work/application/project/middleware/ProjectAuth.php

<?php

namespace app\project\middleware;

use app\common\Model\Project;
use app\common\Model\ProjectMember;
use app\common\Model\Task;
use think\Request;

/**
 * 项目内容操作权限管理
 * Class ProjectAuth
 * @package app\admin\middleware
 */
class ProjectAuth
{
    protected $needAuthActions = [
        'Project/edit',
        'Project/recycle',
        'Project/recovery',
        'Project/archive',
        'Project/recoveryArchive',
        'ProjectMember/inviteMember',

        'Task/save',
        'Task/taskDone',
        'Task/assignTask',
//        'Task/sort',
        'Task/edit',
        'Task/recycle',
        'Task/recovery',
        'Task/recycle',
        'Task/delete',

        'TaskMember/inviteMember',
        'TaskMember/inviteMemberBatch',

        'TaskStages/save',
        'TaskStages/sort',
        'TaskStages/edit',
        'TaskStages/delete',
    ];
    protected $needVisibleActions = [
        'Project/read',
        'Task/read',
        'TaskStages/index',
    ];

    /**
     * 权限检测
     * 原则上需要获取到项目的code进行判断，所以接口需要传递projectCode或者taskCode来获得项目信息
     * @param Request $request
     * @param \Closure $next
     * @return mixed
     * @throws \think\db\exception\DataNotFoundException
     * @throws \think\db\exception\ModelNotFoundException
     * @throws \think\exception\DbException
     */
    public function handle($request, \Closure $next)
    {
        $member = getCurrentMember();
        if (!$member) {
            return $next($request);
        }
        list($module, $controller, $action) = [$request->module(), $request->controller(), $request->action()];
        $node = "$controller/$action";
        //方法转小写
        foreach ($this->needAuthActions as &$action) {
            $arr = explode('/', $action);
            $arr[1] = strtolower($arr[1]);
            $action = implode('/', $arr);
        }
        //操作权限
        if (in_array($node, $this->needAuthActions)) {
            $code = $this->getCode();
            if (!$code) {
//                return json(['code' => 404, 'msg' => '资源不存在']);
            }
            if ($code) {
                $result = $this->checkAuth($code);
                if (!$result) {
                    return json(['code' => 403, 'msg' => '无权限操作资源，访问被拒绝']);
                }
            }
        }
        //只读权限
        if (in_array($node, $this->needVisibleActions)) {
            $code = $this->getCode();
            if ($code) {
                $info = Project::where(['code' => $code])->field('private')->find();
                if ($info['private']) {
                    $result = $this->checkAuth($code);
                    if (!$result) {
                        return json(['code' => 4031, 'msg' => '无权限操作资源，访问被拒绝']);
                    }
                }
            }
        }
        return $next($request);
    }

    public function getCode()
    {
        $code = \think\facade\Request::param('projectCode');
        if (!$code) {
            $code = \think\facade\Request::param('project_code');
        }
        if (!$code) {
            $taskCode = \think\facade\Request::param('taskCode');
            if (!$taskCode) {
                $taskCode = \think\facade\Request::param('pcode'); // 父任务
            }
            $task = Task::where(['code' => $taskCode])->field('project_code')->find();

            if ($task) {
                $code = $task['project_code'];
            }
        }
        return $code;
    }

    /**
     * 检测操作权限
     * @param $code
     * @return bool
     * @throws \think\db\exception\DataNotFoundException
     * @throws \think\db\exception\ModelNotFoundException
     * @throws \think\exception\DbException
     */
    public function checkAuth($code)
    {
        $info = Project::where(['code' => $code])->field('private')->find();
        if (!$info) {
            return false;
        }
        $where = ['project_code' => $code, 'member_code' => getCurrentMember()['code']];
        $projectMember = ProjectMember::where($where)->field('id')->find();
        if (!$projectMember) {
            return false;
        }
        return true;
    }
}