CA3058061A1 - Permission processing method, device, application side device and storage media - Google Patents

Permission processing method, device, application side device and storage media Download PDF

Info

Publication number
CA3058061A1
CA3058061A1 CA3058061A CA3058061A CA3058061A1 CA 3058061 A1 CA3058061 A1 CA 3058061A1 CA 3058061 A CA3058061 A CA 3058061A CA 3058061 A CA3058061 A CA 3058061A CA 3058061 A1 CA3058061 A1 CA 3058061A1
Authority
CA
Canada
Prior art keywords
permission
user
identifier
permission identifier
mapping relationship
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CA3058061A
Other languages
French (fr)
Inventor
Nan Wang
Haoting Sun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
10353744 Canada Ltd
Original Assignee
10353744 Canada Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 10353744 Canada Ltd filed Critical 10353744 Canada Ltd
Publication of CA3058061A1 publication Critical patent/CA3058061A1/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present disclosure disclose a permission processing method, device, an application side device and a storage media. The method includes: determining a user's desired permission identifier in response to the user's access request; calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, wherein the application permission control system stores a first mapping relationship between the user and a permission identifier; obtaining the permission identifier corresponding to the user in the first mapping relationship in response to that there is a mapping relationship between the user and the desired permission identifier in the first mapping relationship; and determining components that are displayed on a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client. The technical solutions of the embodiments of the present disclosure can avoid the situation where a user is provided with a service that does not conform to the permission thereof after maintenance.

Description

PERMISSION PROCESSING METHOD, DEVICE, APPLICATION SIDE DEVICE AND
STORAGE MEDIA
Technical Field [0001] The present disclosure relates to the field of electronic information, and in particular, to a permission processing method, device, an application side device, and a storage medium.
Back2round
[0002] A single page application is a special web application. A single page application limits all activities referenced to on a single web page. The corresponding Hypertext Markup Language (HTML), Java script (JavaScript), and Cascading Style Sheets (CSS) are loaded only when the web page is initialized. Once the web page is completed, a single page application does not perform page reload or page jump due to user actions. Because the page reloading is avoided, the operation is smoother, and the application range of the single page application is increasingly extensive.
Summary
[0003] The present disclosure provides a permission processing method, device, an application side device, and a storage medium, which can avoid the situation where a user is provided with a service that does not conform to the permission thereof after maintenance.
[0004] In a first aspect, the embodiments of the present disclosure provide a permission processing method, and the method comprises: determining a user's desired permission identifier in response to the user's access request, wherein the desired permission identifier is a permission identifier corresponding to a permission desired by the user; calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, wherein the application permission control system stores a first mapping relationship between the user and a permission identifier; obtaining the permission identifier corresponding to the user in the first mapping relationship in response to that there is a mapping relationship between the user and the desired permission identifier in the first mapping relationship; and determining components that are shown on a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
[0005] In a second aspect, the embodiments of the present disclosure provide a permission processing device, and the device comprises: a responding module, which is used for determining a user's desired permission identifier in response to the user's access request, wherein the desired permission identifier is a permission identifier corresponding to a permission desired by the user; a permission control calling module, which is used for calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, wherein the application permission control system stores a first mapping relationship between the user and a permission identifier; a permission identifier obtaining module, which is used for obtaining the permission identifier corresponding to the user in the first mapping relationship in response to that there is a mapping relationship between the user and the desired permission identifier in the first mapping relationship; and a determining module, which is used for determining components that are shown at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
[0006] In a third aspect, the embodiments of the present disclosure provide an application side device, and the application side device comprises: a memory and a processor; the memory is configured to store executable program code; and the processor is configured to read executable program code stored in the memory to perform the permission processing method as set forth in the technical solutions in the first aspect.
[0007] In a fourth aspect, the embodiments of the present disclosure provide a storage medium, and computer program instructions are stored on the storage medium;
and the computer program instructions are executable by the processor so as to implement the permission processing method as set forth in the technical solutions in the first aspect.
[0008] The embodiments of the present disclosure provide a permission processing method, device, an application side device, and a storage medium. A client may determine a desired permission identifier of a user according to an access request in response to the access request issued by the user. An application permission system may be called to query whether there is a mapping relationship between the user and the desired permission identifier in a first mapping relationship between the user and the permission identifier stored in the application permission control system. In response to the presence of the mapping relationship between the user and the desired permission identifier in the application permission control system, it indicates that the permission corresponding to the desired permission identifier is allowed for the user. In such a case, the components displayed by the application front end and/or the interface callable by the application background can be determined on the basis of the permission identifier and the minimum required permission identifier corresponding to the permission of the user. Thus, in the case of maintaining the permission of the user (including adding permission, deleting permission, changing permission, and the like), only the first mapping relationship between the user and the permission identifier stored in the application permission control system needs to be maintained.
When the user sends an access request, the application permission control system will be called to perform the query in the first mapping relationship after the maintenance, so as to provide service for the user in accordance with the permission after the maintenance, and thereby avoiding the situation where a user is provided with a service that does not conform to the permission thereof after the maintenance.
Description of the Drawings
[0009] The present disclosure may be better understood from the following description of the embodiments of the present invention, in which the same or similar reference numerals indicate the same or similar features.
[0010] FIG. 1 is a schematic diagram of a scenario involved in a single page application according to some embodiments of the present disclosure.
[0011] FIG. 2 is a flowchart of a permission processing method according to one embodiment of the present disclosure.
[0012] FIG. 3 is a flowchart of a permission processing method according to another embodiment of the present disclosure.
[0013] FIG. 4 is a schematic structural diagram of a permission processing device according to some embodiments of the present disclosure.
[0014] FIG. 5 is a structural diagram of the exemplary hardware architecture of an application side device according to some embodiments of the present disclosure.

