yumoqing/rbac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: yumoqing:d168326f09146e5267776798b3720adef61201c0
Branches Tags
yumoqing:main
yumoqing:feat/dataviz-users
...
compare: yumoqing:0ac6c83ead62e6bd897ac3efb27f41d86d830ebb
Branches Tags
yumoqing:main
yumoqing:feat/dataviz-users

3 Commits
d168326f09 ... 0ac6c83ead

Author SHA1 Message Date
yumoqing
0ac6c83ead bugfix 2026-05-18 16:00:42 +08:00
yumoqing
c0ea3baef1 Merge branch 'main' of git.opencomputing.cn:yumoqing/rbac 2026-05-18 15:57:36 +08:00
yumoqing
4f103000b9 feat: implement real-time cache invalidation via DB event binding 
- Fixed syntax errors in userperm.py __init__ (removed broken 'this' reference
  and incomplete method definition)
- Added 7 production-grade event handlers on UserPermissions:
  - on_user_create/update/delete: invalidate specific user cache
  - on_rolepermission_change: invalidate role-permission cache
  - on_permission_change: invalidate role-permission cache
  - on_role_change: invalidate ALL user + role-permission caches
  - on_userrole_change: invalidate specific user cache by userid
- Added _bind_rbac_events() in init.py with 13 event bindings covering:
  users C/U/D, rolepermission C/U/D, permission U, role C/U/D, userrole C/U/D
- All handlers have try/except error isolation to prevent one failure
  from breaking other handlers
- Events auto-dispatched by sqlor after C/U/D operations (no service restart needed)
- Cleaned up unused imports (DBPools, exception)
 2026-05-18 12:42:17 +08:00
10 changed files with 413 additions and 290 deletions
Show Stats Expand all files Collapse all files

42
rbac/init.py
View File

@ -1,5 +1,6 @@
from ahserver.auth_api import AuthAPI
from ahserver.serverenv import ServerEnv
from sqlor.dbpools import DBPools
from .orgs import (
get_platform_providers
)
@ -19,6 +20,7 @@ from rbac.set_role_perms import (
set_role_perm,
set_role_perms
)
from appPublic.log import debug
async def get_owner_orgid(*args, **kw):
return '0'
@ -26,6 +28,37 @@ async def get_owner_orgid(*args, **kw):
async def sor_get_owner_orgid(sor, orgid):
return '0'
def _bind_rbac_events(dbpools, dbname, up):
"""Bind database events to RBAC cache invalidation handlers.
Events are dispatched by sqlor after C/U/D operations.
Format: {dbname}:{tablename}:{c|u|d}:after
"""
bindings = [
# users table: invalidate specific user cache on C/U/D
(f'{dbname}.users:c:after', up.on_user_create),
(f'{dbname}.users:u:after', up.on_user_update),
(f'{dbname}.users:d:after', up.on_user_delete),
# rolepermission table: invalidate role-permission cache on any change
(f'{dbname}.rolepermission:c:after', up.on_rolepermission_change),
(f'{dbname}.rolepermission:u:after', up.on_rolepermission_change),
(f'{dbname}.rolepermission:d:after', up.on_rolepermission_change),
# permission table: invalidate role-permission cache on update
(f'{dbname}.permission:u:after', up.on_permission_change),
# role table: invalidate ALL caches (affects all users)
(f'{dbname}.role:c:after', up.on_role_change),
(f'{dbname}.role:u:after', up.on_role_change),
(f'{dbname}.role:d:after', up.on_role_change),
# userrole table: invalidate specific user cache based on userid
(f'{dbname}.userrole:c:after', up.on_userrole_change),
(f'{dbname}.userrole:u:after', up.on_userrole_change),
(f'{dbname}.userrole:d:after', up.on_userrole_change),
]
for event_name, handler in bindings:
dbpools.bind(event_name, handler)
debug(f'RBAC event bound: {event_name}')
def load_rbac():
AuthAPI.checkUserPermission = objcheckperm
env = ServerEnv()
@ -47,3 +80,12 @@ def load_rbac():
env.invalidate_user_perm_cache = env.userpermissions.invalidate_user_cache
env.invalidate_all_perm_caches = env.userpermissions.invalidate_all_user_caches
env.invalidate_role_perm_cache = env.userpermissions.invalidate_rp_cache
# Bind database events for automatic cache invalidation
dbpools = DBPools()
dbname = env.get_module_dbname('rbac')
if dbname:
_bind_rbac_events(dbpools, dbname, env.userpermissions)
debug(f'RBAC event listeners bound for database: {dbname}')
else:
debug('RBAC event listeners skipped: no database configured for rbac module')

