CN113051611B - Authority control method of online file and related product - Google Patents

Authority control method of online file and related product Download PDF

Info

Publication number
CN113051611B
CN113051611B CN202110274535.8A CN202110274535A CN113051611B CN 113051611 B CN113051611 B CN 113051611B CN 202110274535 A CN202110274535 A CN 202110274535A CN 113051611 B CN113051611 B CN 113051611B
Authority
CN
China
Prior art keywords
file
token
server
path
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110274535.8A
Other languages
Chinese (zh)
Other versions
CN113051611A (en
Inventor
王之龙
郑猛猛
杨子骁
徐伟伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Sensetime Intelligent Technology Co Ltd
Original Assignee
Shanghai Sensetime Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Sensetime Intelligent Technology Co Ltd filed Critical Shanghai Sensetime Intelligent Technology Co Ltd
Priority to CN202110274535.8A priority Critical patent/CN113051611B/en
Publication of CN113051611A publication Critical patent/CN113051611A/en
Priority to KR1020227014600A priority patent/KR20220130088A/en
Priority to PCT/CN2021/105569 priority patent/WO2022193494A1/en
Application granted granted Critical
Publication of CN113051611B publication Critical patent/CN113051611B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • G06F21/335User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application discloses an authority control method of an online file and a related product, wherein the method comprises the following steps: the method comprises the steps that a server receives a first file operation request from terminal equipment; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, and the first path and the second path are both paths in a file management system operated by the server; the server executes the first operation on the file under the condition that the first file operation request meets a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path comprises the first path; the rights of the user can be verified more quickly.