Detailed Description [0016] Various features and some exemplary embodiments of various aspects of the present disclosure will be described in detail below. In the following detailed description, numerous specific details will be provided. However, it is obvious to a person skilled in the art that the present disclosure may be practiced without some of these details. The description of the embodiments is merely intended to provide better understanding of the present disclosure. The present disclosure is not limited to any specific configuration and algorithm presented below.
Any modifications, substitutions, and improvements of the elements, components, and algorithms without departing from the spirit of the disclosure are encompassed with the present invention. The known structures and technologies are not shown in the drawings and the following description in order to avoid unnecessary obscuring of the present disclosure.
[0017] The embodiments of the present disclosure provide a permission processing method, system, device and a storage medium which can be applied to various single page applications that can provide different permissions to different users. For example, it can be applied to a management platform, an advertisement delivery platform, and the like. When different users log on to a single page application and perform various types of access, the user can be provided with the services in accordance with the permission of the user, thereby avoiding unauthorized access.
[0018] FIG. 1 is a schematic diagram of a scenario involved in a single page application according to some embodiments of the present disclosure. As shown in FIG. 1, the single page application involves a client 10 and an application permission control system 11. The client may be a local program that provides a service for a user, or a locally installed application side device that provides a service for the user, which is not limited herein. The client 10 can call the application permission control system 11. In some examples, the client 10 may include an application front end 101 and an application background 102. The application front end 101 is mainly responsible for displaying the pages of the application, and can display various components, such as a sidebar, a picture, a floating window, a table, a linked drop-down box, and the like, and the type and number of the components are not limited herein.
The application background 102 can provide an interface for calling the application front end 101, such as an application programming interface (API) corresponding to a component of the application front end 101. The application permission control system 11 stores a first mapping relationship between the user and the permission identifier, wherein the permission identifier is used to identify the permission. The permissions may include previewing permissions, reading permissions, writing permissions, deleting permissions, and the like; and the types of permissions are not limited herein. In addition, the permissions have different levels. For example, in the case where the permissions include the previewing permissions, reading permissions, writing permissions, deleting permissions, and the foregoing permissions can be sorted in an ascending order from lowest permission level to the highest permission level as previewing permissions, reading permissions, writing permissions and deleting permissions. In addition, it may also limit the permissions and permission identifiers of the components of the application front end. For example, the permission identifiers of the reading permissions of different components can be different. The permissions of the components can be set in advance according to actual needs. For example, the reading permission of a table is higher than the reading permission of an image. In order to facilitate comparison of various permissions, the corresponding permission identifiers can also reflect the level of permission.
The specific content will be described later.
[0019] FIG. 2 is a flowchart of a permission processing method according to one embodiment of the present disclosure. This permission processing method can be used for the client. As shown in FIG. 2, the permission processing method may include steps S201 to S204.
[0020] Step S201 is determining a user's desired permission identifier in response to the user's access request.
[0021] A user may issue an access request through an operation. An interceptor can be set on the client to intercept the access request before the access request reaches the application front end.
[0022] After receiving the access request of the user, the client may respond to the access request of the user to determine a desired permission identifier of the user according to the access request. In some examples, the access request may include the user's desired permission identifier, and the present invention does not limit the number of the desired permission identifiers which can be included in the access request. The desired permission identifier is the permission identifier corresponding to the permission desired by the user. As a result, the desired permission identifier of a user may include the permissions that are allowed for the user, and may also include the permissions that are not allowed for the user. According to the desired permission identifier of the user in the access request, it can be determined whether the desired permission corresponding to the user's desired permission identifier is allowed for this user.
[0023] Step S202 is calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system.
[0024] A mapping relationship between the user and the permission identifier is stored in the application permission control system. That is to say, according to a first mapping relationship stored in the application permission control system, the permission for each user can be determined. It should be noted that the mapping relationship between the user and the permission identifier is not stored on the client. Rather, when determining whether the permission corresponding to the desired permission identifier in the user's access request is valid, such a query can be performed in the application permission control system.
[0025] Therefore, when the mapping relationship between the user and the permission identifier needs to be maintained, only the first mapping relationship stored in the application permission control system needs to be maintained. For an access request for accessing the client, the application permission system may be called, and the mapping relationship between the desired permission identifier in the access request and the user of the access request is queried in the application permission system in order to determine whether it exists in the application permission control system. In this way, whether or not the first mapping relationship after maintenance is present in the application permission control system can be used to determine whether the permission indicated by the desired permission identifier in the access request is valid.
[0026] For example, the first mapping relationship between the user and the permission identifier may be stored in in the form of a table in the application permission control system.
For example, Table 1 is the first mapping relationship between the user and the permission identifier stored in the application permission control system. The permission identifiers corresponding to user A include readlanl, writetable3, and prewinl. The permission identifiers corresponding to user B include read1an2, readtable4, and prewinl, in which readlanl indicates the reading permission of the content 1 of the sidebar; writetable3 indicates the writing permission of the table 3; prewinl indicates the previewing permission of the floating window 1;

