提交 43b4aa37 编写于 作者: zhouweidong's avatar zhouweidong

补充数据查询上下级权限

上级 862e85cf
...@@ -261,7 +261,7 @@ public class ${itemCodeName}Resource { ...@@ -261,7 +261,7 @@ public class ${itemCodeName}Resource {
</#if> </#if>
<#elseif apiMethod.getActionType()=='FETCH'> <#elseif apiMethod.getActionType()=='FETCH'>
<#assign deds = apiMethod.getPSDEDataSet()> <#assign deds = apiMethod.getPSDEDataSet()>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all') and hasPermission(#context,'${sys.codeName}-${de.codeName}-Get')")
<#--<@SecurityAnnotation deds/>--> <#--<@SecurityAnnotation deds/>-->
@ApiOperation(value = "获取${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "获取${deds.getLogicName()}") @ApiOperation(value = "获取${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "获取${deds.getLogicName()}")
@RequestMapping(method= RequestMethod.${reqMtd} , value="${fullPath}/fetch<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>") @RequestMapping(method= RequestMethod.${reqMtd} , value="${fullPath}/fetch<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>")
...@@ -285,7 +285,7 @@ public class ${itemCodeName}Resource { ...@@ -285,7 +285,7 @@ public class ${itemCodeName}Resource {
</#if> </#if>
} }
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all') and hasPermission(#context,'${sys.codeName}-${de.codeName}-Get')")
<#--<@SecurityAnnotation deds/>--> <#--<@SecurityAnnotation deds/>-->
@ApiOperation(value = "查询${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "查询${deds.getLogicName()}") @ApiOperation(value = "查询${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "查询${deds.getLogicName()}")
@RequestMapping(method= RequestMethod.POST , value="${fullPath}/search<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>") @RequestMapping(method= RequestMethod.POST , value="${fullPath}/search<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>")
...@@ -568,7 +568,7 @@ public class ${itemCodeName}Resource { ...@@ -568,7 +568,7 @@ public class ${itemCodeName}Resource {
</#if> </#if>
<#elseif apiMethod.getActionType()=='FETCH'> <#elseif apiMethod.getActionType()=='FETCH'>
<#assign deds = apiMethod.getPSDEDataSet()> <#assign deds = apiMethod.getPSDEDataSet()>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all') and hasPermission(#context,'${sys.codeName}-${de.codeName}-Get')")
<#--<@SecurityAnnotation deds/>--> <#--<@SecurityAnnotation deds/>-->
@ApiOperation(value = "${byTagParams}获取${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "${byTagParams}获取${deds.getLogicName()}") @ApiOperation(value = "${byTagParams}获取${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "${byTagParams}获取${deds.getLogicName()}")
@RequestMapping(method= RequestMethod.${reqMtd} , value="${fullPath}/fetch<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>") @RequestMapping(method= RequestMethod.${reqMtd} , value="${fullPath}/fetch<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>")
...@@ -592,7 +592,7 @@ public class ${itemCodeName}Resource { ...@@ -592,7 +592,7 @@ public class ${itemCodeName}Resource {
</#if> </#if>
} }
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-search${deds.codeName}-all') and hasPermission(#context,'${sys.codeName}-${de.codeName}-Get')")
<#--<@SecurityAnnotation deds/>--> <#--<@SecurityAnnotation deds/>-->
@ApiOperation(value = "${byTagParams}查询${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "${byTagParams}查询${deds.getLogicName()}") @ApiOperation(value = "${byTagParams}查询${deds.getLogicName()}", tags = {"${deLogicName}" } ,notes = "${byTagParams}查询${deds.getLogicName()}")
@RequestMapping(method= RequestMethod.POST , value="${fullPath}/search<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>") @RequestMapping(method= RequestMethod.POST , value="${fullPath}/search<#if (deds.getName()=='DEFAULT')>${deds.getCodeName()?lower_case}<#else>${deds.getCodeName()?lower_case}</#if>")
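Review bot: `hasPermission(#context, '${sys.codeName}-${de.codeName}-Get')` on each changed `@PreAuthorize` line depends on the handler parameter actually being named `context` and on parameter names being available to Spring Security at runtime (`-parameters`/debug info, or `@P("context")`); if resolution fails SpEL passes `null`, which in `AuthPermissionEvaluator` falls through to the `(EntityBase) entity` cast and fails with an exception rather than a denial — the handler signatures start after these hunks, so confirm the name. Because the expression is `hasAnyAuthority('ROLE_SUPERADMIN','...-search...-all') and hasPermission(...)`, the evaluator and the org/dept scoping it applies to `#context` only run for callers who already hold the `search...-all` authority; if users with only scoped authorities (curorg/porg/sorg/createman) are meant to reach these fetch/search endpoints, the first clause blocks them before the evaluator is consulted, so check how `search...-all` is granted. Since for a `QueryWrapperContext` the evaluator does not decide access but rewrites the query from inside `@PreAuthorize`, I would add a template comment beside the annotation, e.g. `<#-- hasPermission(#context,...) appends org/dept/creator scope conditions to the search context (or forces an empty result with 1<>1); it does not itself deny the request -->`.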
...@@ -3,9 +3,12 @@ TARGET=PSSYSTEM ...@@ -3,9 +3,12 @@ TARGET=PSSYSTEM
</#ibiztemplate> </#ibiztemplate>
package ${pub.getPKGCodeName()}.util.security; package ${pub.getPKGCodeName()}.util.security;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import lombok.SneakyThrows;
import ${pub.getPKGCodeName()}.util.annotation.DEField; import ${pub.getPKGCodeName()}.util.annotation.DEField;
import ${pub.getPKGCodeName()}.util.domain.EntityBase; import ${pub.getPKGCodeName()}.util.domain.EntityBase;
import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType; import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType;
import ${pub.getPKGCodeName()}.util.filter.QueryWrapperContext;
import ${pub.getPKGCodeName()}.util.helper.DEFieldCacheMap; import ${pub.getPKGCodeName()}.util.helper.DEFieldCacheMap;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
...@@ -14,7 +17,10 @@ import org.springframework.security.core.GrantedAuthority; ...@@ -14,7 +17,10 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils; import org.springframework.util.ObjectUtils;
import java.io.Serializable; import java.io.Serializable;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.util.*; import java.util.*;
import java.util.function.Consumer;
/** /**
* spring security 权限管理类 * spring security 权限管理类
...@@ -26,44 +32,144 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -26,44 +32,144 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value("${r'${ibiz.enablePermissionValid:false}'}") @Value("${r'${ibiz.enablePermissionValid:false}'}")
boolean enablePermissionValid; //是否开启权限校验 boolean enablePermissionValid; //是否开启权限校验
/** /**
* 实体行为鉴权 * 服务接口鉴权
* @param authentication * @param authentication 用户
* @param entity * @param entity 实体
* @param action * @param action 操作
* @return * @return
*/ */
@Override @Override
@SneakyThrows
public boolean hasPermission(Authentication authentication, Object entity, Object action) { public boolean hasPermission(Authentication authentication, Object entity, Object action) {
if(!enablePermissionValid)
//未开启权限校验、超级管理员则不进行权限检查 return true;
if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid) Object principal = authentication.getPrincipal();
if(ObjectUtils.isEmpty(principal))
return false;
AuthenticationUser authenticationUser= (AuthenticationUser) authentication.getPrincipal();
if(authenticationUser.getSuperuser()==1)
return true; return true;
String strAction=String.valueOf(action); String strAction=String.valueOf(action);
Set<String> userAuthorities = getAuthorities(authentication,strAction); Set<String> userAuthorities = getAuthorities(authentication,strAction);
if(userAuthorities.size()==0) if(userAuthorities.size()==0)
return false; return false;
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(strAction,userAuthorities)){ if(isAllData(strAction,userAuthorities)){
return true; return true;
} }
if(entity instanceof ArrayList){ if(entity instanceof ArrayList){
List<EntityBase> entities= (List<EntityBase>) entity; List<EntityBase> entities= (List<EntityBase>) entity;
for(EntityBase entityBase: entities){ for(EntityBase entityBase: entities){
boolean result=actionValid(entityBase, strAction ,userAuthorities); boolean result=actionValid(entityBase, strAction ,userAuthorities,authenticationUser);
if(!result){ if(!result){
return false; return false;
} }
} }
} }
else if (entity instanceof QueryWrapperContext){
QueryWrapperContext queryWrapperContext= (QueryWrapperContext) entity;
setPermissionCondToSearchContext(getEntity(queryWrapperContext),queryWrapperContext,userAuthorities,authenticationUser);
}
else{ else{
EntityBase entityBase= (EntityBase) entity; EntityBase entityBase= (EntityBase) entity;
return actionValid(entityBase , strAction ,userAuthorities); return actionValid(entityBase , strAction ,userAuthorities,authenticationUser);
} }
return true; return true;
} }
/**
* 获取实体信息
* @param qc
* @return
*/
@SneakyThrows
private EntityBase getEntity(QueryWrapperContext qc){
EntityBase entity=null;
Type type =qc.getClass().getGenericSuperclass();
if(type instanceof ParameterizedType){
ParameterizedType parameterizedType= (ParameterizedType) qc.getClass().getGenericSuperclass();
Type [] typeArr= parameterizedType.getActualTypeArguments();
if(typeArr.length>0){
Class<EntityBase> entityClass = (Class) typeArr[0];
return entityClass.newInstance();
}
}
return entity;
}
/**
* searchContext中拼接权限条件
* @param entity 实体
* @param qc 查询上下文
* @param userAuthorities 用户权限
* @param authenticationUser 当前用户
*/
@SneakyThrows
private void setPermissionCondToSearchContext(EntityBase entity, QueryWrapperContext qc , Set<String> userAuthorities ,AuthenticationUser authenticationUser){
if(entity==null)
return ;
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield");
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg");
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>();
Set<String> userCreateMan = new HashSet<>();
for(String authority:userAuthorities){
if(authority.endsWith("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid());
}
else if(authority.endsWith("porg")){//上级单位
userOrg.addAll(orgParent);
}
else if(authority.endsWith("sorg")){//下级单位
userOrg.addAll(orgChild);
}
else if(authority.endsWith("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid());
}
else if(authority.endsWith("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent);
}
else if(authority.endsWith("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild);
}
else if (authority.endsWith("createman")){
userCreateMan.add(authority);
}
}
if(userOrg.size()==0 && userOrgDept.size()==0 && userCreateMan.size()==0){
qc.getSelectCond().apply("1<>1");
}
else{
Consumer<QueryWrapper> consumer = qw -> {
if(userOrg.size()>0){
Consumer<QueryWrapper> org = orgQw -> {
orgQw.in(orgField,userOrg);
};
qw.or(org);
}
if(userOrgDept.size()>0){
Consumer<QueryWrapper> dept = deptQw -> {
deptQw.in(orgDeptField,userOrgDept);
};
qw.or(dept);
}
if(userCreateMan.size()>0){
Consumer<QueryWrapper> createMan = createManQw -> {
createManQw.eq(createManField,authenticationUser.getUserid());
};
qw.or(createMan);
}
};
qc.getSelectCond().and(consumer);
}
}
@Override @Override
public boolean hasPermission(Authentication authentication, Serializable id, String action, Object params) { public boolean hasPermission(Authentication authentication, Serializable id, String action, Object params) {
...@@ -109,13 +215,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -109,13 +215,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param userAuthorities * @param userAuthorities
* @return * @return
*/ */
private boolean actionValid(EntityBase entity, String action , Set<String> userAuthorities){ private boolean actionValid(EntityBase entity, String action , Set<String> userAuthorities ,AuthenticationUser authenticationUser){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield"); String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield"); String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield"); String createManField=permissionField.get("createmanfield");
AuthenticationUser authenticationUser = AuthenticationUser.getAuthenticationUser();
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo(); Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg"); Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg"); Set<String> orgChild = userInfo.get("suborg");
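Review bot: The new `else if (entity instanceof QueryWrapperContext)` branch of `hasPermission` fails open: when `getEntity` cannot resolve the entity type (it inspects only one level of `getGenericSuperclass()`, so a deeper subclass or an unparameterized context yields `null`), `setPermissionCondToSearchContext` returns at its `if(entity==null) return;` guard without touching the query and `hasPermission` then returns `true`, so a caller holding only a scoped authority (curorg/porg/sorg/createman) runs the search unfiltered. The `qc.getSelectCond().apply("1<>1")` branch shows the intended fail-closed behaviour for the no-usable-authority case; the unresolved-entity case should deny the same way, as in the excerpt below. Two smaller points in the same hunk: `(AuthenticationUser) authentication.getPrincipal()` is an unchecked cast, and with `@SneakyThrows` a principal of another type surfaces as a `ClassCastException` instead of a denial — `if(!(principal instanceof AuthenticationUser)) return false;` keeps it a clean deny; and if `getPermissionField` can return a null `orgfield`/`orgsecfield`/`createmanfield` for an entity that lacks those predefined fields, `orgQw.in(orgField, userOrg)` (and the dept/createman consumers) is built against a null column name, so each consumer should be guarded on the field's presence or deny — `getPermissionField` is outside this view, so I cannot confirm its contract.
```java
else if (entity instanceof QueryWrapperContext){
    QueryWrapperContext queryWrapperContext= (QueryWrapperContext) entity;
    EntityBase target = getEntity(queryWrapperContext);
    if(target==null){
        // entity type could not be resolved from the context's generic superclass:
        // the query cannot be scoped, so deny instead of letting it run unfiltered
        return false;
    }
    setPermissionCondToSearchContext(target,queryWrapperContext,userAuthorities,authenticationUser);
}
// … unchanged: EntityBase branch, getEntity, setPermissionCondToSearchContext …
```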