Description

Authority control method of online file and related product
Technical Field
The present application relates to the field of authority control, and in particular, to an authority control method for an online file and a related product.
Background
In the field of online documentation, files (pictures, documents, audio, video, etc.) of individuals are stored in the internet cloud, such as servers that provide file management services. The server needs to control access authority for some private files stored by the server. The server performs access right control on the file, which means that the server allows the user to perform a first operation after verifying that the user has the right to perform the first operation on the file accessed by the user. The first operation may include: at least one of read-only, write, modify, delete, etc. For example, after a user inputs a modification instruction for an online file accessed by the user, the server verifies whether the user has the right to modify the online file. If the server verifies that the user has the authority to modify the online file, corresponding operation is executed according to the modification instruction; otherwise, execution of the modified instruction is denied.
Currently, a server usually verifies whether a user has a right to perform some operation on a document accessed by the user by inquiring the right information of the user. However, it usually takes a long time to query the user's rights information, which results in a long time to verify the user's rights and a poor user experience. Therefore, there is a need to investigate ways in which the rights of a user can be verified more quickly.
Disclosure of Invention
The embodiment of the application discloses an authority control method of an online file and a related product.
In a first aspect, an embodiment of the present application provides a method for controlling an authority of an online file, where the method includes: the method comprises the steps that a server receives a first file operation request from terminal equipment; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, and the first path and the second path are both paths in a file management system operated by the server; the server executes the first operation on the file under the condition that the first file operation request meets a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path comprises the first path.
The time taken by the server to judge whether the first file operation request meets the first condition is less than the time taken by the verification user (corresponding to the terminal device) to check whether the user has the authority to execute the first operation on the file of the first path.
In the embodiment of the application, the server executes a first operation on the file under the condition that the first file operation request meets a first condition; the authority information of the user (corresponding to the terminal equipment) does not need to be inquired, the authority of the user can be verified more quickly, and the first file operation request can be responded to more quickly.
In one possible implementation, the first token further includes a validity period of the first token; the first condition further comprises: the time when the server receives the first file operation request is within the validity period.
The validity period of the first token may be used to determine the validity of the first token. It should be understood that the first token is valid if the time at which the server receives the first token (i.e., the time at which the first file operation request is received) is within the validity period of the first token; otherwise, the first token is invalid.
In this implementation, the first condition further includes: the time when the server receives the first file operation request is within the valid period, and the token can be quickly and accurately determined to be valid. In addition, adverse effects due to leakage of the token can be reduced by setting the validity period of the token. In some embodiments, the server may set different validity periods depending on the permissions (corresponding to the first set of operations). For example, for some high-risk operations such as modification and deletion of files, the validity period of the token is set as short as possible; for some permissions to view files, the validity period may be relaxed.
In one possible implementation manner, before the server performs the first operation on the file, the method further includes: the server carries out validity check and validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period; and in the case that the first token passes the validity check and the validity check, the server verifies whether the first operation is included in the first operation set and whether the second path comprises the first path.
In the implementation mode, firstly, the first token is subjected to validity check and validity check, and if the first token passes the validity check and validity check, whether the first operation is included in the first operation set or not and whether the second path includes the first path or not is verified; verifying whether the first operation is included in the first set of operations and whether the second path includes the first path may be reduced.
In one possible implementation manner, before the server receives the first file operation request from the terminal device, the method further includes: the server generating the first token; and the server sends the first token to the terminal equipment.
In the implementation manner, the server sends a first token to the terminal device, so that the terminal device generates a required file operation request through the first token.
In one possible implementation, the server generating the first token includes: the server generating an initial token; and encrypting the initial token based on an HMACSHA256 algorithm to obtain the first token. The server may store a key (Secret). The server generating the initial token may be: the server generates the initial token using JsonWebToken. JSON Web Token (abbreviated JWT) is a currently popular cross-domain authentication solution.
In the embodiment of the application, the initial token is encrypted based on an HMACSHA256 algorithm to obtain a first token; the content of the first token cannot be cracked by the outside, the first token is prevented from being forged, and the safety is high.
In one possible implementation, before the server generates the first token, the method further includes: the server receives a token acquisition request from the terminal equipment, wherein the token acquisition request is used for acquiring a token required by the first operation on the file of the first path; the server acquires the role authority information of the target account logged in by the terminal equipment according to the token acquisition request; the target account is an account used by the terminal equipment for logging in the file management system; the server generating the first token comprises: and the server generates the first token according to the role authority information.
In the implementation mode, the server generates a first token according to the role authority information; the first token matching the role authority information can be quickly generated.
In one possible implementation manner, before the server receives the token obtaining request from the terminal device, the method further includes: the server logs in the login authentication of the file management system by using the target account through the terminal equipment; the server receiving a token acquisition request from the terminal device includes: and the server receives the access operation of the terminal equipment aiming at the file of the first path in the file management system.
The server can perform login authentication on the target account by verifying the target account and the password used by the terminal device for logging in the file management system. The access operation may be an operation of selecting the file of the first path by the terminal device, for example, an operation of clicking the file of the first path.
In this implementation manner, the server receiving the access operation of the terminal device to the file of the first path in the file management system may be regarded as receiving a token acquisition request from the terminal device, and may generate a corresponding token in time.
In one possible implementation, the method further includes: the server receives a second file operation request from the terminal equipment; the second file operation request is used for requesting to execute a second operation on a file of a third path, the second file operation request carries a second token, the second token comprises a fourth path and a second operation set, and the second operation set comprises one or more operations; the server refuses the second file operation request under the condition that the second file operation request does not meet a second condition; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
In the embodiment of the application, the server rejects the second file operation request under the condition that the second file operation request does not meet the second condition; the authority of the user (corresponding to the terminal equipment) does not need to be checked, the authority of the user can be verified more quickly, and the second file operation request can be responded to more quickly.
In one possible implementation, the second token further includes a validity period of the second token; the second condition further comprises: the time when the server receives the second file operation request is within the validity period of the second token.
In this implementation, the second condition further includes: the time when the server receives the second file operation request is within the validity period of the second token, and the token can be quickly and accurately determined to be valid. In addition, adverse effects due to leakage of the token can be reduced by setting the validity period of the token.
In a possible implementation manner, the files of the first path are partial files in the same directory, and the first operation set includes: one or more of new, modified, locked, deleted, moved, hidden. The files of the first path may be arbitrary files, not all files under the entire directory. That is, the path may match a user arbitrary directory or file.
In the implementation mode, the file of the first path can be any file, and can support more service scenes; the first set of operations includes: and one or more items of new creation, modification, locking, deletion, movement and hiding can realize more access authority control. It should be understood that the path can be customized in the token, and the operation rights, such as new creation, modification, locking, deletion, movement, hiding, can be customized in the token.
In a second aspect, an embodiment of the present application provides another method for controlling an authority of an online file, including: the terminal equipment generates a first file operation request; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, the first path and the second path are both paths in a file management system operated by the server, and the first token is used for the server to check whether the terminal equipment has the authority of executing the first operation on the file of the first path; and the terminal equipment sends the first file operation request to the server.
In the embodiment of the application, the terminal device sends a first file operation request carrying a first token to the server, so that the server can quickly and accurately verify whether the terminal device (corresponding to a user) has the authority to execute a first operation on a file of a first path by using the first token.
In one possible implementation manner, the first token further includes a validity period of the first token, and the validity period is used for checking validity of the first token.
In this implementation, the first token further includes a validity period of the first token, which may enable the server to verify the validity of the first token.
In one possible implementation manner, before the terminal device generates the first file operation request, the method further includes: the terminal equipment acquires the first token cached by a browser or a client application; the terminal equipment generates a first file operation request, and the method comprises the following steps: and the terminal equipment generates the first file operation request based on the first token.
In this implementation, the terminal device may quickly acquire the first token, thereby quickly generating the first file operation request.
In one possible implementation manner, before the terminal device generates the first file operation request, the method further includes: the terminal equipment sends a token acquisition request to the server, wherein the token acquisition request is used for acquiring a token required by the first operation on the file of the first path; and the terminal equipment receives the first token from the server and caches the first token.
In this implementation, the terminal device may quickly acquire the first token by sending a token acquisition request to the server.