read1an2 indicates the read permission of the content 2 of the sidebar; and readtable4 indicates the read permission of the table 4.
Table 1 User permission identifier User A readlanl writetable3 prewinl User B read1an2 readtable4 prewinl [0027] Step S203 is obtaining the permission identifier corresponding to the user in the first mapping relationship in response to that there is a mapping relationship between the user and the desired permission identifier in the first mapping relationship.
[0028] It should be noted that the permission identifier corresponding to the user in the first mapping relationship acquired by the client includes the desired permission identifier of the user, but is not limited to the desired permission identifier of the user, and may also include other permission identifiers corresponding to the user in the first mapping relationship stored in the application permission control system.
[0029] If the mapping relationship between the user and the desired permission identifier exists in the first mapping relationship, it indicates that the permission corresponding to the desired permission identifier of the user is allowed. Accordingly, the permission identifier corresponding to the user may be provided to the client, so that the client can obtain the permission identifier corresponding to the user, and then display the component according to the permission of the user, and/or call the interface according to the permission of the user.
[0030] However, if the mapping relationship between the user and the desired permission identifier does not exist in the first mapping relationship, it indicates that the permission corresponding to the desired permission identifier of the user is not allowed.
Accordingly, the desired permission identifier corresponding to the not-allowed permission in the access request may be intercepted. Thus, the application front end and/or application background of the client will not be provided with the desired permission identifier corresponding to the permission that is not allowed. In addition, on the basis that the application front end and/or the application background of the client are not provided with the desired permission identifier corresponding to the permission that is not allowed. In such a case, according to the specific scenario, whether or not the permission identifier corresponding to the user in the mapping relationship stored in the application permission control system is provided to the application front end and/or the application background of the client may be further determined.
[0031] For example, the first mapping relationship stored in the application permission control system is as shown in Table 1. If the access request issued by user A
includes two desired permission identifiers, in which one desired permission identifier indicates the writing permission of table 3, and the other desired permission identifier indicates the previewing permission of floating window 3. In this case, the search may be performed in the first mapping relationship shown in table 1. In the case where it is determined that the mapping relationship between the user A and the desired permission identifier indicating the writing permission of the table 3 is present in the first mapping relationship, but the mapping relationship between the user A and the desired permission identifier indicating the previewing permission of floating window 3 is not present in the first mapping relationship, the desired permission identifier for the writing permission of table 3 writetable3 may be provided to the client and the application front end and/or application background of the client. In addition, the desired permission identifier of table 3 writetable3 and other permission identifiers readlanl and prewinl corresponding to user A in the table 1 may be provided to the client and the application front end and/or the application background of the client.
[0032] Step S204 is determining components that are shown on a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
[0033] An application side minimum permission identifier can be configured in advance for the client. The minimum required permission identifier is the permission identifier of the lowest permission level allowed by the client.
[0034] In some examples, the client may include an application front end and an application background. Correspondingly, the minimum required permission identifier may include a front end minimum required permission identifier and a background minimum required permission identifier. The front end minimum required permission identifier can be configured on the application front end. The background minimum required permission identifier can be configured in the application background. The front end minimum required permission identifier is a permission identifier of the lowest level of permission that is allowed by the application front end. The background minimum required permission identifier is the permission identifier of the lowest level of permission that is allowed by the application background. In the process of developing the permissions for the permission processing system, the application front end should focus on the display effect, while the application background should focus on the call to the interface (that is, access). The application front end is different from the application background. However, by setting various types of permissions, the permissions of the application front end display component and/or the permissions of the application background call interface can be set separately. The desired permission identifier determined according to the user's access request may include a permission identifier for indicating the permission of a display component of the application front end, and/or a permission identifier for indicating the permission of a callable interface of the application background. In this way, it can avoid conflicts between the application front end and the application background.
[0035] The permission identifier corresponding to the user is the allowed permission of the user, but the permission allowed for the user may not be allowed by the client. Therefore, the permission of the permission identifier corresponding to the user allowed by the client can be determined by using the minimum required permission identifier.
[0036] Specifically, if the permission indicated by the permission identifier corresponding to the user in the first mapping relationship is higher than or equal to the permission indicated by the minimum required permission identifier, the client may display the component indicated by the permission identifier corresponding to the user, and/or an interface indicated by the permission identifier corresponding to the user may be called. However, if the permission indicated by the permission identifier corresponding to the user in the first mapping relationship is lower than the permission indicated by the minimum required permission identifier, the application side does not display the component indicated by the permission identifier corresponding to the user, and an interface indicated by the permission identifier corresponding to the user cannot be called.
[0037] In some examples, the route of the permission indicated by the permission identifier corresponding to the user allowed by the client may be calculated according to the permission identifier corresponding to the user allowed by the client, and the jump between displaying various components may be performed according to the calculated route. For example, the route of the initial permission corresponding to the user indicates the sidebar of a single page application displayed on the client, and the route of the next permission corresponding to the user indicates the image to be displayed by the single page application on the client, then the client display may jump from the sidebar to the image to be displayed.
[0038] In an embodiment of the present disclosure, the client may determine the desired permission identifier of the user according to an access request in response to the access request issued by the user. The application permission system is called to query whether the mapping relationship between the user and the desired permission identifier exists in the first mapping relationship between the user and the permission identifier stored in the application permission control system. If there is a mapping relationship between the user and the desired permission identifier in the application permission control system, it indicates that the permission corresponding to the desired permission identifier is allowed for the user.
Then, based on the permission identifier corresponding to the permission of the user and the minimum required permission identifier, the component displayed by the application front end and/or the interface callable by the application background may be determined. In the case of maintaining the permission of the user (including adding permissions, deleting permissions, changing permissions, and the like), only the first mapping relationship between the user and the permission identifier stored in the application permission control system needs to be maintained.
[0039] When the user sends an access request, the application permission control system is called to perform the query in the first mapping relationship after the maintenance, and a service is provided in accordance with the permission of the user after the maintenance. This can avoid the situation where a user is provided with a service that does not conform to the permission thereof after maintenance, for example, to avoid the problem that a user is allowed to access beyond the user's permission. Thus, the maintainability and operability of permission processing are improved.
[0040] In a specific operation, the requested address may be adjusted according to specific requirements, such as an address (such as an endpoint) pointing to the route of a component displayed by the client, and/or an address of the interface (such as an endpoint) to be called.
Therefore, the address (such as an endpoint) of the route for the component displayed by the client and/or the address of the interface (such as an endpoint) to be called are subject to change and are unstable.
[0041] In some embodiments of the present disclosure, the permission is relatively stable, and thus the permission identifier is also relatively stable. The component displayed by the client and/or the callable interface is determined according to the permission identifier corresponding to the permission, which thus enhances the stability of the single page application.
[0042] In some examples, a permission triplet of all types of permissions can be configured to the client. In this case, the all types of permissions here refer to all types of permissions that the client can support. For example, the client supports the previewing permissions, reading permissions, and writing permissions. Even if some or all of the user's requests do not include all of the previewing permissions, reading permissions, and writing permissions, the client must be configured with the permission triplets of the previewing permissions, reading permissions, and writing permissions.
[0043] In this case, each one of the permission triplets comprises a first permission identifier, a second permission identifier, and a third permission identifier, the first permission identifier is a permission variable name recorded by the client, the second permission identifier is a permission value for transmission and permission comparison, the third permission identifier is a permission token name recorded by the application permission control system;
and the first permission identifier, the second permission identifier, and the third permission identifier in the same permission triplet are configured to represent the same permission.
[0044] For example, a permission triplet can be represented as (Key, Code, Token), in which the first permission identifier is Key, the second permission identifier is Code, and the third permission identifier is Token. It should be noted that, in the permission triplet, the order of the first permission identifier, the second permission identifier, and the third permission identifier may be changed, and is not limited herein. For example, the permission triplet of the reading permission of table 3 can be expressed as (ta3_re, 3, tab1e3 read), in which the first permission identifier ta3_re, the second permission identifier 3, and the third permission identifier tab1e3 read all indicate the reading permission of table 3. In addition, according to any one of the first permission identifier, the second permission identifier and the third permission identifier, another identifier may be found in the permission triplet.

