yumoqing/rbac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
204 Commits 2 Branches 0 Tags
Commit Graph

112 Commits

Author SHA1 Message Date
yumoqing
53111aa2fd fix: Form.getValue()返回FormData对象,改用_getValue()获取普通对象 
根因:bricks Form的getValue()内部调用get_formdata()返回浏览器
原生FormData对象,不支持.cell_no属性访问。
改用_getValue()返回{name:value}普通JS对象。
 2026-05-28 16:27:56 +08:00
yumoqing
92627c9c96 fix: 手机验证码tab改用VBox+独立Button,避免toolbar tool触发submit导致tab跳转 
根因:Form toolbar tool点击会同时触发Form的submit事件,
submit的urlwidget替换Form后TabPanel重置到第一个tab。
改为VBox包裹Form和独立Button,Button通过bricks.getWidgetById
读取Form值,fetch加_webbricks_=1确保返回纯JSON。
 2026-05-28 15:03:50 +08:00
yumoqing
7200ee43a0 fix: 手机验证码gen_code按钮用datawidget/datamethod传表单值给script 
原script中this.getValue()在toolbar tool事件上下文中拿不到表单数据,
改用datawidget/datamethod机制将表单值通过params传入script。
回写codeid用.bind(this)保持Form引用。
 2026-05-28 14:10:37 +08:00
yumoqing
de21b9fd38 feat: 手机验证码登录对接 + 注册tab + user_logined事件派发 
- 新增 code_login.dspy: 接收前端表单(cell_no/codeid/check_code)
  映射到sms_engine验证,返回UI widget含自动登录binds
- 修复 login.ui 手机验证码tab: gen_code按钮改用script调用
  gen_sms_code.dspy并回写key到隐藏字段,submit指向code_login.dspy
- login.ui 新增注册tab: 用户名/手机号/密码/确认密码表单
- register.dspy: 注册成功后自动remember_user并返回含binds的
  Message widget(加载userinfo、销毁登录窗、派发user_logined)
- up_login.dspy: 补充user_logined事件派发bind
- load_path.py: code_login.dspy加入any权限,gen_sms_code.dspy
  从logined移至any(验证码发送在登录前)
 2026-05-28 13:50:17 +08:00
yumoqing
54b0f3d7b6 fix: dispatch user_logined event after successful login 
After login message is dismissed, dispatches 'user_logined' on bricks.app
so the sidebar menu reloads without requiring manual page reload.
 2026-05-28 13:42:03 +08:00
yumoqing
9d2a94131a feat: improve logout.dspy with refresh button 
After logout, show success message with a button to reload the page,
which triggers the sidebar menu to re-render with unauthenticated state.
 2026-05-27 17:58:15 +08:00
yumoqing
835a2ff3f7 fix: add filler css + overflowY:auto to content container 2026-05-26 13:57:42 +08:00
yumoqing
1b21f46336 feat: add index.ui as module entry with user management, path roles, and unauth file scan cards 2026-05-26 12:11:32 +08:00
yumoqing
f8c8a4ce4d refactor: move RBAC tools logic to rbac/rbac_tools.py, dspy files call via request._run_ns 2026-05-26 09:32:38 +08:00
yumoqing
0b456486db feat: add RBAC tools — list_path_roles, find_unauth_files, and permission registration script 2026-05-26 09:18:04 +08:00
yumoqing
c53c16d54c feat: add RBAC tools — list_path_roles and find_unauth_files 2026-05-26 09:12:33 +08:00
yumoqing
04552941e5 bugfix 2026-05-22 16:54:08 +08:00
yumoqing
0ac6c83ead bugfix 2026-05-18 16:00:42 +08:00
yumoqing
d168326f09 bugfix 2026-05-18 15:31:00 +08:00
yumoqing
3f2001378e bugfix 2026-05-18 15:25:43 +08:00
yumoqing
d96444cf60 fix: replace getID() with uuid() in dspy context 2026-05-13 11:50:24 +08:00
yumoqing
cd82b345aa fix: use dappid+userid for downapikey query/insert, matching actual table schema 2026-05-13 11:44:34 +08:00
yumoqing
f313877f4b fix: remove non-existent kwdownapikey table, use downapikey directly for per-user apikey lookup 2026-05-13 11:22:04 +08:00
yumoqing
fe7025ac0f fix: use kwdownapikey for per-user apikey existence check to prevent same org sharing apikey 2026-05-12 20:12:19 +08:00
yumoqing
d57d165a08 fix: add openCustomerAccounts call and fix sync message in usersync 2026-05-12 18:54:15 +08:00
yumoqing
59c321d941 fix: check user existence and register user/org if missing using rbac functions 2026-05-12 18:46:02 +08:00
yumoqing
e7193933ae fix: ensure user and org are created in users table before apikey creation in usersync 2026-05-12 18:37:23 +08:00
yumoqing
2fb9098699 fix: correct indentation in batch loop, fix for-else bug causing continue syntax error 2026-05-12 18:30:56 +08:00
yumoqing
3bb57dafd7 fix: convert tabs to spaces in usersync/index.dspy to resolve TabError 2026-05-12 18:20:24 +08:00
yumoqing
f1ed6ad151 fix: verify user exists before returning existing apikey in usersync, clean stale downapikey records 2026-05-12 18:13:50 +08:00
yumoqing
09acce0637 fix: remove ServerEnv() usage in dspy script, change expires_at to expired_date 2026-05-12 18:03:32 +08:00
yumoqing
fb5a24c240 fix: add POST method to register form submit binding 2026-05-12 10:41:50 +08:00
yumoqing
ceb26adf53 feat: 添加用户同步接口 /rbac/usersync/ 
- 新增POST接口支持单个和批量用户同步到dapi模块
- 返回每个用户的dapi apikey
- 优先调用dapi模块的create_user_apikey函数
- 添加API说明书文档
 2026-05-11 15:10:56 +08:00
yumoqing
ccf66ecd23 bugfix 2026-04-26 20:27:54 +08:00
yumoqing
0d5878f2ea bugfix 2026-04-26 20:25:05 +08:00
yumoqing
a460c0b888 bugfix 2026-04-26 20:24:53 +08:00
yumoqing
fdabfc2261 bugfix 2026-04-26 20:14:56 +08:00
yumoqing
90e9e943b2 bugfix 2026-04-26 15:14:33 +08:00
yumoqing
7b36e2d159 bugfix 2026-04-26 15:02:32 +08:00
yumoqing
59f68c3141 bugfix 2026-04-26 15:01:05 +08:00
yumoqing
afceb713b7 bugfix 2026-04-26 12:29:35 +08:00
yumoqing
c0c9d0a489 fix: change datetime.now() to datetime.datetime.now() in up_login.dspy 
ahserver pre-loads 'import datetime' module, so datetime class must be
accessed as datetime.datetime, not directly as datetime (which was only
valid when 'from datetime import datetime' was used).
 2026-04-26 11:37:30 +08:00
yumoqing
1b5ae8aba9 fix: remove unnecessary 'from datetime import datetime' in up_login.dspy 
datetime module is pre-loaded by ahserver framework, import statements
are not needed and not supported in .dspy files.
 2026-04-26 11:32:48 +08:00
yumoqing
8aada101ca fix(rbac): remove MySQL-specific SQL for cross-database compatibility 
- Replace DATE_SUB(NOW(), INTERVAL 300 SECOND) with Python-level time check
- Replace NOW() with parameterized timestamps from Python
- Lockout check now done in _is_locked() function (DB-agnostic)
- All UPDATE statements use parameterized values, not DB functions
- Works with MySQL, PostgreSQL, SQLite, SQL Server, Oracle
 2026-04-26 11:04:15 +08:00
yumoqing
622b0558b9 fix(rbac): fix high-concurrency race conditions in login and cache 
1. Login lockout race condition:
   - Replace SELECT-then-UPDATE with atomic database operations
   - Lockout check now in SQL WHERE clause (DATE_SUB comparison)
   - Fail count increment: UPDATE ... SET count = count + 1 (atomic)
   - Applied to checkUserPassword, basic_auth, up_login.dspy, phone_login.dspy

