feat: Implement role-based access control and enhance permissions system

2026-06-27 18:33:16 +08:00 · 2024-12-27 13:35:29 +08:00
parent e815d1bec5
commit 5a7c17752a
22 changed files with 1888 additions and 39 deletions
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,22 +1,47 @@
 import { auth } from "@/lib/auth"
 import { NextResponse } from "next/server"
+import { PERMISSIONS } from "@/lib/permissions"
+import { checkPermission } from "@/lib/auth"
+import { Permission } from "@/lib/permissions"

-export async function middleware() {
+const API_PERMISSIONS: Record<string, Permission> = {
+  '/api/emails': PERMISSIONS.MANAGE_EMAIL,
+  '/api/webhook': PERMISSIONS.MANAGE_WEBHOOK,
+  '/api/roles/promote': PERMISSIONS.PROMOTE_USER,
+}
+
+export async function middleware(request: Request) {
  const session = await auth()
+  const pathname = new URL(request.url).pathname

  if (!session?.user) {
    return NextResponse.json(
-      { error: "Unauthorized" },
+      { error: "未授权" },
      { status: 401 }
    )
  }

+  for (const [route, permission] of Object.entries(API_PERMISSIONS)) {
+    if (pathname.startsWith(route)) {
+      const hasAccess = await checkPermission(permission)
+      
+      if (!hasAccess) {
+        return NextResponse.json(
+          { error: "权限不足" },
+          { status: 403 }
+        )
+      }
+      break
+    }
+  }
+
  return NextResponse.next()
 }

 export const config = {
  matcher: [
-    "/api/emails/:path*",
-    "/api/webhook/:path*",
+    '/api/emails/:path*',
+    '/api/webhook/:path*',
+    '/api/roles/:path*',
  ]
 }