[0045] In some examples, the client is generally developer-oriented, so the permission identifier can be a variable name defined in the development programming for indicating the permission.
[0046] The second permission identifier is used for transmission and permission comparison.
[0047] In order to facilitate the transmission and the comparison of the permission levels, the second permission identifier may be an integer value for indicating the permission. When a permission comparison is performed, it can be set that a larger second permission identifier indicates that the permission indicated by the second permission identifier is high. In this way, various permissions can be compared.
[0048] The application permission control system is generally oriented to operators. Thus the third permission identifier can be an easy token string for indicating the permission.
[0049] Under the requirements of different areas and different functions, the mutual conversions between the first permission identifier, the second permission identifier, and the third permission identifier in the same permission triplet may be performed according to the permission triplet.
[0050] In the above embodiments, the access request is used to transmit the desired permission identifier, and the desired permission identifier in the access request may be the second permission identifier. The first mapping relationship is stored in the application permission control system, and the permission identifier in the first mapping relationship is the third permission identifier.
[0051] In step S202 of the above embodiments, the process of querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system may include: specifically, converting the desired permission identifier to the third permission identifier corresponding to the desired permission identifier according to the permission triplet; and querying, in the application permission control system, whether there is a mapping relationship between the user and the third permission identifier converted from the desired permission identifier.
[0052] To facilitate transmission, the desired permission identifier in the access request is the second permission identifier. However, the permission identifier in the first mapping relationship stored in the application permission control system is the third permission identifier. In order to facilitate the search, the desired permission identifier in the access request is first converted into the corresponding third permission identifier according to the permission triplet, and then search in the first mapping relationship to determine whether there is a mapping relationship between the user and the third permission identifier converted from the desired permission identifier.
[0053] In step S204 of the above embodiments, the process of determining components that are shown at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client may include: specifically, converting the permission identifier corresponding to the user in the first mapping relationship and the minimum required permission identifier into the second permission identifiers according to the permission triplet; determining a second target component and/or a second target interface that can be called shown on the client, in response to that the second permission identifier of the user is greater than or equal to the second permission identifier converted from the minimum required permission identifier.
[0054] In the foregoing process, the second permission identifier of the user is the second permission identifier converted from the permission identifier corresponding to the user in the first mapping relationship; the second target component and the second target interface both correspond to the second permission identifier of the user.
[0055] Both the target component and the target interface correspond to the user's second permission identifier. That is to say, the target component is a component corresponding to the second permission identifier of the user. The target interface is an interface corresponding to the second permission identifier of the user.
[0056] The permission identifier in the first mapping relationship in the application permission control system is the third permission identifier. An application side minimum permission identifier configured on the client is the first permission identifier. In order to facilitate comparison, the permission identifier corresponding to the user in the first mapping relationship and the minimum required permission identifier are both converted into the second permission identifier for comparison according to the permission triplet. The second permission identifier is the permission value used for permission comparison. In the case where the second permission identifier of the user is greater than or equal to the second permission identifier converted from the minimum required permission identifier, it indicates that the permission indicated by the second permission identifier of the user is greater than or equal to the permission indicated by the minimum required permission identifier. Accordingly, the client can display the target component, and/or can call the target interface.
[0057] In some examples, the client includes an application front end and an application background. Correspondingly, the minimum required permission identifier may include a front end minimum required authority identifier and/or a background minimum required permission identifier. Similarly, if the second permission identifier of the user is greater than or equal to the second permission identifier converted from the front end minimum required permission identifier, the application front end displays the target component. The application front end displaying the target component needs to call the interface corresponding to the target component. If the second permission identifier of the user is greater than or equal to the second permission identifier converted from the background minimum required permission identifier, the application background can call the target interface.
[0058] In some examples, the permission identifier corresponding to the user in the first mapping relationship is all of the permission identifiers corresponding to the user in response that no permission full querying request is received from the user.
[0059] It can be determined whether the user has issued a permission full querying request before the user's current access request. In some examples, whether the user has issued a permission full querying request can be determined by detecting whether the permission full querying interface has been called.
[0060] The permission full querying request is used to query all of the permission identifiers corresponding to the user in the first mapping relationship stored in the application permission control system. For example, before the access request, when the user has performed a registration operation or a login operation within the valid time, it can be considered that the user has issued a full permission querying request.
[0061] If it is determined that the user has not issued a permission full querying request, the permission control system may query the stored first mapping relationship for all of the permission identifiers corresponding to the user, and obtain all of the permissions corresponding to the user in the first mapping relationship. For example, the first mapping relationship is as shown in Table 1 above, and the user is User B. In this case, all of the permission identifiers corresponding to the user B obtained by querying in the first mapping relationship include readlan2, readtable4, and prewinl.