In one possible implementation manner, before the terminal device sends the token obtaining request to the server, the method further includes: the terminal equipment logs in the file management system by using a target account; the sending, by the terminal device, the token acquisition request to the server includes: and responding to the access operation of a user for the file of the first path in the file management system, and sending the token acquisition request to the server.
In this implementation, the token acquisition request may be sent in a timely manner in response to a user access operation to a file of a first path in the file management system.
In a possible implementation manner, the files of the first path are partial files in the same directory, and the first operation set includes: one or more of new, modified, locked, deleted, moved, hidden.
In the implementation mode, the file of the first path can be any file, and can support more service scenes; the first set of operations includes: and one or more items of new creation, modification, locking, deletion, movement and hiding can realize more access authority control.
In a third aspect, an embodiment of the present application provides a server, including: the receiving and sending unit is used for receiving a first file operation request from the terminal equipment; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, and the first path and the second path are both paths in a file management system operated by the server; the processing unit is used for executing the first operation on the file under the condition that the first file operation request meets a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path comprises the first path.
In one possible implementation, the first token further includes a validity period of the first token; the first condition further comprises: the time when the server receives the first file operation request is within the validity period.
In a possible implementation manner, the processing unit is further configured to perform validity check and validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period; and if the first token passes the validity check and the validity check, verifying whether the first operation is included in the first operation set and whether the second path comprises the first path.
In a possible implementation manner, the processing unit is further configured to generate the first token; the transceiver unit is further configured to send the first token to the terminal device.
In a possible implementation manner, the processing unit is specifically configured to encrypt the initial token based on an HMACSHA256 algorithm to obtain the first token. The processing unit is specifically configured to generate the initial token by using JsonWebToken.
In a possible implementation manner, the transceiver unit is further configured to receive a token obtaining request from the terminal device, where the token obtaining request is used to obtain a token required for performing the first operation on the file of the first path; the processing unit is further configured to acquire role authority information of a target account logged in by the terminal device according to the token acquisition request; the target account is an account used by the terminal equipment for logging in the file management system; the processing unit is specifically configured to generate the first token according to the role authority information.
In a possible implementation manner, the processing unit is further configured to log in the file management system through a login authentication that the terminal device logs in the file management system by using the target account; the transceiver unit is specifically configured to receive an access operation of the terminal device for a file of the first path in the file management system.
In a possible implementation manner, the transceiver unit is further configured to receive a second file operation request from the terminal device; the second file operation request is used for requesting to execute a second operation on a file of a third path, the second file operation request carries a second token, the second token comprises a fourth path and a second operation set, and the second operation set comprises one or more operations; the processing unit is further configured to reject the second file operation request if the second file operation request does not satisfy a second condition; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
In a possible implementation manner, the files of the first path are partial files in the same directory, and the first operation includes: one or more of new, modified, locked, deleted, moved, hidden.
With regard to technical effects brought about by the third aspect or various alternative embodiments, reference may be made to the introduction of the technical effects of the first aspect or the corresponding implementation.
In a fourth aspect, an embodiment of the present application provides a terminal device, including: the processing unit is used for generating a first file operation request; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, the first path and the second path are both paths in a file management system operated by the server, and the first token is used for the server to check whether the terminal equipment has the authority of executing the first operation on the file of the first path; and the transceiving unit is used for sending the first file operation request to the server.
In one possible implementation manner, the first token further includes a validity period of the first token, and the validity period is used for checking validity of the first token.
In a possible implementation manner, the processing unit is further configured to obtain the first token cached by the browser or the client application; the processing unit is specifically configured to generate the first file operation request based on the first token.
In a possible implementation manner, the transceiver unit is further configured to send a token obtaining request to the server, where the token obtaining request is used to obtain a token required for performing the first operation on the file of the first path; receiving the first token from the server and caching the first token.
In a possible implementation manner, the processing unit is further configured to log in the file management system by using a target account; the receiving and sending unit is further configured to send the token obtaining request to the server in response to an access operation of a user for the file of the first path in the file management system.
In a possible implementation manner, the files of the first path are partial files in the same directory, and the first operation includes: one or more of new, modified, locked, deleted, moved, hidden.
With regard to the technical effects brought about by the fourth aspect or the various alternative embodiments, reference may be made to the introduction of the technical effects of the second aspect or the corresponding implementation.
In a fifth aspect, an embodiment of the present application provides a server, where the server includes: a memory for storing a program; a processor for executing the program stored in the memory, the processor being configured to perform the method of the first aspect and any possible implementation when the program is executed.
In a sixth aspect, an embodiment of the present application provides a terminal device, where the terminal device includes: a memory for storing a program; a processor for executing the program stored in the memory, the processor being configured to perform the method of the second aspect and any possible implementation as described above when the program is executed.
In a seventh aspect, an embodiment of the present application provides a chip, where the chip includes a processor and a data interface, and the processor reads instructions stored on a memory through the data interface to execute the method according to the first aspect and any possible implementation manner.
In an eighth aspect, embodiments of the present application provide a chip, where the chip includes a processor and a data interface, and the processor reads instructions stored on a memory through the data interface to execute the method according to the second aspect and any possible implementation manner.
In a ninth aspect, the present application provides a computer-readable storage medium, which stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the method of the first aspect and any possible implementation manner.
In a tenth aspect, the present application provides a computer-readable storage medium, in which a computer program is stored, the computer program including program instructions, which, when executed by a processor, cause the processor to execute the method of the second aspect and any possible implementation manner.
In an eleventh aspect, the present application provides a computer program product, which includes program instructions, and when executed by a processor, causes the processor to execute the method of the first aspect and any possible implementation manner.
In a twelfth aspect, the present application provides a computer program product, which includes program instructions, and when executed by a processor, causes the processor to execute the method of the second aspect and any possible implementation manner.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present application, the drawings required to be used in the embodiments or the background art of the present application will be described below.
Fig. 1 is a flowchart of an online file authority control method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present application;
FIG. 3 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present disclosure;
FIG. 4 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present disclosure;
FIG. 5 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present disclosure;
fig. 6 is an interaction flowchart of an authority control method for an online file according to an embodiment of the present application;
FIG. 7 is an interaction flowchart of another method for controlling the permission of an online file according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of another terminal device 110 provided in the embodiment of the present application;
fig. 12 is a block diagram of a partial structure of a terminal device according to an embodiment of the present application.
Detailed Description
The terms "first," "second," and "third," etc. in the description and claims of the present application and the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises" and "comprising," as well as any variations thereof, are intended to cover a non-exclusive inclusion, such as a list of steps or elements. A method, system, article, or apparatus is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not explicitly listed or inherent to such process, system, article, or apparatus.
In order to prevent the private file (i.e., the online file) stored in the cloud of the network from being leaked and/or tampered, access authority control is generally required to be performed on the private file. As described in the background, the access right control method generally adopted at present is as follows: whether the user has the authority to execute certain operation on the accessed document is verified by inquiring the authority information of the user. However, it usually takes a long time to query the user's rights information, which results in a long time to verify the user's rights and a poor user experience. The application provides an authority control scheme of an online file, which can verify the authority of a user by means of a token and can verify the authority of the user more quickly.
The permission control method of the online file provided by the embodiment of the application can be applied to editing the scene of the online file. The following briefly introduces an application of the online file authority control method provided in the embodiment of the present application in editing an online file scene.
Editing an online file scene: the terminal equipment carries out editing processing (such as modification, deletion, movement, locking and the like) on the online files in the file management system operated by the server. For example, a user logs in a file management system operated by a server by using terminal equipment; a user uses a terminal device to send a file operation request carrying a token to a server, wherein the file operation request is used for requesting to perform target operation on a certain online file in a file management system; the server verifies whether the user has the authority of performing target operation on the online file or not according to the token; and after verifying that the user has the authority to perform target operation on the file, the server performs the target operation on the online file, otherwise, the server rejects the file operation request.
The terminal equipment can be intelligent terminals such as mobile phones, personal computers, tablet computers, wearable equipment, personal digital assistants and information processing centers. The server may be a server having a data processing function, such as a cloud server, a web server, an application server, and a management server. The server can receive a file operation request from the terminal equipment through an interactive interface, and then performs corresponding processing through a memory for storing data and a processor for executing data processing. The memory may be a generic term that includes databases that store historical data locally, either on the server or on other network servers.
