提交 fbf40ed2 编写于 作者: zhouweidong's avatar zhouweidong

权限调整

上级 9287dafb
......@@ -88,7 +88,9 @@ public class ${itemCodeName}Resource {
@Autowired
@Lazy
private ${itemCodeName}Mapping ${itemCodeNameLC}Mapping;
public ${itemCodeName}Mapping ${itemCodeNameLC}Mapping;
public ${deCodeName}DTO permissionDTO=new ${deCodeName}DTO();
<#-- 嵌套服务对象 -->
<#if item.getPSDEServiceAPIRSs()??>
......@@ -156,7 +158,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission('','Create',{this.getEntity(),'${deStorageMode}'})")
@PreAuthorize("hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}")
......@@ -167,11 +169,7 @@ public class ${itemCodeName}Resource {
${itemCodeName}DTO dto = ${itemCodeNameLC}Mapping.toDto(domain);
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission('','Create',{this.getEntity(),'${deStorageMode}'})")
</#if>
@ApiOperation(value = "createBatch", tags = {"${itemCodeName}" }, notes = "createBatch")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/batch")
public ResponseEntity<Boolean> createBatch(${etParamsList}) {
......@@ -183,7 +181,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{this.getEntity(),'${deStorageMode}'})")
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
......@@ -196,11 +194,6 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto);
}
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{this.getEntity(),'${deStorageMode}'})")
</#if>
@ApiOperation(value = "UpdateBatch", tags = {"${itemCodeName}" }, notes = "UpdateBatch")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/batch")
public ResponseEntity<Boolean> updateBatch(${etParamsList}) {
......@@ -226,7 +219,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{this.getEntity(),'${deStorageMode}'})")
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO)")
</#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
......@@ -246,7 +239,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{this.getEntity(),'${deStorageMode}'})")
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO)")
</#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
......@@ -630,14 +623,6 @@ public class ${itemCodeName}Resource {
</#if>
<#-- 关系接口 end -->
/**
* 用户权限校验
* @return
*/
public ${deCodeName} getEntity(){
return new ${deCodeName}();
}
}
</#if>
</#if>
\ No newline at end of file
......@@ -9,7 +9,9 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mongodb.QueryBuilder;
import ${pub.getPKGCodeName()}.util.annotation.DEField;
import ${pub.getPKGCodeName()}.util.domain.DTOBase;
import ${pub.getPKGCodeName()}.util.domain.EntityBase;
import ${pub.getPKGCodeName()}.util.domain.MappingBase;
import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType;
import ${pub.getPKGCodeName()}.util.filter.QueryBuildContext;
import ${pub.getPKGCodeName()}.util.filter.QueryWrapperContext;
......@@ -42,10 +44,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* 实体行为操作标识
*/
private String DEActionType="DEACTION";
<#--/**-->
<#--* 实体数据集操作标识-->
<#--*/-->
<#--private String DataSetTag="DATASET";-->
/**
*实体主键标识
*/
......@@ -79,8 +77,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return true;
List paramList = (ArrayList) params;
EntityBase entity = (EntityBase) paramList.get(0);
String deStorageMode= (String) paramList.get(1);
String deStorageMode= (String) paramList.get(0);
MappingBase mappingBase= (MappingBase) paramList.get(1);
DTOBase dtoBase = (DTOBase) paramList.get(2);
EntityBase entity = (EntityBase) mappingBase.toDomain(dtoBase);
if (StringUtils.isEmpty(entity))
return false;
......@@ -89,10 +89,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName();
if(action.equalsIgnoreCase("create")){
return validDEActionHasPermission(permissionList,entityName,action);
}
else{
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(permissionList,entityName,action)){
return true;
......@@ -101,8 +97,11 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if(!validDEActionHasPermission(permissionList,entityName,action)){
return false;
}
//检查是否有数据权限
return deActionPermissionValidRouter(deStorageMode, entity , action , srfKey, permissionList);
if(action.equalsIgnoreCase("create")){
return createActionPermissionValid(permissionList,entity, action);
}
else{
return otherActionPermissionValidRouter(deStorageMode, entity , action , srfKey, permissionList);
}
}
......@@ -120,7 +119,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if(!permissionList.containsKey(entityName))
return false;
JSONObject entity=permissionList.getJSONObject(entityName);
if(entity.containsKey(action) && entity.getJSONArray(action).contains("ALL"))
if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action) && dataRange.getJSONArray(action).contains("all"))
return true;
return false;
......@@ -151,33 +153,81 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return hasPermission;
}
<#--/**-->
<#--* 数据集合权限校验-->
<#--* @param userPermission-->
<#--* @param entityName-->
<#--* @param dataSetName-->
<#--* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}-->
<#--* @return-->
<#--*/-->
<#--private boolean validDataSetHasPermission(JSONObject userPermission,String entityName ,String dataSetName){-->
<#--boolean hasPermission=false;-->
<#--if(userPermission==null)-->
<#--return false;-->
<#--if(!userPermission.containsKey(entityName))-->
<#--return false;-->
<#--JSONObject entity=userPermission.getJSONObject(entityName);//获取实体-->
<#--if(!entity.containsKey(DataSetTag))-->
<#--return false;-->
<#--JSONObject dataSetList=entity.getJSONObject(DataSetTag);//获取数据集-->
<#--if(!dataSetList.containsKey(dataSetName))-->
<#--return false;-->
<#--JSONArray dataRange=dataSetList.getJSONArray(dataSetName);//获取数据范围-->
<#--if(dataRange!=null && dataRange.size()>0){-->
<#--hasPermission=true;-->
<#--}-->
<#--return hasPermission;-->
<#--}-->
/**
* 新建行为校验
* @param permissionList
* @param entity
* @param action
* @return
*/
private boolean createActionPermissionValid(JSONObject permissionList,EntityBase entity, String action){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyField)){
throw new RuntimeException("权限校验失败,请检查当前实体中是否已经配置主键属性!");
}
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject entityObj=permissionList.getJSONObject(entity.getClass().getSimpleName());//获取实体
JSONObject permissionType= entityObj.getJSONObject(DEActionType);
JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:readinsert...