[0062] In some examples, the permission identifiers in the first mapping relationship are all third permission identifiers. All of the third permission identifiers corresponding to the user obtained by the query may be converted into the second permission identifier and transmitted to the client. The transmitted second permission identifier is then compared with the second permission identifier converted from the minimum required permission identifier, and the component displayed by the client and/or the callable interface is determined.
The transmitted second permission identifier can also be converted into the first permission identifier, which is then recorded in the application background of the client, so that developers can view it.
[0063] FIG. 3 is a flowchart of a permission processing method according to another embodiment of the present disclosure. As shown in FIG. 3, the method of permission processing includes steps S301 to S306.
[0064] Step S301 is receiving a permission full querying request from a user.
[0065] In this step, the description for the permission full querying request can be seen in the foregoing examples, which will not be repeated herein.
[0066] Step S302 is calling the application permission control system to search for all of the permission identifiers corresponding to the user in the first mapping relationship.
[0067] After receiving the permission full querying request issued by the user, in some examples, the interface of permission full querying request may be called to obtain all of the permission identifiers corresponding to the user in the first mapping relationship.
[0068] Step S303 is caching all of the permission identifiers corresponding to the user in the first mapping relationship in the client, such that when the desired permission identifier of the user is present in a cache of the client, identify the components that are shown at the client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the cache of the client and the minimum required permission identifier.
[0069] The client's cache is a local cache. The permission identifier corresponding to the user in the first mapping relationship is obtained in response to the permission full query request issued by the user, and all of the permission identifiers corresponding to the user in the mapping relationship stored by the application permission control system are cached on the client. In the case where the same user issues an access request again, the query can be made directly in the client's cache.

[0070] Step S304 is determining a user's desired permission identifier in response to the user's access request.
[0071] For related content of step S304, please refer to the related description of step S201 in the above examples and its details are not described herein again.
[0072] Step S305 is determining the component displayed by the client and/or the callable interface based on the permission identifier and the minimum required permission identifier corresponding to the user in the cache of the client, in response to the presence of the desired permission identifier in the cache of the client.
[0073] In the foregoing step, the permission identifier corresponding to the user in the cache of the client includes the desired permission identifier.
[0074] When the user issues an access request again, the client's cache is queried for the presence of the desired permission identifier. If there is the desired permission identifier in the cache of the client, it indicates that the user's permission corresponding to the desired permission identifier is allowed. Further based on the permission identifier and the minimum required permission identifier corresponding to the user in the cache of the client, it can be determined whether the user's permission are allowed by the client, and it is also determined for the component displayed by the client and the callable interface.
[0075] In step S305, the processing of the desired permission identifier by the client may be referred to the search for the desired permission identifier in the application permission control system as set forth in the above examples. In addition, the client may determine the content of the component displayed by the client and/or the callable interface according to the user's corresponding permission identifier and the minimum required permission identifier.
[0076] Step S306 is displaying a prompt message on the client in response to the absence of the desired permission identifier in the client's cache.
[0077] In the foregoing step, the prompt message indicates an initial valid route. The initial valid route is, in the path where the route where the route corresponding to the desired permission identifier is located, the initial route where the permission identifier is present in the cache of the client. That is, the initial valid route is the first route of permission among the permissions that the user is allowed on the client. For example, the initial valid route is the route to the sidebar that the client can display for the user.

[0078] In some examples, in order to avoid that the permission identifier in the cache of the client is not synchronized with the maintained application permission control system, the application permission control system may be called again, and query verification in the application permission control system may be performed. The permission triplet can be used for mutual conversion between the first permission identifier, the second permission identifier, and the third permission identifier in the permission triplet.
[0079] Specifically, determine that the second permission identifier of the user is greater than or equal to the second permission identifier converted from the minimum required permission identifier, convert the second permission identifier corresponding to the user into the third permission identifier, call the application permission control system to query the presence of a mapping relationship between the user and the third permission identifier of the user in the first mapping relationship, and determine a first target component displayed on the client and/or a callable first target interface in response to the presence of the mapping relationship between the user and the third permission identifier of the user in the first mapping relationship.
[0080] In the foregoing process, the third permission identifier of the user is the third permission identifier converted from the second permission identifier corresponding to the user.
The first target component and the first target interface both correspond to the third permission identifier of the user. For the specific contents of querying whether the user and the user's third permission identifier exist in the first mapping relationship, and determining the content of the target component and/or the callable target interface displayed on the client, please refer to the related description in the foregoing examples, and details will not be described herein again.
[0081] FIG. 4 is a schematic structural diagram of a permission processing device according to some embodiments of the present disclosure. As shown in FIG. 4, the permission processing device 400 may include a responding module 401, a permission control calling module 402, a permission identifier obtaining module 403 and a determining module 404.
[0082] The responding module 401 is used for determining a user's desired permission identifier in response to the user's access request, [0083] wherein the desired permission identifier is a permission identifier corresponding to a permission desired by the user.

