提交 7b7d83fd 编写于 作者: sq3536's avatar sq3536

Merge remote-tracking branch 'origin/master'

......@@ -25,7 +25,7 @@
"file-saver": "^2.0.2",
"font-awesome": "^4.7.0",
"ibiz-gantt-elastic": "^1.0.12",
"ibiz-vue-lib": "^0.1.6",
"ibiz-vue-lib": "^0.1.7",
"interactjs": "^1.9.4",
"moment": "^2.24.0",
"path-to-regexp": "^6.1.0",
......
......@@ -159,7 +159,7 @@ export default class IBizGroupPicker extends Vue {
* @memberof IBizGroupPicker
*/
public loadTree() {
let orgid = this.viewParam.hasfilter ? this.viewParam.filtervalue : '450000';
let orgid = this.viewParam.filtervalue?this.viewParam.filtervalue:"alls";
let get = Http.getInstance().get(`/ibzorganizations/${orgid}/suborg/ibzdepartments/picker`, true);
get.then((response: any) => {
if(response.status === 200) {
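Review bot: `orgid` is spliced unencoded into the request path on the `Http.getInstance().get(...)` line, so a `filtervalue` containing `/`, `?`, `#` or `..` rewrites the route instead of being treated as an organization id; encode it: `` const orgid = encodeURIComponent(this.viewParam.filtervalue ? this.viewParam.filtervalue : "alls"); ``. The new line also drops the `hasfilter` gate the old line had, so a caller that sets `hasfilter` with an empty `filtervalue` now silently queries `alls` rather than the previous default — worth confirming that is intended. `loadTree`'s body continues outside the hunk.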
......
......@@ -166,10 +166,20 @@ export default class IBizGroupSelect extends Vue {
title: '分组选择'
};
const context: any = JSON.parse(JSON.stringify(this.context));
let filtervalue:string = "";
if(this.filter){
if(this.data[this.filter]){
filtervalue = this.data[this.filter];
}else if(context[this.filter]){
filtervalue = context[this.filter];
}else{
filtervalue = context.srforgid;
}
}
const param: any = {};
Object.assign(param, {
hasfilter: this.filter ? true : false,
filtervalue: this.filter ? this.data[this.filter] : '',
filtervalue: filtervalue,
multiple: this.multiple,
selects: this.selects
});
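Review bot: The three-level fallback that now feeds `filtervalue` (form data, then view context, then `context.srforgid`) is undocumented, and the last branch can leave `filtervalue` as `undefined` despite the `:string` annotation when `srforgid` is absent from the context. A short comment above the `if(this.filter)` block would help the next reader: `// filter value: form field first, then the view context, then fall back to the current user's org (srforgid)`, and `filtervalue = context.srforgid || "";` keeps the declared type honest. The enclosing method starts outside the hunk.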
......
......@@ -364,9 +364,13 @@
if(this.formDruipart){
this.formDruipart.subscribe((res:any) =>{
if(Object.is(res.action,'load')){
// 父数据保存时调用当前视图的点击确定事件
// 父数据保存时调用当前视图的事件
if(this.selectData.length>0){
// 选中了数据
this.onClickOk();
}else{
// 没选中数据
this.onClear();
}
}
});
......@@ -439,6 +443,10 @@
* @memberof SYS_ROLE_PERMISSIONCustomViewBase
*/
public beforeDestroy() {
// 清空选中数据
this.selectData = {};
// 清空视图选中数据
this.viewSelections = [];
this.$store.commit('viewaction/removeView', this.viewtag);
}
......@@ -473,7 +481,6 @@
if (this.selectData && this.selectData.length > 0) {
// 判断选中的数据和初始数据
if (JSON.stringify(this.selectData) == JSON.stringify(this.ininselectData)) {
this.$emit('close', null);
return;
}
this.selectData.forEach((item: any) => {
......@@ -498,15 +505,30 @@
}
}).catch((e) => {
});
} else {
this.$Notice.error({title: '错误', desc: '未选中数据!'});
}
// 清空视图选中数据,避免重复添加
this.viewSelections = [];
}
/**
* 清除
*/
private onClear(){
// 未选中数据,即没有赋予任何权限,需要清除当前角色的所有权限
if (this.selectData.length==0) {
// 保存选中的权限信息
let url = '/sysroles/'+this.srfparentkey+'/sysrolepermissions/refreshbatch';
this.$http.post(url,[]).then((response: any) => {
if (!(!response || response.status !== 200)) {
} else {
this.$Notice.error({title: '错误', desc: response.message});
return;
}
}).catch((e) => {
});
}
}
}
</script>
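Review bot: `onClear` posts an empty list to `/sysroles/{srfparentkey}/sysrolepermissions/refreshbatch` whenever the parent's `load` event arrives with `selectData` empty, which strips every permission from the role; nothing distinguishes "the user deselected everything" from "the selection has not been loaded yet", so a `load` fired before the grid populates would wipe the role. Mirror the guard `onClickOk` already uses and only clear when the initial selection was non-empty, e.g. `if (this.selectData.length == 0 && this.ininselectData && this.ininselectData.length > 0)`. In `beforeDestroy` the new line `this.selectData = {};` assigns an object while every other use (`.length`, `.forEach`) treats it as an array — use `this.selectData = [];`. The `.catch((e) => {})` in `onClear` swallows the failed request, so a half-applied clear is never surfaced to the user; at least `this.$Notice.error(...)` there as the success path does.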
......
......@@ -102,6 +102,8 @@ public class DevBootSecurityConfig extends WebSecurityConfigurerAdapter {
.antMatchers( HttpMethod.POST,"/"+uaaLoginPath).permitAll()
.antMatchers( HttpMethod.POST,"/"+uaaLoginPath2).permitAll()
.antMatchers("/syspssystems/**/permissiondata").permitAll()
//同步系统权限资源
.antMatchers("/syspssystems/save").permitAll()
.antMatchers("/uaa/login").permitAll()
.anyRequest().authenticated()
// 防止iframe 造成跨域
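Review bot: `.antMatchers("/syspssystems/save").permitAll()` lets any anonymous client POST a system's permission-resource definition, and this commit also comments out the `@PreAuthorize` on `SysPSSystemResource.save`, so no check remains at either layer. Because `antMatchers(String)` is method-agnostic, the rule also opens every other HTTP method on that path. The caller is the other service's `PermissionSyncJob` via Feign; give that Feign call a service credential (a request interceptor adding the bearer token) and drop this `permitAll`, or at minimum narrow it to `.antMatchers(HttpMethod.POST, "/syspssystems/save")` behind a network-level restriction. The `configure` method continues outside the hunk.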
......
......@@ -7,7 +7,6 @@ import cn.ibizlab.core.uaa.extensions.domain.Structure.FuncItem;
import cn.ibizlab.core.uaa.extensions.domain.Structure.UniResNode;
import com.alibaba.fastjson.annotation.JSONField;
import com.fasterxml.jackson.annotation.JsonProperty;
import liquibase.pro.packaged.S;
import lombok.Data;
import java.sql.Timestamp;
......
{
"systemid":"ibzuaa",
"unires":[
],
],
"entities":[
{
"dename":"SysAuthLog",
......
......@@ -117,6 +117,8 @@ public class apiSecurityConfig extends WebSecurityConfigurerAdapter {
.antMatchers("/"+uploadpath).permitAll()
.antMatchers("/"+previewpath+"/**").permitAll()
.antMatchers("/syspssystems/**/permissiondata").permitAll()
//同步系统权限资源
.antMatchers("/syspssystems/save").permitAll()
.antMatchers("/uaa/login").permitAll()
// 所有请求都需要认证
.anyRequest().authenticated()
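Review bot: The API profile now also serves `/syspssystems/save` without authentication, so the permission structure stored in UAA can be overwritten by anyone who can reach the API port; combined with the removed `@PreAuthorize` on the resource method, the write is completely unguarded. If the sync job must stay anonymous, keep the surface minimal with `.antMatchers(HttpMethod.POST, "/syspssystems/save")` and accept only from trusted addresses; otherwise authenticate the Feign caller and delete this line. The surrounding `configure` body starts and ends outside the hunk.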
......
......@@ -105,7 +105,7 @@ public class SysPSSystemResource {
return ResponseEntity.status(HttpStatus.OK).body(true);
}
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')")
// @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')")
@ApiOperation(value = "Save", tags = {"SysPSSystem" }, notes = "Save")
@RequestMapping(method = RequestMethod.POST, value = "/syspssystems/save")
public ResponseEntity<Boolean> save(@RequestBody SysPSSystemDTO syspssystemdto) {
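Review bot: Commenting out `@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')")` leaves `save` with no authorization at all, and the security configs in this commit additionally `permitAll` the path, so an unauthenticated `SysPSSystemDTO` can be written straight into the system's permission model. Restore the annotation and have the synchronizing service authenticate as a principal holding `ibzuaa-SysPSSystem-Save-all`, rather than opening the method. The method body continues outside the hunk.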
......
package cn.ibizlab.api.rest.extensions;
import cn.ibizlab.core.uaa.service.ISysPermissionService;
import cn.ibizlab.core.uaa.extensions.service.UAACoreService;
import cn.ibizlab.util.client.IBZOUFeignClient;
import cn.ibizlab.util.security.AuthTokenUtil;
import cn.ibizlab.util.security.AuthenticationInfo;
import cn.ibizlab.util.security.AuthenticationUser;
import cn.ibizlab.util.security.AuthorizationLogin;
import cn.ibizlab.util.service.AuthenticationUserService;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.util.StringUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.*;
/**
* 客户端登录认证
......@@ -36,19 +33,6 @@ public class ClientAuthenticationResource
@Autowired
private AuthTokenUtil jwtTokenUtil;
/**
* 实体操作标识
*/
private String OPPriTag="OPPRIV";
/**
* 统一资源标识
*/
private String UniResTag="UNIRES";
/**
* 菜单项标识
*/
private String AppMenuTag="APPMENU";
@Autowired
@Qualifier("IBZUSERService")
private AuthenticationUserService userDetailsService;
......@@ -56,9 +40,6 @@ public class ClientAuthenticationResource
@Autowired
private IBZOUFeignClient ouFeignClient;
@Autowired
private ISysPermissionService permissionService;
@PostMapping(value = "v7/login")
public ResponseEntity<AuthenticationInfo> login(@Validated @RequestBody AuthorizationLogin authorizationLogin){
userDetailsService.resetByUsername(authorizationLogin.getUsername());
......@@ -98,197 +79,25 @@ public class ClientAuthenticationResource
return ResponseEntity.ok().body(user);
}
@Autowired
UAACoreService uaaCoreService;
/**
* 设置用户权限
* 由于GrantedAuthority缺少无参构造,导致无法序列化,暂时通过PermissionList中转
* @param user
* @return
*/
public void setUserPermission(AuthenticationUser user) {
JSONObject permissionObj=new JSONObject();
//数据能力
String opprivSQL="SELECT\n" +
"\tT2.pssysmoduleid as sysmodule,\n" +
"\tT2.psdataentityid as dataentity,\n" +
"\tT2.pssourceid as pssourceid,\n" +
"\tT2.pssourcetype as pssourcetype,\n" +
"\tT2.psdedatarangeid as dedatarange,\n" +
"\tT1.sys_permissionid as permissionid,\n"+
"\tT1.sys_permissionname\n" +
"FROM\n" +
"\tibzrole_permission T\n" +
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n" +
"INNER JOIN ibzpsdeoppriv T2 on T1.SYS_PERMISSIONID=t2.SYS_PSDEOPPRIVID\n" +
"WHERE\n" +
"\tT.SYS_ROLEID IN (\n" +
"\t SELECT SYS_ROLEID\n" +
"\t FROM\n" +
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n" +
"\t WHERE\n" +
"\t T1.USERID = #{et.param0}\n" +
"\t)\n" +
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1 ";
//统一资源
String uniResSQL="SELECT\n" +
"\tt2.SYS_PSSYSUNIRESID,\n" +
"\tt2.SYS_PSSYSUNIRESNAME,\n" +
"\tT2.UNIRESCODE \n" +
"FROM\n" +
"\tibzrole_permission T\n" +
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n" +
"INNER JOIN IBZPSSYSUNIRES T2 on T1.SYS_PERMISSIONID=t2.SYS_PSSYSUNIRESID\n" +
"WHERE\n" +
"\tT.SYS_ROLEID IN (\n" +
"\t SELECT SYS_ROLEID\n" +
"\t FROM\n" +
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n" +
"\t WHERE\n" +
"\t T1.USERID = #{et.param0}\n" +
"\t)\n" +
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1";
//应用菜单
String appMenuSQL="SELECT\n" +
"\tt2.PSAPPMENUITEMID as MENUITEMID,\n" +
"\tt2.SYS_PSAPPMENUITEMNAME AS MENUITEMNAME \n" +
"FROM\n" +
"\tibzrole_permission T\n" +
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n" +
"INNER JOIN ibzpsappmenuitem T2 on T1.SYS_PERMISSIONID=t2.SYS_PSAPPMENUITEMID\n" +
"WHERE\n" +
"\tT.SYS_ROLEID IN (\n" +
"\t SELECT SYS_ROLEID\n" +
"\t FROM\n" +
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n" +
"\t WHERE\n" +
"\t T1.USERID = #{et.param0}\n" +
"\t)\n" +
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1";
Map opprivParam=new HashMap();
opprivParam.put("param0",user.getUserid());
opprivParam.put("param1",OPPriTag);
Map uniresParam=new HashMap();
uniresParam.put("param0",user.getUserid());
uniresParam.put("param1",UniResTag);
Map appMenuParam=new HashMap();
appMenuParam.put("param0",user.getUserid());
appMenuParam.put("param1",AppMenuTag);
List<JSONObject> entitiesList= permissionService.select(opprivSQL,opprivParam); //查询用户权限下数据能力
List<JSONObject> uniResList= permissionService.select(uniResSQL,uniresParam); //查询用户权限下的统一资源
List<JSONObject> appMenuItemList= permissionService.select(appMenuSQL,appMenuParam); //查询用户权限下的菜单项
JSONObject entities=getEntitiesList(entitiesList);
JSONArray uniRes=getUniRes(uniResList);
JSONArray appMenuItem=getAppMenuItem(appMenuItemList);
permissionObj.put("entities",entities);
permissionObj.put("unires",uniRes);
permissionObj.put("appmenu",appMenuItem);
permissionObj.put("authorities",getAuthoritiesArray(user,entitiesList));
user.setPermissionList(permissionObj);
}
/**
* 获取用户资源
* @return
*/
private JSONArray getAuthoritiesArray(AuthenticationUser user,List<JSONObject> dataRangeArray) {
JSONArray authoritiesArray =new JSONArray();
if(dataRangeArray.size()>0){
for(int a=0;a<dataRangeArray.size();a++){
JSONObject dataRangeObj=dataRangeArray.get(a);
String dataRangeId=dataRangeObj.getString("dedatarange");
String permissionId=dataRangeObj.getString("permissionid");
if( !StringUtils.isEmpty(dataRangeId) && !StringUtils.isEmpty(permissionId) && dataRangeId.equalsIgnoreCase("all") ){
authoritiesArray.add(permissionId);
}
}
}
Collection<GrantedAuthority> userAuthorities=uaaCoreService.getAuthoritiesByUserId(user.getUserid());
Set<String> authorities = AuthorityUtils.authorityListToSet(userAuthorities);
if(user.getSuperuser()==1){
authoritiesArray.add("ROLE_SUPERADMIN");
}
return authoritiesArray;
}
/**
* 获取应用菜单
* @param menuItemList
* @return
*/
private JSONArray getAppMenuItem(List<JSONObject> menuItemList) {
JSONArray menuItemArr=new JSONArray();
for(int a=0;a<menuItemList.size();a++){
JSONObject menuItem=menuItemList.get(a);
JSONObject newMenuItem=new JSONObject();
newMenuItem.put("appid",menuItem.getString("MENUITEMID"));
newMenuItem.put("appmenuid",menuItem.getString("MENUITEMNAME"));
newMenuItem.put("menuitemid",menuItem.getString("MENUITEMID"));
newMenuItem.put("menuitemname",menuItem.getString("MENUITEMNAME"));
menuItemArr.add(newMenuItem);
}
return menuItemArr;
}
/**
* 获取统一资源
* @param uniResList
* @return
*/
private JSONArray getUniRes(List<JSONObject> uniResList) {
JSONArray uniResArr=new JSONArray();
for(int a=0;a<uniResList.size();a++){
JSONObject uniRes=uniResList.get(a);
JSONObject newUniRes=new JSONObject();
newUniRes.put("unirescode",uniRes.getString("UNIRESCODE"));
newUniRes.put("uniresname",uniRes.getString("SYS_PSSYSUNIRESNAME"));
uniResArr.add(newUniRes);
}
return uniResArr;
}
/**
* 拼接实体行为资源
* @param role_permissions
* @return
*/
private JSONObject getEntitiesList(List<JSONObject> role_permissions) {
JSONObject permission_entity= new JSONObject();
for (Map rolePermission : role_permissions) {
JSONObject obj = JSONObject.parseObject(JSONObject.toJSON(rolePermission).toString());
String entityName = obj.getString("dataentity");
String dataRangeName = obj.getString("dedatarange");
String sourceName = obj.getString("pssourceid");
String sourceType=obj.getString("pssourcetype");
JSONObject entity = new JSONObject();
JSONObject permission = new JSONObject();
JSONArray dataRange = new JSONArray();
if (permission_entity.containsKey(entityName))//实体合并
entity = permission_entity.getJSONObject(entityName);
if (entity.containsKey(sourceType))//数据能力合并
permission = entity.getJSONObject(sourceType);
if(permission.containsKey(sourceName))
dataRange=permission.getJSONArray(sourceName);
dataRange.add(dataRangeName);
permission.put(sourceName,dataRange);
entity.put(sourceType, permission);
permission_entity.put(entityName, entity);
authorities.add("ROLE_SUPERADMIN");
}
return permission_entity;
JSONObject permission =new JSONObject();
permission.put("authorities",authorities);
user.setPermissionList(permission);
}
/**
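Review bot: The rewritten `setUserPermission` compares `user.getSuperuser()==1`; if `getSuperuser()` returns a boxed `Integer` (not visible here), a null value throws NullPointerException during login — `Integer.valueOf(1).equals(user.getSuperuser())` is null-safe. `AuthorityUtils.authorityListToSet(userAuthorities)` likewise assumes `uaaCoreService.getAuthoritiesByUserId(...)` never returns null; guard or document that contract. The Javadoc still says the permission list is a workaround for `GrantedAuthority` lacking a no-arg constructor, which no longer explains the new shape — replace it with `* Fills user.permissionList with {"authorities": [...]} taken from UAACoreService, plus ROLE_SUPERADMIN for superusers.`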
......
......@@ -9,8 +9,8 @@ import com.alibaba.fastjson.JSONObject;
public class IBZUAAFallback implements IBZUAAFeignClient {
@Override
public boolean pushSystemPermissionData(String systemid,JSONObject systemPermissionData) {
return false;
public Boolean syncSysAuthority(JSONObject system) {
return null;
}
@Override
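Review bot: The fallback `syncSysAuthority` returns `null` for a `Boolean`, and the only visible caller (`PermissionSyncJob`) unboxes it in `if(client.syncSysAuthority(system))`, so a UAA outage surfaces as a NullPointerException rather than the logged failure branch. Return `false` here: `return Boolean.FALSE;`.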
......
......@@ -10,13 +10,12 @@ import com.alibaba.fastjson.JSONObject;
public interface IBZUAAFeignClient
{
/**
* 推送系统权限数据到uaa
* @param systemid
* @param systemPermissionData
* 同步系统资源到uaa
* @param system 系统资源信息
* @return
*/
@PostMapping("/syspssystems/{systemid}/permissiondata")
boolean pushSystemPermissionData(@PathVariable("systemid") String systemid,@RequestBody JSONObject systemPermissionData);
@PostMapping("/syspssystems/save")
Boolean syncSysAuthority(@RequestBody JSONObject system);
/**
* 用户登录
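Review bot: The `@param system` description "系统资源信息" does not say what the payload must contain, and the only producer (`PermissionSyncJob`) fills three keys. Document them on `syncSysAuthority`: `@param system JSON with pssystemid, pssystemname and sysstructure (the parsed systemResource.json)`, and note for `@return` that the fallback implementation may yield null, so callers should compare with `Boolean.TRUE.equals(...)`.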
......
......@@ -36,10 +36,14 @@ public class PermissionSyncJob implements ApplicationRunner {
Thread.sleep(10000);
InputStream permission= this.getClass().getResourceAsStream("/permission/systemResource.json"); //获取当前系统所有实体资源能力
String permissionResult = IOUtils.toString(permission,"UTF-8");
if(client.pushSystemPermissionData(systemId,JSONObject.parseObject(permissionResult))){
JSONObject system= new JSONObject();
system.put("pssystemid",systemId);
system.put("pssystemname",systemId);
system.put("sysstructure",JSONObject.parseObject(permissionResult));
if(client.syncSysAuthority(system)){
log.info("向[UAA]同步系统资源成功");
}else{
log.info(String.format("向[UAA]同步系统资源失败"));
log.error("向[UAA]同步系统资源失败");
}
}
catch (Exception ex) {
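Review bot: `if(client.syncSysAuthority(system))` unboxes a `Boolean`, and the Feign fallback in this commit returns `null`, so when UAA is unreachable the job throws NullPointerException into the generic `catch (Exception ex)` instead of hitting the `log.error("向[UAA]同步系统资源失败")` branch; use `if (Boolean.TRUE.equals(client.syncSysAuthority(system)))`. The `InputStream permission` from `getResourceAsStream` is never closed and is null if the resource is missing — wrap it in try-with-resources and check for null before `IOUtils.toString`. `pssystemname` is set to `systemId`, which may be intended but is worth a one-line comment. The `run` method body continues outside the hunk.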
......
package cn.ibizlab.util.rest;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import cn.ibizlab.util.security.AuthenticationUser;
import cn.ibizlab.util.service.AuthenticationUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.ObjectUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.annotation.Autowired;
import cn.ibizlab.util.security.AuthenticationUser;
import cn.ibizlab.util.service.AuthenticationUserService;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
@RestController
@RequestMapping(value = "")
......@@ -27,14 +30,20 @@ public class AppController {
public ResponseEntity<JSONObject> getAppData() {
JSONObject appData = new JSONObject() ;
JSONArray uniRes=new JSONArray();
JSONArray appMenu=new JSONArray();
Set<String> appMenu = new HashSet();
Set<String> uniRes = new HashSet();
if(enablePermissionValid){
JSONObject userPermission=AuthenticationUser.getAuthenticationUser().getPermissionList();
if(!ObjectUtils.isEmpty(userPermission)){
uniRes = userPermission.getJSONArray("unires");
appMenu = userPermission.getJSONArray("appmenu");
}
Collection<GrantedAuthority> authorities=AuthenticationUser.getAuthenticationUser().getAuthorities();
Iterator it = authorities.iterator();
while(it.hasNext()) {
GrantedAuthority authority = (GrantedAuthority)it.next();
String strAuthority=authority.getAuthority();
if(strAuthority.startsWith("UNIRES"))
uniRes.add(strAuthority);
else if(strAuthority.startsWith("APPMENU"))
appMenu.add(strAuthority);
}
}
appData.put("unires",uniRes);
appData.put("appmenu",appMenu);
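Review bot: The new authority loop uses raw types (`new HashSet()`, `Iterator it`) and a manual cast that the generic `Collection<GrantedAuthority>` already makes unnecessary; a for-each over the typed collection is shorter and compiles without unchecked warnings. Whether `getAuthorities()` can return null for an anonymous request is not visible here — if it can, the loop needs a null guard. `getAppData` continues outside the hunk.
```java
Set<String> appMenu = new HashSet<>();
Set<String> uniRes = new HashSet<>();
if (enablePermissionValid) {
    Collection<GrantedAuthority> authorities = AuthenticationUser.getAuthenticationUser().getAuthorities();
    for (GrantedAuthority authority : authorities) {
        String strAuthority = authority.getAuthority();
        if (strAuthority.startsWith("UNIRES")) {
            uniRes.add(strAuthority);
        } else if (strAuthority.startsWith("APPMENU")) {
            appMenu.add(strAuthority);
        }
    }
}
// … unchanged: appData.put("unires"/"appmenu") …
```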
......
package cn.ibizlab.util.security;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mongodb.QueryBuilder;
......@@ -18,6 +16,7 @@ import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
......@@ -35,10 +34,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value("${ibiz.enablePermissionValid:false}")
boolean enablePermissionValid; //是否开启权限校验
/**
* 实体行为操作标识
*/
private String DEActionType="DEACTION";
/**
*实体主键标识
*/
......@@ -67,9 +62,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
List<String> ids=null;
EntityBase entity;
List<EntityBase> entityList = null;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList();
if(userPermission==null)
return false;
MappingBase mappingBase= (MappingBase) paramList.get(1);
//参数准备
if(action.equalsIgnoreCase("remove")){
......@@ -86,26 +78,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if (entity==null)
return false;
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action);
if(entityDataRange.size()==0)
return false;
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(entityName,action,permissionList)){
if(isAllData(action,entityDataRange)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("create")){
return createBatchActionPermissionValid(entityList,dataRangeList);
return createBatchActionPermissionValid(entityList,entityDataRange);
}
else if(action.equalsIgnoreCase("save")){
return saveBatchActionPermissionValid(deStorageMode, entityList, dataRangeList);
return saveBatchActionPermissionValid(deStorageMode, entityList, entityDataRange);
}
else{
if(!action.equalsIgnoreCase("remove")){
......@@ -113,7 +98,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
if(ids.size()==0)
return false;
return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, dataRangeList);
return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, entityDataRange);
}
}
......@@ -142,23 +127,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if (StringUtils.isEmpty(entity))
return false;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList();
if(userPermission==null)
Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action);
if(entityDataRange.size()==0)
return false;
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(entityName,action,permissionList)){
if(isAllData(action,entityDataRange)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("save")){
Map<String,String> permissionField=getPermissionField(entity);
......@@ -170,21 +147,41 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
action="update";
}
if(action.equalsIgnoreCase("create")){
return createActionPermissionValid(entity,dataRangeList);
return createActionPermissionValid(entity,entityDataRange);
}
else{
return otherActionPermissionValidRouter(deStorageMode, entity, id, dataRangeList);
return otherActionPermissionValidRouter(deStorageMode, entity, id, entityDataRange);
}
}
/**
* 获取用户权限资源
* @param authentication
* @param entityName
* @param action
* @return
*/
private Set<String> getAuthorities(Authentication authentication,String entityName,String action){
Collection authorities=authentication.getAuthorities();
Set<String> entityDataRange = new HashSet();
Iterator var2 = authorities.iterator();
while(var2.hasNext()) {
GrantedAuthority authority = (GrantedAuthority)var2.next();
if(authority.getAuthority().contains(String.format("%s-%s-",entityName,action)))
entityDataRange.add(authority.getAuthority());
}
return entityDataRange;
}
/**
* 批save校验
* @param deStorageMode
* @param entityList
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean saveBatchActionPermissionValid(String deStorageMode, List<EntityBase> entityList, JSONArray dataRangeList) {
private boolean saveBatchActionPermissionValid(String deStorageMode, List<EntityBase> entityList, Set<String> entityDataRange) {
if(entityList==null || entityList.size()==0)
return false;
......@@ -202,12 +199,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
updateList.add(String.valueOf(id));
}
if(updateList.size()>0){
boolean isUpdate = otherBatchActionPermissionValidRouter(deStorageMode, tempEntity ,updateList, dataRangeList);
boolean isUpdate = otherBatchActionPermissionValidRouter(deStorageMode, tempEntity ,updateList, entityDataRange);
if(!isUpdate)
return false;
}
if(createList.size()>0){
boolean isCreate=createBatchActionPermissionValid(entityList,dataRangeList);
boolean isCreate=createBatchActionPermissionValid(entityList,entityDataRange);
if(!isCreate)
return false;
}
......@@ -217,12 +214,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 批处理新建权限校验
* @param entityList
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean createBatchActionPermissionValid(List<EntityBase> entityList,JSONArray dataRangeList){
private boolean createBatchActionPermissionValid(List<EntityBase> entityList,Set<String> entityDataRange){
for(EntityBase entity : entityList){
boolean isCreate = createActionPermissionValid(entity ,dataRangeList);
boolean isCreate = createActionPermissionValid(entity ,entityDataRange);
if(!isCreate){
return false;
}
......@@ -235,16 +232,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param ids
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , JSONArray dataRangeList){
private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlBatchPermissionValid(entity ,ids, dataRangeList);
return sqlBatchPermissionValid(entity ,ids, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlBatchPermissionValid(entity, ids , dataRangeList);
return noSqlBatchPermissionValid(entity, ids , entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
......@@ -258,16 +255,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* SQL批处理权限校验
* @param entity
* @param ids
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, JSONArray dataRangeList){
private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
//通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,dataRangeList),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑
String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,entityDataRange),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
......@@ -282,15 +279,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL批处理权限校验
* @param entity
* @param ids
* @param dataRange
* @param entityDataRange
* @return
*/
private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, JSONArray dataRange) {
private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRange);
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键
permissionCond.and(keyFieldName).in(ids);
//执行权限检查
......@@ -306,59 +303,26 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 是否为全部数据
* @param permissionList
* @param entityName
* @param action
* @return
*/
private boolean isAllData( String entityName, String action ,JSONObject permissionList) {
if(permissionList==null)
return false;
if(!permissionList.containsKey(entityName))
return false;
JSONObject entity=permissionList.getJSONObject(entityName);
if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action) && dataRange.getJSONArray(action).contains("all"))
return true;
return false;
}
/**
* 实体行为权限校验
* @param userPermission
* @param entityName
* @param action
* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}
* @param entityDataRange
* @return
*/
private boolean validDEActionHasPermission(String entityName , String action ,JSONObject userPermission){
boolean hasPermission=false;
if(userPermission==null)
return false;
if(!userPermission.containsKey(entityName))
return false;
JSONObject entity=userPermission.getJSONObject(entityName);//获取实体
if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action)){
hasPermission=true;
private boolean isAllData(String action , Set<String> entityDataRange) {
for(String dataRange : entityDataRange ){
if(dataRange.endsWith(String.format("%s-all",action))){
return true;
}
}
return hasPermission;
return false;
}
/**
* 新建行为校验
* @param entity
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean createActionPermissionValid(EntityBase entity, JSONArray dataRangeList){
private boolean createActionPermissionValid(EntityBase entity, Set<String> entityDataRange){
boolean isCreate=true;
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
......@@ -379,24 +343,23 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>();
for(int a=0;a<dataRangeList.size();a++){
String permissionCond=dataRangeList.getString(a);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
for(String permissionCond:entityDataRange){
if(permissionCond.endsWith("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid());
}
else if(permissionCond.equals("porg")){//上级单位
else if(permissionCond.endsWith("porg")){//上级单位
userOrg.addAll(orgParent);
}
else if(permissionCond.equals("sorg")){//下级单位
else if(permissionCond.endsWith("sorg")){//下级单位
userOrg.addAll(orgChild);
}
else if(permissionCond.equals("curorgdept")){//本部门
else if(permissionCond.endsWith("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid());
}
else if(permissionCond.equals("porgdept")){//上级部门
else if(permissionCond.endsWith("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent);
}
else if(permissionCond.equals("sorgdept")){//下级部门
else if(permissionCond.endsWith("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild);
}
}
......@@ -419,16 +382,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param id
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , JSONArray dataRangeList){
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , id, dataRangeList);
return sqlPermissionValid(entity , id, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlPermissionValid(entity , id, dataRangeList);
return noSqlPermissionValid(entity , id, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
......@@ -442,15 +405,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* sql存储模式实体行为鉴权
* @param entity
* @param id
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean sqlPermissionValid(EntityBase entity , Object id, JSONArray dataRangeList){
private boolean sqlPermissionValid(EntityBase entity , Object id, Set<String> entityDataRange){
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
//通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,dataRangeList),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑
String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,entityDataRange),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
......@@ -466,15 +429,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL实体行为鉴权
* @param entity
* @param id
* @param dataRangeList
* @param entityDataRange
* @return
*/
private boolean noSqlPermissionValid(EntityBase entity, Object id, JSONArray dataRangeList) {
private boolean noSqlPermissionValid(EntityBase entity, Object id, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRangeList);
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键
permissionCond.and(keyField).is(id);
//执行权限检查
......@@ -492,10 +455,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 为NoSQL存储模式的表格查询填充权限条件
* @param entity
* @param dataRangeList
* @param entityDataRange
* @return
*/
private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,JSONArray dataRangeList ){
private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,Set<String> entityDataRange){
QueryBuilder permissionSQL=new QueryBuilder();
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
......@@ -509,30 +472,29 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
for(int i=0;i<dataRangeList.size();i++){
String permissionCond=dataRangeList.getString(i);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
for(String permissionCond:entityDataRange){
if(permissionCond.endsWith("curorg")){ //本单位
permissionSQL.or(new QueryBuilder().and(orgField).is(AuthenticationUser.getAuthenticationUser().getOrgid()).get());
}
else if(permissionCond.equals("porg")){//上级单位
else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgParent)).get());
}
else if(permissionCond.equals("sorg")){//下级单位
else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgChild)).get());
}
else if(permissionCond.equals("createman")){//建立人
else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.or(new QueryBuilder().and(createManField).is(AuthenticationUser.getAuthenticationUser().getUserid()).get());
}
else if(permissionCond.equals("curorgdept")){//本部门
else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).is(AuthenticationUser.getAuthenticationUser().getMdeptid()).get());
}
else if(permissionCond.equals("porgdept")){//上级部门
else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptParent)).get());
}
else if(permissionCond.equals("sorgdept")){//下级部门
else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptChild)).get());
}
else if(permissionCond.equals("all")){
else if(permissionCond.endsWith("all")){
permissionSQL.or(new QueryBuilder().get());
}
}
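Review bot: Replacing `equals` with `endsWith` turns every range tag into a suffix match, so any entry whose text merely ends in "all" — whatever precedes it — reaches `permissionSQL.or(new QueryBuilder().get())` and widens the query to the whole collection; the same applies to the `(1=1)` branch of getPermissionSQL in the hunk at -561/+523. If the new Set entries carry a prefix in front of the range tag (the caller that builds entityDataRange is not visible here), compare the final delimited segment exactly instead, e.g. `String range = permissionCond.substring(permissionCond.lastIndexOf(<delimiter>) + 1);` and then `if(range.equals("curorg"))`, with the real delimiter substituted. A short comment on the loop header stating what format the entries are expected to have would make the suffix logic reviewable, e.g. `// entityDataRange entries are "<prefix><range>"; only the trailing range tag is compared`. The enclosing method continues outside the hunk.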
......@@ -543,10 +505,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* SQL获取权限条件
* @param entity
* @param oppriList
* @param entityDataRange
* @return
*/
private String getPermissionSQL(EntityBase entity, JSONArray oppriList){
private String getPermissionSQL(EntityBase entity, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String nPermissionSQL = "1<>1";
......@@ -561,31 +523,30 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
for(int i=0;i<oppriList.size();i++){
for(String permissionCond: entityDataRange){
permissionSQL.append("OR");
String permissionCond=oppriList.getString(i);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
if(permissionCond.endsWith("curorg")){ //本单位
permissionSQL.append(String.format("(%s='%s')",orgField,AuthenticationUser.getAuthenticationUser().getOrgid()));
}
else if(permissionCond.equals("porg")){//上级单位
else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgParent)));
}
else if(permissionCond.equals("sorg")){//下级单位
else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgChild)));
}
else if(permissionCond.equals("createman")){//建立人
else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.append(String.format("(%s='%s')",createManField,AuthenticationUser.getAuthenticationUser().getUserid()));
}
else if(permissionCond.equals("curorgdept")){//本部门
else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.append(String.format("(%s='%s')",orgDeptField,AuthenticationUser.getAuthenticationUser().getMdeptid()));
}
else if(permissionCond.equals("porgdept")){//上级部门
else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptParent)));
}
else if(permissionCond.equals("sorgdept")){//下级部门
else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptChild)));
}
else if(permissionCond.equals("all")){//全部数据
else if(permissionCond.endsWith("all")){//全部数据
permissionSQL.append("(1=1)");
}
else{
......@@ -701,21 +662,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return "'" + String.join("','", arr) + "'";
}
/**
* 获取数据范围
* @param entityName
* @param action
* @param permissionList
* @return
*/
private JSONArray getDataRange(String entityName, String action , JSONObject permissionList){
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entityName);//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:read;insert...
return dataRangeList;
}
/**
* 获取实体主键集合
* @param entityBase
......
......@@ -7,6 +7,7 @@ import cn.ibizlab.util.errors.BadRequestAlertException;
import cn.ibizlab.util.helper.CachedBeanCopier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Primary;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import cn.ibizlab.util.mapper.IBZUSERMapper;
......@@ -72,6 +73,9 @@ public class IBZUSERServiceImpl extends ServiceImpl<IBZUSERMapper, IBZUSER> impl
public AuthenticationUser createUserDetails(IBZUSER user) {
AuthenticationUser userdatail = new AuthenticationUser();
CachedBeanCopier.copy(user,userdatail);
if(userdatail.getSuperuser()==1){
userdatail.setAuthorities(AuthorityUtils.createAuthorityList("ROLE_SUPERADMIN"));
}
return userdatail;
}
}
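Review bot: `if(userdatail.getSuperuser()==1)` will throw a NullPointerException during unboxing if `superuser` is a boxed Integer and the user row leaves it null; I cannot tell from this hunk whether the getter returns int or Integer, and `Integer.valueOf(1).equals(userdatail.getSuperuser())` is null-safe in either case. The branch also replaces whatever authorities the bean copy populated rather than adding to them, which deserves a one-line comment such as `// superuser flag overrides copied authorities with ROLE_SUPERADMIN` so the override is intentional rather than accidental. Because a persisted column now maps directly to a global ROLE_SUPERADMIN authority, the `superuser` field needs to stay excluded from any client-writable update path (bean copies from request bodies), which this hunk cannot show.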
\ No newline at end of file