In the above scenario, the permission control method for the online file provided by the application can be used for verifying the permission of the user more quickly, and further responding to the file operation request of the user more quickly.
The following describes a method for controlling the authority of an online file provided by the present application with reference to the accompanying drawings.
Fig. 1 is a flowchart of an online file authority control method according to an embodiment of the present application. As shown in fig. 1, the method includes:
101. the server receives a first file operation request from the terminal equipment.
The first file operation request is used for requesting to execute a first operation on the file of the first path. The first file operation request carries a first token. The first token can be brought into the first file operation request by the terminal equipment in a mode of requesting a header or requesting parameters. The file of the first path may be understood as a file under the first path.
The first token comprises a second path and a first operation set. The first set of operations includes one or more operations. The first path and the second path are both paths in a file management system operated by the server. The first path may be a path corresponding to a directory in the file management system operated by the server, or may be a path corresponding to any file in the file management system operated by the server, for example, a path corresponding to a file. The second path may be a path corresponding to one directory in the file management system operated by the server, or may be a path corresponding to any file in the file management system operated by the server, for example, a path corresponding to one file. For example, the first path may be a path of a file, and the second path may be a path of a file/directory including the file. Also for example, the first path and the second path are the same path. It should be understood that the files of the first path may be all files under one directory, or may be partial files under one directory. That is to say, the authority control method of the online file provided by the application can accurately control the access authority to any file or folder. The one or more operations included in the first operation set may be understood as file operations, such as one or more of reading, creating, modifying, locking, deleting, moving and hiding, that the terminal device providing the first token can perform on the file of the second path. The first operation may be any one of reading, creating, modifying, locking, deleting, moving, hiding, and the like. Compared with the traditional scheme that only simple read-write control can be performed, the scheme provided by the application can customize operation authority (namely access authority) through the token, for example, reading, creating, modifying, locking, deleting, moving, hiding and the like can meet the diversity requirements.
102. And under the condition that the first file operation request meets a first condition, the server executes a first operation on the file of the first path.
The first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path. The server can carry out validity check on the first token, and can prevent others from accessing the online file through forged tokens. The validity of the first token passing the server checks indicates that the first token is not a counterfeit token. The first token comprises a second path and a first operation set, and indicates that the terminal device providing the first token has the authority to execute each operation in the first operation set on the file of the second path. It should be understood that if the first operation is included in the first operation set and the second path includes the first path, that is, if the first operation exists in the first operation set and the accessible file range indicated by the second path is greater than or equal to the accessible file range indicated by the first path, the terminal device inevitably has the authority to perform the first operation on the file of the first path. The authority for executing the first operation on the file of the first path may be understood as an authority corresponding to the first file operation request, and the authority for executing each operation in the first operation set on the file of the second path is an authority corresponding to the first token. In some embodiments, the server only needs to check the validity of the first token and whether the authority corresponding to the first file operation request is consistent with the authority corresponding to the first token, and does not need to query the authority information of the terminal device. Therefore, the server can directly and quickly confirm whether the terminal equipment has the authority for executing the first operation on the file in the first path or not according to the first token and the first file operation request, the authority information of the terminal equipment does not need to be inquired, time consumed for authority verification can be reduced, and file access efficiency can be effectively improved.
In one possible implementation, the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
The validity period of the first token may be used to determine the validity of the first token. It should be understood that the first token is valid if the time at which the server receives the first token (i.e., the time at which the first file operation request is received) is within the validity period of the first token; otherwise, the first token is invalid.
In this implementation, the first condition further includes: the time when the server receives the first file operation request is within the valid period, and the token can be quickly and accurately determined to be valid. In addition, adverse effects due to leakage of the token can be reduced by setting the validity period of the token. In some embodiments, the server may set different validity periods depending on the permissions (corresponding to the first set of operations). For example, for some high-risk operations such as modification and deletion of files, the validity period of the token is set as short as possible; for some permissions to view files, the validity period may be relaxed.
The method flow in fig. 1 can be understood as token-based access right control, decoupled from the login authentication approach (i.e. the approach to login to the file management system). That is, the access right control implemented by the method flow in fig. 1 is independent of the login authentication manner. The login authentication modes of different terminal devices may be different, but the authority access control of the files can be unified through the token mode.
In one embodiment, the server may further perform the steps of:
103. the server receives a second file operation request from the terminal device.
The second file operation request is used for requesting to execute a second operation on the file of the third path. The second file operation request carries a second token, and the second token comprises a fourth path and a second operation set. The second set of operations includes one or more operations. The second file operation request is similar to the first file operation request.
104. And in the case that the second file operation request does not meet the second condition, the server refuses the second file operation request.
The second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path. The denial of the second file operation request by the server may be: the server sends a response message to the terminal device, wherein the response message is used for instructing the server to reject the second file operation request. The server rejecting the second file operation request may also be: the server does not respond to the second file operation request (including not performing the second operation on the file of the third path).
In one possible implementation, the second token further includes a validity period of the second token; the second condition further includes: and the time when the server receives the second file operation request is within the validity period of the second token.
In this embodiment, the server executes an operation (e.g., a first operation) corresponding to the file operation request on the file when receiving the file operation (e.g., the first file operation request) that meets a preset condition (e.g., the first condition), and rejects the file operation request (e.g., a second file operation request) when receiving the file operation (e.g., the second file operation request) that does not meet the preset condition (e.g., the second condition); therefore, the server can realize authority control only by verifying the token carried in the file operation, does not need to inquire the authority information of the user (corresponding to the terminal equipment), can verify the authority of the user more quickly, and further responds to the file operation request more quickly.
Fig. 2 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present application. The process flow in fig. 2 is a refinement and refinement of the process flow in fig. 1. As shown in fig. 2, the method includes:
201. the server receives a first file operation request from the terminal equipment.
Step 201 may be the same as step 101, and is not described herein again.
202. And the server performs validity check and validity check on the first token.
The validity check is to check whether the time when the server receives the first file operation request is within the validity period. In a possible implementation manner, the server may perform validity check on the first token first, and perform validity check on the first token when the first token passes the validity check. In another possible implementation manner, the server may perform validity check on the first token first, and perform validity check on the first token after the first token passes the validity check. In yet another possible implementation, the server may perform the validity check on the first token and the validity check on the first token simultaneously (or in parallel).
203. In the case where the first token passes the validity check and the validity check, the server verifies whether the first operation is included in the first operation set and whether the second path includes the first path.
The first token passes the validity check and the validity check to indicate that the first token is valid and valid. It should be appreciated that if the first token fails the validity check or validity check, the server does not have to verify whether the first operation is included in the first set of operations and whether the second path includes the first path, thus avoiding useless processing flows.
204. And under the condition that the first file operation request meets a first condition, the server executes a first operation on the file of the first path.
Step 204 may be the same as step 102 and will not be described in detail here.
In the embodiment of the application, the validity check and the validity check are performed on the first token, and after the first token passes the validity check and the validity check, whether the first operation is included in the first operation set and whether the second path includes the first path is verified; the method and the device can reduce the number of operations for verifying whether the first operation is included in the first operation set and whether the second path comprises the first operation, reduce part of unnecessary operations, further save the time consumption for verification and improve the processing efficiency.
Fig. 3 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present application. The process flow in fig. 3 is a refinement and refinement of the process flow in fig. 1. As shown in fig. 3, the method includes:
301. the server receives a token acquisition request from the terminal device.
The token obtaining request is used for obtaining a token required by the first operation on the file of the first path.
In a possible implementation manner, before performing step 301, the server may log in, through the terminal device, a login authentication of a file management system in which the server operates using the target account; step 301 may be replaced by: the server receives the access operation of the terminal device aiming at the file of the first path in the file management system. For example, the terminal device may log in a file management system operated by a server using a target account, and the server receives an access operation (e.g., an operation of clicking an icon of a file) of the first path in the file management system by the terminal device.
302. And the server acquires the role authority information of the target account logged in by the terminal equipment according to the token acquisition request.