[0084] The permission control calling module 402 is used for calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, [0085] wherein the application permission control system stores a first mapping relationship between the user and a permission identifier.
[0086] The permission identifier obtaining module 403 is used for obtaining the permission identifier corresponding to the user in the first mapping relationship in response to the presence of a mapping relationship between the user and the desired permission identifier in the first mapping relationship;
[0087] wherein the permission identifier corresponding to the user in the obtained first mapping relationship comprises the desired permission identifier.
[0088] The determining module 404 is used for determining components that are shown at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
[0089] In some examples, the permission processing device 400 may further include a configuring module 405 for configuring the permission triplet of all types of permissions to the permission processing device 400, [0090] wherein each one of the permission triplets comprises a first permission identifier, a second permission identifier, and a third permission identifier, the first permission identifier is a permission variable name recorded by the permission processing device 400, the second permission identifier is a permission value for transmission and permission comparison, the third permission identifier is a permission token name recorded by the application permission control system; and the first permission identifier, the second permission identifier, and the third permission identifier in the same permission triplet are configured to represent the same permission.
[0091] In some examples, the desired permission identifier is a second permission identifier, and the permission identifier in the first mapping relationship is a third permission identifier.
[0092] The permission control calling module 402 is specifically configured to convert the desired permission identifier into a third permission identifier corresponding to the desired permission identifier according to the permission triplet; and query, in the application permission control system, whether there is a mapping relationship between the user and the third permission identifier converted from the desired permission identifier.
[0093] In some examples, it is determined that the permission processing device 400 has not received a permission full querying request from the user, and the permission identifier corresponding to the user in the first mapping relationship obtained by the permission identifier obtaining module 403 is all the permission identifiers corresponding to the user.
[0094] In some examples, the permission processing device 400 may further include a receiving module 406 and a caching module 407. The permission processing device 400 may =
also include a cache querying module 408 and a prompting module 409.
[0095] The receiving module 406 is used for receiving a permission full querying request from the user.
[0096] The permission control calling module 402 is further used for calling the application permission control system to find all of the permission identifiers corresponding to the user in the first mapping relationship.
[0097] The caching module 407 is used for caching all of the permission identifiers corresponding to the user in the first mapping relationship in the permission processing device 400, such that when the desired permission identifier of the user is present in a cache of the permission processing device 400, identify the components that are shown at the permission processing device 400 and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the cache of the permission processing device 400 and the minimum required permission identifier.
[0098] The cache querying module 408 is used for querying the cache for the presence of the desired permission identifier.
[0099] The determining module 404 is further used for determining the displayed component and/or the callable interface on the basis of the permission identifier corresponding to the user and the minimum required permission identifier in the cache, when the desired permission identifier is in the cache.
[0100] In the foregoing process, the permission identifier corresponding to the user in the cache includes the desired permission identifier.

[0101] The prompting module 409 is used for displaying a prompt message on the permission processing device 400 in response to the absence of the desired permission identifier in the cache of the permission processing device 400.
[0102] In the foregoing process, the prompt message indicates an initial valid route. The initial valid route is, in the path where the route where the route corresponding to the desired permission identifier is located, the initial route where the permission identifier is present in the cache of the permission processing device 400.
[0103] In some examples, the permission processing device 400 is configured with permission triplets, each permission triplet includes a first permission identifier, a second permission identifier, and a third permission identifier.
[0104] In some examples, the determining module 404 is further used for, according to the permission triplet, converting the permission identifier corresponding to the user in the first mapping relationship and the minimum required permission identifier to the second permission identifier; and determining the second target component displayed on the permission processing device 400 and/or the callable second target interface, in the case where the second permission identifier of the user is greater than or equal to the second permission identifier converted from the minimum required permission identifier; the second target component and the second target interface respectively correspond to the second permission identifier of the user, and the user second permission identifier is a second permission identifier converted from the permission identifier corresponding to the user in the first mapping relationship.
[0105] In an embodiment of the present disclosure, the responding module can determine the desired permission identifier of the user according to the access request in response to the access request issued by the user. The permission control calling module can call the application permission system, and queries whether the mapping relationship between the user and the desired permission identifier exists in the first mapping relationship between the user and the permission identifier stored in the application permission control system. If there is a mapping relationship between the user and the desired permission identifier in the application permission control system, it indicates that the permission corresponding to the desired permission identifier is allowed for the user. Then, based on the permission identifier corresponding to the permission of the user and the minimum required permission identifier, the component displayed by the application front end and/or the interface callable by the application background may be determined by the determining module. In the case of maintaining the permission of the user (including adding permissions, deleting permissions, changing permissions, and the like), only the first mapping relationship between the user and the permission identifier stored in the application permission control system needs to be maintained.
[0106] When the user sends an access request, the application permission control system is called to perform the query in the first mapping relationship after the maintenance, and a service is provided in accordance with the permission of the user after the maintenance. This can avoid the situation where a user is provided with a service that does not conform to the permission thereof after maintenance, for example, to avoid the problem that a user is allowed to make access beyond the user's permission. Thus, the maintainability and operability of permission processing are improved.
[0107] FIG. 5 is a structural diagram of the exemplary hardware architecture of an application side device according to some embodiments of the present disclosure. As shown in FIG. 5, the application side device 500 includes an input device 501, an input interface 502, a central processing unit 503, a memory 504, an output interface 505, and an output device 506.
The input interface 502, the central processing unit 503, the memory 504, and the output interface 505 are connected to each other through a bus 510. The input device 501 and the output device 506 are respectively connected to the bus 510 through the input interface 502 and the output interface 505, and further connected to other components of the application side device 500.
[0108] Specifically, the input device 501 receives input information from the outside and transmits the input information to the central processing unit 503 through the input interface 502;
the central processing unit 503 processes the input information based on computer executable instructions stored in the memory 504 to generate an output. The information is temporarily or permanently stored in the memory 504, and then the output information is transmitted to the output device 506 through the output interface 505; the output device 506 outputs the output information to the outside of the application side device 500 for use by users.
[0109] That is, the server shown in FIG. 5 can also be implemented to include: a memory storing computer executable instructions; and a processor that can implement the permission processing method and device of the above embodiments when executing the computer executable instructions.

