Merge remote-tracking branch 'origin/master'
This commit is contained in:
M_Kececi
@@ -62,7 +62,7 @@ func AdminResetPasswordHandler(db *sql.DB) http.HandlerFunc {
|
||||
// ---------------------------------------------------
|
||||
// 4️⃣ UPDATE mk_dfusr
|
||||
// ---------------------------------------------------
|
||||
_, err = db.Exec(`
|
||||
res, err := db.Exec(`
|
||||
UPDATE mk_dfusr
|
||||
SET
|
||||
password_hash = $1,
|
||||
@@ -77,6 +77,24 @@ func AdminResetPasswordHandler(db *sql.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
affected, _ := res.RowsAffected()
|
||||
if affected == 0 {
|
||||
_, err = db.Exec(`
|
||||
UPDATE dfusr
|
||||
SET
|
||||
upass = $1,
|
||||
force_password_change = true,
|
||||
last_updated_date = NOW()
|
||||
WHERE id = $2
|
||||
AND is_active = true
|
||||
`, string(hash), userID)
|
||||
|
||||
if err != nil {
|
||||
http.Error(w, "legacy password reset failed", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------
|
||||
// 5️⃣ REFRESH TOKEN REVOKE
|
||||
// ---------------------------------------------------
|
||||
|
||||
@@ -30,6 +30,12 @@ type LoginRequest struct {
|
||||
Password string `json:"password"`
|
||||
}
|
||||
|
||||
func looksLikeBcryptHash(value string) bool {
|
||||
return strings.HasPrefix(value, "$2a$") ||
|
||||
strings.HasPrefix(value, "$2b$") ||
|
||||
strings.HasPrefix(value, "$2y$")
|
||||
}
|
||||
|
||||
func ensureLegacyUserReadyForSession(db *sql.DB, legacyUser *models.User) (int64, error) {
|
||||
desiredID := int64(legacyUser.ID)
|
||||
|
||||
@@ -148,19 +154,36 @@ func LoginHandler(db *sql.DB) http.HandlerFunc {
|
||||
if err == nil {
|
||||
|
||||
// mk_dfusr authoritative
|
||||
if strings.TrimSpace(mkUser.PasswordHash) != "" {
|
||||
mkHash := strings.TrimSpace(mkUser.PasswordHash)
|
||||
if mkHash != "" {
|
||||
if looksLikeBcryptHash(mkHash) {
|
||||
cmpErr := bcrypt.CompareHashAndPassword(
|
||||
[]byte(mkHash),
|
||||
[]byte(pass),
|
||||
)
|
||||
if cmpErr == nil {
|
||||
_ = mkRepo.TouchLastLogin(mkUser.ID)
|
||||
writeLoginResponse(w, db, mkUser)
|
||||
return
|
||||
}
|
||||
|
||||
if bcrypt.CompareHashAndPassword(
|
||||
[]byte(mkUser.PasswordHash),
|
||||
[]byte(pass),
|
||||
) != nil {
|
||||
http.Error(w, "Kullanıcı adı veya parola hatalı", http.StatusUnauthorized)
|
||||
return
|
||||
if !mkUser.ForcePasswordChange {
|
||||
http.Error(w, "invalid credentials", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
log.Printf(
|
||||
"LOGIN FALLBACK legacy allowed (force_password_change=true) username=%s id=%d",
|
||||
mkUser.Username,
|
||||
mkUser.ID,
|
||||
)
|
||||
} else {
|
||||
log.Printf(
|
||||
"LOGIN FALLBACK legacy allowed (non-bcrypt mk hash) username=%s id=%d",
|
||||
mkUser.Username,
|
||||
mkUser.ID,
|
||||
)
|
||||
}
|
||||
|
||||
_ = mkRepo.TouchLastLogin(mkUser.ID)
|
||||
writeLoginResponse(w, db, mkUser)
|
||||
return
|
||||
}
|
||||
// password_hash boşsa legacy fallback
|
||||
} else if err != repository.ErrMkUserNotFound {
|
||||
|
||||
@@ -14,6 +14,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/lib/pq"
|
||||
)
|
||||
|
||||
type IdTitleOption struct {
|
||||
@@ -57,7 +58,7 @@ type RoleDepartmentPermissionHandler struct {
|
||||
func NewRoleDepartmentPermissionHandler(db *sql.DB) *RoleDepartmentPermissionHandler {
|
||||
|
||||
return &RoleDepartmentPermissionHandler{
|
||||
DB: db, // ✅ EKLENDİ
|
||||
DB: db, // Added
|
||||
Repo: permissions.NewRoleDepartmentPermissionRepo(db),
|
||||
}
|
||||
}
|
||||
@@ -417,7 +418,7 @@ func (h *PermissionHandler) GetUserOverrides(w http.ResponseWriter, r *http.Requ
|
||||
|
||||
list, err := h.Repo.GetUserOverridesByUserID(userID)
|
||||
if err != nil {
|
||||
log.Println("❌ USER OVERRIDE LOAD ERROR:", err)
|
||||
log.Println("USER OVERRIDE LOAD ERROR:", err)
|
||||
