GithubHelp home page GithubHelp logo

lgcgo / letga-server Goto Github PK

View Code? Open in Web Editor NEW
14.0 3.0 3.0 186 KB

Letga 是一个基于 GoFrame 和 AntDesign 的中后台管理系统。Letga 集成了通用的中后台基础功能组件,是一款规范化、易扩展、体验佳的企业级开源系统。

License: Apache License 2.0

Go 100.00%

letga-server's Introduction

介绍

Letga 是一个基于 GoFrame 和 AntDesign 的中后台管理系统。Letga 集成了通用的中后台基础功能组件,是一款 规范化易扩展体验佳的企业级开源系统。

规范化、易扩展

GoFrame 是 LetgaServer 的底座,具备基础组件丰富、文档全面、通用性强等特性。在此基础上,Letga 针对应用提出更细致的规范与约束方案。

体验佳

得益于AntDesign 的设计价值观,Letga 在整体设计上践行 简洁一致易用 的设计原则,并对通用的功能组件做了进一步封装,开发者可轻易复用或者扩展 体验良好 的功能组件。

Letga 是前后端分离项目,本项目是后端部分,前端请前往:LetgaFrontend

特性

  • 遵循 OpenAPIv3 规范,自动构建Swagger文档
  • 基于 Casbin + JWT 高效的 RBAC 权限认证设计
  • 数据 ID 索引加密,接口层隐藏自增 ID

文档

截图

致谢

版权

遵循Apache-2.0 License,保留系统版权,可免费商用。

letga-server's People

Contributors

lgcgo avatar blankspaceplus avatar

Stargazers

UUTAN avatar Ruibin avatar seymour avatar listenwind avatar avatar avatar avatar weichunshen89 avatar dgtask avatar avatar avatar wwmin avatar avatar Sany avatar

Watchers

vulcangz avatar avatar avatar

Forkers

blankspaceplus yixuqiu alawnchen

letga-server's Issues

鉴权问题

代码片段1:

// 这里为什么是验证前端传来的角色
if len(in.Role) > 0 {
	if role, err = dao.AuthRole.GetByName(ctx, in.Role); err != nil {
		return nil, err
	}
} else {
	if role, err = service.Auth().GetDefaultRole(ctx); err != nil {
		return nil, err
	}
}

if role == nil {
	return nil, gerror.NewCode(biz.AuthRoleNotExists)
}

// 如果 user1 不是超级管理员,通过前端传来Root角色,那么这条判断就不会执行
var isExist = true
if user.Id != consts.RootAdminId && role.Id != consts.RootRoleId && role.Id != consts.DefaultRoleId {
	if isExist, err = dao.AuthAccess.IsExist(ctx, &do.AuthAccess{
		UserId: user.Id,
		RoleId: role.Id,
	}); err != nil {
		return nil, err
	}
}
if !isExist {
	return nil, gerror.NewCode(biz.AuthNotPermission)
}
// 到了这里就会成为 user1 签发了 Root 权限
return s.SigninDrect(ctx, user, role)

代码片段2:

// 到了这里中间件就会从票据里断言出Root角色
if code == biz.CodeOk {
	if claims, err = service.Auth().VerifyToken(ctx, tokenTicket); err == nil {
		// 从签名中获取用户角色
		role = claims["isr"].(string)
		uuid = claims["sub"].(string)
	} else {
		code = gerror.Code(err)
	}
}

// 中间件虽然提交了"Subject: uuid"
if code == biz.CodeOk {
	if err = service.Auth().Verify(ctx, &model.AuthVerifyInput{
		Subject: uuid,
		Path:    r.URL.Path,
		Method:  r.Method,
		Role:    role,
	}); err == nil {
		// 设置上下文用户
		biz.Ctx().SetUser(r.Context(), &biz.ContextUser{
			Uuid: uuid,
			Role: role,
		})
	} else {
		code = gerror.Code(err)
	}
}

// 但是到了casbin这里并没有验证Subject
func Verify(p *VerifyPayload) (bool, error) {
	var (
		ok  bool
		err error
	)

	// 验证角色权限
	if ok, err = enforcer.Enforce(ROLE_NAME_PERFIX+p.Role, p.Path, p.Method); err != nil {
		return false, err
	}
	return ok, nil
}

1.通过上面的问题,似乎如果user1不具备超级管理员,如果在in.Role提交了Root参数,就拥有了Root权限。
2.能否提交一份完整的 config 文件。

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.