[0110] The embodiments of the present disclosure further provide a storage medium on which the computer program instructions are stored. When the computer program instructions are executed by the processor, the permission processing method provided by the embodiments of the present disclosure can be implemented.
[0111] The functional blocks shown in the above structural block diagram may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it can be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, plug-ins, function cards, and the like. When implemented in software, elements of the present disclosure are programs or code segments that are used to perform the required tasks. The program or code segments can be stored in a machine readable medium or transmitted over a transmission medium or communication link through a data signal carried in the carrier. A "storage medium" may include any medium that can store or transfer information.
Examples of storage media include electronic circuits, semiconductor memory devices, ROM, flash memories, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like. The code segments can be downloaded via a computer network such as the Internet, an intranet, and the like.
[0112] A person skilled in the art should understand that in the claims, the term "comprising"
does not exclude other means or steps; the indefinite article "a" does not exclude a plurality;
[0113] The terms "first" and "second" are used to indicate a name and are not intended to mean any particular order.
[0114] It is to be understood that the various embodiments in the description are described in a progressive manner, and the same or similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the difference from other embodiments.
[0115] For device embodiments, application side device embodiments, and storage media embodiments, the relevant aspects and advantageous effects can be found in the description section of the method embodiments. The present disclosure is not limited to the specific steps and structures described above and illustrated in the drawings. A person skilled in the art can make various changes, modifications and additions, or changes in the order of the steps after understanding the spirit of the present disclosure. Also, a detailed description of known method technologies is omitted herein for the sake of brevity.

Claims (10)

What is claimed is:
1. A permission processing method, characterized in that the method comprises:
determining a user's desired permission identifier in response to the user's access request, wherein the desired permission identifier is a permission identifier corresponding to a permission desired by the user;
calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, wherein the application permission control system stores a first mapping relationship between the user and a permission identifier;
obtaining the permission identifier corresponding to the user in the first mapping relationship in response to the presence of a mapping relationship between the user and the desired permission identifier in the first mapping relationship;
determining components that are displayed at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
2. The method according to claim 1, characterized in that the method further comprises, prior to responding to the user's access request, configuring synchronously permission triplets of all types of permissions to the client;
wherein each one of the permission triplets comprises a first permission identifier, a second permission identifier, and a third permission identifier, the first permission identifier is a permission variable name recorded by the client, the second permission identifier is a permission value for transmission and permission comparison, the third permission identifier is a permission token name recorded by the application permission control system; and the first permission identifier, the second permission identifier, and the third permission identifier in the same permission triplet are configured to represent the same permission.
3. The method according to claim 2, characterized in that the desired permission identifier is the second permission identifier, and the permission identifier in the first mapping relationship is the third permission identifier;

the querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system comprises:
converting the desired permission identifier to the third permission identifier corresponding to the desired permission identifier according to the permission triplet;
querying, in the application permission control system, whether there is a mapping relationship between the user and the third permission identifier converted from the desired permission identifier.
4. The method according to claim 1, characterized in that the method further comprises:
prior to determining a user's desired permission identifier in response to the user's access request, receiving a permission full querying request from the user;
calling the application permission control system to search for all of the permission identifiers corresponding to the user in the first mapping relationship;
caching all of the permission identifiers corresponding to the user in the first mapping relationship in the client, such that when the desired permission identifier of the user is present in a cache of the client, identify the components that are displayed on the client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the cache of the client and the minimum required permission identifier.
5. The method according to claim 4, characterized in that the permission identifier corresponding to the user in the first mapping relationship is all of the permission identifiers corresponding to the user in response to the absence of a permission full querying request received from the user.
6. The method according to claim 2, characterized in that the determining components that are displayed at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client comprises:
converting the permission identifier corresponding to the user in the first mapping relationship and the minimum required permission identifier into the second permission identifiers according to the permission triplet;

