feat: user roles (#852)

* [WIP] feat: user roles * update * update * admin handler * update * feat: user-specific connection secret * simplify some logics * cleanup * update waf * update user api error handling * update waf api * fix codeql * update waf table * fix several problems * add pagination for waf api * update permission checks * switch to runtime check * 1 * cover? * some changes
2026-03-22 11:01:52 +00:00 · 2024-12-22 00:05:41 +08:00
parent 50ee62172f
commit 653d0cf2e9
35 changed files with 841 additions and 180 deletions
--- a/cmd/dashboard/controller/notification.go
+++ b/cmd/dashboard/controller/notification.go
@@ -48,6 +48,7 @@ func createNotification(c *gin.Context) (uint64, error) {
 	}

 	var n model.Notification
+	n.UserID = getUid(c)
 	n.Name = nf.Name
 	n.RequestMethod = nf.RequestMethod
 	n.RequestType = nf.RequestType
@@ -106,6 +107,10 @@ func updateNotification(c *gin.Context) (any, error) {
 		return nil, singleton.Localizer.ErrorT("notification id %d does not exist", id)
 	}

+	if !n.HasPermission(c) {
+		return nil, singleton.Localizer.ErrorT("permission denied")
+	}
+
 	n.Name = nf.Name
 	n.RequestMethod = nf.RequestMethod
 	n.RequestType = nf.RequestType
@@ -149,11 +154,20 @@ func updateNotification(c *gin.Context) (any, error) {
 // @Router /batch-delete/notification [post]
 func batchDeleteNotification(c *gin.Context) (any, error) {
 	var n []uint64
-
 	if err := c.ShouldBindJSON(&n); err != nil {
 		return nil, err
 	}

+	singleton.NotificationsLock.RLock()
+	for _, nid := range n {
+		if ns, ok := singleton.NotificationMap[nid]; ok {
+			if !ns.HasPermission(c) {
+				return nil, singleton.Localizer.ErrorT("permission denied")
+			}
+		}
+	}
+	singleton.NotificationsLock.RUnlock()
+
 	err := singleton.DB.Transaction(func(tx *gorm.DB) error {
 		if err := tx.Unscoped().Delete(&model.Notification{}, "id in (?)", n).Error; err != nil {
 			return err