Skip to content
项目
群组
代码片段
帮助
正在加载...
帮助
提交反馈
为 GitLab 提交贡献
登录
切换导航
iBiz4j Spring R7
项目
项目
详情
动态
版本
周期分析
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
统计图
议题
0
议题
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
CI / CD
CI / CD
流水线
作业
计划
统计图
Wiki
Wiki
代码片段
代码片段
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
统计图
创建新议题
作业
提交
议题看板
打开侧边栏
iBiz-R7后台标准模板
iBiz4j Spring R7
提交
9e2009a8
提交
9e2009a8
编写于
5月 26, 2020
作者:
zhouweidong
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
简化权限校验
上级
72721eca
变更
2
显示空白字符变更
内嵌
并排
正在显示
2 个修改的文件
包含
43 行增加
和
508 行删除
+43
-508
%ITEM%Resource.java.ftl
...YS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
+18
-12
AuthPermissionEvaluator.java.ftl
...S_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
+25
-496
未找到文件。
SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
浏览文件 @
9e2009a8
...
...
@@ -46,6 +46,7 @@ import org.springframework.data.domain.Pageable;
import
org
.
springframework
.
util
.
StringUtils
;
import
org
.
springframework
.
context
.
annotation
.
Lazy
;
import
org
.
springframework
.
security
.
access
.
prepost
.
PreAuthorize
;
import
org
.
springframework
.
security
.
access
.
prepost
.
PostAuthorize
;
import
io
.
swagger
.
annotations
.
Api
;
import
io
.
swagger
.
annotations
.
ApiOperation
;
import
io
.
swagger
.
annotations
.
ApiResponse
;
...
...
@@ -145,7 +146,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
<@
outputHasPermissionAnnotation
'this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos)'
'${sys.codeName}-${de.codeName}-${deaction.codeName}'
/>
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
POST
,
value
=
"${fullPath}"
)
...
...
@@ -169,7 +170,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
<@
outputHasPermissionAnnotation
'this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC})'
'${sys.codeName}-${de.codeName}-${deaction.codeName}'
/>
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
PUT
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -194,7 +195,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
//
@
PreAuthorize
(
"hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.${
reqMtd
},
value
=
"${fullPath}/${deactionCodeName?lower_case}"
)
...
...
@@ -214,7 +215,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})"
)
<@
outputHasPermissionAnnotation
'this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC})'
'${sys.codeName}-${de.codeName}-${deaction.codeName}'
/>
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
DELETE
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -235,7 +236,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
P
reAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO}
)"
)
@
P
ostAuthorize
(
"hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}'
)"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
GET
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -409,7 +410,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
//
@
PreAuthorize
(
"hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}${byParams}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}${byParams}"
)
@
RequestMapping
(
method
=
RequestMethod
.
POST
,
value
=
"${fullPath}"
)
...
...
@@ -438,7 +439,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
//
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}${byParams}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}${byParams}"
)
@
RequestMapping
(
method
=
RequestMethod
.
PUT
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -507,7 +508,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})"
)
//
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}${byParams}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}${byParams}"
)
@
RequestMapping
(
method
=
RequestMethod
.
DELETE
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -528,7 +529,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
//
@
PreAuthorize
(
"hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}${byParams}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}${byParams}"
)
@
RequestMapping
(
method
=
RequestMethod
.${
reqMtd
},
value
=
"${fullPath}/${deactionCodeName?lower_case}"
)
...
...
@@ -554,7 +555,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
<@
outputHasAnyAuthorityAnnotation
'${sys.codeName}-${de.codeName}-${deaction.codeName}-all'
/>
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})"
)
//
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}${byParams}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}${byParams}"
)
@
RequestMapping
(
method
=
RequestMethod
.
