UidZddlmZddlmZddlmZddlmZddl m Z e e Z GddZ Gd d Zd S) ucPermission resolution for document access control. Uses a unified ``acl_ids`` field with prefixed identifiers: A_ = area, D_ = department, O_ = office, R_ = role, U_ = user. User tokens are built from JWT claims; the ES filter is a single ``terms`` query on the ``acl_ids`` keyword field. 文档访问权限解析模块。 基于统一前缀标识符(A_=区域, D_=部门, O_=科室, R_=角色, U_=用户) 构建用户的 ACL 令牌集合,并生成 ES 的 terms 过滤条件。 OA 系统已在每个文档的 acl_ids 中存储了完整的层级祖先 ID, 因此无需在此处进行层级展开。 ) annotations)Any) UserContext) RedisClient) get_loggercNeZdZdZdZddZedd Zdd ZddZ ddZ dS)PermissionContextu^Resolved permission tokens for ES query filtering. ``acl_tokens`` is a flat list of prefixed IDs that the user is allowed to match against. For example:: ["U_zhang_san", "O_17", "D_05", "A_01", "R_03"] 已解析的权限上下文,包含用户的全部 ACL 令牌。 用于构建 ES 查询中的权限过滤条件。 user_id acl_tokensr strr list[str]c"||_||_dSNr )selfr r s -D:\work\zm-rag\backend\app\core\permission.py__init__zPermissionContext.__init__)s $returndict[str, Any]cdddddiigiiS)z7Build the ES filter that matches only public documents.boolmust_notexistsfieldacl_idsrrrpublic_es_filterz"PermissionContext.public_es_filter-s( h)(<=>  rcJd|dd|jiigddiS)zBuild the ES permission filter. A document is visible if: 1. It is public (no ``acl_ids`` field), OR 2. Any of the user's tokens appears in the document's ``acl_ids``. rtermsr)shouldminimum_should_match)rr rs rbuild_es_filterz!PermissionContext.build_es_filter6sE ))++y$/:;  )*  r doc_acl_idslist[str] | Nonercl|sdStt|t|jzS)zCCheck whether the current permission context can access a document.T)rsetr )rr&s rhas_acl_accessz PermissionContext.has_acl_accessIs4 4C $$s4?';';;<<s rresolvezPermissionService.resolve`sQ ; ;;;DLIIIIIIIIF ,&00 $ Lvl344 ) L%l3 ##D)) ; +22 v&        LL  6{{     !&IIIIrrc|jg}|jr||j|jr||j|jr||j|jD]}|||S)uDerive ACL tokens from a UserContext. Tokens are the user's direct identifiers at every hierarchy level, each prefixed by its type. No hierarchy expansion is needed because the OA system already stores all ancestor IDs on each document's ACL. 所有 ID 在 SSO/Mock 入口处已添加类型前缀(U_、O_、D_、A_、R_), 此处直接使用,不再重复添加。 )r office_idappenddept_idarea_idrole_ids)r;r>role_ids rrCzPermissionService._build_tokenss"\N > * MM$. ) ) ) < ( MM$, ' ' ' < ( MM$, ' ' '} # #G MM' " " " " rr)r7r8)r;rrr )r;rrr)r/r0r1r2rrFr4rCrrrr6r6Vsp #####$J$J$J$JL\rr6N)r2 __future__rtypingr app.api.depsrapp.infrastructure.redis_clientrapp.utils.loggerrr/rAr r6rrrrSs  #"""""$$$$$$777777'''''' H  8 8 8 8 8 8 8 8 vFFFFFFFFFFr