86
rbac/userperm.py
View File

@ -1,9 +1,9 @@
import asyncio
from collections import OrderedDict
from sqlor.dbpools import DBPools, get_sor_context
from sqlor.dbpools import get_sor_context
from ahserver.serverenv import ServerEnv
from appPublic.Singleton import SingletonDecorator
from appPublic.log import debug, exception, error
from appPublic.log import debug, error
class LRUCache:
"""Async-safe LRU cache with TTL support.
@ -80,7 +80,87 @@ class UserPermissions:
# Async lock for rp_caches initialization (lazy init)
self._rp_lock = None
def on_user_update(self, data):
"""Event handler for users table update.
Clears the specific user's permission cache.
"""
try:
userid = getattr(data, 'id', None)
if userid:
self.invalidate_user_cache(userid)
debug(f'RBAC cache invalidated for user id={userid} (users update)')
except Exception as e:
error(f'RBAC on_user_update handler error: {e}')
def on_user_create(self, data):
"""Event handler for users table insert.
Clears the specific user's permission cache.
"""
try:
userid = getattr(data, 'id', None)
if userid:
self.invalidate_user_cache(userid)
debug(f'RBAC cache invalidated for user id={userid} (users create)')
except Exception as e:
error(f'RBAC on_user_create handler error: {e}')
def on_user_delete(self, data):
"""Event handler for users table delete.
Clears the specific user's permission cache.
"""
try:
userid = getattr(data, 'id', None)
if userid:
self.invalidate_user_cache(userid)
debug(f'RBAC cache invalidated for user id={userid} (users delete)')
except Exception as e:
error(f'RBAC on_user_delete handler error: {e}')
def on_rolepermission_change(self, data):
"""Event handler for rolepermission table C/U/D.
Clears the role-permission cache.
"""
try:
self.invalidate_rp_cache()
debug('RBAC role-permission cache invalidated (rolepermission change)')
except Exception as e:
error(f'RBAC on_rolepermission_change handler error: {e}')
def on_permission_change(self, data):
"""Event handler for permission table update.
Clears the role-permission cache.
"""
try:
self.invalidate_rp_cache()
debug('RBAC role-permission cache invalidated (permission change)')
except Exception as e:
error(f'RBAC on_permission_change handler error: {e}')
def on_role_change(self, data):
"""Event handler for role table C/U/D.
Clears all user caches and role-permission cache,
since role changes may affect any user.
"""
try:
self.invalidate_all_user_caches()
self.invalidate_rp_cache()
debug('RBAC all caches invalidated (role change)')
except Exception as e:
error(f'RBAC on_role_change handler error: {e}')
def on_userrole_change(self, data):
"""Event handler for userrole table C/U/D.
Clears the specific user's permission cache based on userid.
"""
try:
userid = getattr(data, 'userid', None)
if userid:
self.invalidate_user_cache(userid)
debug(f'RBAC cache invalidated for user id={userid} (userrole change)')
except Exception as e:
error(f'RBAC on_userrole_change handler error: {e}')
def _get_rp_lock(self):
if self._rp_lock is None:
self._rp_lock = asyncio.Lock()

70
wwwroot/add_adminuser.ui
View File

@ -1,36 +1,36 @@
{
"widgettype":"ModalForm",
"options":{
"cwidth":20,
"cheight":30,
"title":"增加管理员",
"fields":[
{
"name":"username",
"label":"用户名",
"uitype":"str"
},
{
"name":"password",
"label":"密码",
"uitype":"password"
},
{
"name":"chkpassword",
"label":"确认密码",
"uitype":"password"
}
]
},
"binds":[
{
"wid":"self",
"event":"submit",
"actiontype":"urlwidget",
"target":"self",
"options":{
"url":"{{entire_url('./add_adminuser.dspy')}}"
}
}
]
}
"widgettype": "ModalForm",
"options": {
"cwidth": 20,
"cheight": 30,
"title": "增加管理员",
"fields": [
{
"name": "username",
"label": "用户名",
"uitype": "str"
},
{
"name": "password",
"label": "密码",
"uitype": "password"
},
{
"name": "chkpassword",
"label": "确认密码",
"uitype": "password"
}
]
},
"binds": [
{
"wid": "self",
"event": "submit",
"actiontype": "urlwidget",
"target": "self",
"options": {
"url": "{{entire_url('./add_adminuser.dspy')}}"
}
}
]
}