GET
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -654,11 +655,16 @@ public class ${itemCodeName}Resource {
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${permissionTag}')"
)
</#
macro
>
<#
comment
>
输出实体资源鉴权注解
[
hasAnyAuthority
]</#
comment
>
<#
macro
outputHasPermissionAnnotation
param1
param2
>
//@
PreAuthorize
(
"hasPermission(${param1},'${param2}')"
)
</#
macro
>
<#
comment
>
输出实体批处理权限注解
[
hasAnyAuthority
]</#
comment
>
<#
macro
outputBatchPermissionAnnotation
deAction
deStorageMode
>
<#
if
deAction
==
'Remove'
>
@
PreAuthorize
(
"hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO,#ids})"
)
//
@
PreAuthorize
(
"hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO,#ids})"
)
<#
else
>
@
PreAuthorize
(
"hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dtos})"
)
//
@
PreAuthorize
(
"hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dtos})"
)
</#
if
>
</#
macro
>
SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
浏览文件 @
9e2009a8
...
...
@@ -3,27 +3,16 @@ TARGET=PSSYSTEM
</#
ibiztemplate
>
package
${
pub
.
getPKGCodeName
()}.
util
.
security
;
import
com
.
baomidou
.
mybatisplus
.
core
.
conditions
.
query
.
QueryWrapper
;
import
com
.
baomidou
.
mybatisplus
.
extension
.
service
.
impl
.
ServiceImpl
;
import
com
.
mongodb
.
QueryBuilder
;
import
${
pub
.
getPKGCodeName
()}.
util
.
annotation
.
DEField
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
DTOBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
EntityBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
MappingBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
enums
.
DEPredefinedFieldType
;
import
${
pub
.
getPKGCodeName
()}.
util
.
helper
.
DEFieldCacheMap
;
import
org
.
springframework
.
beans
.
factory
.
annotation
.
Value
;
import
org
.
springframework
.
context
.
annotation
.
Lazy
;
import
org
.
springframework
.
data
.
mongodb
.
core
.
MongoTemplate
;
import
org
.
springframework
.
data
.
mongodb
.
core
.
query
.
BasicQuery
;
import
org
.
springframework
.
data
.
mongodb
.
core
.
query
.
Query
;
import
org
.
springframework
.
security
.
access
.
PermissionEvaluator
;
import
org
.
springframework
.
security
.
core
.
Authentication
;
import
org
.
springframework
.
security
.
core
.
GrantedAuthority
;
import
org
.
springframework
.
stereotype
.
Component
;
import
org
.
springframework
.
util
.
ObjectUtils
;
import
org
.
springframework
.
util
.
StringUtils
;
import
javax
.
annotation
.
Resource
;
import
java
.
io
.
Serializable
;
import
java
.
lang
.
reflect
.
Field
;
import
java
.
util
.*;
...
...
@@ -37,273 +26,71 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@
Value
(
"${r'${ibiz.enablePermissionValid:false}'}"
)
boolean
enablePermissionValid
;
//
是否开启权限校验
/**
*
实体主键标识
*/
private
String
keyFieldTag
=
"keyfield"
;
@
Resource
@
Lazy
private
MongoTemplate
mongoTemplate
;
/**
*
批处理权限检查
[
createBatch
:
updateBatch
:
removeBatch
]
*
实体行为鉴权
*
@
param
authentication
*
@
param
DEAction
*
@
param
params
*
@
param
entity
*
@
param
action
*
@
return
*/
@
Override
public
boolean
hasPermission
(
Authentication
authentication
,
Object
DEAction
,
Object
params
)
{
public
boolean
hasPermission
(
Authentication
authentication
,
Object
entity
,
Object
action
)
{
//
未开启权限校验、超级管理员则不进行权限检查
if
(
AuthenticationUser
.
getAuthenticationUser
().
getSuperuser
()==
1
||
!enablePermissionValid)
return
true
;
List
paramList
=
(
ArrayList
)
params
;
String
deStorageMode
=
(
String
)
paramList
.
get
(
0
);
String
action
=
String
.
valueOf
(
DEAction
);
List
<
String
>
ids
=
null
;
EntityBase
entity
;
List
<
EntityBase
>
entityList
=
null
;
MappingBase
mappingBase
=
(
MappingBase
)
paramList
.
get
(
1
);
//
参数准备
if
(
action
.
equalsIgnoreCase
(
"remove"
)){
entity
=
(
EntityBase
)
mappingBase
.
toDomain
(
paramList
.
get
(
2
));
ids
=
(
List
<
String
>)
paramList
.
