"""
路由层装饰器

提供权限检查、参数验证等装饰器
注意：基础的 login_required 和 admin_required 使用 app.services.auth.decorators
"""
from functools import wraps
from flask import jsonify, g, request
from app.models.database.models import CategoryAdmin, Role


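def category_permission_required(min_role='viewer'):
    """
    Category permission decorator with three role levels.

    Role levels, lowest to highest:
    - viewer: read-only, may view configuration
    - editor: may modify configuration
    - owner: may manage permissions and delete

    Users whose role is ``Role.ADMIN`` bypass the per-category check.

    NOTE(security): a request that carries no ``category_id`` path parameter
    is passed through unchecked, so this decorator only protects routes that
    expose ``category_id`` in the URL rule. Apply a separate check on routes
    that take the category from the body or query string.

    Args:
        min_role: Minimum role level required ('viewer', 'editor' or 'owner').

    Raises:
        ValueError: At decoration time when ``min_role`` is not a known role.
            An unknown name used to fall back silently to the viewer level,
            so a typo weakened the check instead of failing.

    Usage:
        @category_permission_required('editor')
        def update_category(category_id):
            pass
    """
    role_levels = {'viewer': 1, 'editor': 2, 'owner': 3}
    if min_role not in role_levels:
        # Fail closed: reject a misspelled role when the route is defined.
        raise ValueError(
            f"unknown min_role {min_role!r}; expected one of {sorted(role_levels)}"
        )
    required_level = role_levels[min_role]

    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            # An authenticated user must already be attached to flask.g.
            user = getattr(g, 'user', None)
            if not user:
                return jsonify({'success': False, 'error': '请先登录'}), 401

            # System administrators hold every permission.
            if user.role == Role.ADMIN:
                return f(*args, **kwargs)

            # Read category_id from the view kwargs, then from the matched
            # URL rule. Compare against None so a falsy id such as 0 is still
            # checked rather than treated as "no category".
            category_id = kwargs.get('category_id')
            if category_id is None:
                category_id = (request.view_args or {}).get('category_id')
            if category_id is None:
                # No category in the route: not a category-scoped endpoint.
                return f(*args, **kwargs)

            # Look up the user's role within this category.
            admin_record = CategoryAdmin.query.filter_by(
                category_id=category_id,
                user_id=user.id
            ).first()

            if not admin_record:
                return jsonify({'success': False, 'error': '没有该方向的访问权限'}), 403

            # A stored role outside the known set maps to level 0 (denied).
            user_level = role_levels.get(admin_record.role, 0)

            if user_level < required_level:
                role_names = {'viewer': '查看', 'editor': '编辑', 'owner': '管理'}
                return jsonify({
                    'success': False,
                    'error': f'需要{role_names.get(min_role, min_role)}权限'
                }), 403

            return f(*args, **kwargs)
        return decorated_function
    return decorator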


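def challenge_owner_required(f):
    """
    Challenge ownership decorator.

    Allows the wrapped view to run only when the current user is an
    administrator or the ``user_id`` recorded on the challenge.

    Responses produced by the decorator itself:
    - 401 when no user is attached to ``flask.g``
    - 400 when ``challenge_id`` is missing or is not an integer
    - 404 when the challenge record does not exist
    - 403 when the current user is not the challenge's ``user_id``
    - 500 when the lookup raises; the exception is logged server-side and
      only a generic message is returned, so internal details (SQL, paths,
      driver errors) are not disclosed to the client

    Usage:
        @challenge_owner_required
        def delete_challenge(challenge_id):
            pass
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        # An authenticated user must already be attached to flask.g.
        user = getattr(g, 'user', None)
        if not user:
            return jsonify({'success': False, 'error': '请先登录'}), 401

        # Administrators hold every permission.
        if user.role == Role.ADMIN:
            return f(*args, **kwargs)

        # Read challenge_id from the view kwargs or the matched URL rule.
        challenge_id = kwargs.get('challenge_id') or request.view_args.get('challenge_id')
        if not challenge_id:
            return jsonify({'success': False, 'error': '缺少题目ID'}), 400

        # A non-numeric id is a client error, not a server failure.
        try:
            challenge_id = int(challenge_id)
        except (TypeError, ValueError):
            return jsonify({'success': False, 'error': '题目ID无效'}), 400

        # Verify ownership of the challenge.
        try:
            from app.models.database.operations import get_challenge_record
            challenge = get_challenge_record(challenge_id)

            if not challenge:
                return jsonify({'success': False, 'error': '题目不存在'}), 404

            if challenge.get('user_id') != user.id:
                return jsonify({'success': False, 'error': '您没有权限操作此题目'}), 403

        except Exception:
            # Keep the traceback in the server log; never echo str(e) back.
            import logging
            logging.getLogger(__name__).exception(
                "challenge ownership check failed for challenge_id=%s", challenge_id
            )
            return jsonify({'success': False, 'error': '权限检查失败'}), 500

        return f(*args, **kwargs)
    return decorated_function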


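def validate_json(*required_fields):
    """
    JSON request-body validation decorator.

    Rejects the request with a JSON 400 response unless the body is a
    non-empty JSON object that contains every name in ``required_fields``.
    Only the presence of the keys is checked; values are not validated, so
    the view must still check types and ranges itself.

    The body is parsed with ``get_json(silent=True)``, so a malformed body is
    reported through the same JSON error shape as an empty one. Non-object
    payloads (array, string, number) are rejected explicitly: ``in`` on a
    string is a substring test and on a list an element test, either of which
    could let a non-object body pass the required-field check.

    Args:
        *required_fields: Names of the keys that must be present.

    Usage:
        @validate_json('name', 'email')
        def create_user():
            data = request.get_json()
            # data is known to contain 'name' and 'email'
    """
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not request.is_json:
                return jsonify({
                    'success': False,
                    'error': '请求必须是 JSON 格式'
                }), 400

            # silent=True yields None for an unparseable body.
            data = request.get_json(silent=True)
            if not data:
                return jsonify({
                    'success': False,
                    'error': '请求数据不能为空'
                }), 400

            # Required fields only make sense on a JSON object.
            if not isinstance(data, dict):
                return jsonify({
                    'success': False,
                    'error': '请求数据必须是 JSON 对象'
                }), 400

            # Collect every required key that is absent.
            missing_fields = [field for field in required_fields if field not in data]
            if missing_fields:
                return jsonify({
                    'success': False,
                    'error': f'缺少必需字段: {", ".join(missing_fields)}'
                }), 400

            return f(*args, **kwargs)
        return decorated_function
    return decorator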
