feat: ACLRule.exclude_subfolder

Author: LazuliKao

internal/model/acl.go

@@ -4,14 +4,15 @@ import "time"
 
 // ACLRule represents an access control rule for a specific role and path
 type ACLRule struct {
-	ID          uint      `json:"id" gorm:"primaryKey"`
-	Role        string    `json:"role" gorm:"index;not null"`    // OIDC role name
-	IsRegex     bool      `json:"is_regex" gorm:"default:false"` // whether Role is a regex pattern
-	Path        string    `json:"path" gorm:"not null"`          // path pattern (e.g., "/", "/folder/*")
-	Permissions int32     `json:"permissions"`                   // bitwise permissions
-	Priority    int       `json:"priority" gorm:"default:0"`     // higher priority rules override lower ones
-	CreatedAt   time.Time `json:"created_at"`
-	UpdatedAt   time.Time `json:"updated_at"`
+	ID               uint      `json:"id" gorm:"primaryKey"`
+	Role             string    `json:"role" gorm:"index;not null"`             // OIDC role name
+	IsRegex          bool      `json:"is_regex" gorm:"default:false"`          // whether Role is a regex pattern
+	Path             string    `json:"path" gorm:"not null"`                   // path pattern (e.g., "/", "/folder")
+	ExcludeSubfolder bool      `json:"exclude_subfolder" gorm:"default:false"` // whether to exclude all subfolders (default: false)
+	Permissions      int32     `json:"permissions"`                            // bitwise permissions
+	Priority         int       `json:"priority" gorm:"default:0"`              // higher priority rules override lower ones
+	CreatedAt        time.Time `json:"created_at"`
+	UpdatedAt        time.Time `json:"updated_at"`
 }
 
 // ACL Permission bits

internal/op/acl.go

@@ -96,8 +96,8 @@ func CheckACLPermission(ctx context.Context, path string, requiredPerm int32) (*
 			continue
 		}
 
-		// Check if path matches the rule
-		if pathMatches(normalizedPath, rule.Path) {
+		// Check if path matches the rule, considering ExcludeSubfolder
+		if pathMatchesWithSubfolder(normalizedPath, rule.Path, !rule.ExcludeSubfolder) {
 			if matchedRule == nil || rule.Priority > matchedRule.Priority {
 				matchedRule = &rule
 			}
@@ -185,7 +185,7 @@ func GetMatchedACLRule(ctx context.Context, path string) (*model.ACLMatchedRule,
 			continue
 		}
 
-		if pathMatches(normalizedPath, rule.Path) {
+		if pathMatchesWithSubfolder(normalizedPath, rule.Path, !rule.ExcludeSubfolder) {
 			if matchedRule == nil || rule.Priority > matchedRule.Priority {
 				matchedRule = &rule
 			}
@@ -257,28 +257,18 @@ func normalizePath(path string) string {
 	return path
 }
 
-func pathMatches(path, pattern string) bool {
-	// Normalize both paths
+// pathMatchesWithSubfolder checks if path matches pattern, with subfolder option
+func pathMatchesWithSubfolder(path, pattern string, includeSubfolder bool) bool {
 	path = normalizePath(path)
 	pattern = normalizePath(pattern)
 
-	// Exact match
 	if path == pattern {
 		return true
 	}
-
-	// Pattern with wildcard
-	if strings.HasSuffix(pattern, "/*") {
-		prefix := strings.TrimSuffix(pattern, "/*")
+	if includeSubfolder {
 		// Check if path is under this directory
-		return strings.HasPrefix(path, prefix+"/") || path == prefix
+		return strings.HasPrefix(path, pattern+"/") || path == pattern
 	}
-
-	// Pattern is a parent directory
-	if strings.HasPrefix(path, pattern+"/") {
-		return true
-	}
-
 	return false
 }
 

server/handles/acl.go

@@ -9,11 +9,12 @@ import (
 )
 
 type ACLRuleReq struct {
-	Role        string `json:"role" binding:"required"`
-	IsRegex     bool   `json:"is_regex"`
-	Path        string `json:"path" binding:"required"`
-	Permissions int32  `json:"permissions"`
-	Priority    int    `json:"priority"`
+	Role             string `json:"role" binding:"required"`
+	IsRegex          bool   `json:"is_regex"`
+	Path             string `json:"path" binding:"required"`
+	Permissions      int32  `json:"permissions"`
+	Priority         int    `json:"priority"`
+	ExcludeSubfolder bool   `json:"exclude_subfolder"` // false means include subfolders (default)
 }
 
 // ListACLRules lists all ACL rules
@@ -64,11 +65,12 @@ func CreateACLRule(c *gin.Context) {
 		return
 	}
 	rule := &model.ACLRule{
-		Role:        req.Role,
-		IsRegex:     req.IsRegex,
-		Path:        req.Path,
-		Permissions: req.Permissions,
-		Priority:    req.Priority,
+		Role:             req.Role,
+		IsRegex:          req.IsRegex,
+		Path:             req.Path,
+		Permissions:      req.Permissions,
+		Priority:         req.Priority,
+		ExcludeSubfolder: req.ExcludeSubfolder,
 	}
 	if err := op.CreateACLRule(rule); err != nil {
 		common.ErrorResp(c, err, 500)