The target account is an account used by a file management system operated by the terminal equipment login server. The role authority information of the target account may include a role of the target account and an authority corresponding to the role. A file management system operated by a server supports accounts with different roles, and the accounts with different roles have different permissions, namely one role corresponds to a certain permission. For example, a file management system operated by the server supports accounts with 3 different roles of a manager, a common user and a senior user, a role of a target account is any one of the 3 roles, and a permission possessed by the target account is a permission corresponding to the role of the target account. In this example, the administrator has the most corresponding permissions and the ordinary user has the least corresponding permissions. In practical application, various roles supported by a file management system operated by a server and permissions corresponding to the roles can be set according to actual requirements, so that the permissions of accounts with different roles can be managed more conveniently.
303. And the server generates a first token according to the role authority information.
In some embodiments, the server may be running a file service application, which (corresponding to a file management system) may provide file services. The file service may maintain a separate key that is used to encrypt the token. The file service may also provide a token generation interface that may provide a path (e.g., a first path), a set of operations (e.g., a first set of operations), and an expiration time parameter (corresponding to a validity period) and be customized by a calling party (e.g., an owner of the online file). The token generation interface can firstly adopt JsonWebToken to generate an initial token, and then encrypt the initial token based on a Hash Message Authentication Code Secure Hash Algorithm 256 (HMACSHA 256) Algorithm to obtain the first token, wherein the content of the token signature cannot be cracked by the outside, and the security of token and file access is improved. The server may store a key (Secret). The file service may enable verification of the token and the operation in the file operation request (e.g., the first operation described above). The server may provide a business gateway service that may handle authentication tasks, such as authenticating accounts and passwords used by users to log into the file management system. The server can also be provided with an independent user center which is used for maintaining the basic information and the role authority information of the user. After the user logs in the file management system, the server can call an authentication interface of the user center to verify the role authority information and the like of the user. The server can obtain the role authority information of the user through the user center and call a token generation interface of the file service to obtain the token. The server can be pre-configured with access rights possessed by different role rights information, so that the token generation interface for calling the file service can generate tokens matched with the different role rights information.
304. The server sends the first token to the terminal device.
305. The server receives a first file operation request from the terminal equipment.
306. And under the condition that the first file operation request meets a first condition, the server executes a first operation on the file of the first path.
Step 306 may be the same as step 102 and will not be described in detail herein. In some embodiments, the server may perform step 202 and step 203 of fig. 2 before performing step 306, thereby determining whether the first file operation request satisfies the first condition.
In the embodiment of the application, the server generates the first token and sends the first token to the terminal equipment. In addition, the server also verifies the validity and legitimacy of the first token. The generation and verification of the first token are uniformly controlled by the server, the initial token generated by the token generation interface is encrypted by the server based on the HMACSHA256 algorithm to obtain the first token, and other people cannot forge the token, so that the safety can be improved.
The authority control scheme of the online file provided by the application can be realized only by matching the server and the terminal equipment. The foregoing embodiment describes a method flow executed by a server in the authority control scheme of an online file provided in the present application. The following describes a method flow executed by a terminal device in the authority control scheme of an online file provided by the present application, with reference to the accompanying drawings.
Fig. 4 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present application. As shown in fig. 4, the method includes:
401. the terminal equipment generates a first file operation request.
The first file operation request is used for requesting to execute a first operation on the file of the first path. The first file operation request carries a first token, and the first token comprises a second path and a first operation set. The first set of operations includes one or more operations. The first path and the second path are both paths in a file management system operated by the server. The first token is used for the server to verify whether the terminal equipment has the authority of executing the first operation on the file of the first path.
The implementation of step 401 may be: the method comprises the steps that terminal equipment obtains a first token cached by a browser or a client application; and generating the first file operation request based on the first token.
402. The terminal equipment sends a first file operation request to the server.
In the embodiment of the application, the terminal device sends a first file operation request carrying a first token to the server, so that the server can quickly and accurately verify whether the terminal device (corresponding to a user) has the authority to execute a first operation on a file of a first path by using the first token.
Fig. 5 is a flowchart of another method for controlling the authority of an online file according to an embodiment of the present application. The method flow in fig. 5 is a refinement and refinement of the method flow in fig. 4. As shown in fig. 5, the method includes:
501. and the terminal equipment logs in a file management system operated by the server by using the target account.
502. In response to a user's access operation to a file of a first path in the file management system, the terminal device transmits a token acquisition request to the server.
In one embodiment, after a terminal device logs in a file management system operated by a server by using a target account, the terminal device may display a page of the file management system, where the page may include one or more folders, and each folder includes at least one file; the operation of the user opening (e.g., clicking) the file of the first path is an access operation of the user to the file of the first path in the file management system.
Step 502 may be: in response to an access operation of a user for a file of a first path in the file management system, the terminal device sends a token acquisition request to the server under the condition that a token corresponding to the file of the first path is not cached. The token corresponding to the file for a path may be the token that includes the path.
503. The terminal equipment receives the first token from the server and caches the first token.
The terminal device caching the first token may be: the browser or client application on the terminal device caches the first token.
504. The terminal equipment generates a first file operation request based on the first token.
One possible implementation of step 504 is as follows: in response to an access operation of a user for a file of a first path in the file management system, the terminal device generates a first file operation request based on a first token when the first token corresponding to the file of the first path is cached. In some embodiments, the terminal device may cache one or more tokens, and the paths corresponding to different tokens are different; the terminal device may first obtain the token corresponding to the file operation request in the cache before generating any file operation request. For example, the terminal device is to generate a file operation request for operating a file of a first path, and the terminal device may obtain a token (e.g., a first token) including a path as the first path.
505. The terminal equipment sends a first file operation request to the server.
In the embodiment of the application, the terminal device can quickly acquire the first token, so that the first file operation request is quickly generated, and the server can quickly and accurately verify whether the terminal device (corresponding to the user) has the authority to execute the first operation on the file of the first path by using the first token.
Fig. 6 is an interaction flowchart of an authority control method for an online file according to an embodiment of the present application. The method interaction flow in fig. 6 includes a method flow executed by the server and a method flow executed by the terminal device. As shown in fig. 6, the method interaction flow includes:
601. the terminal device detects an access operation of a user to a file of a first path in the file management system.
The file management system runs on a server.
602. The terminal device obtains a first token cached by the browser or the client application.
The first token includes a second path, a first set of operations, the first set of operations including one or more operations. The second path includes the first path. One possible implementation of step 602 is as follows: the terminal equipment obtains a token with a first path from a plurality of tokens cached by a browser or a client application, and obtains the first token.
603. The terminal equipment generates a first file operation request based on the first token.
The first file operation request is used for requesting to execute a first operation on the file of the first path. The first file operation request carries a first token.
604. The terminal equipment sends a first file operation request to the server.
605. And in the case that the first file operation request meets a first condition, the server executes a first operation on the file.
In the embodiment of the application, the server executes a first operation on the file under the condition that the first file operation request meets a first condition; the authority of the user (corresponding to the terminal equipment) is not required to be checked, the authority of the user can be verified more quickly, and the first file operation request can be responded to more quickly.
It should be appreciated that the terminal device may perform the method flow of fig. 6 on the premise that the terminal device has cached the first token. The following describes an interaction flow of the authority control method implemented by the terminal device without caching the corresponding token, with reference to the accompanying drawings.
Fig. 7 is an interaction flowchart of another method for controlling the permission of an online file according to an embodiment of the present application. The method interaction flow in fig. 7 includes the steps of the terminal device obtaining and caching the first token. As shown in fig. 7, the method interaction flow includes:
701. the terminal device detects an access operation of a user to a file of a first path in the file management system.
Before step 701, the terminal device may log in a file management system operated by the server using the target account.
702. The terminal device sends a token acquisition request to the server without caching the token including the first path.
The token obtaining request is used for obtaining a token required for performing the first operation on the file of the first path. The token acquisition request may carry information indicating the first path or the first path.
The case where the terminal device does not cache the token including the first path may be: the terminal device does not inquire the token with the included path as the first path from the plurality of tokens cached by the browser or the client application.
703. And the server acquires the role authority information of the target account logged in by the terminal equipment according to the token acquisition request.
The target account is an account used by a file management system operated by the terminal equipment login server.
704. And the server generates a first token according to the role authority information.
The role privilege information may be referred to as access privilege information (corresponding to the first set of operations). In some embodiments, user a may configure role privilege information for user B as follows: 1) the user A logs in a file management system operated by the server; 2) and the user A creates the file in the file management system. 3) User a configures role authority information for user B in the file management system (corresponding to operations that user B can perform on the file).
705. The server sends the first token to the terminal device.
706. The terminal equipment caches the first token and generates a first file operation request based on the first token.
