41 lines
1.1 KiB
TypeScript
41 lines
1.1 KiB
TypeScript
import {
|
|
CanActivate,
|
|
ExecutionContext,
|
|
ForbiddenException,
|
|
Injectable,
|
|
} from '@nestjs/common';
|
|
import { Reflector } from '@nestjs/core';
|
|
import { Role } from '../generated/prisma/enums.js';
|
|
import { ROLES_KEY } from './roles.decorator.js';
|
|
import { MESSAGES } from '../common/messages.js';
|
|
|
|
/**
|
|
* 角色守卫:读取 @Roles 元数据并校验当前登录角色是否可访问。
|
|
*/
|
|
@Injectable()
|
|
export class RolesGuard implements CanActivate {
|
|
constructor(private readonly reflector: Reflector) {}
|
|
|
|
/**
|
|
* 守卫入口:认证后执行授权校验。
|
|
*/
|
|
canActivate(context: ExecutionContext): boolean {
|
|
const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
|
|
context.getHandler(),
|
|
context.getClass(),
|
|
]);
|
|
|
|
if (!requiredRoles || requiredRoles.length === 0) {
|
|
return true;
|
|
}
|
|
|
|
const request = context.switchToHttp().getRequest<{ actor?: { role?: Role } }>();
|
|
const actorRole = request.actor?.role;
|
|
if (!actorRole || !requiredRoles.includes(actorRole)) {
|
|
throw new ForbiddenException(MESSAGES.DEFAULT_FORBIDDEN);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|