midway-fatcms 0.0.10 → 0.0.11

package/dist/controller/gateway/AsyncTaskController.d.ts

@@ -6,6 +6,7 @@ import { BaseApiController } from '../base/BaseApiController';
 export declare class AsyncTaskController extends BaseApiController {
     protected ctx: Context;
     private asyncTaskService;
+    private crudStdService;
     getMyTasks(): Promise<import("../../libs/crud-pro/models/ExecuteContext").ExecuteContext>;
     createTask(): Promise<import("../../libs/crud-pro/models/ExecuteContext").ExecuteContext>;
     cancelTask(id: number): Promise<{

package/dist/controller/gateway/AsyncTaskController.js

@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AsyncTaskController = void 0;
 const fs = require("fs");
 const fs2 = require("node:fs/promises");
+const md5 = require("md5");
 const core_1 = require("@midwayjs/core");
 const BaseApiController_1 = require("../base/BaseApiController");
 const AsyncTaskService_1 = require("../../service/asyncTask/AsyncTaskService");
@@ -24,6 +25,8 @@ const SystemTables_1 = require("../../models/SystemTables");
 const exceptions_1 = require("../../libs/crud-pro/exceptions");
 const permission_middleware_1 = require("../../middleware/permission.middleware");
 const functions_1 = require("../../libs/utils/functions");
+const CrudStdService_1 = require("../../service/crudstd/CrudStdService");
+const devops_1 = require("../../models/devops");
 function fixMyTasksCondition(body, ctx) {
     if (!body.condition) {
         throw new exceptions_1.CommonException('参数不正确');
@@ -43,6 +46,27 @@ function fixCancelBodyData(body, id) {
     dataObj.task_status = AsyncTaskModel_1.SysAsyncTaskStatus.CANCELLED;
     body.data = dataObj;
 }
+/**
+ * 验证 STD_CRUD 类型的异步任务权限
+ * 根据 settingKey 配置的权限项进行鉴权
+ */
+async function validateStdCrudTaskPermission(crudStdService, inputParams) {
+    var _a;
+    if (inputParams.appType !== 'STD_CRUD' || !inputParams.settingKey) {
+        return; // 非 STD_CRUD 类型或无 settingKey，无需鉴权
+    }
+    const stdAction = {
+        appCode: inputParams.appCode,
+        settingKey: inputParams.settingKey,
+    };
+    const appInfo = await crudStdService.getParsedCrudStdAppForSettingKey(stdAction);
+    if (!appInfo || appInfo.status !== 1) {
+        throw new devops_1.BizException('应用不存在或已下线：' + inputParams.appCode);
+    }
+    if (!((_a = appInfo.settingKeyActionCfg) === null || _a === void 0 ? void 0 : _a.hasOperationPerm)) {
+        throw new devops_1.BizException('没有操作权限：settingKey=' + inputParams.settingKey);
+    }
+}
 function fixCreateBodyData(body, ctx) {
     if (!body.data) {
         throw new exceptions_1.CommonException('参数不正确');
@@ -57,6 +81,11 @@ function fixCreateBodyData(body, ctx) {
         host: headers.host,
         origin: headers.origin,
     };
+    dataObj.task_uuid = md5(JSON.stringify({
+        input_params: input_params,
+        created_by: sessionInfo.accountId,
+        created_time: Date.now(),
+    }));
     dataObj.task_status = AsyncTaskModel_1.SysAsyncTaskStatus.PENDING;
     dataObj.created_by = sessionInfo.accountId;
     dataObj.created_user_session = JSON.stringify(sessionInfo); // 创建人的session信息。用于执行时的鉴权。
@@ -73,9 +102,14 @@ let AsyncTaskController = class AsyncTaskController extends BaseApiController_1.
     }
     // 创建任务
     async createTask() {
-        //每个用户：5秒内只能创建1次任务
+        var _a;
+        // 每个用户：5秒内只能创建1次任务
         await this.checkUserActionTimeLimit('AsyncTaskController_createTask', 5);
-        fixCreateBodyData(this.ctx.request.body, this.ctx);
+        // 解析 input_params 并进行权限鉴权
+        const body = this.ctx.request.body;
+        const inputParams = (0, functions_1.parseJsonObject)((_a = body.data) === null || _a === void 0 ? void 0 : _a.input_params) || {};
+        await validateStdCrudTaskPermission(this.crudStdService, inputParams);
+        fixCreateBodyData(body, this.ctx);
         const res = await this.executeSysSimpleSQL(SystemTables_1.SystemTables.sys_async_tasks, keys_1.KeysOfSimpleSQL.SIMPLE_INSERT);
         await this.asyncTaskService.startTask();
         return res;
@@ -148,6 +182,10 @@ __decorate([
     (0, core_1.Inject)(),
     __metadata("design:type", AsyncTaskService_1.AsyncTaskService)
 ], AsyncTaskController.prototype, "asyncTaskService", void 0);
+__decorate([
+    (0, core_1.Inject)(),
+    __metadata("design:type", CrudStdService_1.CrudStdService)
+], AsyncTaskController.prototype, "crudStdService", void 0);
 __decorate([
     (0, core_1.Post)('/getMyTasks'),
     __metadata("design:type", Function),