It should be understood that after the terminal device caches the first token, when the terminal device requests the server to perform any operation on the file in the first path, the first token may be brought into the file operation request in a manner of a request header or request parameters. That is, when the terminal device subsequently requests to perform any operation on the file of the first path, the first token may be obtained from the cache and a corresponding file operation request may be generated without obtaining the first token again from the server. Only after the first token fails, the terminal device needs to obtain the first token from the server again and cache the first token.
707. The terminal equipment sends a first file operation request to the server.
708. And under the condition that the first file operation request meets a first condition, the server executes a first operation on the file of the first path.
In the embodiment of the application, the terminal device can obtain and cache the required token under the condition that the required token is not cached, so that the authority of the user can be verified more quickly in the following process.
Fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 8, the server includes:
a transceiving unit 801 configured to receive a first file operation request from a terminal device; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, and the first path and the second path are both paths in a file management system operated by the server;
a processing unit 802, configured to execute the first operation on the file if the first file operation request satisfies a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path.
In one possible implementation, the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
In a possible implementation manner, the processing unit 802 is further configured to perform validity check and validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period; and verifying whether the first operation is included in the first operation set and whether the second path includes the first path or not when the first token passes validity check and validity check.
In a possible implementation manner, the processing unit 802 is further configured to generate the first token; the transceiver unit is further configured to send the first token to the terminal device.
In one possible implementation, the processing unit 802 is specifically configured to encrypt the initial token based on the HMACSHA256 algorithm to obtain the first token. The processing unit 802 is specifically configured to generate the initial token by using JsonWebToken.
In a possible implementation manner, the transceiver 801 is further configured to receive a token obtaining request from the terminal device, where the token obtaining request is used to obtain a token required for performing the first operation on the file of the first path; the processing unit 802 is further configured to obtain role authority information of a target account logged in by the terminal device according to the token obtaining request; the target account is an account used by the terminal equipment for logging in the file management system; the processing unit 802 is specifically configured to generate the first token according to the role authority information.
In a possible implementation manner, the processing unit 802 is further configured to log in, through the terminal device, a login authentication for logging in the file management system by using the target account; the transceiving unit 801 is specifically configured to receive an access operation of the terminal device for the file of the first path in the file management system.
In a possible implementation manner, the transceiving unit 801 is further configured to receive a second file operation request from the terminal device; the second file operation request is used for requesting to execute a second operation on a file of a third path, the second file operation request carries a second token, the second token comprises a fourth path and a second operation set, and the second operation set comprises one or more operations; the processing unit 802 is further configured to reject the second file operation request when the second file operation request does not satisfy a second condition; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
Fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 9, the terminal device includes:
a processing unit 901, configured to generate a first file operation request; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token comprises a second path and a first operation set, the first operation set comprises one or more operations, the first path and the second path are both paths in a file management system operated by the server, and the first token is used for the server to check whether the terminal device has the authority to execute the first operation on the file of the first path;
a transceiving unit 902, configured to send the first file operation request to the server.
In a possible implementation manner, the first token further includes a validity period of the first token, and the validity period is used for verifying validity of the first token.
In a possible implementation manner, the processing unit 901 is further configured to obtain the first token cached by the browser or the client application; the processing unit 901 is specifically configured to generate the first file operation request based on the first token.
In a possible implementation manner, the transceiving unit 902 is further configured to send a token obtaining request to the server, where the token obtaining request is used to obtain a token required to perform the first operation on the file of the first path; and receiving the first token from the server and caching the first token.
In a possible implementation manner, the processing unit 901 is further configured to log in the file management system by using a target account; the transceiving unit 902 is further configured to send the token obtaining request to the server in response to an access operation of a user for the file of the first path in the file management system.
In a possible implementation manner, the files of the first path are partial files in the same directory, and the first operation includes: one or more of new, modified, locked, deleted, moved, hidden.
It should be understood that the above division of the units of the server and the terminal device is only a division of logical functions, and the actual implementation may be wholly or partially integrated into one physical entity, or may be physically separated. For example, the above units may be processing elements which are set up separately, or may be implemented by integrating the same chip, or may be stored in a storage element of the controller in the form of program codes, and a certain processing element of the processor calls and executes the functions of the above units. In addition, the units can be integrated together or can be independently realized. The processing element may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method or the units above may be implemented by hardware integrated logic circuits in a processor element or instructions in software. The processing element may be a general-purpose processor, such as a Central Processing Unit (CPU), or may be one or more integrated circuits configured to implement the above method, such as: one or more application-specific integrated circuits (ASICs), or one or more microprocessors (DSPs), or one or more field-programmable gate arrays (FPGAs), among others.
Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention, where the server 1000 may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 1022 (e.g., one or more processors) and a memory 1032, and one or more storage media 1030 (e.g., one or more mass storage devices) for storing applications 1042 or data 1044. Memory 1032 and storage medium 1030 may be, among other things, transient or persistent storage. The program stored on the storage medium 1030 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, a central processor 1022 may be disposed in communication with the storage medium 1030, and configured to execute a series of instruction operations in the storage medium 1030 on the server 1000.
The server 1000 may also include one or more power supplies 1026, one or more wired or wireless network interfaces 1050, one or more input-output interfaces 1058, and/or one or more operating systems 1041, such as Windows Server, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, and so forth.
The steps performed by the server in the above embodiment may be based on the server structure shown in fig. 10. Specifically, the central processing unit 1022 may implement the function of the processing unit 802 in fig. 8, and the input/output interface 1058 may implement the function of the transceiver unit 801.
Fig. 11 is a schematic structural diagram of another terminal device 110 according to an embodiment of the present application. As shown in fig. 11, the terminal device shown in fig. 11 includes a logic circuit 1101 and an interface 1102. The logic circuit 1101 may implement the functions of the processing unit 901 in fig. 9. The interface 1102 may implement the functions of the transceiving unit 902 in fig. 9. The logic circuit 1101 may be a chip, a processing circuit, an integrated circuit or a system on chip (SoC) chip, and the interface 1102 may be a communication interface, an input/output interface, and the like. In the embodiments of the present application, the logic circuit and the interface may also be coupled to each other. The embodiments of the present application are not limited to the specific connection manner of the logic circuit and the interface.
Fig. 12 is a block diagram of a partial structure of a terminal device according to an embodiment of the present application. As shown in fig. 12, terminal device 1200 can include a processor 1201, a memory 1202, an input device 1203, an output device 1204, and a bus 1205. The processor 1201, the memory 1202, the input device 1203, and the output device 1204 may be communicatively connected to each other via a bus 1205. The bus 1205 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 12, but this is not intended to represent only one bus or type of bus.
The processor 1201 may employ a general Central Processing Unit (CPU), a microprocessor, a Graphics Processing Unit (GPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, to execute related programs, so as to implement the technical solution provided by the embodiments of the present invention. Processor 1201 may implement the functions of processing unit 901 in fig. 9.
The Memory 1202 may be a Read Only Memory (ROM), a static Memory device, a dynamic Memory device, or a Random Access Memory (RAM). The memory 1202 may store an operating system, as well as other application programs. The program codes for implementing the functions required to be executed by the modules and components included in the terminal device provided by the embodiment of the present application, or for implementing the above-mentioned method provided by the embodiment of the present application, are stored in the memory 1202, and the processor 1201 reads the codes in the memory 1202 to execute the operations required to be executed by the modules and components included in the terminal device, or to execute the above-mentioned method provided by the embodiment of the present application.
An input device 1203 is used for inputting data and user instructions. For example, the input device may receive a token from a server. For example, the input device may input a user's access operation for a file of the first path.
An output device 1204 for outputting data and images. For example, the output device outputs a file operation request. As another example, the output device 1204 displays a page of a file management system. The output device 1204 may implement the functionality of the transceiving unit 902 in fig. 9.
Bus 1205 may include a pathway to transfer information between various components of the terminal device, such as processor 1201, memory 1202, input device 1203, output device 1204.
It should be noted that although the terminal device 1200 shown in fig. 12 only shows the processor 1201, the memory 1202, the input device 1203, the output device 1204 and the bus 1205, in a specific implementation process, a person skilled in the art should understand that the terminal device 1200 also includes other devices necessary for realizing normal operation. Meanwhile, it will be apparent to those skilled in the art that the terminal device 1200 may also include hardware components implementing other additional functions according to specific needs. Further, it should be understood by those skilled in the art that the terminal apparatus 1200 may also include only the devices necessary to implement the embodiments of the present application, and not necessarily all of the devices shown in fig. 12.
The present application also provides a computer-readable storage medium having stored therein computer code which, when run on a computer, causes the computer to perform the method of the above-described embodiment.
The present application also provides a computer program product comprising computer code or a computer program which, when run on a computer, causes the method of the above embodiments to be performed.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the above claims.