2. Cache threading.Lock -> asyncio.Lock:
   - LRUCache now uses lazy-init asyncio.Lock
   - Prevents blocking the event loop in async environment
   - UserPermissions._rp_lock also uses asyncio.Lock
   - Double-check pattern in load_roleperms prevents duplicate DB loads

3. Use database NOW() instead of Python curDateString for concurrent updates
 2026-04-26 10:58:13 +08:00
yumoqing
3fdd4efeff feat(rbac): add login tracking, lockout, secure cache 
- Add created_at, last_login, login_fail_count, last_login_fail fields
- 3 failed logins locks account for 5 minutes
- LRU+TTL cache for UserPermissions, thread-safe
- All login methods update last_login
- Migration SQL for existing databases
 2026-04-26 10:49:01 +08:00
yumoqing
a8a5199c25 bugfix 2026-04-23 12:51:51 +08:00
yumoqing
704f7f3700 bugfix 2026-04-15 15:37:08 +08:00
yumoqing
188ce21b83 bugfix 2026-04-01 18:20:46 +08:00
yumoqing
593f60a7a0 bugfix 2026-04-01 18:19:16 +08:00
yumoqing
3098c3dd7e bugfix 2026-04-01 18:05:51 +08:00
yumoqing
059df2aef2 bugfix 2026-03-26 11:49:12 +08:00
yumoqing
0c69929a72 bugfix 2026-03-25 17:40:17 +08:00
yumoqing
4bc14dfee1 bugfix 2026-03-25 14:11:46 +08:00
yumoqing
6ad1abd5cf bugfix 2026-03-24 15:56:41 +08:00