
后台资源权限细化校验,防止用户模拟登陆修改资源

jeffrey 1 年之前
父节点
当前提交
d7ad82328b
共有 9 个文件被更改,包括 80 次插入1 次删除
  1. 34 1
      app/__init__.py
  2. 7 0
      app/routes/config.py
  3. 6 0
      app/routes/dictdata.py
  4. 6 0
      app/routes/dicttype.py
  5. 2 0
      app/routes/online.py
  6. 5 0
      app/routes/organization.py
  7. 6 0
      app/routes/resource.py
  8. 7 0
      app/routes/role.py
  9. 7 0
      app/routes/user.py

+ 34 - 1
app/__init__.py

@@ -5,10 +5,43 @@ from config import config
 from flask_login import LoginManager
 import flask_excel as excel
 
-
 from flask import json
 from datetime import datetime, date
 
+from flask_login import current_user
+from flask import jsonify
+from functools import wraps
+
+def permission(permission_id):
+    def need_permission(func):
+        @wraps(func)
+        def inner(*args, **kargs):
+            if not current_user.ID:
+                return jsonify(401, {"msg": "认证失败,无法访问系统资源"})
+            else:
+                resources = []
+                resourceTree = []
+
+                resources += [res for org in current_user.organizations for res in org.resources if org.resources]
+                resources += [res for role in current_user.roles for res in role.resources if role.resources]
+                
+                # remove repeat
+                new_dict = dict()
+                for obj in resources:
+                    if obj.ID not in new_dict:
+                        new_dict[obj.ID] = obj
+
+                for resource in new_dict.values():
+                    resourceTree.append(resource.PERMS)
+                if permission_id in resourceTree:
+                    return func(*args, **kargs)
+                else:
+                    return jsonify({'msg': '当前操作没有权限', 'code': 403})
+        return inner
+    return need_permission
+        
+
+
 JSONEncoder = json.JSONEncoder
 
 class CustomJSONEncoder(JSONEncoder):
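Review bot: The authentication branch at L49 calls `jsonify(401, {"msg": ...})`, which serializes to a JSON array `[401, {...}]` under HTTP 200 — a different shape from the 403 branch's `{'msg', 'code'}` object — and neither branch sets the HTTP status, so clients, proxies and access logs see every denial as a successful response. Suggest `return jsonify({'msg': '认证失败,无法访问系统资源', 'code': 401}), 401` and `return jsonify({'msg': '当前操作没有权限', 'code': 403}), 403`. The `if org.resources` / `if role.resources` guards in the two comprehensions are redundant (an empty relationship contributes nothing), and `resourceTree` is a list used only for a membership test, so `granted = {res.PERMS for res in new_dict.values()}` would be clearer and replaces the manual dedup loop for this purpose. The decorator presumably relies on `@login_required` running first (it is the outer decorator on every route in this commit), because `current_user.ID` would raise AttributeError on Flask-Login's anonymous user; a comment stating that ordering requirement above `def permission` would help the next maintainer.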

+ 7 - 0
app/routes/config.py

@@ -10,6 +10,7 @@ from sqlalchemy import desc
 from .. import  db
 from flask_login import login_required
 import flask_excel as excel
+from .. import permission
 
 @base.route('/system/config/configKey/<configKey>', methods=['GET'])
 @login_required
@@ -21,6 +22,7 @@ def sysconfig_get_value(configKey):
 
 @base.route('/system/config/list', methods=['GET'])
 @login_required
+@permission('system:config:list')
 def sys_config_list():
     filters = []
     if 'configName' in request.args:
@@ -44,6 +46,7 @@ def sys_config_list():
 
 @base.route('/system/config/<id>', methods=['GET'])
 @login_required
+@permission('system:config:query')
 def sysconfig_get_by_id(id):
     config = Config.query.get(id)
 
@@ -51,6 +54,7 @@ def sysconfig_get_by_id(id):
 
 @base.route('/system/config', methods=['POST'])
 @login_required
+@permission('system:config:add')
 def sysconfig_add():
     config = Config()
 
@@ -69,6 +73,7 @@ def sysconfig_add():
 
 @base.route('/system/config', methods=['PUT'])
 @login_required
+@permission('system:config:edit')
 def sysconfig_update():
     config = Config.query.get(request.json['configId'])
 
@@ -87,6 +92,7 @@ def sysconfig_update():
 
 @base.route('/system/config/<string:ids>', methods=['DELETE'])
 @login_required
+@permission('system:config:remove')
 def syconfig_delete(ids):
     idList = ids.split(',')
     for id in idList:
@@ -98,6 +104,7 @@ def syconfig_delete(ids):
 
 @base.route('/system/config/export', methods=['POST'])
 @login_required
+@permission('system:config:export')
 def config_export():
     rows = []
     rows.append(['参数主键', '参数名称', '参数键名', '参数键值', '系统内置', '备注', '创建时间'])
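Review bot: `sysconfig_get_value` at L87–L88 keeps only `@login_required` while every other route in this file gains a `@permission(...)` guard; if that is deliberate (any logged-in user may read a config value by key), a comment on the route such as `# intentionally unguarded: read-only lookup available to all authenticated users` would stop it being read as an omission. The same gap is visible for `sysdictdata_get_by_type` in dictdata.py, `syorganization_dept_list_exclude` in organization.py and `syuser_get` in user.py, and more importantly for `cancel_role` (`/system/role/authUser/cancelAll`, PUT) and `syrole_authUser_selectAll` in role.py, whose bodies lie outside the hunks but whose routes appear to modify role assignments. For those mutating routes the fix is one line under `@login_required`, e.g. `@permission('system:role:edit')`, matching what `grant_user_role` in user.py now receives.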

+ 6 - 0
app/routes/dictdata.py

@@ -8,6 +8,7 @@ from sqlalchemy import asc
 from sqlalchemy import desc
 from .. import  db
 from flask_login import login_required
+from .. import permission
 
 @base.route('/system/dict/data/type/<dictType>', methods=['GET'])
 @login_required
@@ -19,6 +20,7 @@ def sysdictdata_get_by_type(dictType):
 
 @base.route('/system/dict/data/list', methods=['GET'])
 @login_required
+@permission('system:dict:list')
 def sysdict_data_list():
     filters = []
     if 'dictLabel' in request.args:
@@ -39,6 +41,7 @@ def sysdict_data_list():
 
 @base.route('/system/dict/data/<id>', methods=['GET'])
 @login_required
+@permission('system:dict:query')
 def sysdict_data_get_by_id(id):
     data = DictData.query.get(id)
 
@@ -46,6 +49,7 @@ def sysdict_data_get_by_id(id):
 
 @base.route('/system/dict/data', methods=['POST'])
 @login_required
+@permission('system:dict:add')
 def sysdict_data_add():
     dictData = DictData()
 
@@ -65,6 +69,7 @@ def sysdict_data_add():
 
 @base.route('/system/dict/data', methods=['PUT'])
 @login_required
+@permission('system:dict:edit')
 def sysdict_data_update():
     dictData = DictData.query.get(request.json['dictCode'])
 
@@ -86,6 +91,7 @@ def sysdict_data_update():
 
 @base.route('/system/dict/data/<string:ids>', methods=['DELETE'])
 @login_required
+@permission('system:dict:remove')
 def sydata_delete(ids):
     idList = ids.split(',')
     for id in idList:

+ 6 - 0
app/routes/dicttype.py

@@ -8,9 +8,11 @@ from sqlalchemy import asc
 from sqlalchemy import desc
 from .. import  db
 from flask_login import login_required
+from .. import permission
 
 @base.route('/system/dict/type/list', methods=['GET'])
 @login_required
+@permission('system:dict:list')
 def sysdict_type_list():
     filters = []
     if 'dictName' in request.args:
@@ -36,6 +38,7 @@ def sysdict_type_list():
 
 @base.route('/system/dict/type/<id>', methods=['GET'])
 @login_required
+@permission('system:dict:query')
 def sysdict_type_get_by_id(id):
     type = DictType.query.get(id)
 
@@ -43,6 +46,7 @@ def sysdict_type_get_by_id(id):
 
 @base.route('/system/dict/type', methods=['POST'])
 @login_required
+@permission('system:dict:add')
 def sysdict_type_add():
     dictType = DictType()
 
@@ -62,6 +66,7 @@ def sysdict_type_add():
 
 @base.route('/system/dict/type', methods=['PUT'])
 @login_required
+@permission('system:dict:edit')
 def sysdict_type_update():
     dictType = DictType.query.get(request.json['dictId'])
 
@@ -79,6 +84,7 @@ def sysdict_type_update():
 
 @base.route('/system/dict/type/<string:ids>', methods=['DELETE'])
 @login_required
+@permission('system:dict:remove')
 def sytype_delete(ids):
     idList = ids.split(',')
     for id in idList:
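Review bot: The permission ids added in this file (`system:dict:list`, `system:dict:query`, `system:dict:add`, `system:dict:edit`, `system:dict:remove`) are the same strings dictdata.py assigns to the dictionary-data routes, so a single grant unlocks both the type and the data endpoints. If that coarseness is intended, a comment at the first decorator such as `# dict type and dict data share one permission set` would document it; otherwise a separate id family for the type routes would let administrators grant them independently.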

+ 2 - 0
app/routes/online.py

@@ -5,9 +5,11 @@ from sqlalchemy import asc
 from sqlalchemy import desc
 import flask_excel as excel
 from flask_login import login_required
+from .. import permission
 
 @base.route('/monitor/logininfor/list', methods=['GET'])
 @login_required
+@permission('monitor:logininfor:list')
 def grid_online():
     filters = []
     if request.args.get('userName'):

+ 5 - 0
app/routes/organization.py

@@ -10,9 +10,11 @@ from .. import db
 from flask import render_template
 from datetime import datetime
 import uuid
+from .. import permission
 
 @base.route('/system/dept/list', methods=['GET'])
 @login_required
+@permission('system:dept:list')
 def syorganization_treeGrid():
     filters = []
     if 'deptName' in request.args:
@@ -38,6 +40,7 @@ def syorganization_dept_list_exclude(id):
 
 @base.route('/system/dept/<string:id>', methods=['GET'])
 @login_required
+@permission('system:dept:query')
 def syorganization_getById(id):
     org = Organization.query.get(id)
 
@@ -48,6 +51,7 @@ def syorganization_getById(id):
 
 @base.route('/system/dept', methods=['PUT'])
 @login_required
+@permission('system:dept:edit')
 def syorganization_update():
     org = Organization.query.get(request.json['deptId'])
 
@@ -66,6 +70,7 @@ def syorganization_update():
 
 @base.route('/system/dept', methods=['POST'])
 @login_required
+@permission('system:dept:add')
 def syorganization_save():
     org = Organization()
     org.ID = str(uuid.uuid4())

+ 6 - 0
app/routes/resource.py

@@ -13,9 +13,11 @@ from datetime import datetime
 from sqlalchemy import desc
 from sqlalchemy import asc
 from flask_login import login_required  
+from .. import permission
 
 @base.route('/system/menu/list', methods=['GET'])
 @login_required
+@permission('system:menu:list')
 def syresource_treeGrid():
     filters = []
     if 'menuName' in request.args:
@@ -31,6 +33,7 @@ def syresource_treeGrid():
 
 @base.route('/system/menu/<id>', methods=['GET'])
 @login_required
+@permission('system:menu:query')
 def syresource_getById(id):
     res = Resource.query.get(id)
 
@@ -41,6 +44,7 @@ def syresource_getById(id):
 
 @base.route('/system/menu', methods=['PUT'])
 @login_required
+@permission('system:menu:edit')
 def syresource_update():
     res = Resource.query.get(request.json['menuId'])
 
@@ -61,6 +65,7 @@ def syresource_update():
 
 @base.route('/system/menu', methods=['POST'])
 @login_required
+@permission('system:menu:add')
 def syresource_save():
     res = Resource()
 
@@ -81,6 +86,7 @@ def syresource_save():
 
 @base.route('/system/menu/<id>', methods=['DELETE'])
 @login_required
+@permission('system:menu:remove')
 def syresource_delete(id):
     res = Resource.query.get(id)
     if res:

+ 7 - 0
app/routes/role.py

@@ -15,6 +15,7 @@ from sqlalchemy import desc
 from sqlalchemy import asc
 from sqlalchemy import or_
 from flask_login import login_required
+from .. import permission
 
 
 @base.route('/system/role/authUser/cancelAll', methods=['PUT'])
@@ -48,6 +49,7 @@ def cancel_role():
 
 @base.route('/system/role/list', methods=['GET'])
 @login_required
+@permission('system:role:list')
 def grid():
     filters = []
     if request.args.get('roleName'):
@@ -72,6 +74,7 @@ def grid():
 
 @base.route('/system/role/<string:id>', methods=['GET'])
 @login_required
+@permission('system:role:query')
 def syrole_getById(id):
     role = Role.query.get(id)
 
@@ -82,6 +85,7 @@ def syrole_getById(id):
 
 @base.route('/system/role', methods=['PUT'])
 @login_required
+@permission('system:role:edit')
 def syrole_update():
     role = Role.query.get(request.json['roleId'])
 
@@ -102,6 +106,7 @@ def syrole_update():
 
 @base.route('/system/role', methods=['POST'])
 @login_required
+@permission('system:role:add')
 def syrole_save():
     role = Role()
 
@@ -125,6 +130,7 @@ def syrole_save():
 
 @base.route('/system/role/<string:id>', methods=['DELETE'])
 @login_required
+@permission('system:role:remove')
 def syrole_delete(id):
     role = Role.query.get(id)
     if role:
@@ -194,6 +200,7 @@ def syrole_authUser_selectAll():
 
 @base.route('/system/role/changeStatus', methods=['PUT'])
 @login_required
+@permission('system:role:edit')
 def syrole_status_update():
     role = Role.query.get(request.json['roleId'])
 

+ 7 - 0
app/routes/user.py

@@ -12,9 +12,11 @@ import uuid
 from sqlalchemy import asc, true
 from sqlalchemy import desc
 import flask_excel as excel
+from .. import permission
 
 @base.route('/system/user/authRole', methods=['PUT'])
 @login_required
+@permission('system:role:edit')
 def grant_user_role():
     id = request.args['userId']
     ids = request.args['roleIds']
@@ -65,6 +67,7 @@ def do_login():
 
 @base.route('/system/user/list', methods=['GET'])
 @login_required
+@permission('system:user:list')
 def user_grid():
     filters = []
     if 'userName' in request.args:
@@ -102,6 +105,7 @@ def syuser_get():
 
 @base.route('/system/user/<id>', methods=['GET'])
 @login_required
+@permission('system:user:query')
 def syuser_getById(id):
     user = User.query.get(id)
 
@@ -117,6 +121,7 @@ def syuser_getById(id):
 
 @base.route('/system/user', methods=['PUT'])
 @login_required
+@permission('system:user:edit')
 def syuser_update():
     id = request.json['userId']
     userName = request.json['userName']
@@ -141,6 +146,7 @@ def syuser_update():
 
 @base.route('/system/user', methods=['POST'])
 @login_required
+@permission('system:user:add')
 def syuser_save():
     if User.query.filter_by(LOGINNAME = request.json['userName']).first():
         return jsonify({'success': False, 'msg': '新建用户失败,用户名已存在!'})
@@ -173,6 +179,7 @@ def syuser_save():
 
 @base.route('/system/user/<id>', methods=['DELETE'])
 @login_required
+@permission('system:user:remove')
 def syuser_delete(id):
     user = User.query.get(id)
     if user:
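Review bot: `grant_user_role` at L413 is the only route in this file gated by `system:role:edit` rather than a `system:user:*` permission, so a reader scanning the file may take it for a copy-paste slip. If it is deliberate (assigning roles is a role-administration action, consistent with `syrole_status_update` in role.py), a one-line comment above the decorator, e.g. `# role assignment is governed by the role editor's permission, not the user editor's`, would make that explicit. The function body continues outside the hunk.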