feat: 增加插件系统权限管理

3 years ago · 2e179c4588
parent 8fd124265c
commit 2e179c4588
17 changed files with 472 additions and 29 deletions
--- a/client/shared/utils/role-helper.ts
+++ b/client/shared/utils/role-helper.ts
@ -6,11 +6,27 @@ import { model, t } from '..';
 */
 export const AllPermission = Symbol('AllPermission');
-interface PermissionItem {
+export interface PermissionItemType {
  /**
   * 权限唯一key, 用于写入数据库
   * 如果为插件则权限点应当符合命名规范, 如: plugin.com.msgbyte.github.manage
   */
  key: string;
  /**
   * 权限点显示名称
   */
  title: string;
  /**
   * 权限描述
   */
  desc: string;
  /**
   * 是否默认开启
   */
  default: boolean;
  /**
   * 是否依赖其他权限点
   */
  required?: string[];
 }
@ -29,10 +45,7 @@ export const PERMISSION = {
  },
 };
-/**
+export const permissionList: PermissionItemType[] = [
 * TODO: 后端校验还没做
 */
 export const permissionList: PermissionItem[] = [
  {
    key: PERMISSION.core.message,
    title: t('发送消息'),
--- a/client/web/package.json
+++ b/client/web/package.json
@ -70,6 +70,7 @@
    "@types/copy-webpack-plugin": "^8.0.0",
    "@types/dts-generator": "^2.1.6",
    "@types/emoji-mart": "^3.0.8",
    "@types/fs-extra": "^9.0.13",
    "@types/is-hotkey": "^0.1.5",
    "@types/jest": "^27.0.3",
    "@types/loadable__component": "^5.13.4",
@ -100,6 +101,7 @@
    "esbuild-loader": "^2.13.1",
    "execa": "^5.1.1",
    "file-loader": "^6.2.0",
    "fs-extra": "^10.0.0",
    "glob": "^7.2.0",
    "html-webpack-plugin": "^5.3.2",
    "jest": "^27.4.5",
--- a/client/web/src/components/modals/GroupDetail/Role/tabs/permission.tsx
+++ b/client/web/src/components/modals/GroupDetail/Role/tabs/permission.tsx
@ -1,9 +1,10 @@
 import { AllPermission, permissionList } from 'tailchat-shared';
-import { Button } from 'antd';
+import { Button, Divider } from 'antd';
 import React, { useCallback, useMemo } from 'react';
 import { model, t } from 'tailchat-shared';
 import { PermissionItem } from '../PermissionItem';
 import { useModifyPermission } from '../useModifyPermission';
 import { pluginPermission } from '@/plugin/common';
 interface RolePermissionProps {
  roleId: typeof AllPermission | string;
@ -63,6 +64,28 @@ export const RolePermission: React.FC<RolePermissionProps> = React.memo(
            onChange={(checked) => handleSwitchPermission(p.key, checked)}
          />
        ))}
        {pluginPermission.length > 0 && (
          <>
            <Divider>{t('以下为插件权限')}</Divider>
            {/* 权限详情 */}
            {pluginPermission.map((p) => (
              <PermissionItem
                key={p.key}
                title={p.title}
                desc={p.desc}
                disabled={
                  p.required
                    ? !p.required.every((r) => editingPermission.includes(r))
                    : undefined
                }
                checked={editingPermission.includes(p.key)}
                onChange={(checked) => handleSwitchPermission(p.key, checked)}
              />
            ))}
          </>
        )}
      </div>
    );
  }
--- a/client/web/src/components/modals/GroupDetail/Role/useRoleActions.ts
+++ b/client/web/src/components/modals/GroupDetail/Role/useRoleActions.ts
@ -1,4 +1,8 @@
-import { AllPermission, getDefaultPermissionList } from 'tailchat-shared';
+import {
  AllPermission,
  getDefaultPermissionList,
  showSuccessToasts,
 } from 'tailchat-shared';
 import { model, t, useAsyncRequest } from 'tailchat-shared';
 export function useRoleActions(
@ -12,6 +16,7 @@ export function useRoleActions(
        t('新身份组'),
        getDefaultPermissionList()
      );
      showSuccessToasts();
    }, [groupId]);
  const [{ loading: loading2 }, handleSavePermission] = useAsyncRequest(
@ -31,6 +36,8 @@ export function useRoleActions(
          permissions
        );
      }
      showSuccessToasts();