package/dist/service/crudstd/CrudStdService.d.ts

@@ -2,7 +2,7 @@ import { Context } from '@midwayjs/koa';
 import { CurdMixService } from '../curd/CurdMixService';
 import { IRequestModel } from '../../libs/crud-pro/interfaces';
 import { KeysOfSimpleSQL } from '../../libs/crud-pro/models/keys';
-import { ICrudStdAppInfo } from '../../models/bizmodels';
+import { ICrudStdAppInfo, ICrudStdAppInfoForSettingKey } from '../../models/bizmodels';
 import { ExecuteContext } from '../../libs/crud-pro/models/ExecuteContext';
 import { CrudStdActionService } from './CrudStdActionService';
 import { CrudStdRelationService } from './CrudStdRelationService';
@@ -37,9 +37,8 @@ export declare class CrudStdService extends ApiBaseService {
      * 获取appInfo 并且拿到当前settingKey相关的信息
      * @param appCode
      * @param settingKey
-     * @private
      */
-    private getParsedCrudStdAppForSettingKey;
+    getParsedCrudStdAppForSettingKey(stdAction: ICrudStdActionParams): Promise<ICrudStdAppInfoForSettingKey>;
     /**
      * 执行动作
      * @param stdAction

package/dist/service/crudstd/CrudStdService.js

@@ -152,7 +152,6 @@ let CrudStdService = class CrudStdService extends ApiBaseService_1.ApiBaseServic
      * 获取appInfo 并且拿到当前settingKey相关的信息
      * @param appCode
      * @param settingKey
-     * @private
      */
     async getParsedCrudStdAppForSettingKey(stdAction) {
         const { appCode, settingKey, buttonSettingKey } = stdAction || {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "midway-fatcms",
-  "version": "0.0.10",
+  "version": "0.0.11",
   "description": "This is a midway component sample",
   "main": "dist/index.js",
   "typings": "index.d.ts",

package/src/controller/gateway/AsyncTaskController.ts

@@ -1,5 +1,6 @@
 import * as fs from 'fs';
 import * as fs2 from 'node:fs/promises';
+import * as md5 from 'md5';
 import { Controller, Inject, Post, Query, Get } from '@midwayjs/core';
 import { Context } from '@midwayjs/koa';
 import { BaseApiController } from '../base/BaseApiController';
@@ -10,6 +11,8 @@ import { SystemTables } from '@/models/SystemTables';
 import { CommonException } from '@/libs/crud-pro/exceptions';
 import { checkLogin } from '@/middleware/permission.middleware';
 import { parseJsonObject } from '@/libs/utils/functions';
+import { CrudStdService, ICrudStdActionParams } from '@/service/crudstd/CrudStdService';
+import { BizException } from '@/models/devops';
 
 function fixMyTasksCondition(body: any, ctx: Context) {
   if (!body.condition) {
@@ -34,6 +37,31 @@ function fixCancelBodyData(body: any, id: number) {
   body.data = dataObj;
 }
 
