From 04e9b718dbfc07063412376ec2816c1d1bf4eb78 Mon Sep 17 00:00:00 2001
From: yumoqing
Date: Fri, 29 May 2026 23:12:22 +0800
Subject: [PATCH] fix: check_roles_path supports % wildcard alongside **

load_path.py scripts across modules register paths like '/module/api/%' using SQL LIKE wildcard, but check_roles_path() only recognized '**' as wildcard suffix. This caused all %-terminated paths to be treated as exact matches, resulting in 403 for any sub-path. Now both '/module/api/%' and '/module/api/**' work as prefix wildcards.
---
 rbac/userperm.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/rbac/userperm.py b/rbac/userperm.py
index 0fbcbc2..354e7cd 100644
--- a/rbac/userperm.py
+++ b/rbac/userperm.py
@@ -281,7 +281,8 @@ where a.id = c.userid
 Supports:
 - Exact match: '/customer_management/index.ui' or '/main/login.ui'
- - Wildcard prefix match: '/customer_management/**' matches any path starting with '/customer_management/'
+ - Wildcard prefix match: '/customer_management/**' or '/customer_management/%'
+ matches any path starting with '/customer_management/'
 - Path normalization: tries both the raw path and path with /main stripped
 """
 for role in roles:
@@ -298,16 +299,22 @@ where a.id = c.userid
 return True
 # Also try wildcard match with normalized path
 for perm_path in paths:
+ prefix = None
 if perm_path.endswith('**'):
 prefix = perm_path[:-2]
- if normalized.startswith(prefix) or path.startswith(prefix):
- return True
+ elif perm_path.endswith('%'):
+ prefix = perm_path[:-1]
+ if prefix and (normalized.startswith(prefix) or path.startswith(prefix)):
+ return True
 # Wildcard prefix match with raw path
 for perm_path in paths:
+ prefix = None
 if perm_path.endswith('**'):
 prefix = perm_path[:-2]
- if path.startswith(prefix):
- return True
+ elif perm_path.endswith('%'):
+ prefix = perm_path[:-1]
+ if prefix and path.startswith(prefix):
+ return True
 return False
 async def is_user_has_path_perm(self, userid, path):
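Review bot: The new `if prefix and ...` guard in both wildcard loops of the second hunk silently changes what a bare `**` grant means. The removed lines appear to have let `perm_path[:-2]` become `''`, and `startswith('')` is true for every path, so a bare `**` acted as a catch-all; now a bare `**` or `%` matches nothing. If failing closed is intended, record it next to the guard, e.g. `# a bare '**' or '%' yields an empty prefix and is deliberately not a catch-all`, and check whether any existing role relies on the old behaviour, because it will start receiving 403. Only a trailing `%` is honoured, so a registered LIKE pattern with `%` in the middle or with `_` still falls through to exact matching, while a permission path that ends in a literal `%` now becomes a prefix grant. check_roles_path begins above this hunk, so it is not visible whether `path` is canonicalised (no `..` segments) before the `startswith` tests; that is worth confirming now that more rows are treated as prefixes.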