    },
    [groupId, roleId]
  );
@ -41,6 +48,7 @@ export function useRoleActions(
        throw new Error(t('无法修改所有人权限组的显示名称'));
      }
      await model.group.updateGroupRoleName(groupId, roleId, newRoleName);
      showSuccessToasts();
    },
    [groupId, roleId]
  );
--- a/client/web/src/plugin/common/reg.ts
+++ b/client/web/src/plugin/common/reg.ts
@ -5,6 +5,7 @@ import {
  ChatMessage,
  GroupPanel,
  regSocketEventListener,
  PermissionItemType,
 } from 'tailchat-shared';
 import type { MetaFormFieldMeta } from 'tailchat-design';
@ -205,3 +206,9 @@ export interface DMPluginPanelActionProps extends BasePluginPanelActionProps {
 export const [pluginPanelActions, regPluginPanelAction] = buildRegList<
  GroupPluginPanelActionProps | DMPluginPanelActionProps
 >();
 /**
 * 注册插件权限
 */
 export const [pluginPermission, regPluginPermission] =
  buildRegList<PermissionItemType>();
--- a/client/web/tailchat.d.ts
+++ b/client/web/tailchat.d.ts
@ -179,6 +179,32 @@ declare module '@capital/common' {
  export const pluginPanelActions: any;
  export const regPluginPanelAction: any;
  export const pluginPermission: any;
  export const regPluginPermission: (permission: {
    /**
     * 权限唯一key, 用于写入数据库
     * 如果为插件则权限点应当符合命名规范, 如: plugin.com.msgbyte.github.manage
     */
    key: string;
    /**
     * 权限点显示名称
     */
    title: string;
    /**
     * 权限描述
     */
    desc: string;
    /**
     * 是否默认开启
     */
    default: boolean;
    /**
     * 是否依赖其他权限点
     */
    required?: string[];
  }) => void;
 }
 /**
--- a/package.json
+++ b/package.json
@ -12,6 +12,9 @@
    "build:web": "cd client/web && pnpm run build",
    "build:server": "cd server && pnpm run build && echo \"Install server side plugin:\" && pnpm run plugin:install com.msgbyte.tasks com.msgbyte.linkmeta com.msgbyte.github com.msgbyte.simplenotify && mkdir -p ./dist/public && cp -r ./public/plugins ./dist/public && cp ./public/registry.json ./dist/public",
    "postbuild": "cp -r client/web/dist/* server/dist/public",
    "check:type": "concurrently npm:check:type:client npm:check:type:server",
    "check:type:client": "cd client/web && tsc --noEmit",
    "check:type:server": "cd server && tsc --noEmit",
    "preinstall": "npx only-allow pnpm",
    "lint:fix": "eslint --fix './**/*.{ts,tsx}'",
    "prepare": "husky install"
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -195,6 +195,7 @@ importers:
      '@types/copy-webpack-plugin': ^8.0.0
      '@types/dts-generator': ^2.1.6
      '@types/emoji-mart': ^3.0.8
      '@types/fs-extra': ^9.0.13
      '@types/is-hotkey': ^0.1.5
      '@types/jest': ^27.0.3
      '@types/loadable__component': ^5.13.4
@ -231,6 +232,7 @@ importers:
      esbuild-loader: ^2.13.1
      execa: ^5.1.1
      file-loader: ^6.2.0
      fs-extra: ^10.0.0
      glob: ^7.2.0
      html-webpack-plugin: ^5.3.2
      is-electron: ^2.2.1
@ -335,6 +337,7 @@ importers:
      '@types/copy-webpack-plugin': 8.0.1_webpack-cli@4.10.0
      '@types/dts-generator': 2.1.7
      '@types/emoji-mart': 3.0.9
      '@types/fs-extra': 9.0.13
      '@types/is-hotkey': 0.1.7
      '@types/jest': 27.5.2
      '@types/loadable__component': 5.13.4
@ -365,6 +368,7 @@ importers:
      esbuild-loader: 2.19.0_webpack@5.73.0
      execa: 5.1.1
      file-loader: 6.2.0_webpack@5.73.0
      fs-extra: 10.1.0
      glob: 7.2.3
      html-webpack-plugin: 5.5.0_webpack@5.73.0
      jest: 27.5.1_ts-node@10.9.1
--- a/server/models/group/group.ts
+++ b/server/models/group/group.ts
@ -10,7 +10,7 @@ import {
 import { Base, TimeStamps } from '@typegoose/typegoose/lib/defaultClasses';
 import _ from 'lodash';
 import { Types } from 'mongoose';
-import { allPermission } from '../../lib/role';
+import { allPermission } from 'tailchat-server-sdk';
 import { User } from '../user/user';
