当前项目采用前端与后端分离架构,前端采用VUE实现,后端采用RAILS。现在我们需要解决前端和后端身份验证逻辑,并希望后端强制每个API的前端身份验证具有访问权限。希望有人能帮忙解答,以下是我的一些实现逻辑:基类控制器逻辑:
def collect_metrics
start_time = (Time.now.to_f.round(3) * 1000).to_i
# ap self.as_json
yield
end_time = (Time.now.to_f.round(3) * 1000).to_i
duration = end_time - start_time
# 日志转储
save_logger(duration: duration, severity: "INFO")
# 刷新用户操作时间
update_user_online
Rails.logger.debug("正在调用 API 接口:#{@api_operation},授权用户为 #{@current_user}")
end
用户关联权限字典:
u.roles = ["log:list", "error:list", "online:list", "log:edit", "log_error:del", "user:offline", "user:list", "menu:list", "job:list", "role:list", "dept:list", "dict:list", "dept:edit", "dept:del", "dept:add", "dict:edit", "dict:del", "dict:add"]
每个ACTION绑定一个类变量:
# 创建部门
def create
@api_operation = "创建部门"
@api_authorize = "dept:add"
pre_authorize
data = dept_params.except(:id, :isTop, :sub_count).as_json
pid = data.delete("pid")
data[:parent] = SysDept.find(pid) if pid.to_i > 0
dept = SysDept.new data
if dept.save
render json: { content: "成功创建部门" }, status: :ok
else
render json: { content: "创建部门异常" }, status: :not_acceptable
end
end
# 更新部门
def update
@api_operation = "更新部门"
@api_authorize = "dept:edit"
pre_authorize
data = dept_params.except(:label, :hasChildren, :leaf, :isTop, :sub_count)
id = data.delete("id")
if id.present? && SysDept.find(id).update!(data)
render json: { message: "更新部门成功" }, status: :ok
else
render json: { message: "更新部门异常" }, status: :not_acceptable
end
end
这是java的解决方案代码,我不知道如何将下面的代码转换成RUBY风格。
@Log("删除部门")
@ApiOperation("删除部门")
@DeleteMapping
@PreAuthorize("@el.check('dept:del')")
public ResponseEntity<Object> deleteDept(@RequestBody Set<Long> ids){
Set<DeptDto> deptDtos = new HashSet<>();
for (Long id : ids) {
List<Dept> deptList = deptService.findByPid(id);
deptDtos.add(deptService.findById(id));
if(CollectionUtil.isNotEmpty(deptList)){
deptDtos = deptService.getDeleteDepts(deptList, deptDtos);
}
}
// 验证是否被角色或用户关联
deptService.verification(deptDtos);
deptService.delete(deptDtos);
return new ResponseEntity<>(HttpStatus.OK);
}
@Log("修改部门")
@ApiOperation("修改部门")
@PutMapping
@PreAuthorize("@el.check('dept:edit')")
public ResponseEntity<Object> updateDept(@Validated(Dept.Update.class) @RequestBody Dept resources){
deptService.update(resources);
return new ResponseEntity<>(HttpStatus.NO_CONTENT);
}
如果我理解你的问题,你可以在你的控制器中添加一个before_action :check_preauth,然后实现方法check_preauth检查用户执行操作的权限。