get
(
3
);
}
else
{
List
<
DTOBase
>
dtoList
=
(
List
<
DTOBase
>)
paramList
.
get
(
2
);
if
(
dtoList
.
size
()==
0
)
return
false
;
entityList
=
mappingBase
.
toDomain
(
dtoList
);
entity
=
(
EntityBase
)
mappingBase
.
toDomain
(
dtoList
.
get
(
0
));
}
if
(
entity
==
null
)
return
false
;
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
String
strAction
=
String
.
valueOf
(
action
);
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
strAction
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
//
拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
a
ction
,
entityDataRange
)){
if
(
isAllData
(
strA
ction
,
entityDataRange
)){
return
true
;
}
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
if
(
entity
instanceof
ArrayList
){
List
<
EntityBase
>
entities
=
(
List
<
EntityBase
>)
entity
;
for
(
EntityBase
entityBase
:
entities
){
boolean
result
=
actionValid
(
entityBase
,
entityDataRange
);
if
(
!result){
return
false
;
}
else
if
(
action
.
equalsIgnoreCase
(
"save"
)){
return
saveBatchActionPermissionValid
(
deStorageMode
,
entityList
,
entityDataRange
);
}
else
{
if
(
!action.equalsIgnoreCase("remove")){
ids
=
getIds
(
entity
,
entityList
);
}
if
(
ids
.
size
()==
0
)
return
false
;
return
otherBatchActionPermissionValidRouter
(
deStorageMode
,
entity
,
ids
,
entityDataRange
);
else
{
EntityBase
entityBase
=
(
EntityBase
)
entity
;
return
actionValid
(
entityBase
,
entityDataRange
);
}
return
true
;
}
/**
*
实体行为权限检查
:用于检查当前用户是否拥有实体的新建、编辑、删除权限
*
*
@
param
authentication
*
@
param
id
当前操作数据的主键
*
@
param
action
当前操作行为:如:
[
READ
、
UPDATE
、
DELETE
]
*
@
param
params
相关参数
*
@
return
true
/
false
true
则允许当前行为,
false
拒绝行为
*/
@
Override
public
boolean
hasPermission
(
Authentication
authentication
,
Serializable
id
,
String
action
,
Object
params
)
{
//
未开启权限校验、超级管理员则不进行权限检查
if
(
AuthenticationUser
.
getAuthenticationUser
().
getSuperuser
()==
1
||
!enablePermissionValid)
return
true
;
List
paramList
=
(
ArrayList
)
params
;
String
deStorageMode
=
(
String
)
paramList
.
get
(
0
);
MappingBase
mappingBase
=
(
MappingBase
)
paramList
.
get
(
1
);
DTOBase
dtoBase
=
(
DTOBase
)
paramList
.
get
(
2
);
EntityBase
entity
=
(
EntityBase
)
mappingBase
.
toDomain
(
dtoBase
);
if
(
StringUtils
.
isEmpty
(
entity
))
return
false
;
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
//
拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
action
,
entityDataRange
)){
return
true
;
}
if
(
action
.
equalsIgnoreCase
(
"save"
)){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
Object
srfKey
=
entity
.
get
(
keyFieldName
);
if
(
ObjectUtils
.
isEmpty
(
srfKey
))
action
=
"create"
;
else
action
=
"update"
;
}
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createActionPermissionValid
(
entity
,
entityDataRange
);
}
else
{
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
id
,
entityDataRange
);
}
}
/**
*
获取用户权限资源
*
@
param
authentication
*
@
param
entityName
*
@
param
action
*
@
return
*/
private
Set
<
String
>
getAuthorities
(
Authentication
authentication
,
String
entityName
,
String
action
){
private
Set
<
String
>
getAuthorities
(
Authentication
authentication
,
String
action
){
Collection
authorities
=
authentication
.
getAuthorities
();
Set
<
String
>
entityDataRange
=
new
HashSet
();
Iterator
var2
=
authorities
.
iterator
();
while
(
var2
.
hasNext
())
{
GrantedAuthority
authority
=
(
GrantedAuthority
)
var2
.
next
();
if
(
authority
.
getAuthority
().
contains
(
String
.
format
(
"%s-%s-"
,
entityName
,
action
)
))
if
(
authority
.
getAuthority
().
contains
(
action
))
entityDataRange
.
add
(
authority
.
getAuthority
());
}
return
entityDataRange
;
}
/**
*
批
save
校验
*
@
param
deStorageMode
*
@
param
entityList
*
@
param
entityDataRange
*
@
return
*/
private
boolean
saveBatchActionPermissionValid
(
String
deStorageMode
,
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
)
{
if
(
entityList
==
null
||
entityList
.
size
()==
0
)
return
false
;
EntityBase
tempEntity
=
entityList
.
get
(
0
);
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
tempEntity
);
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
List
createList
=
new
ArrayList
();
List
<
String
>
updateList
=
new
ArrayList
();
for
(
EntityBase
entity
:
entityList
){
Object
id
=
entity
.
get
(
keyFieldName
);
if
(
ObjectUtils
.
isEmpty
(
id
))
createList
.
add
(
entity
);
else
updateList
.
add
(
String
.
valueOf
(
id
));
}
if
(
updateList
.
size
()>
0
){
boolean
isUpdate
=
otherBatchActionPermissionValidRouter
(
deStorageMode
,
tempEntity
,
updateList
,
entityDataRange
);
if
(
!isUpdate)
return
false
;
}
if
(
createList
.
size
()>
0
){
boolean
isCreate
=
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
if
(
!isCreate)
return
false
;
}
return
true
;
}
/**
*
批处理新建权限校验
*
@
param
entityList
*
@
param
entityDataRange
*
@
return
*/
private
boolean
createBatchActionPermissionValid
(
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
){
for
(
EntityBase
entity
:
entityList
){
boolean
isCreate
=
createActionPermissionValid
(
entity
,
entityDataRange
);
if
(
!isCreate){
return
false
;
}
}
return
true
;
}
/**
*
批处理行为权限校验
[
get
:
update
:
delete
]
*
@
param
deStorageMode
*
@
param
entity
*
@
param
ids
*
@
param
entityDataRange
*
@
return
*/
private
boolean
otherBatchActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
}
else
{
throw
new
RuntimeException
(
String
.
format
(
"未能识别实体对应存储模式[%s]"
,
deStorageMode
));
}
}
/**
*
SQL
批处理权限校验
*
@
param
entity
*
@
param
ids
*
@
param
entityDataRange
*
@
return
*/
private
boolean
sqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));//
获取实体
service
对象
//
通过权限表达式来获取
sql
String
permissionSQL
=
String
.
format
(
" (%s) AND ( %s in (%s) ) "
,
getPermissionSQL
(
entity
,
entityDataRange
),
keyFieldName
,
getEntityKeyCond
(
ids
));
//
拼接权限条件
-
编辑
//
执行
sql
进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);//
构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
if
(
list
.
size
()
==
ids
.
size
()){
return
true
;
}
else
{
return
false
;
}
}
/**
*
NoSQL
批处理权限校验
*
@
param
entity
*
@
param
ids
*
@
param
entityDataRange
*
@
return
*/
private
boolean
noSqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
//
根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityDataRange
);
//
权限条件拼接主键
permissionCond
.
and
(
keyFieldName
).
in
(
ids
);
//
执行权限检查
Query
query
=
new
BasicQuery
(
permissionCond
.
get
().
toString
());
List
list
=
mongoTemplate
.
find
(
query
,
entity
.
getClass
());
if
(
list
.
size
()==
ids
.
size
()){
return
true
;
}
else
{
return
false
;
}
}
/**
*
是否为全部数据
*
@
param
action
...
...
@@ -320,14 +107,13 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
/**
*
新建行为
校验
*
实体行为权限
校验
*
@
param
entity
*
@
param
entityDataRange
*
@
return
*/
private
boolean
createActionPermiss
ionValid
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
private
boolean
act
ionValid
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
boolean
isCreate
=
true
;
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
orgField
=
permissionField
.
get
(
"orgfield"
);
String
orgDeptField
=
permissionField
.
get
(
"orgsecfield"
);
...
...
@@ -377,204 +163,8 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return
false
;
}
return
isCreate
;
}
/**
*
根据实体存储模式,进行鉴权
*
@
param
deStorageMode
*
@
param
entity
*
@
param
id
*
@
param
entityDataRange
*
@
return
*/
private
boolean
otherActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
}
else
{
throw
new
RuntimeException
(
String
.
format
(
"未能识别[%s]实体对应存储模式[%s]"
,
entity
.
getClass
().
getSimpleName
(),
deStorageMode
));
}
}
/**
*
sql
存储模式实体行为鉴权
*
@
param
entity
*
@
param
id
*
@
param
entityDataRange
*
@
return
*/
private
boolean
sqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));//
获取实体
service
对象
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
//
通过权限表达式来获取
sql
String
permissionSQL
=
String
.
format
(
" (%s) AND (%s='%s')"
,
getPermissionSQL
(
entity
,
entityDataRange
),
permissionField
.
get
(
keyFieldTag
),
id
);
//
拼接权限条件
-
编辑
//
执行
sql
进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);//
构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
if
(
list
.
size
()>
0
){
return
true
;
}
else
{
return
false
;
}
}
/**
*
NoSQL
实体行为鉴权
*
@
param
entity
*
@
param
id
*
@
param
entityDataRange
*
@
return
*/
private
boolean
noSqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
keyField
=
permissionField
.
get
(
keyFieldTag
);
//
根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityDataRange
);
//
权限条件拼接主键
permissionCond
.
and
(
keyField
).
is
(
id
);
//
执行权限检查
Query
query
=
new
BasicQuery
(
permissionCond
.
get
().
toString
());
List
list
=
mongoTemplate
.
find
(
query
,
entity
.
getClass
());
if
(
list
.
size
()>
0
){
return
true
;
}
else
{
return
false
;
}
}
/**
*
为
NoSQL
存储模式的表格查询填充权限条件
*
@
param
entity
*
@
param
entityDataRange
*
@
return
*/
private
QueryBuilder
getNoSqlPermissionCond
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
QueryBuilder
permissionSQL
=
new
QueryBuilder
();
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
orgField
=
permissionField
.
get
(
"orgfield"
);
String
orgDeptField
=
permissionField
.
get
(
"orgsecfield"
);
String
createManField
=
permissionField
.
get
(
"createmanfield"
);
AuthenticationUser
authenticationUser
=
AuthenticationUser
.
getAuthenticationUser
();
Map
<
String
,
Set
<
String
>>
userInfo
=
authenticationUser
.
getOrgInfo
();
Set
<
String
>
orgParent
=
userInfo
.
get
(
"parentorg"
);
Set
<
String
>
orgChild
=
userInfo
.
get
(
"suborg"
);
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
String
permissionCond
:
entityDataRange
){
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//
本单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"porg"
)){//
上级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgParent
)).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"sorg"
)){//
下级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgChild
)).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"createman"
)){//
建立人
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
createManField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"curorgdept"
)){//
本部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"porgdept"
)){//
上级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptParent
)).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"sorgdept"
)){//
下级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptChild
)).
get
());
}
else
if
(
permissionCond
.
endsWith
(
"all"
)){
permissionSQL
.
or
(
new
QueryBuilder
().
get
());
}
}
return
permissionSQL
;
}
/**
*
SQL
获取权限条件
*
@
param
entity
*
@
param
entityDataRange
*
@
return
*/
private
String
getPermissionSQL
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
nPermissionSQL
=
"1<>1"
;
String
orgField
=
permissionField
.
get
(
"orgfield"
);
String
orgDeptField
=
permissionField
.
get
(
"orgsecfield"
);
String
createManField
=
permissionField
.
get
(
"createmanfield"
);
StringBuffer
permissionSQL
=
new
StringBuffer
();
AuthenticationUser
authenticationUser
=
AuthenticationUser
.
getAuthenticationUser
();
Map
<
String
,
Set
<
String
>>
userInfo
=
authenticationUser
.
getOrgInfo
();
Set
<
String
>
orgParent
=
userInfo
.
get
(
"parentorg"
);
Set
<
String
>
orgChild
=
userInfo
.
get
(
"suborg"
);
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
String
permissionCond
:
entityDataRange
){
permissionSQL
.
append
(
"OR"
);
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//
本单位
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgField
,
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()));
}
else
if
(
permissionCond
.
endsWith
(
"porg"
)){//
上级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgParent
)));
}
else
if
(
permissionCond
.
endsWith
(
"sorg"
)){//
下级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgChild
)));
}
else
if
(
permissionCond
.
endsWith
(
"createman"
)){//
建立人
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
createManField
,
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()));
}
else
if
(
permissionCond
.
endsWith
(
"curorgdept"
)){//
本部门
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgDeptField
,
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()));
}
else
if
(
permissionCond
.
endsWith
(
"porgdept"
)){//
上级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptParent
)));
}
else
if
(
permissionCond
.
endsWith
(
"sorgdept"
)){//
下级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptChild
)));
}
else
if
(
permissionCond
.
endsWith
(
"all"
)){//
全部数据
permissionSQL
.
append
(
"(1=1)"
);
}
else
{
permissionSQL
.
append
(
nPermissionSQL
);
}
}
if
(
StringUtils
.
isEmpty
(
permissionSQL
.
toString
()))
return
""
;
String
resultCond
=
parseResult
(
permissionSQL
,
"OR"
);
return
resultCond
;
}
/**
*
构造
wrapper
*
@
param
whereCond
*
@
return
*/
private
QueryWrapper
getPermissionWrapper
(
String
whereCond
){
QueryWrapper
permissionWrapper
=
new
QueryWrapper
();
if
(
!StringUtils.isEmpty(whereCond)){
permissionWrapper
.
apply
(
whereCond
);
}
return
permissionWrapper
;
}
/**
*
获取实体权限字段
orgid
/
orgsecid
...
...
@@ -627,65 +217,4 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
return
deFieldMap
;
}
/**
*
转换
[
a
,
b
]
格式字符串到
'a'
,
'b'
格式
*
@
return
*/
private
String
formatStringArr
(
Set
<
String
>
array
)
{
String
[]
arr
=
array
.
toArray
(
new
String
[
array
.
size
()]);
return
"'"
+
String
.
join
(
"','"
,
arr
)
+
"'"
;
}
/**
*
格式转换
*
@
param
cond
*
@
param
operator
*
@
return
*/
private
String
parseResult
(
StringBuffer
cond
,
String
operator
)
{
String
resultCond
=
cond
.
toString
();
if
(
resultCond
.
startsWith
(
operator
))
resultCond
=
resultCond
.
replaceFirst
(
operator
,
""
);
if
(
resultCond
.
endsWith
(
operator
))
resultCond
=
resultCond
.
substring
(
0
,
resultCond
.
lastIndexOf
(
operator
));
return
resultCond
;
}
/**
*
转换
[
a
,
b
]
格式字符串到
'a'
,
'b'
格式
*
*
@
return
*/
private
String
getEntityKeyCond
(
List
<
String
>
array
)
{
String
[]
arr
=
array
.
toArray
(
new
String
[
array
.
size
()]);
return
"'"
+
String
.
join
(
"','"
,
arr
)
+
"'"
;
}
/**
*
获取实体主键集合
*
@
param
entityBase
*
@
param
entityList
*
@
return
*/
private
List
<
String
>
getIds
(
EntityBase
entityBase
,
List
<
EntityBase
>
entityList
)
{
List
<
String
>
entityKeyList
=
new
ArrayList
<>();
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entityBase
);//
获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
if
(
StringUtils
.
isEmpty
(
keyFieldName
))
return
entityKeyList
;
for
(
EntityBase
entity
:
entityList
){
Object
objEntityKey
=
entity
.
get
(
keyFieldName
);
if
(
!ObjectUtils.isEmpty(objEntityKey)){
entityKeyList
.
add
(
String
.
valueOf
(
objEntityKey
));
}
}
return
entityKeyList
;
}
}
\ No newline at end of file
编辑
预览
Markdown
格式
0%
请重试
or
添加新附件
添加附件
取消
您添加了
0
人
到此讨论。请谨慎行事。
先完成此消息的编辑!
取消
想要评论请
注册
或
登录