| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 |
- <?php
- namespace App\Module\OpenAPI\Validators;
- use App\Module\OpenAPI\Enums\SCOPE_TYPE;
- use UCore\Validator;
- /**
- * 权限列表验证器
- */
- class ScopeListValidator extends Validator
- {
- /**
- * 验证权限列表是否有效
- *
- * @param mixed $value 权限列表数组
- * @param array $data 验证数据
- * @return bool 验证是否通过
- */
- public function validate(mixed $value, array $data): bool
- {
- // 从 args 获取参数
- $processedKey = $this->args[0] ?? 'processedScopes';
- // 如果没有提供权限列表,使用默认权限
- if (empty($value)) {
- $value = ['USER_READ', 'GAME_READ'];
- }
- // 确保是数组
- if (!is_array($value)) {
- $this->addError('权限范围必须是数组格式');
- return false;
- }
- // 验证权限范围数量
- if (count($value) > 20) {
- $this->addError('权限范围数量不能超过20个');
- return false;
- }
- // 获取所有有效权限
- $validScopes = $this->getAllValidScopes();
- $processedScopes = [];
- foreach ($value as $scope) {
- if (!is_string($scope)) {
- $this->addError('权限范围必须是字符串');
- return false;
- }
- $scope = trim($scope);
- if (empty($scope)) {
- continue;
- }
- // 验证权限是否有效
- if (!in_array($scope, $validScopes)) {
- $this->addError("无效的权限范围: {$scope}");
- return false;
- }
- $processedScopes[] = $scope;
- }
- // 去重
- $processedScopes = array_unique($processedScopes);
- if (empty($processedScopes)) {
- $this->addError('至少需要配置一个权限范围');
- return false;
- }
- // 验证权限依赖关系
- if (!$this->validateScopeDependencies($processedScopes)) {
- return false;
- }
- // 验证危险权限
- if (!$this->validateDangerousScopes($processedScopes)) {
- return false;
- }
- // 将处理后的权限保存到验证对象中
- $this->validation->$processedKey = array_values($processedScopes);
- return true;
- }
- /**
- * 获取所有有效的权限范围
- *
- * @return array
- */
- protected function getAllValidScopes(): array
- {
- $scopes = array_column(SCOPE_TYPE::cases(), 'value');
-
- // 添加特殊权限
- $scopes[] = '*'; // 通配符权限
- $scopes[] = 'ADMIN'; // 管理员权限
- return $scopes;
- }
- /**
- * 验证权限依赖关系
- *
- * @param array $scopes
- * @return bool
- */
- protected function validateScopeDependencies(array $scopes): bool
- {
- // 权限依赖关系
- $dependencies = [
- 'USER_WRITE' => ['USER_READ'],
- 'USER_DELETE' => ['USER_READ', 'USER_WRITE'],
- 'GAME_WRITE' => ['GAME_READ'],
- 'GAME_ADMIN' => ['GAME_READ', 'GAME_WRITE'],
- 'ITEM_WRITE' => ['ITEM_READ'],
- 'ITEM_TRANSFER' => ['ITEM_READ', 'ITEM_WRITE'],
- 'FUND_WRITE' => ['FUND_READ'],
- 'FUND_TRANSFER' => ['FUND_READ', 'FUND_WRITE'],
- 'TRADE_WRITE' => ['TRADE_READ'],
- 'TRADE_CANCEL' => ['TRADE_READ', 'TRADE_WRITE'],
- 'STATS_EXPORT' => ['STATS_READ'],
- 'SYSTEM_ADMIN' => ['SYSTEM_READ'],
- ];
- foreach ($scopes as $scope) {
- if (isset($dependencies[$scope])) {
- foreach ($dependencies[$scope] as $dependency) {
- if (!in_array($dependency, $scopes)) {
- $this->addError("权限 {$scope} 需要依赖权限 {$dependency}");
- return false;
- }
- }
- }
- }
- return true;
- }
- /**
- * 验证危险权限
- *
- * @param array $scopes
- * @return bool
- */
- protected function validateDangerousScopes(array $scopes): bool
- {
- $dangerousScopes = [
- 'USER_DELETE',
- 'FUND_TRANSFER',
- 'TRADE_CANCEL',
- 'SYSTEM_ADMIN',
- 'ADMIN',
- '*'
- ];
- $foundDangerous = array_intersect($scopes, $dangerousScopes);
- if (!empty($foundDangerous)) {
- // 这里可以添加额外的验证逻辑,比如需要管理员审批等
- // 目前只是记录警告,不阻止创建
- foreach ($foundDangerous as $dangerous) {
- $this->addWarning("权限 {$dangerous} 是高风险权限,请谨慎使用");
- }
- }
- return true;
- }
- }
|