41
wwwroot/qr_scan.ui
View File

@ -1,21 +1,22 @@
{
"widgettype": "QRCodeScan",
"options": {},
"binds": [
{
"wid": "self",
"event": "recognized",
"actiontype": "urlwidget",
"target": "root.page_center",
"options": {
"url": "${text}"
}
}, {
"wid": "self",
"event": "recognized",
"actiontype": "script",
"target": "-@PopupWindow",
"script": "this.dismiss()"
}
]
}
"widgettype": "QRCodeScan",
"options": {},
"binds": [
{
"wid": "self",
"event": "recognized",
"actiontype": "urlwidget",
"target": "root.page_center",
"options": {
"url": "${text}"
}
},
{
"wid": "self",
"event": "recognized",
"actiontype": "script",
"target": "-@PopupWindow",
"script": "this.dismiss()"
}
]
}

224
wwwroot/user/login.ui
View File

@ -1,112 +1,114 @@
{
"id":"login_window",
"widgettype":"PopupWindow",
"options":{
"title": "登录/注册",
"auto_open":true,
"anthor":"cc",
"cwidth":22,
"cheight":19
},
"subwidgets":[
{
"widgettype":"TabPanel",
"options":{
"tab_wide":"auto",
"height":"100%",
"width":"100%",
"tab_pos":"top",
"items":[
{
"name":"userpasswd",
"label":"用户密码",
"content":{
"widgettype":"Form",
"options":{
"cols":1,
"fields":[
{
"name":"username",
"label":"用户名",
"uitype":"str"
},
{
"name":"password",
"label":"密码",
"uitype":"password"
}
]
},
"binds":[
{
"wid":"self",
"event":"submit",
"actiontype":"urlwidget",
"target":"self",
"options":{
"method":"POST",
"url":"{{entire_url('up_login.dspy')}}"
}
}
]
}
},
{
"name":"checkcode",
"label":"手机验证码",
"content":{
"widgettype":"Form",
"options":{
"toolbar":{
"tools":[
{
"name":"gen_code",
"label":"发送验证码"
}
]
},
"description":"限中国国内手机",
"fields":[
{
"name":"cell_no",
"label":"手机号",
"uitype":"str"
},{
"name":"codeid",
"uitype":"hide",
"value":"{{uuid()}}"
},{
"name":"check_code",
"uitype":"str"
}
]
},
"binds":[
{
"wid":"self",
"event":"gen_code",
"actiontype":"urlwidget",
"datawidget":"self",
"datamethod":"getValue",
"target":"self",
"options":{
"url":"{{entire_url('../gen_sms_code.dspy')}}"
}
},
{
"wid":"self",
"event":"submit",
"actiontype":"urlwidget",
"target":"self",
"options":{
"url":"{{entire_url('code_login.dspy')}}"
}
}
]
}
}
]
}
}
]
}
"id": "login_window",
"widgettype": "PopupWindow",
"options": {
"title": "登录/注册",
"auto_open": true,
"anthor": "cc",
"cwidth": 22,
"cheight": 19
},
"subwidgets": [
{
"widgettype": "TabPanel",
"options": {
"tab_wide": "auto",
"height": "100%",
"width": "100%",
"tab_pos": "top",
"items": [
{
"name": "userpasswd",
"label": "用户密码",
"content": {
"widgettype": "Form",
"options": {
"cols": 1,
"fields": [
{
"name": "username",
"label": "用户名",
"uitype": "str"
},
{
"name": "password",
"label": "密码",
"uitype": "password"
}
]
},
"binds": [
{
"wid": "self",
"event": "submit",
"actiontype": "urlwidget",
"target": "self",
"options": {
"method": "POST",
"url": "{{entire_url('up_login.dspy')}}"
}
}
]
}
},
{
"name": "checkcode",
"label": "手机验证码",
"content": {
"widgettype": "Form",
"options": {
"toolbar": {
"tools": [
{
"name": "gen_code",
"label": "发送验证码"
}
]
},
"description": "限中国国内手机",
"fields": [
{
"name": "cell_no",
"label": "手机号",
"uitype": "str"
},
{
"name": "codeid",
"uitype": "hide",
"value": "{{uuid()}}"
},
{
"name": "check_code",
"uitype": "str"
}
]
},
"binds": [
{
"wid": "self",
"event": "gen_code",
"actiontype": "urlwidget",
"datawidget": "self",
"datamethod": "getValue",
"target": "self",
"options": {
"url": "{{entire_url('../gen_sms_code.dspy')}}"
}
},
{
"wid": "self",
"event": "submit",
"actiontype": "urlwidget",
"target": "self",
"options": {
"url": "{{entire_url('code_login.dspy')}}"
}
}
]
}
}
]
}
}
]
}