http.Error(w, "db error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
@@ -425,6 +426,138 @@ func (h *PermissionHandler) GetUserOverrides(w http.ResponseWriter, r *http.Requ
|
||||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||||
_ = json.NewEncoder(w).Encode(list)
|
||||
}
|
||||
|
||||
type routePermissionSeed struct {
|
||||
Module string
|
||||
Action string
|
||||
Path string
|
||||
}
|
||||
|
||||
type moduleActionSeed struct {
|
||||
Module string
|
||||
Action string
|
||||
}
|
||||
|
||||
type permissionSnapshot struct {
|
||||
user map[string]bool
|
||||
roleDept map[string]bool
|
||||
role map[string]bool
|
||||
}
|
||||
|
||||
func permissionKey(module, action string) string {
|
||||
return module + "|" + action
|
||||
}
|
||||
|
||||
func loadPermissionSnapshot(
|
||||
db *sql.DB,
|
||||
userID int64,
|
||||
roleID int64,
|
||||
deptCodes []string,
|
||||
) (permissionSnapshot, error) {
|
||||
snapshot := permissionSnapshot{
|
||||
user: make(map[string]bool, 128),
|
||||
roleDept: make(map[string]bool, 128),
|
||||
role: make(map[string]bool, 128),
|
||||
}
|
||||
|
||||
userRows, err := db.Query(`
|
||||
SELECT module_code, action, allowed
|
||||
FROM mk_sys_user_permissions
|
||||
WHERE user_id = $1
|
||||
`, userID)
|
||||
if err != nil {
|
||||
return snapshot, err
|
||||
}
|
||||
for userRows.Next() {
|
||||
var module, action string
|
||||
var allowed bool
|
||||
if err := userRows.Scan(&module, &action, &allowed); err != nil {
|
||||
_ = userRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
snapshot.user[permissionKey(module, action)] = allowed
|
||||
}
|
||||
if err := userRows.Err(); err != nil {
|
||||
_ = userRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
_ = userRows.Close()
|
||||
|
||||
if len(deptCodes) > 0 {
|
||||
roleDeptRows, err := db.Query(`
|
||||
SELECT module_code, action, BOOL_OR(allowed) AS allowed
|
||||
FROM vw_role_dept_permissions
|
||||
WHERE role_id = $1
|
||||
AND department_code = ANY($2)
|
||||
GROUP BY module_code, action
|
||||
`,
|
||||
roleID,
|
||||
pq.Array(deptCodes),
|
||||
)
|
||||
if err != nil {
|
||||
return snapshot, err
|
||||
}
|
||||
for roleDeptRows.Next() {
|
||||
var module, action string
|
||||
var allowed bool
|
||||
if err := roleDeptRows.Scan(&module, &action, &allowed); err != nil {
|
||||
_ = roleDeptRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
snapshot.roleDept[permissionKey(module, action)] = allowed
|
||||
}
|
||||
if err := roleDeptRows.Err(); err != nil {
|
||||
_ = roleDeptRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
_ = roleDeptRows.Close()
|
||||
}
|
||||
|
||||
roleRows, err := db.Query(`
|
||||
SELECT module_code, action, allowed
|
||||
FROM mk_sys_role_permissions
|
||||
WHERE role_id = $1
|
||||
`, roleID)
|
||||
if err != nil {
|
||||
return snapshot, err
|
||||
}
|
||||
for roleRows.Next() {
|
||||
var module, action string
|
||||
var allowed bool
|
||||
if err := roleRows.Scan(&module, &action, &allowed); err != nil {
|
||||
_ = roleRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
snapshot.role[permissionKey(module, action)] = allowed
|
||||
}
|
||||
if err := roleRows.Err(); err != nil {
|
||||
_ = roleRows.Close()
|
||||
return snapshot, err
|
||||
}
|
||||
_ = roleRows.Close()
|
||||
|
||||
return snapshot, nil
|
||||
}
|
||||
|
||||
func resolvePermissionFromSnapshot(
|
||||
s permissionSnapshot,
|
||||
module string,
|
||||
action string,
|
||||
) bool {
|
||||
key := permissionKey(module, action)
|
||||
|
||||
if allowed, ok := s.user[key]; ok {
|
||||
return allowed
|
||||
}
|
||||
if allowed, ok := s.roleDept[key]; ok {
|
||||
return allowed
|
||||
}
|
||||
if allowed, ok := s.role[key]; ok {
|
||||
return allowed
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
@@ -436,10 +569,16 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