 export enum GroupPanelType {
@ -253,11 +253,6 @@ export class Group extends TimeStamps implements Base {
      throw new Error('Not Found Group');
    }
    if (String(group.owner) === userId) {
      // 群组管理者有所有权限
      return [...allPermission];
    }
    const member = group.members.find(
      (member) => String(member.userId) === userId
    );
@ -271,7 +266,24 @@ export class Group extends TimeStamps implements Base {
      return p?.permissions ?? [];
    });
-    return _.union(...allRolesPermission, group.fallbackPermissions); // 权限取并集
+
    if (String(group.owner) === userId) {
      /**
       * 群组管理者有所有权限
       * 这里是为了避免插件权限无法预先感知到的问题
       */
      return _.uniq([
        ...allPermission,
        ..._.flatten(allRolesPermission),
        ...group.fallbackPermissions,
      ]);
    } else {
      return _.uniq([
        ..._.flatten(allRolesPermission),
        ...group.fallbackPermissions,
      ]);
    }
  }
  /**
--- a/server/packages/sdk/src/index.ts
+++ b/server/packages/sdk/src/index.ts
@ -13,6 +13,7 @@ export type {
 export { parseLanguageFromHead } from './services/lib/i18n/parser';
 export { t } from './services/lib/i18n';
 export * from './services/lib/errors';
 export { PERMISSION, allPermission } from './services/lib/role';
 export { call } from './services/lib/call';
 export {
  config,
--- a/server/packages/sdk/src/services/lib/call.ts
+++ b/server/packages/sdk/src/services/lib/call.ts
@ -1,4 +1,10 @@
-import { GroupStruct, UserStruct, SYSTEM_USERID, TcContext } from '../../index';
+import {
  GroupStruct,
  UserStruct,
  SYSTEM_USERID,
  TcContext,
  PERMISSION,
 } from '../../index';
 export function call(ctx: TcContext) {
  return {
@ -87,7 +93,15 @@ export function call(ctx: TcContext) {
        }
      );
-      return permissions.map((p) => (userAllPermissions ?? []).includes(p));
+      const hasOwnerPermission = userAllPermissions.includes(
        PERMISSION.core.owner
      );
      return permissions.map((p) =>
        hasOwnerPermission
          ? true // 如果有管理员权限。直接返回true
          : (userAllPermissions ?? []).includes(p)
      );
    },
  };
 }
--- a/server/packages/sdk/src/services/lib/role.ts
+++ b/server/packages/sdk/src/services/lib/role.ts
--- a/server/plugins/com.msgbyte.github/services/subscribe.service.ts
+++ b/server/plugins/com.msgbyte.github/services/subscribe.service.ts
@ -3,10 +3,14 @@ import {
  TcPureContext,
  TcContext,
  TcDbService,
  call,
  NoPermissionError,
 } from 'tailchat-server-sdk';
 import type { WebhookEvent } from '@octokit/webhooks-types';
 import type { SubscribeDocument, SubscribeModel } from '../models/subscribe';
 const PERMISSION_MANAGE = 'plugin.com.msgbyte.github.subscribe.manage';
 /**
 * Github订阅服务
 */
@ -79,16 +83,19 @@ class GithubSubscribeService extends TcService {
    }>
  ) {
    const { groupId, textPanelId, repoName } = ctx.params;
    const { userId, t } = ctx.meta;
    if (!groupId || !textPanelId || !repoName) {
      throw new Error('参数不全');
    }
-    const isGroupOwner = await ctx.call('group.isGroupOwner', {
+    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
-    });
+      userId,
-    if (isGroupOwner !== true) {
+      [PERMISSION_MANAGE]
-      throw new Error('没有操作权限');
+    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有操作权限'));
    }
    // TODO: 需要检查textPanelId是否合法
@ -109,6 +116,16 @@ class GithubSubscribeService extends TcService {
    }>
  ) {
    const groupId = ctx.params.groupId;
    const { userId, t } = ctx.meta;
    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
      userId,
      [PERMISSION_MANAGE]
    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有查看权限'));
    }
    const docs = await this.adapter.model
      .find({
@ -129,11 +146,15 @@ class GithubSubscribeService extends TcService {