determining a second target component and/or a second target interface that can be called displayed on the client, in response to that the second permission identifier of the user is greater than or equal to the second permission identifier converted from the minimum required permission identifier, wherein the second target component and the second target interface both correspond to the second permission identifier of the user, and the second permission identifier of the user is the second permission identifier converted from the permission identifier corresponding to the user in the first mapping relationship.
7. A permission processing device, characterized in that the device comprises:
a responding module, which is used for determining a user's desired permission identifier in response to the user's access request, wherein the desired permission identifier is a permission identifier corresponding to a permission desired by the user;
a permission control calling module, which is used for calling an application permission control system, and querying whether there is a mapping relationship between the user and the desired permission identifier in the application permission control system, wherein the application permission control system stores a first mapping relationship between the user and a permission identifier;
a permission identifier obtaining module, which is used for obtaining the permission identifier corresponding to the user in the first mapping relationship in response to the presence of a mapping relationship between the user and the desired permission identifier in the first mapping relationship, wherein the permission identifier corresponding to the user in the obtained first mapping relationship comprises the desired permission identifier;
a determining module, which is used for determining components that are displayed at a client and/or interfaces that can be called on the basis of the permission identifier corresponding to the user in the first mapping relationship and a minimum required permission identifier of the client.
8. The device according to claim 7, characterized in that the device further comprises:
a configuring module, which is used for configuring synchronously permission triplets of all types of permissions to the permission processing device;

wherein each one of the permission triplets comprises a first permission identifier, a second permission identifier, and a third permission identifier, the first permission identifier is a permission variable name recorded by the client, the second permission identifier is a permission value for transmission and permission comparison, the third permission identifier is a permission token name recorded by the application permission control system; and the first permission identifier, the second permission identifier, and the third permission identifier in the same permission triplet are configured to represent the same permission.
9. An application side device, characterized in that the application side device comprises:
a memory and a processor;
the memory is configured to store executable program code;
the processor is configured to read executable program code stored in the memory to perform the permission processing method according to any one of claims 1 to 6.
10. A storage medium, characterized in that computer program instructions are stored on the storage medium; and the computer program instructions are executable by the processor so as to implement the permission processing method according to any one of claims 1 to 6.
CA3058061A 2018-10-11 2019-10-09 Permission processing method, device, application side device and storage media Pending CA3058061A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811184754.1A CN109472127B (en) 2018-10-11 2018-10-11 Authority processing method and device, application side equipment and storage medium
CN201811184754.1 2018-10-11

Publications (1)

Publication Number Publication Date
CA3058061A1 true CA3058061A1 (en) 2020-04-11

Family

ID=65665080

Family Applications (1)

Application Number Title Priority Date Filing Date
CA3058061A Pending CA3058061A1 (en) 2018-10-11 2019-10-09 Permission processing method, device, application side device and storage media

Country Status (2)

Country Link
CN (1) CN109472127B (en)
CA (1) CA3058061A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022194545A1 (en) * 2021-03-18 2022-09-22 International Business Machines Corporation Managing search queries using encrypted cache data

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111143824B (en) * 2019-12-31 2022-06-10 奇安信科技集团股份有限公司 Method and device for determining redundancy permission, computer equipment and readable storage medium
CN113642011A (en) * 2020-05-11 2021-11-12 阿里巴巴集团控股有限公司 Resource access method, authority verification method, information processing method, equipment and storage medium
CN113204790B (en) * 2021-05-25 2024-03-01 北京字跳网络技术有限公司 View authority processing method, device, equipment and medium
CN115766296B (en) * 2023-01-09 2023-05-23 广东中思拓大数据研究院有限公司 Authority control method, device, server and storage medium for user account

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007021823A2 (en) * 2005-08-09 2007-02-22 Tripwire, Inc. Information technology governance and controls methods and apparatuses
CN101499906A (en) * 2008-02-02 2009-08-05 厦门雅迅网络股份有限公司 Method for implementing subscriber authority management based on role function mapping table
CN104486357A (en) * 2014-12-30 2015-04-01 北京经开投资开发股份有限公司 Method for achieving role-based access control (RBAC) based on SSH website

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022194545A1 (en) * 2021-03-18 2022-09-22 International Business Machines Corporation Managing search queries using encrypted cache data

Also Published As

Publication number Publication date
CN109472127B (en) 2021-01-22
CN109472127A (en) 2019-03-15

Similar Documents

Publication Publication Date Title
CA3058061A1 (en) Permission processing method, device, application side device and storage media
US20220021626A1 (en) Incorporating web applications into web pages at the network level
US10798127B2 (en) Enhanced document and event mirroring for accessing internet content
RU2673403C2 (en) Website access method, device and website system
US11516312B2 (en) Kubernetes as a distributed operating system for multitenancy/multiuser
US10275347B2 (en) System, method and computer program product for managing caches
US10484383B2 (en) Pre-authorizing a client application to access a user account on a content management system
CN113452780B (en) Access request processing method, device, equipment and medium for client
WO2014152078A1 (en) Application architecture supporting multiple services and caching
CN108256014B (en) Page display method and device
US8392911B2 (en) Download discovery for web servers
US11853806B2 (en) Cloud computing platform that executes third-party code in a distributed cloud computing network and uses a distributed data store
US20230061228A1 (en) Managing shared applications at the edge of a content delivery network
US9223557B1 (en) Application provided browser plugin
JP2010152772A (en) Information processor, information processing method and program
CN103269353A (en) Web cache and return optimization method and Web cache system
CN109428872B (en) Data transmission method, equipment, server, starting method and system
US20210014278A1 (en) Multi-tenant authentication framework
US20230129725A1 (en) Serving assets in a networked environment
CN103701844A (en) User information management method and system
US8527711B2 (en) Method and system to preview new cacheable content
CN114095245B (en) Network attack tracing method, device, equipment and medium
EP4229530A1 (en) Privacy manager for connected tv and over-the-top applications
CN117131295A (en) Resource management method, system, device, electronic equipment and storage medium
CN115495166A (en) Page loading method, device, equipment and storage medium

Legal Events

Date Code Title Description
EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916