96
wwwroot/user/reset_password/index.ui
View File

@ -1,49 +1,49 @@
{
"widgettype":"PopupWindow",
"options":{
"cwidth":22,
"height":"75%",
"archor":"cc",
"auto_open":true
},
"subwidgets":[
{
"widgettype":"Form",
"options":{
"title":"Reset Password",
"description":"reset yourself password",
"fields":[
{
"name": "password",
"type": "str",
"length": 255,
"uitype": "password",
"datatype": "str",
"required":true,
"label": "\u5bc6\u7801"
},
{
"name": "cfm_password",
"type": "str",
"length": 255,
"uitype": "password",
"datatype": "str",
"required":true,
"label": "\u5bc6\u7801"
}
]
},
"binds":[
{
"wid":"self",
"event":"submit",
"actiontype":"urlwidget",
"target":"self",
"options":{
"url":"{{entire_url('reset_password.dspy')}}"
}
}
]
}
]
}
"widgettype": "PopupWindow",
"options": {
"cwidth": 22,
"height": "75%",
"archor": "cc",
"auto_open": true
},
"subwidgets": [
{
"widgettype": "Form",
"options": {
"title": "Reset Password",
"description": "reset yourself password",
"fields": [
{
"name": "password",
"type": "str",
"length": 255,
"uitype": "password",
"datatype": "str",
"required": true,
"label": "密码"
},
{
"name": "cfm_password",
"type": "str",
"length": 255,
"uitype": "password",
"datatype": "str",
"required": true,
"label": "密码"
}
]
},
"binds": [
{
"wid": "self",
"event": "submit",
"actiontype": "urlwidget",
"target": "self",
"options": {
"url": "{{entire_url('reset_password.dspy')}}"
}
}
]
}
]
}

28
wwwroot/user/user.ui
View File

@ -1,15 +1,15 @@
{
"id":"user_container",
"widgettype":"VBox",
"options":{
"cwidth":6
},
"subwidgets":[
{
"widgettype":"urlwidget",
"options":{
"url":"{{entire_url('userinfo.ui')}}"
}
}
]
}
"id": "user_container",
"widgettype": "VBox",
"options": {
"cwidth": 6
},
"subwidgets": [
{
"widgettype": "urlwidget",
"options": {
"url": "{{entire_url('userinfo.ui')}}"
}
}
]
}

28
wwwroot/user/user_panel.ui
View File

@ -1,15 +1,15 @@
{
"id":"user_panel",
"widgettype":"VBox",
"options":{
"width":"auto"
},
"subwidgets":[
{
"widgettype":"urlwidget",
"options":{
"url":"{{entire_url('user.ui')}}"
}
}
]
}
"id": "user_panel",
"widgettype": "VBox",
"options": {
"width": "auto"
},
"subwidgets": [
{
"widgettype": "urlwidget",
"options": {
"url": "{{entire_url('user.ui')}}"
}
}
]
}

7
wwwroot/user/wechat_login.ui
View File

@ -1,5 +1,4 @@
{
"widgettype":"VBox",
"options":{
}
}
"widgettype": "VBox",
"options": {}
}

81
wwwroot/userpassword_login.ui
View File

@ -1,43 +1,42 @@
{
"id":"login_window",
"widgettype":"PopupWindow",
"options":{
"auto_open":true,
"anthor":"cc",
"cwidth":20,
"cheight":"14"
"id": "login_window",
"widgettype": "PopupWindow",
"options": {
"auto_open": true,
"anthor": "cc",
"cwidth": 20,
"cheight": "14"
},
"subwidgets":[
{
"widgettype":"Form",
"id":"userpasswd",
"options":{
"cols":1,
"fields":[
{
"name":"username",
"label":"用户名",
"uitype":"str"
},
{
"name":"passwd",
"label":"密码",
"uitype":"password"
}
]
}
}
],
"binds":[
{
"wid":"userpasswd",
"event":"submit",
"actiontype":"urlwidget",
"target":"self",
"options":{
"url":"{{entire_url('userpassword_login.dspy')}}"
}
}
]
}
"subwidgets": [
{
"widgettype": "Form",
"id": "userpasswd",
"options": {
"cols": 1,
"fields": [
{
"name": "username",
"label": "用户名",
"uitype": "str"
},
{
"name": "passwd",
"label": "密码",
"uitype": "password"
}
]
}
}
],
"binds": [
{
"wid": "userpasswd",
"event": "submit",
"actiontype": "urlwidget",
"target": "self",
"options": {
"url": "{{entire_url('userpassword_login.dspy')}}"
}
}
]
}