    }>
  ) {
    const { groupId, subscribeId } = ctx.params;
-    const isGroupOwner = await ctx.call('group.isGroupOwner', {
+    const { userId, t } = ctx.meta;
    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
-    });
+      userId,
-    if (isGroupOwner !== true) {
+      [PERMISSION_MANAGE]
-      throw new Error('没有操作权限');
+    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有删除权限'));
    }
    await this.adapter.model.deleteOne({
--- a/server/plugins/com.msgbyte.github/web/plugins/com.msgbyte.github/src/index.tsx
+++ b/server/plugins/com.msgbyte.github/web/plugins/com.msgbyte.github/src/index.tsx
@ -1,4 +1,9 @@
-import { regCustomPanel, Loadable, regInspectService } from '@capital/common';
+import {
  regCustomPanel,
  Loadable,
  regInspectService,
  regPluginPermission,
 } from '@capital/common';
 import { Translate } from './translate';
 regCustomPanel({
@ -12,3 +17,10 @@ regInspectService({
  name: 'plugin:com.msgbyte.github.subscribe',
  label: Translate.githubService,
 });
 regPluginPermission({
  key: 'plugin.com.msgbyte.github.subscribe.manage',
  title: 'Github 订阅管理',
  desc: '允许管理Github订阅列表',
  default: false,
 });
--- a/server/plugins/com.msgbyte.github/web/plugins/com.msgbyte.github/types/tailchat.d.ts
+++ b/server/plugins/com.msgbyte.github/web/plugins/com.msgbyte.github/types/tailchat.d.ts
@ -1,2 +1,299 @@
-declare module '@capital/common';
+/* eslint-disable @typescript-eslint/no-explicit-any */
-declare module '@capital/component';
+
 /**
 * 该文件由 Tailchat 自动生成
 * 用于插件的类型声明
 * 生成命令: pnpm run plugins:declaration:generate
 */
 /**
 * Tailchat 通用
 */
 declare module '@capital/common' {
  export const useGroupPanelParams: any;
  /**
   * 打开模态框
   */
  export const openModal: (
    content: React.ReactNode,
    props?: {
      /**
       * 是否显示右上角的关闭按钮
       * @default false
       */
      closable?: boolean;
      /**
       * 遮罩层是否可关闭
       */
      maskClosable?: boolean;
      /**
       * 关闭modal的回调
       */
      onCloseModal?: () => void;
    }
  ) => number;
  export const closeModal: any;
  export const ModalWrapper: any;
  export const useModalContext: any;
  export const openConfirmModal: any;
  export const openReconfirmModal: any;
  export const Loadable: any;
  export const getGlobalState: any;
  export const getJWTUserInfo: () => Promise<{
    _id?: string;
    nickname?: string;
    email?: string;
    avatar?: string;
  }>;
  export const dataUrlToFile: any;
  export const urlSearchStringify: any;
  export const urlSearchParse: any;
  export const appendUrlSearch: any;
  export const useGroupIdContext: any;
  export const getServiceUrl: () => string;
  export const getCachedUserInfo: (
    userId: string,
    refetch?: boolean
  ) => Promise<{
    _id: string;
    email: string;
    nickname: string;
    discriminator: string;
    avatar: string | null;
    temporary: boolean;
  }>;
  export const getCachedConverseInfo: any;
  export const localTrans: any;
  export const getLanguage: any;
  export const sharedEvent: any;
  export const useAsync: any;
  export const useAsyncFn: any;
  export const useAsyncRefresh: any;
  export const useAsyncRequest: any;
  export const uploadFile: any;
  export const showToasts: any;
  export const showErrorToasts: any;
  export const fetchAvailableServices: any;
  export const isValidStr: any;
  export const useGroupPanelInfo: any;
  export const sendMessage: any;
  export const useLocation: any;
  export const useHistory: any;
  export const createFastFormSchema: any;
  export const fieldSchema: any;
  export const useCurrentUserInfo: any;
  export const createPluginRequest: (pluginName: string) => {
    get: (actionName: string, config?: any) => Promise<any>;
    post: (actionName: string, data?: any, config?: any) => Promise<any>;
