978d9a8309
Some checks failed
Security / deep-security-scan (push) Failing after 20m5s
DR Drill / dr-drill (push) Failing after 1m31s
CI / scheduled-backup (push) Failing after 1m31s
CI / backup-verify (push) Has been skipped
CI / weekly-dr-drill (push) Failing after 0s
CI / build-deploy (push) Has been cancelled
CI / security-scan (push) Has been cancelled
主要变更: - 新增 lesson-preparation 模块: 备课编辑器、节点编辑、AI 建议、知识点选择、版本历史、作业发布 - 新增 shared 通用组件: charts/question-bank-filters/schedule-list/ui (chip-nav/filter-bar/page-header/stat-card/stat-item) - 新增 student/admin 端 loading.tsx 与 error.tsx, 优化加载与错误态体验 - 新增 teacher/lesson-plans 页面 (列表/新建/编辑) - 新增 drizzle 迁移 0002_tiny_lionheart 及 snapshot - 新增 textbooks/schema.ts 与 exams/utils/normalize-structure.ts - 修复 Tiptap v3 SSR hydration 崩溃 (rich-text-block immediatelyRender: false) - 重构多模块 data-access/actions/组件, 修复权限校验与类型规范 - 同步架构文档 004/005 反映新增模块、导出、依赖关系 - 归档 bugs/* 测试报告与 e2e 测试脚本 (admin/parent/student/teacher web_test)
151 lines
4.6 KiB
TypeScript
151 lines
4.6 KiB
TypeScript
import type { Permission, DataScope, AuthContext, Role } from "@/shared/types/permissions"
|
|
import { db } from "@/shared/db"
|
|
import {
|
|
classes,
|
|
classEnrollments,
|
|
classSubjectTeachers,
|
|
grades,
|
|
parentStudentRelations,
|
|
} from "@/shared/db/schema"
|
|
import { eq, or } from "drizzle-orm"
|
|
import { getSession } from "@/shared/lib/session"
|
|
|
|
export class PermissionDeniedError extends Error {
|
|
constructor(permission: string) {
|
|
super(
|
|
`权限不足:需要 ${permission} 权限。请联系管理员授权或切换账号后重试。`
|
|
)
|
|
this.name = "PermissionDeniedError"
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Get the full authentication context for the current user.
|
|
* Throws if not authenticated.
|
|
*/
|
|
export async function getAuthContext(): Promise<AuthContext> {
|
|
const session = await getSession()
|
|
const userId = session?.user?.id
|
|
if (!userId) throw new PermissionDeniedError("auth_required")
|
|
|
|
// Prefer session data (already resolved in JWT callback)
|
|
const roleNames = (session.user.roles ?? []) as Role[]
|
|
const permissions = (session.user.permissions ?? []) as Permission[]
|
|
|
|
// Resolve data scope from DB (not cached in JWT since it can change)
|
|
const dataScope = await resolveDataScope(userId, roleNames)
|
|
|
|
return { userId, roles: roleNames, permissions, dataScope }
|
|
}
|
|
|
|
/**
|
|
* Assert the current user has the specified permission.
|
|
* Returns AuthContext on success, throws PermissionDeniedError on failure.
|
|
*/
|
|
export async function requirePermission(permission: Permission): Promise<AuthContext> {
|
|
const ctx = await getAuthContext()
|
|
if (!ctx.permissions.includes(permission)) {
|
|
throw new PermissionDeniedError(permission)
|
|
}
|
|
return ctx
|
|
}
|
|
|
|
/**
|
|
* Check permission without throwing. Useful for conditional logic.
|
|
*/
|
|
export async function checkPermission(
|
|
permission: Permission
|
|
): Promise<{ allowed: boolean; ctx: AuthContext }> {
|
|
const ctx = await getAuthContext()
|
|
return { allowed: ctx.permissions.includes(permission), ctx }
|
|
}
|
|
|
|
/**
|
|
* Resolve the data scope for a user based on their roles.
|
|
* Queries the DB for resource ownership information.
|
|
*/
|
|
async function resolveDataScope(userId: string, roleNames: Role[]): Promise<DataScope> {
|
|
// Admin sees everything
|
|
if (roleNames.includes("admin")) {
|
|
return { type: "all" }
|
|
}
|
|
|
|
// Grade head / teaching head: can manage their grades
|
|
if (roleNames.includes("grade_head") || roleNames.includes("teaching_head")) {
|
|
const managedGrades = await db
|
|
.select({ id: grades.id })
|
|
.from(grades)
|
|
.where(or(eq(grades.gradeHeadId, userId), eq(grades.teachingHeadId, userId)))
|
|
|
|
if (managedGrades.length > 0) {
|
|
return { type: "grade_managed", gradeIds: managedGrades.map((g) => g.id) }
|
|
}
|
|
}
|
|
|
|
// Teacher: can see their own classes
|
|
if (roleNames.includes("teacher")) {
|
|
// Classes where user is the homeroom teacher
|
|
const homeroomClasses = await db
|
|
.select({ id: classes.id })
|
|
.from(classes)
|
|
.where(eq(classes.teacherId, userId))
|
|
|
|
// Classes where user is a subject teacher
|
|
const subjectClasses = await db
|
|
.selectDistinct({ classId: classSubjectTeachers.classId, subjectId: classSubjectTeachers.subjectId })
|
|
.from(classSubjectTeachers)
|
|
.where(eq(classSubjectTeachers.teacherId, userId))
|
|
|
|
const classIds = [
|
|
...new Set([
|
|
...homeroomClasses.map((c) => c.id),
|
|
...subjectClasses.map((c) => c.classId),
|
|
]),
|
|
]
|
|
const subjectIds = subjectClasses
|
|
.map((c) => c.subjectId)
|
|
.filter((s): s is string => s !== null)
|
|
|
|
return {
|
|
type: "class_taught",
|
|
classIds,
|
|
subjectIds: subjectIds.length > 0 ? subjectIds : undefined,
|
|
}
|
|
}
|
|
|
|
// Student: can see data from their enrolled classes
|
|
// Pre-resolve classIds here to avoid N+1 queries in data-access layer
|
|
if (roleNames.includes("student")) {
|
|
const enrolledClasses = await db
|
|
.select({ classId: classEnrollments.classId })
|
|
.from(classEnrollments)
|
|
.where(eq(classEnrollments.studentId, userId))
|
|
|
|
return {
|
|
type: "class_members",
|
|
classIds: enrolledClasses.map((c) => c.classId),
|
|
}
|
|
}
|
|
|
|
// Parent: can see their children's data
|
|
if (roleNames.includes("parent")) {
|
|
const children = await db
|
|
.select({ studentId: parentStudentRelations.studentId })
|
|
.from(parentStudentRelations)
|
|
.where(eq(parentStudentRelations.parentId, userId))
|
|
|
|
return { type: "children", childrenIds: children.map((c) => c.studentId) }
|
|
}
|
|
|
|
// Fallback: only own data
|
|
return { type: "owned", userId }
|
|
}
|
|
|
|
/**
|
|
* Convenience: assert the user is authenticated (has any role).
|
|
* Returns AuthContext on success.
|
|
*/
|
|
export async function requireAuth(): Promise<AuthContext> {
|
|
return getAuthContext()
|
|
}
|