Claims (16)

1. An authority control method for an online file is characterized by comprising the following steps:
the method comprises the steps that a server receives a first file operation request from terminal equipment; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes one or more operations, the first path and the second path are both paths in a file management system operated by the server, and the first operation set includes: one or more items of new creation, modification, locking, deletion, movement and hiding;
the server executes the first operation on the file under the condition that the first file operation request meets a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path comprises the first path.
2. The method of claim 1, wherein the first token further comprises a validity period of the first token; the first condition further comprises: the time when the server receives the first file operation request is within the validity period.
3. The method of claim 2, wherein prior to the server performing the first operation on the file, the method further comprises:
the server carries out validity check and validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period;
and in the case that the first token passes the validity check and the validity check, the server verifies whether the first operation is included in the first operation set and whether the second path comprises the first path.
4. The method according to any one of claims 1 to 3, wherein before the server receives the first file operation request from the terminal device, the method further comprises:
the server generating the first token;
and the server sends the first token to the terminal equipment.
5. The method of claim 4,
before the server generates the first token, the method further comprises:
the server receives a token acquisition request from the terminal equipment, wherein the token acquisition request is used for acquiring a token required by the first operation on the file of the first path;
the server acquires the role authority information of the target account logged in by the terminal equipment according to the token acquisition request; the target account is an account used by the terminal equipment for logging in the file management system;
the server generating the first token comprises:
and the server generates the first token according to the role authority information.
6. The method of claim 5,
before the server receives a token acquisition request from the terminal device, the method further includes:
the server logs in the login authentication of the file management system by using the target account through the terminal equipment;
the server receiving a token acquisition request from the terminal device includes:
and the server receives the access operation of the terminal equipment aiming at the file of the first path in the file management system.
7. An authority control method for an online file is characterized by comprising the following steps:
the terminal equipment generates a first file operation request; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes one or more operations, the first path and the second path are both paths in a file management system operated by a server, the first token is used for the server to check whether the terminal device has a right to execute the first operation on the file of the first path, and the first operation set includes: one or more items of new creation, modification, locking, deletion, movement and hiding; the terminal equipment caches one or more tokens, and the paths corresponding to different tokens are different; the first condition that the permission of executing the first operation on the file of the first path needs to be met by the terminal device comprises: the first operation is included in the first set of operations and the second path comprises the first path;
the terminal equipment sends the first file operation request to the server;
before the terminal device generates the first file operation request, the method further includes:
and the terminal equipment acquires the first token corresponding to the first file operation request in the cache.
8. The method of claim 7, wherein the first token further comprises a validity period of the first token, and wherein the validity period is used to verify the validity of the first token.
9. The method of claim 7,
the terminal equipment generates a first file operation request, and the method comprises the following steps:
and the terminal equipment generates the first file operation request based on the first token.
10. The method according to any one of claims 7 to 9, wherein before the terminal device generates the first file operation request, the method further comprises:
the terminal equipment sends a token acquisition request to the server, wherein the token acquisition request is used for acquiring a token required by the first operation on the file of the first path;
and the terminal equipment receives the first token from the server and caches the first token.
11. The method of claim 10,
before the terminal device sends a token obtaining request to the server, the method further includes:
the terminal equipment logs in the file management system by using a target account;
the sending, by the terminal device, the token acquisition request to the server includes:
and responding to the access operation of a user for the file of the first path in the file management system, and sending the token acquisition request to the server.
12. A server, comprising:
the receiving and sending unit is used for receiving a first file operation request from the terminal equipment; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes one or more operations, the first path and the second path are both paths in a file management system operated by the server, and the first operation set includes: one or more items of new creation, modification, locking, deletion, movement and hiding;
the processing unit is used for executing the first operation on the file under the condition that the first file operation request meets a first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path comprises the first path.
13. A terminal device, comprising:
the processing unit is used for generating a first file operation request; the first file operation request is used for requesting to execute a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes one or more operations, the first path and the second path are both paths in a file management system operated by a server, the first token is used for the server to check whether the terminal device has a right to execute the first operation on the file of the first path, and the first operation set includes: one or more items of new creation, modification, locking, deletion, movement and hiding; the terminal equipment caches one or more tokens, and the paths corresponding to different tokens are different; the first condition that the permission of executing the first operation on the file of the first path needs to be met by the terminal device comprises: the first operation is included in the first set of operations and the second path comprises the first path;
the receiving and sending unit is used for sending the first file operation request to the server;
the processing unit is further configured to obtain the first token corresponding to the first file operation request in the cache.
14. A server, comprising: a memory for storing a program; a processor for executing the program stored by the memory, the processor being configured to perform the method of any of claims 1 to 6 when the program is executed.
15. A terminal device, comprising: a memory for storing a program; a processor for executing the program stored by the memory, the processor being configured to perform the method of any of claims 7 to 11 when the program is executed.
16. A computer-readable storage medium, in which a computer program is stored, the computer program comprising program instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 11.
CN202110274535.8A 2021-03-15 2021-03-15 Authority control method of online file and related product Active CN113051611B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202110274535.8A CN113051611B (en) 2021-03-15 2021-03-15 Authority control method of online file and related product
KR1020227014600A KR20220130088A (en) 2021-03-15 2021-07-09 Authority control method and server, terminal, storage medium and computer program
PCT/CN2021/105569 WO2022193494A1 (en) 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium, and computer program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110274535.8A CN113051611B (en) 2021-03-15 2021-03-15 Authority control method of online file and related product

