简化权限校验

35c235c7 · zhouweidong · 5b286bc3 · 35c235c7 · 35c235c7
--- a/SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
+++ b/SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
@@ -630,16 +630,16 @@ public class ${itemCodeName}Resource {
 <#macro SecurityAnnotation deaction>
    <#if noDEPrefield>
-        @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
+    @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
    <#else>
        <#if deaction.codeName?lower_case=='create' || deaction.codeName?lower_case=='save'>
-        @PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dto),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
+    @PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dto),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
        <#elseif deaction.codeName?lower_case=='update' || deaction.codeName?lower_case=='remove'>
-        @PreAuthorize("hasPermission(this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC}),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
+    @PreAuthorize("hasPermission(this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC}),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
        <#elseif deaction.codeName?lower_case=='get'>
-        @PostAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
+    @PostAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
        <#else>
-        @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
+    @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
        </#if>
    </#if>
 </#macro>
@@ -648,7 +648,7 @@ public class ${itemCodeName}Resource {
    <#if deaction.codeName?lower_case=='Remove'>
    //
    <#else>
-    //@PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
+    @PreAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
    </#if>
 </#macro>

--- a/SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
+++ b/SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
@@ -26,7 +26,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
    @Value("${r'${ibiz.enablePermissionValid:false}'}")
    boolean enablePermissionValid;  //是否开启权限校验
+    /**
+     *实体主键标识
+     */
+    private String keyFieldTag="keyfield";
    /**
     * 实体行为鉴权
     * @param authentication
@@ -42,18 +45,18 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
            return true;
        String strAction=String.valueOf(action);
-        Set<String> entityDataRange = getAuthorities(authentication,strAction);
+        Set<String> userAuthorities = getAuthorities(authentication,strAction);
-        if(entityDataRange.size()==0)
+        if(userAuthorities.size()==0)
            return false;
        //拥有全部数据访问权限时，则跳过权限检查
-        if(isAllData(strAction,entityDataRange)){
+        if(isAllData(strAction,userAuthorities)){
            return true;
        }
        if(entity instanceof  ArrayList){
            List<EntityBase> entities= (List<EntityBase>) entity;
            for(EntityBase entityBase: entities){
-                boolean result=actionValid(entityBase,strAction,entityDataRange);
+                boolean result=actionValid(entityBase, strAction ,userAuthorities);
                if(!result){
                   return false;
                }
@@ -61,7 +64,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
        }
        else{
            EntityBase entityBase= (EntityBase) entity;
-            return actionValid(entityBase,strAction,entityDataRange);
+            return actionValid(entityBase , strAction ,userAuthorities);
        }
        return true;
    }
@@ -80,15 +83,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
     */
    private Set<String> getAuthorities(Authentication authentication , String action){
        Collection authorities=authentication.getAuthorities();
-        Set<String> entityDataRange = new HashSet();
+        Set<String> userAuthorities = new HashSet();
        Iterator var2 = authorities.iterator();
        while(var2.hasNext()) {
            GrantedAuthority authority = (GrantedAuthority)var2.next();
            if(authority.getAuthority().contains(action))
-                entityDataRange.add(authority.getAuthority());
+                userAuthorities.add(authority.getAuthority());
        }
-        return entityDataRange;
+        return userAuthorities;
    }
    /**
@@ -109,10 +112,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
    /**
     * 实体行为权限校验
     * @param entity
-     * @param entityDataRange
+     * @param userAuthorities
     * @return
     */
-    private boolean actionValid(EntityBase entity, String action, Set<String> entityDataRange){
+    private boolean actionValid(EntityBase entity, String action , Set<String> userAuthorities){
        Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
        String orgField=permissionField.get("orgfield");
@@ -132,47 +135,56 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
        Set<String> userOrg = new HashSet<>();
        Set<String> userOrgDept = new HashSet<>();
-        for(String permissionCond:entityDataRange){
+        for(String authority:userAuthorities){
-            if(permissionCond.endsWith("curorg")){   //本单位
+            if(authority.endsWith("curorg")){   //本单位
                userOrg.add(authenticationUser.getOrgid());
            }
-            else if(permissionCond.endsWith("porg")){//上级单位
+            else if(authority.endsWith("porg")){//上级单位
                userOrg.addAll(orgParent);
            }
-            else if(permissionCond.endsWith("sorg")){//下级单位
+            else if(authority.endsWith("sorg")){//下级单位
                userOrg.addAll(orgChild);
            }
-            else if(permissionCond.endsWith("curorgdept")){//本部门
+            else if(authority.endsWith("curorgdept")){//本部门
                userOrgDept.add(authenticationUser.getMdeptid());
            }
-            else if(permissionCond.endsWith("porgdept")){//上级部门
+            else if(authority.endsWith("porgdept")){//上级部门
                userOrgDept.addAll(orgDeptParent);
            }
-            else if(permissionCond.endsWith("sorgdept")){//下级部门
+            else if(authority.endsWith("sorgdept")){//下级部门
                userOrgDept.addAll(orgDeptChild);
            }
        }
-        if(action.endsWith("Create")){
+        if(action.endsWith("Save")){
-            if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue))
+            String keyFieldName=permissionField.get(keyFieldTag);
-                return false;
+            Object srfKey=entity.get(keyFieldName);
-            if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue))
+            if(ObjectUtils.isEmpty(srfKey))
-                return false;
+                action="Create";
-            if(!ObjectUtils.isEmpty(crateManFieldValue) && !crateManFieldValue.equals(authenticationUser.getUserid()))
+            else
-                return false;
+                action="Update";
-                return true;
        }
-        else{
-            if(!ObjectUtils.isEmpty(orgFieldValue) && userOrg.contains(orgFieldValue))
-                return true;
-            if(!ObjectUtils.isEmpty(orgDeptFieldValue) && userOrgDept.contains(orgDeptFieldValue))
-                return true;
-            if(!ObjectUtils.isEmpty(crateManFieldValue) && crateManFieldValue.equals(authenticationUser.getUserid()))
-                return true;
-                return false;
+       if(action.endsWith("Create")){
-        }
+           if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue))
+               return false;
+           if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue))
+               return false;
+           if(!ObjectUtils.isEmpty(crateManFieldValue) && !authenticationUser.getUserid().equals(crateManFieldValue))
+               return false;
+               return true;
+       }
+       else{
+           if(!ObjectUtils.isEmpty(orgFieldValue) && userOrg.contains(orgFieldValue))
+               return true;
+           if(!ObjectUtils.isEmpty(orgDeptFieldValue) && userOrgDept.contains(orgDeptFieldValue))
+               return true;
+           if(!ObjectUtils.isEmpty(crateManFieldValue) && authenticationUser.getUserid().equals(crateManFieldValue))
+               return true;
+               return false;
+       }
    }
    /**