repo := permissions.NewPermissionRepository(db)
|
||||
|
||||
// JWT’den departmanlar
|
||||
depts := claims.DepartmentCodes
|
||||
snapshot, err := loadPermissionSnapshot(
|
||||
db,
|
||||
int64(claims.ID),
|
||||
int64(claims.RoleID),
|
||||
claims.DepartmentCodes,
|
||||
)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
rows, err := db.Query(`
|
||||
SELECT DISTINCT
|
||||
@@ -454,17 +593,9 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
type Row struct {
|
||||
Route string `json:"route"`
|
||||
CanAccess bool `json:"can_access"`
|
||||
}
|
||||
|
||||
list := make([]Row, 0, 64)
|
||||
|
||||
routeSeeds := make([]routePermissionSeed, 0, 128)
|
||||
for rows.Next() {
|
||||
|
||||
var module, action, path string
|
||||
|
||||
if err := rows.Scan(
|
||||
&module,
|
||||
&action,
|
||||
@@ -473,22 +604,26 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
|
||||
continue
|
||||
}
|
||||
|
||||
allowed, err := repo.ResolvePermissionChain(
|
||||
int64(claims.ID),
|
||||
int64(claims.RoleID),
|
||||
depts,
|
||||
module,
|
||||
action,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
log.Println("PERM RESOLVE ERROR:", err)
|
||||
continue
|
||||
}
|
||||
routeSeeds = append(routeSeeds, routePermissionSeed{
|
||||
Module: module,
|
||||
Action: action,
|
||||
Path: path,
|
||||
})
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
list := make([]Row, 0, len(routeSeeds))
|
||||
for _, route := range routeSeeds {
|
||||
list = append(list, Row{
|
||||
Route: path,
|
||||
CanAccess: allowed,
|
||||
Route: route.Path,
|
||||
CanAccess: resolvePermissionFromSnapshot(
|
||||
snapshot,
|
||||
route.Module,
|
||||
route.Action,
|
||||
),
|
||||
})
|
||||
}
|
||||
|
||||
@@ -507,18 +642,17 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
repo := permissions.NewPermissionRepository(db)
|
||||
|
||||
// ✅ JWT'DEN DEPARTMENTS
|
||||
depts := claims.DepartmentCodes
|
||||
|
||||
log.Printf("🧪 EFFECTIVE PERM | user=%d role=%d depts=%v",
|
||||
claims.ID,
|
||||
claims.RoleID,
|
||||
depts,
|
||||
snapshot, err := loadPermissionSnapshot(
|
||||
db,
|
||||
int64(claims.ID),
|
||||
int64(claims.RoleID),
|
||||
claims.DepartmentCodes,
|
||||
)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
// all system perms
|
||||
all, err := db.Query(`
|
||||
SELECT DISTINCT module_code, action
|
||||
FROM mk_sys_routes
|
||||
@@ -529,14 +663,7 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
|
||||
}
|
||||
defer all.Close()
|
||||
|
||||
type Row struct {
|
||||
Module string `json:"module"`
|
||||
Action string `json:"action"`
|
||||
Allowed bool `json:"allowed"`
|
||||
}
|
||||
|
||||
list := make([]Row, 0, 128)
|
||||
|
||||
moduleActions := make([]moduleActionSeed, 0, 128)
|
||||
for all.Next() {
|
||||
|
||||
var m, a string
|
||||
@@ -544,22 +671,32 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
|
||||
continue
|
||||
}
|
||||
|
||||
allowed, err := repo.ResolvePermissionChain(
|
||||
int64(claims.ID),
|
||||
int64(claims.RoleID),
|
||||
depts,
|
||||
m,
|
||||
a,
|
||||
)
|
||||
moduleActions = append(moduleActions, moduleActionSeed{
|
||||
Module: m,
|
||||
Action: a,
|
||||
})
|
||||
}
|
||||
if err := all.Err(); err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
type Row struct {
|
||||
Module string `json:"module"`
|
||||
Action string `json:"action"`
|
||||
Allowed bool `json:"allowed"`
|
||||
}
|
||||
|
||||
list := make([]Row, 0, len(moduleActions))
|
||||
for _, item := range moduleActions {
|
||||
list = append(list, Row{
|
||||
Module: m,
|
||||
Action: a,
|
||||
Allowed: allowed,
|
||||
Module: item.Module,
|
||||
Action: item.Action,
|
||||
Allowed: resolvePermissionFromSnapshot(
|
||||
snapshot,
|
||||
item.Module,
|
||||
item.Action,
|
||||
),
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user