {
 		return lo.ToPtr(c.Query("redirect_uri"))