SongZihuan
/
HBlog
-ын хуулбар https://github.com/SongZihuan/HBlog.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163
							from sql import db
from sql.base import DBBit
import object.user

from typing import List

role_authority = ["WriteBlog", "WriteComment", "WriteMsg", "CreateUser",
                  "ReadBlog", "ReadComment", "ReadMsg", "ReadSecretMsg", "ReadUserInfo",
                  "DeleteBlog", "DeleteComment", "DeleteMsg", "DeleteUser",
                  "ConfigureSystem", "ReadSystem"]


def read_user(email: str):
    """ 读取用户 """
    cur = db.search("SELECT PasswdHash, Role, ID FROM user WHERE Email=%s", email)
    if cur is None or cur.rowcount != 1:
        return ["", -1, -1]
    return cur.fetchone()


def create_user(email: str, passwd: str):
    """ 创建用户 """
    email = email.replace("'", "''")
    if len(email) == 0:
        return None

    cur = db.search("SELECT COUNT(*) FROM user")
    passwd = object.user.User.get_passwd_hash(passwd)
    if cur is None or cur.rowcount == 0 or cur.fetchone()[0] == 0:
        # 创建为管理员用户
        cur = db.insert("INSERT INTO user(Email, PasswdHash, Role) "
                        "VALUES (%s, %s, %s)", email, passwd, 1)
    else:
        cur = db.insert("INSERT INTO user(Email, PasswdHash) "
                        "VALUES (%s, %s)", email, passwd)
    if cur is None or cur.rowcount != 1:
        return None
    return cur.lastrowid


def delete_user(user_id: int):
    """ 删除用户 """
    cur = db.delete("DELETE FROM message WHERE Auth=%s", user_id)
    if cur is None:
        return False
    cur = db.delete("DELETE FROM comment WHERE Auth=%s", user_id)
    if cur is None:
        return False
    cur = db.delete("DELETE FROM blog WHERE Auth=%s", user_id)
    if cur is None:
        return False
    cur = db.delete("DELETE FROM user WHERE ID=%s", user_id)
    if cur is None or cur.rowcount == 0:
        return False
    return True


def __authority_to_sql(authority):
    """ authority 转换为 Update语句, 不检查合法性 """
    sql = []
    args = []
    for i in authority:
        sql.append(f"{i}=%s")
        args.append(authority[i])
    return ",".join(sql), args


def create_role(name: str, authority: List[str]):
    name = name.replace("'", "''")
    cur = db.insert("INSERT INTO role(RoleName) VALUES (%s)", name)
    if cur is None or cur.rowcount == 0:
        return False

    sql, args = __authority_to_sql({i: (1 if i in authority else 0) for i in role_authority})
    cur = db.update(f"UPDATE role "
                    f"SET {sql} "
                    f"WHERE RoleName=%s", *args, name)
    if cur is None or cur.rowcount == 0:
        return False
    return True


def delete_role(role_id: int):
    cur = db.delete("DELETE FROM role WHERE RoleID=%s", role_id)
    if cur is None or cur.rowcount == 0:
        return False
    return True


def set_user_role(role_id: int, user_id: str):
    cur = db.update("UPDATE user "
                    "SET Role=%s "
                    "WHERE ID=%s", role_id, user_id)
    if cur is None or cur.rowcount == 0:
        return False
    return True


def change_passwd_hash(user_id: int, passwd_hash: str):
    cur = db.update("UPDATE user "
                    "SET PasswdHash=%s "
                    "WHERE ID=%s", passwd_hash, user_id)
    if cur is None or cur.rowcount == 0:
        return False
    return True


def get_user_email(user_id):
    """ 获取用户邮箱 """
    cur = db.search("SELECT Email FROM user WHERE ID=%s", user_id)
    if cur is None or cur.rowcount == 0:
        return None
    return cur.fetchone()[0]


def get_role_name(role: int):
    """ 获取用户角色名称 """
    cur = db.search("SELECT RoleName FROM role WHERE RoleID=%s", role)
    if cur is None or cur.rowcount == 0:
        return None
    return cur.fetchone()[0]


def __check_operate(operate):
    return operate in role_authority


def check_role(role: int, operate: str):
    """ 检查角色权限（通过角色ID） """
    if not __check_operate(operate):  # 检查, 防止SQL注入
        return False
    cur = db.search(f"SELECT {operate} FROM role WHERE RoleID=%s", role)
    if cur is None or cur.rowcount == 0:
        return False
    return cur.fetchone()[0] == DBBit.BIT_1


def check_role_by_name(role: str, operate: str):
    """ 检查角色权限（通过角色名） """
    if not __check_operate(operate):  # 检查, 防止SQL注入
        return False
    role = role.replace("'", "''")
    cur = db.search(f"SELECT {operate} FROM role WHERE RoleName=%s", role)
    if cur is None or cur.rowcount == 0:
        return False
    return cur.fetchone()[0] == DBBit.BIT_1


def get_role_id_by_name(role: str):
    """ 检查角色权限（通过角色名） """
    role = role.replace("'", "''")
    cur = db.search("SELECT RoleID FROM role WHERE RoleName=%s", role)
    if cur is None or cur.rowcount == 0:
        return None
    return cur.fetchone()[0]


def get_role_list():
    """ 获取归档列表 """
    cur = db.search("SELECT RoleID, RoleName FROM role")
    if cur is None or cur.rowcount == 0:
        return []
    return cur.fetchall()