Skip to content

iBiz4j Spring R7
iBiz4j Spring R7
提交 35c235c7 编写于 作者: zhouweidong's avatar zhouweidong
浏览文件
操作

简化权限校验

上级 5b286bc3
隐藏空白字符变更
内嵌 并排
正在显示 包含 54 行增加42 行删除
SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
浏览文件 @ 35c235c7
......@@ -630,16 +630,16 @@ public class ${itemCodeName}Resource {
<#macro SecurityAnnotation deaction>
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
<#if deaction.codeName?lower_case=='create' || deaction.codeName?lower_case=='save'>
@PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dto),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
@PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dto),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
<#elseif deaction.codeName?lower_case=='update' || deaction.codeName?lower_case=='remove'>
@PreAuthorize("hasPermission(this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC}),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
@PreAuthorize("hasPermission(this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC}),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
<#elseif deaction.codeName?lower_case=='get'>
@PostAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
@PostAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
<#else>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
</#if>
</#if>
</#macro>
......@@ -648,7 +648,7 @@ public class ${itemCodeName}Resource {
<#if deaction.codeName?lower_case=='Remove'>
//
<#else>
//@PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
@PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
</#if>
</#macro>
......
SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
浏览文件 @ 35c235c7
......@@ -26,7 +26,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value("${r'${ibiz.enablePermissionValid:false}'}")
boolean enablePermissionValid; //是否开启权限校验
/**
*实体主键标识
*/
private String keyFieldTag="keyfield";
/**
* 实体行为鉴权
* @param authentication
......@@ -42,18 +45,18 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return true;
String strAction=String.valueOf(action);
Set<String> entityDataRange = getAuthorities(authentication,strAction);
if(entityDataRange.size()==0)
Set<String> userAuthorities = getAuthorities(authentication,strAction);
if(userAuthorities.size()==0)
return false;
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(strAction,entityDataRange)){
if(isAllData(strAction,userAuthorities)){
return true;
}
if(entity instanceof ArrayList){
List<EntityBase> entities= (List<EntityBase>) entity;
for(EntityBase entityBase: entities){
boolean result=actionValid(entityBase,strAction,entityDataRange);
boolean result=actionValid(entityBase, strAction ,userAuthorities);
if(!result){
return false;
}
......@@ -61,7 +64,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
else{
EntityBase entityBase= (EntityBase) entity;
return actionValid(entityBase,strAction,entityDataRange);
return actionValid(entityBase , strAction ,userAuthorities);
}
return true;
}
......@@ -80,15 +83,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
*/
private Set<String> getAuthorities(Authentication authentication , String action){
Collection authorities=authentication.getAuthorities();
Set<String> entityDataRange = new HashSet();
Set<String> userAuthorities = new HashSet();
Iterator var2 = authorities.iterator();
while(var2.hasNext()) {
GrantedAuthority authority = (GrantedAuthority)var2.next();
if(authority.getAuthority().contains(action))
entityDataRange.add(authority.getAuthority());
userAuthorities.add(authority.getAuthority());
}
return entityDataRange;
return userAuthorities;
}
/**
......@@ -109,10 +112,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 实体行为权限校验
* @param entity
* @param entityDataRange
* @param userAuthorities
* @return
*/
private boolean actionValid(EntityBase entity, String action, Set<String> entityDataRange){
private boolean actionValid(EntityBase entity, String action , Set<String> userAuthorities){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield");
......@@ -132,47 +135,56 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>();
for(String permissionCond:entityDataRange){
if(permissionCond.endsWith("curorg")){ //本单位
for(String authority:userAuthorities){
if(authority.endsWith("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid());
}
else if(permissionCond.endsWith("porg")){//上级单位
else if(authority.endsWith("porg")){//上级单位
userOrg.addAll(orgParent);
}
else if(permissionCond.endsWith("sorg")){//下级单位
else if(authority.endsWith("sorg")){//下级单位
userOrg.addAll(orgChild);
}
else if(permissionCond.endsWith("curorgdept")){//本部门
else if(authority.endsWith("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid());
}
else if(permissionCond.endsWith("porgdept")){//上级部门
else if(authority.endsWith("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent);
}
else if(permissionCond.endsWith("sorgdept")){//下级部门
else if(authority.endsWith("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild);
}
}
if(action.endsWith("Create")){
if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue))
return false;
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue))
return false;
if(!ObjectUtils.isEmpty(crateManFieldValue) && !crateManFieldValue.equals(authenticationUser.getUserid()))
return false;
return true;
if(action.endsWith("Save")){
String keyFieldName=permissionField.get(keyFieldTag);
Object srfKey=entity.get(keyFieldName);
if(ObjectUtils.isEmpty(srfKey))
action="Create";
else
action="Update";
}
else{
if(!ObjectUtils.isEmpty(orgFieldValue) && userOrg.contains(orgFieldValue))
return true;
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && userOrgDept.contains(orgDeptFieldValue))
return true;
if(!ObjectUtils.isEmpty(crateManFieldValue) && crateManFieldValue.equals(authenticationUser.getUserid()))
return true;
return false;
}
if(action.endsWith("Create")){
if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue))
return false;
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue))
return false;
if(!ObjectUtils.isEmpty(crateManFieldValue) && !authenticationUser.getUserid().equals(crateManFieldValue))
return false;
return true;
}
else{
if(!ObjectUtils.isEmpty(orgFieldValue) && userOrg.contains(orgFieldValue))
return true;
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && userOrgDept.contains(orgDeptFieldValue))
return true;
if(!ObjectUtils.isEmpty(crateManFieldValue) && authenticationUser.getUserid().equals(crateManFieldValue))
return true;
return false;
}
}
/**
......
Markdown 格式
0% or
您添加了 0 到此讨论。请谨慎行事。
先完成此消息的编辑!
想要评论请 注册