+/**
+ * 验证 STD_CRUD 类型的异步任务权限
+ * 根据 settingKey 配置的权限项进行鉴权
+ */
+async function validateStdCrudTaskPermission(
+  crudStdService: CrudStdService,
+  inputParams: any
+): Promise<void> {
+  if (inputParams.appType !== 'STD_CRUD' || !inputParams.settingKey) {
+    return; // 非 STD_CRUD 类型或无 settingKey，无需鉴权
+  }
+
+  const stdAction: ICrudStdActionParams = {
+    appCode: inputParams.appCode,
+    settingKey: inputParams.settingKey,
+  }; 
+  const appInfo = await crudStdService.getParsedCrudStdAppForSettingKey(stdAction);
+  if (!appInfo || appInfo.status !== 1) {
+    throw new BizException('应用不存在或已下线：' + inputParams.appCode);
+  }
+  if (!appInfo.settingKeyActionCfg?.hasOperationPerm) {
+    throw new BizException('没有操作权限：settingKey=' + inputParams.settingKey);
+  }
+}
+
 function fixCreateBodyData(body: any, ctx: Context) {
   if (!body.data) {
     throw new CommonException('参数不正确');
@@ -49,6 +77,11 @@ function fixCreateBodyData(body: any, ctx: Context) {
     host: headers.host,
     origin: headers.origin,
   };
+  dataObj.task_uuid = md5(JSON.stringify({
+    input_params: input_params,
+    created_by: sessionInfo.accountId,
+    created_time: Date.now(),
+  }));
   dataObj.task_status = SysAsyncTaskStatus.PENDING;
   dataObj.created_by = sessionInfo.accountId;
   dataObj.created_user_session = JSON.stringify(sessionInfo); // 创建人的session信息。用于执行时的鉴权。
@@ -66,6 +99,9 @@ export class AsyncTaskController extends BaseApiController {
   @Inject()
   private asyncTaskService: AsyncTaskService;
 
+  @Inject()
+  private crudStdService: CrudStdService;
+
   // 获取任务列表
   @Post('/getMyTasks')
   async getMyTasks() {
@@ -76,10 +112,15 @@ export class AsyncTaskController extends BaseApiController {
   // 创建任务
   @Post('/createTask')
   async createTask() {
-    //每个用户：5秒内只能创建1次任务
+    // 每个用户：5秒内只能创建1次任务
     await this.checkUserActionTimeLimit('AsyncTaskController_createTask', 5);
 
-    fixCreateBodyData(this.ctx.request.body, this.ctx);
+    // 解析 input_params 并进行权限鉴权
+    const body = this.ctx.request.body as any;
+    const inputParams = parseJsonObject(body.data?.input_params) || {};
+    await validateStdCrudTaskPermission(this.crudStdService, inputParams);
+
+    fixCreateBodyData(body, this.ctx);
     const res = await this.executeSysSimpleSQL(SystemTables.sys_async_tasks, KeysOfSimpleSQL.SIMPLE_INSERT);
     await this.asyncTaskService.startTask();
     return res;

package/src/service/crudstd/CrudStdService.ts

@@ -216,9 +216,8 @@ export class CrudStdService extends ApiBaseService {
    * 获取appInfo 并且拿到当前settingKey相关的信息
    * @param appCode
    * @param settingKey
-   * @private
    */
-  private async getParsedCrudStdAppForSettingKey(stdAction: ICrudStdActionParams): Promise<ICrudStdAppInfoForSettingKey> {
+  public async getParsedCrudStdAppForSettingKey(stdAction: ICrudStdActionParams): Promise<ICrudStdAppInfoForSettingKey> {
     const { appCode, settingKey, buttonSettingKey } = stdAction || {};
     if (!appCode) {
       throw new BizException('缺少参数:curdStdAppCode');