Files
cyh-tk-backend/guards/permissions.guard.ts
zhxiao1124 4eff4d877e refactor: 完成项目整体目录重构与路径别名配置
1.  重构项目文件结构,统一文件存放位置与命名规则
2.  配置tsconfig路径别名,替换原有相对路径导入
3.  迁移drama-status枚举到dramas.types统一管理
4.  新增全局配置文件与工具类,补充完整注释与文档
5.  修复所有导入路径与依赖引用问题
2026-07-02 19:17:56 +08:00

50 lines
1.6 KiB
TypeScript

/**
* Permissions guard.
* @file 管理端权限校验守卫
* @module guards/permissions.guard
* @author zhxiao1124
*/
import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from "@nestjs/common";
import { Reflector } from "@nestjs/core";
import { Request } from "express";
import { REQUIRED_PERMISSIONS_METADATA } from "@app/decorators/require-permissions.decorator";
import { AdminUserRecord } from "@src/admin/admin.types";
import { AdminService } from "@src/admin/admin.service";
@Injectable()
export class PermissionsGuard implements CanActivate {
constructor(
private readonly reflector: Reflector,
private readonly adminService: AdminService,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const required = this.reflector.getAllAndOverride<string[]>(REQUIRED_PERMISSIONS_METADATA, [context.getHandler(), context.getClass()]) ?? [];
if (required.length === 0) {
return true;
}
const request = context.switchToHttp().getRequest<Request & { adminUser?: AdminUserRecord }>();
const adminUser = request.adminUser;
if (!adminUser) {
throw new ForbiddenException("No permission");
}
if (adminUser.isSuperAdmin) {
return true;
}
const permissions = await this.adminService.getPermissionCodesForAdmin(adminUser.id);
const allowed = required.every((permission) => permissions.includes(permission));
if (!allowed) {
throw new ForbiddenException("No permission");
}
return true;
}
}