if(dataRangeList.size()==0)
return false;
boolean isCreate=true;
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield");
AuthenticationUser authenticationUser = AuthenticationUser.getAuthenticationUser();
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg");
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
Object orgFieldValue=entity.get(orgField);
Object orgDeptFieldValue=entity.get(orgDeptField);
Object crateManFieldValue=entity.get(createManField);
Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>();
for(int a=0;a<dataRangeList.size();a++){
String permissionCond=dataRangeList.getString(a);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid());
}
else if(permissionCond.equals("porg")){//上级单位
userOrg.addAll(orgParent);
}
else if(permissionCond.equals("sorg")){//下级单位
userOrg.addAll(orgChild);
}
else if(permissionCond.equals("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid());
}
else if(permissionCond.equals("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent);
}
else if(permissionCond.equals("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild);
}
}
if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue)){
return false;
}
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue)){
return false;
}
if(!ObjectUtils.isEmpty(crateManFieldValue) && !crateManFieldValue.equals(authenticationUser.getUserid())){
return false;
}
return isCreate;
}
/**
* 根据实体存储模式,进行鉴权
......@@ -188,7 +238,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param permissionList
* @return
*/
private boolean deActionPermissionValidRouter(String deStorageMode, EntityBase entity , String action , Object srfKey , JSONObject permissionList){
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , String action , Object srfKey , JSONObject permissionList){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , action , srfKey, permissionList);
......@@ -284,77 +334,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
}
<#--/**-->
<#--* 根据实体存储类型,拼接权限条件-->
<#--* @param deStorageMode-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void deDataSetFillPermissionSQLRouter(String deStorageMode , Object searchContext, EntityBase entity ,String dataSetName ,JSONObject permissionList){-->
<#--//检查是否有数据权限[单行删除]-->
<#--if(deStorageMode.equalsIgnoreCase("sql")){-->
<#--sqlPermissionBuilder(searchContext, entity , dataSetName, permissionList);-->
<#--}-->
<#--else if(deStorageMode.equalsIgnoreCase("nosql")){-->
<#--noSqlPermissionBuilder(searchContext, entity , dataSetName, permissionList);-->
<#--}-->
<#--else if(deStorageMode.equalsIgnoreCase("serviceapi")){-->
<#--}-->
<#--else {-->
<#--throw new RuntimeException(String.format("未能识别[%s]实体对应存储模式[%s]",entity.getClass().getSimpleName(),deStorageMode));-->
<#--}-->
<#--}-->
<#--/**-->
<#--* NoSQL存储模式的表格查询填充权限条件-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void noSqlPermissionBuilder(Object searchContext, EntityBase entity, String dataSetName, JSONObject permissionList) {-->
<#--if(searchContext instanceof QueryBuildContext){-->
<#--//获取权限表达式[全部数据、本单位、本部门等]-->
<#--String entityName=entity.getClass().getSimpleName();-->
<#--JSONObject entityObj=permissionList.getJSONObject(entityName);-->
<#--JSONObject permissionType=entityObj.getJSONObject(DataSetTag);-->
<#--JSONArray dataRange=permissionType.getJSONArray(dataSetName);-->
<#--if(dataRange.size()==0)-->
<#--return ;-->
<#--//根据权限表达式生成查询条件,并将查询条件设置到SearchContext-->
<#--fillNoSqlPermissionCond(dataRange,entity,((QueryBuildContext) searchContext).getSelectCond());-->
<#--}-->
<#--}-->
<#--/**-->
<#--* SQL存储模式的表格查询填充权限条件-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void sqlPermissionBuilder(Object searchContext, EntityBase entity, String dataSetName, JSONObject permissionList){-->
<#--//获取权限表达式[全部数据、本单位、本部门等]-->
<#--String entityName=entity.getClass().getSimpleName();-->
<#--JSONObject entityObj=permissionList.getJSONObject(entityName);//获取实体-->
<#--JSONObject permissionType=entityObj.getJSONObject(DataSetTag);-->
<#--JSONArray dataRange=permissionType.getJSONArray(dataSetName);//获取实体数据集-->
<#--if(dataRange.size()==0)-->
<#--return ;-->
<#--//根据权限条件获取SQL-->
<#--String permissionSQL=getPermissionSQL(entity,dataRange);-->
<#--//SQL拼接到SearchContext-->
<#--if(searchContext instanceof QueryWrapperContext){-->
<#--QueryWrapperContext queryWrapperContext = (QueryWrapperContext) searchContext;-->
<#--QueryWrapper queryWrapper = queryWrapperContext.getSelectCond();-->
<#--queryWrapper.apply(permissionSQL);-->
<#--}-->
<#--}-->
/**
* NoSQL存储模式的表格查询填充权限条件
......
Markdown 格式
0% or
您添加了 0 到此讨论。请谨慎行事。
先完成此消息的编辑!
想要评论请 注册