Publications (2)

Publication Number Publication Date
CN113051611A CN113051611A (en) 2021-06-29
CN113051611B true CN113051611B (en) 2022-04-29

Family

ID=76512268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110274535.8A Active CN113051611B (en) 2021-03-15 2021-03-15 Authority control method of online file and related product

Country Status (3)

Country Link
KR (1) KR20220130088A (en)
CN (1) CN113051611B (en)
WO (1) WO2022193494A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113051611B (en) * 2021-03-15 2022-04-29 上海商汤智能科技有限公司 Authority control method of online file and related product

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110363026A (en) * 2019-07-19 2019-10-22 深圳前海微众银行股份有限公司 File operation method, device, equipment, system and computer readable storage medium
CN112487450A (en) * 2020-11-30 2021-03-12 银盛支付服务股份有限公司 File server access grading method

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103488791B (en) * 2013-09-30 2018-03-27 华为技术有限公司 Data access method, system and data warehouse
KR102117584B1 (en) * 2016-01-29 2020-06-26 구글 엘엘씨 Local device authentication
US10708053B2 (en) * 2017-05-19 2020-07-07 Intuit Inc. Coordinating access authorization across multiple systems at different mutual trust levels
CN107613005B (en) * 2017-09-20 2021-04-13 携程旅游信息技术(上海)有限公司 Reverse proxy method and device, electronic device and storage medium
CN109657481B (en) * 2017-10-12 2020-12-22 北京京东尚科信息技术有限公司 Data management method and device
CN110909373B (en) * 2018-09-18 2023-06-20 阿里巴巴集团控股有限公司 Access control method, equipment, system and storage medium
CN110601832A (en) * 2019-09-27 2019-12-20 中煤航测遥感集团有限公司 Data access method and device
CN110855672A (en) * 2019-11-15 2020-02-28 无锡家校邦网络科技有限公司 JWT-based authorization method capable of being manually cancelled
CN111093197B (en) * 2019-12-31 2021-08-27 北大方正集团有限公司 Authority authentication method, authority authentication system and computer readable storage medium
CN111756753B (en) * 2020-06-28 2022-09-23 中国平安财产保险股份有限公司 Authority verification method and system
CN113051611B (en) * 2021-03-15 2022-04-29 上海商汤智能科技有限公司 Authority control method of online file and related product

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110363026A (en) * 2019-07-19 2019-10-22 深圳前海微众银行股份有限公司 File operation method, device, equipment, system and computer readable storage medium
CN112487450A (en) * 2020-11-30 2021-03-12 银盛支付服务股份有限公司 File server access grading method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"File View: Secure Model in Intranet,";Y.Liang 等;《2009 International Conference on Networking and Digital Society》;20090531;第198-201页 *
"云计算环境下文件管理与访问控制";张欣晨;《中国优秀硕士学位论文全文数据库 信息科技辑》;20160615(第2016-06期);第I138-30页 *

Also Published As

Publication number Publication date
CN113051611A (en) 2021-06-29
WO2022193494A1 (en) 2022-09-22
KR20220130088A (en) 2022-09-26

Similar Documents

Publication Publication Date Title
US11770368B2 (en) Techniques for shared private data objects in a trusted execution environment
CN111488598B (en) Access control method, device, computer equipment and storage medium
CA2448853C (en) Methods and systems for authentication of a user for sub-locations of a network location
AU2009323748B2 (en) Secure transaction authentication
US11019068B2 (en) Quorum-based access management
CN112073400A (en) Access control method, system and device and computing equipment
US7509497B2 (en) System and method for providing security to an application
EP3014847B1 (en) Secure hybrid file-sharing system
WO2021184755A1 (en) Application access method and apparatus, and electronic device and storage medium
US9043891B2 (en) Preserving privacy with digital identities
US20210099431A1 (en) Synthetic identity and network egress for user privacy
CN105379223A (en) Validating the identity of a mobile application for mobile application management
EP3794485B1 (en) Method and network node for managing access to a blockchain
CN113051611B (en) Authority control method of online file and related product
CN116915493A (en) Secure login method, device, system, computer equipment and storage medium
CN115801317A (en) Service providing method, system, device, storage medium and electronic equipment
WO2022042746A1 (en) Key management method and apparatus
CN117097508A (en) Method and device for cross-device security management of NFT (network File transfer protocol)
KR20230089559A (en) Blockchain-based fido authentication system
CN114090996A (en) Multi-party system mutual trust authentication method and device
KR101066729B1 (en) Methods and systems for authentication of a user for sub-locations of a network location
CN114444060A (en) Authority verification method, device and system and storage medium
CN116865984A (en) Service data processing method and related equipment
CN101601022A (en) The supply of digital identity representations

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40045908

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant