提交 c5ed2b29 编写于 作者: zhouweidong's avatar zhouweidong

批处理权限校验

上级 9bf51114
......@@ -170,6 +170,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "createBatch", tags = {"${itemCodeName}" }, notes = "createBatch")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/batch")
public ResponseEntity<Boolean> createBatch(${etParamsList}) {
......@@ -194,6 +195,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "UpdateBatch", tags = {"${itemCodeName}" }, notes = "UpdateBatch")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/batch")
public ResponseEntity<Boolean> updateBatch(${etParamsList}) {
......@@ -209,6 +211,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(${deCodeNameLC}Service.save(${itemCodeNameLC}Mapping.toDomain(${itemCodeNameLC}dto)));
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "SaveBatch", tags = {"${itemCodeName}" }, notes = "SaveBatch")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/savebatch")
public ResponseEntity<Boolean> saveBatch(${etParamsList}) {
......@@ -229,6 +232,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(${deCodeNameLC}Service.remove(${itemCodeNameLC + keyCNLC}));
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "RemoveBatch", tags = {"${itemCodeName}" }, notes = "RemoveBatch")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/batch")
public ResponseEntity<Boolean> removeBatch(@RequestBody List<${srfjavatype(de.getKeyPSDEField().getStdDataType())}> ids) {
......@@ -433,6 +437,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "createBatch${byParams}", tags = {"${itemCodeName}" }, notes = "createBatch${byParams}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/batch")
public ResponseEntity<Boolean> createBatch${byParams}(${etParamsList}) {
......@@ -501,6 +506,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "UpdateBatch${byParams}", tags = {"${itemCodeName}" }, notes = "UpdateBatch${byParams}")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/batch")
public ResponseEntity<Boolean> updateBatch${byParams}(${etParamsList}) {
......@@ -525,6 +531,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(${deCodeNameLC}Service.remove(${itemCodeNameLC + keyCNLC}));
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "RemoveBatch${byParams}", tags = {"${itemCodeName}" }, notes = "RemoveBatch${byParams}")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/batch")
public ResponseEntity<Boolean> removeBatch${byParams}(@RequestBody List<${srfjavatype(de.getKeyPSDEField().getStdDataType())}> ids) {
......@@ -542,6 +549,7 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(${deCodeNameLC}Service.save(domain));
}
<@ outputBatchPermissionAnnotation deaction.codeName deStorageMode/>
@ApiOperation(value = "SaveBatch${byParams}", tags = {"${itemCodeName}" }, notes = "SaveBatch${byParams}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/savebatch")
public ResponseEntity<Boolean> saveBatch${byParams}(${etParamsList}) {
......@@ -662,3 +670,12 @@ public class ${itemCodeName}Resource {
<#macro outputHasAnyAuthorityAnnotation permissionTag>
//@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${permissionTag}')")
</#macro>
<#comment>输出实体批处理权限注解[hasAnyAuthority]</#comment>
<#macro outputBatchPermissionAnnotation deAction deStorageMode>
<#if deAction=='Remove'>
//@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.humanMapping,this.permissionDTO,#ids})")
<#else>
//@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.humanMapping,#humandtos})")
</#if>
</#macro>
......@@ -13,8 +13,6 @@ import ${pub.getPKGCodeName()}.util.domain.DTOBase;
import ${pub.getPKGCodeName()}.util.domain.EntityBase;
import ${pub.getPKGCodeName()}.util.domain.MappingBase;
import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType;
import ${pub.getPKGCodeName()}.util.filter.QueryBuildContext;
import ${pub.getPKGCodeName()}.util.filter.QueryWrapperContext;
import ${pub.getPKGCodeName()}.util.helper.DEFieldCacheMap;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Lazy;
......@@ -53,24 +51,83 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Lazy
private MongoTemplate mongoTemplate;
/**
* 批处理权限检查[createBatch:updateBatch:removeBatch]
* @param authentication
* @param DEAction
* @param params
* @return
*/
@Override
public boolean hasPermission(Authentication authentication, Object deAction, Object gridParam) {
public boolean hasPermission(Authentication authentication, Object DEAction, Object params) {
//未开启权限校验、超级管理员则不进行权限检查
if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid)
return true;
List paramList = (ArrayList) params;
String deStorageMode= (String) paramList.get(0);
String action=String.valueOf(DEAction);
List<String> ids=null;
EntityBase entity;
List<EntityBase> entityList = null;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList();
if(userPermission==null)
return false;
MappingBase mappingBase= (MappingBase) paramList.get(1);
//参数准备
if(action.equalsIgnoreCase("remove")){
entity= (EntityBase) mappingBase.toDomain(paramList.get(2));
ids= (List<String>) paramList.get(3);
}
else{
List<DTOBase> dtoList = (List<DTOBase>) paramList.get(2);
if(dtoList.size()==0)
return false;
entityList =mappingBase.toDomain(dtoList);
entity = (EntityBase) mappingBase.toDomain(dtoList.get(0));
}
if (entity==null)
return false;
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(entityName,action,permissionList)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("create")){
return createBatchActionPermissionValid(entityList,dataRangeList);
}
else{
if(!action.equalsIgnoreCase("remove")){
ids=getIds(entity,entityList);
}
if(ids.size()==0)
return false;
return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, dataRangeList);
}
}
/**
* 实体行为权限检查 :用于检查当前用户是否拥有实体的新建、编辑、删除权限
*
* @param authentication
* @param srfKey 当前操作数据的主键
* @param id 当前操作数据的主键
* @param action 当前操作行为:如:[READUPDATEDELETE]
* @param params 相关参数
* @return true/false true则允许当前行为,false拒绝行为
*/
@Override
public boolean hasPermission(Authentication authentication, Serializable srfKey, String action, Object params) {
public boolean hasPermission(Authentication authentication, Serializable id, String action, Object params) {
//未开启权限校验、超级管理员则不进行权限检查
if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid)
......@@ -86,22 +143,118 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return false;
JSONObject userPermission= AuthenticationUser.getAuthenticationUser().getPermissionList();
if(userPermission==null)
return false;
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(permissionList,entityName,action)){
if(isAllData(entityName,action,permissionList)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(permissionList,entityName,action)){
if(!validDEActionHasPermission(entityName,action,permissionList)){
return false;
}
JSONArray dataRangeList=getDataRange(entityName,action,permissionList);
if(dataRangeList.size()==0)
return false;
if(action.equalsIgnoreCase("create")){
return createActionPermissionValid(permissionList,entity, action);
return createActionPermissionValid(entity,dataRangeList);
}
else{
return otherActionPermissionValidRouter(deStorageMode, entity , action , srfKey, permissionList);
return otherActionPermissionValidRouter(deStorageMode, entity, id, dataRangeList);
}
}
/**
* 批处理新建权限校验
* @param entityList
* @param dataRangeList
* @return
*/
private boolean createBatchActionPermissionValid(List<EntityBase> entityList,JSONArray dataRangeList){
for(EntityBase entity : entityList){
boolean isCreate = createActionPermissionValid(entity ,dataRangeList);
if(!isCreate){
return false;
}
}
return true;
}
/**
* 批处理行为权限校验[get:update:delete]
* @param deStorageMode
* @param entity
* @param ids
* @param dataRangeList
* @return
*/
private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , JSONArray dataRangeList){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlBatchPermissionValid(entity ,ids, dataRangeList);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlBatchPermissionValid(entity, ids , dataRangeList);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
}
else {
throw new RuntimeException(String.format("未能识别实体对应存储模式[%s]",deStorageMode));
}
}
/**
* SQL批处理权限校验
* @param entity
* @param ids
* @param dataRangeList
* @return
*/
private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, JSONArray dataRangeList){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
//通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,dataRangeList),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
if(list.size() == ids.size()){
return true;
}else{
return false;
}
}
/**
* NoSQL批处理权限校验
* @param entity
* @param ids
* @param dataRange
* @return
*/
private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, JSONArray dataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRange);
//权限条件拼接主键
permissionCond.and(keyFieldName).in(ids);
//执行权限检查
Query query = new BasicQuery(permissionCond.get().toString());
List list=mongoTemplate.find(query,entity.getClass());
if(list.size()==ids.size()){
return true;
}
else{
return false;
}
}
......@@ -112,7 +265,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param action
* @return
*/
private boolean isAllData(JSONObject permissionList, String entityName, String action) {
private boolean isAllData( String entityName, String action ,JSONObject permissionList) {
if(permissionList==null)
return false;
......@@ -136,7 +289,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}
* @return
*/
private boolean validDEActionHasPermission(JSONObject userPermission,String entityName , String action ){
private boolean validDEActionHasPermission(String entityName , String action ,JSONObject userPermission){
boolean hasPermission=false;
if(userPermission==null)
......@@ -155,28 +308,14 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 新建行为校验
* @param permissionList
* @param entity
* @param action
* @param dataRangeList
* @return
*/
private boolean createActionPermissionValid(JSONObject permissionList,EntityBase entity, String action){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyField)){
throw new RuntimeException("权限校验失败,请检查当前实体中是否已经配置主键属性!");
}
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entity.getClass().getSimpleName());//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:readinsert...
if(dataRangeList.size()==0)
return false;
private boolean createActionPermissionValid(EntityBase entity, JSONArray dataRangeList){
boolean isCreate=true;
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield");
......@@ -233,18 +372,17 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* 根据实体存储模式,进行鉴权
* @param deStorageMode
* @param entity
* @param action
* @param srfKey
* @param permissionList
* @param id
* @param dataRangeList
* @return
*/
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , String action , Object srfKey , JSONObject permissionList){
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , JSONArray dataRangeList){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , action , srfKey, permissionList);
return sqlPermissionValid(entity , id, dataRangeList);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlPermissionValid(entity , action , srfKey, permissionList);
return noSqlPermissionValid(entity , id, dataRangeList);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
......@@ -257,32 +395,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* sql存储模式实体行为鉴权
* @param entity
* @param action
* @param srfKey
* @param permissionList
* @param id
* @param dataRangeList
* @return
*/
private boolean sqlPermissionValid(EntityBase entity , String action , Object srfKey, JSONObject permissionList){
String entityName=entity.getClass().getSimpleName();
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entityName,"ServiceImpl"));//获取实体service对象
private boolean sqlPermissionValid(EntityBase entity , Object id, JSONArray dataRangeList){
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyField)){
throw new RuntimeException("权限校验失败,请检查当前实体中是否已经配置主键属性!");
}
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entity.getClass().getSimpleName());//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray opprivList=permissionType.getJSONArray(action);//行为:readinsert...
if(opprivList.size()==0)
return false;
//通过权限表达式来获取sql
String tempPermissionSQL=getPermissionSQL(entity,opprivList);
String permissionSQL= String.format(" (%s) AND (%s='%s')",tempPermissionSQL,keyField,srfKey); //拼接权限条件-编辑
String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,dataRangeList),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
......@@ -297,32 +419,18 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* NoSQL实体行为鉴权
* @param entity
* @param action
* @param srfKey
* @param permissionList
* @param id
* @param dataRangeList
* @return
*/
private boolean noSqlPermissionValid(EntityBase entity, String action, Object srfKey, JSONObject permissionList) {
private boolean noSqlPermissionValid(EntityBase entity, Object id, JSONArray dataRangeList) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyField)){
throw new RuntimeException("权限校验失败,请检查当前实体中是否已经配置主键属性!");
}
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entity.getClass().getSimpleName());//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRange=permissionType.getJSONArray(action);//行为:readinsert...
if(dataRange.size()==0)
return false;
//根据权限表达式填充权限条件
QueryBuilder permissionCond=new QueryBuilder();
fillNoSqlPermissionCond(dataRange,entity,permissionCond);
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,dataRangeList);
//权限条件拼接主键
permissionCond.and(keyField).is(srfKey);
permissionCond.and(keyField).is(id);
//执行权限检查
Query query = new BasicQuery(permissionCond.get().toString());
List list=mongoTemplate.find(query,entity.getClass());
......@@ -337,12 +445,13 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* NoSQL存储模式的表格查询填充权限条件
* @param oppriList
* @param entity
* @param permissionSQL
* @param dataRangeList
* @return
*/
private void fillNoSqlPermissionCond(JSONArray oppriList, EntityBase entity, QueryBuilder permissionSQL){
private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,JSONArray dataRangeList ){
QueryBuilder permissionSQL=new QueryBuilder();
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
......@@ -354,8 +463,8 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
for(int i=0;i<oppriList.size();i++){
String permissionCond=oppriList.getString(i);//权限配置条件
for(int i=0;i<dataRangeList.size();i++){
String permissionCond=dataRangeList.getString(i);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
permissionSQL.or(new QueryBuilder().and(orgField).is(AuthenticationUser.getAuthenticationUser().getOrgid()).get());
}
......@@ -381,6 +490,8 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
permissionSQL.or(new QueryBuilder().get());
}
}
return permissionSQL;
}
/**
......@@ -533,4 +644,53 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return resultCond;
}
/**
* 转换[a,b]格式字符串到 'a','b'格式
*
* @return
*/
private String getEntityKeyCond(List<String> array) {
String[] arr = array.toArray(new String[array.size()]);
return "'" + String.join("','", arr) + "'";
}
/**
* 获取数据范围
* @param entityName
* @param action
* @param permissionList
* @return
*/
private JSONArray getDataRange(String entityName, String action , JSONObject permissionList){
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entityName);//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:readinsert...
return dataRangeList;
}
/**
* 获取实体主键集合
* @param entityBase
* @param entityList
* @return
*/
private List<String> getIds(EntityBase entityBase ,List<EntityBase> entityList) {
List<String> entityKeyList=new ArrayList<>();
Map<String,String> permissionField=getPermissionField(entityBase);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyFieldName))
return entityKeyList;
for(EntityBase entity: entityList){
Object objEntityKey = entity.get(keyFieldName);
if(!ObjectUtils.isEmpty(objEntityKey)){
entityKeyList.add(String.valueOf(objEntityKey));
}
}
return entityKeyList;
}
}
\ No newline at end of file
Markdown 格式
0% or
您添加了 0 到此讨论。请谨慎行事。
先完成此消息的编辑!
想要评论请 注册