  };
  export const postRequest: any;
  export const pluginCustomPanel: any;
  export const regCustomPanel: any;
  export const pluginGroupPanel: any;
  export const regGroupPanel: any;
  export const messageInterpreter: any;
  export const regMessageInterpreter: any;
  export const getMessageRender: any;
  export const regMessageRender: any;
  export const getMessageTextDecorators: any;
  export const regMessageTextDecorators: any;
  export const ChatInputActionContextProps: any;
  export const pluginChatInputActions: any;
  export const regChatInputAction: any;
  export const regSocketEventListener: (item: {
    eventName: string;
    eventFn: (...args: any[]) => void;
  }) => void;
  export const pluginColorScheme: any;
  export const regPluginColorScheme: any;
  export const pluginInspectServices: any;
  export const regInspectService: any;
  export const pluginMessageExtraParsers: any;
  export const regMessageExtraParser: any;
  export const pluginRootRoute: any;
  export const regPluginRootRoute: any;
  export const pluginPanelActions: any;
  export const regPluginPanelAction: any;
  export const pluginPermission: any;
  export const regPluginPermission: (permission: {
    /**
     * 权限唯一key, 用于写入数据库
     * 如果为插件则权限点应当符合命名规范, 如: plugin.com.msgbyte.github.manage
     */
    key: string;
    /**
     * 权限点显示名称
     */
    title: string;
    /**
     * 权限描述
     */
    desc: string;
    /**
     * 是否默认开启
     */
    default: boolean;
    /**
     * 是否依赖其他权限点
     */
    required?: string[];
  }) => void;
 }
 /**
 * Tailchat 组件
 */
 declare module '@capital/component' {
  export const Button: any;
  export const Checkbox: any;
  export const Input: any;
  export const Divider: any;
  export const Space: any;
  export const Menu: any;
  export const Table: any;
  export const Switch: any;
  export const Tooltip: any;
  /**
   * @link https://ant.design/components/notification-cn/
   */
  export const notification: any;
  export const Avatar: any;
  export const SensitiveText: React.FC<{ className?: string; text: string }>;
  export const TextArea: any;
  export const Image: any;
  export const Icon: any;
  export const IconBtn: any;
  export const PillTabs: any;
  export const PillTabPane: any;
  export const LoadingSpinner: any;
  export const WebFastForm: any;
  export const WebMetaForm: any;
  export const createMetaFormSchema: any;
  export const metaFormFieldSchema: any;
  export const FullModalField: any;
  export const DefaultFullModalInputEditorRender: any;
  export const DefaultFullModalTextAreaEditorRender: any;
  export const openModal: any;
  export const closeModal: any;
  export const ModalWrapper: any;
  export const useModalContext: any;
  export const openConfirmModal: any;
  export const openReconfirmModal: any;
  export const Loading: any;
  export const SidebarView: any;
  export const GroupPanelSelector: any;
  export const Emoji: any;
  export const PortalAdd: any;
  export const PortalRemove: any;
  export const ErrorBoundary: any;
  export const UserName: React.FC<{
    userId: string;
    className?: string;
  }>;
 }
--- a/server/services/core/group/group.service.ts
+++ b/server/services/core/group/group.service.ts
@ -18,9 +18,9 @@ import {
  DataNotFoundError,
  EntityError,
  NoPermissionError,
  PERMISSION,
 } from 'tailchat-server-sdk';
 import moment from 'moment';
 import { PERMISSION } from '../../../lib/role';
 interface GroupService
  extends TcService,
--- a/server/services/core/group/invite.service.ts
+++ b/server/services/core/group/invite.service.ts
@ -11,8 +11,8 @@ import {
  PureContext,
  call,
  NoPermissionError,
  PERMISSION,
 } from 'tailchat-server-sdk';
 import { PERMISSION } from '../../../lib/role';
 interface GroupService
  extends TcService,