Skip to content
项目
群组
代码片段
帮助
正在加载...
帮助
提交反馈
为 GitLab 提交贡献
登录
切换导航
iBiz4j Spring R7
项目
项目
详情
动态
版本
周期分析
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
统计图
议题
0
议题
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
CI / CD
CI / CD
流水线
作业
计划
统计图
Wiki
Wiki
代码片段
代码片段
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
统计图
创建新议题
作业
提交
议题看板
打开侧边栏
iBiz-R7后台标准模板
iBiz4j Spring R7
提交
fbf40ed2
提交
fbf40ed2
编写于
5月 20, 2020
作者:
zhouweidong
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
权限调整
上级
9287dafb
变更
2
显示空白字符变更
内嵌
并排
正在显示
2 个修改的文件
包含
104 行增加
和
140 行删除
+104
-140
%ITEM%Resource.java.ftl
...YS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
+8
-23
AuthPermissionEvaluator.java.ftl
...S_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
+96
-117
未找到文件。
SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
浏览文件 @
fbf40ed2
...
...
@@ -88,7 +88,9 @@ public class ${itemCodeName}Resource {
@
Autowired
@
Lazy
private
${
itemCodeName
}
Mapping
${
itemCodeNameLC
}
Mapping
;
public
${
itemCodeName
}
Mapping
${
itemCodeNameLC
}
Mapping
;
public
${
deCodeName
}
DTO
permissionDTO
=
new
${
deCodeName
}
DTO
();
<#--
嵌套服务对象
-->
<#
if
item
.
getPSDEServiceAPIRSs
()??>
...
...
@@ -156,7 +158,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission('','Create',{
this.getEntity(),'${deStorageMode}'
})"
)
@
PreAuthorize
(
"hasPermission('','Create',{
'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto
})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
POST
,
value
=
"${fullPath}"
)
...
...
@@ -167,11 +169,7 @@ public class ${itemCodeName}Resource {
${
itemCodeName
}
DTO
dto
=
${
itemCodeNameLC
}
Mapping
.
toDto
(
domain
);
return
ResponseEntity
.
status
(
HttpStatus
.
OK
).
body
(
dto
);
}
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission('','Create',{this.getEntity(),'${deStorageMode}'})"
)
</#
if
>
@
ApiOperation
(
value
=
"createBatch"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"createBatch"
)
@
RequestMapping
(
method
=
RequestMethod
.
POST
,
value
=
"${fullPath}/batch"
)
public
ResponseEntity
<
Boolean
>
createBatch
(${
etParamsList
})
{
...
...
@@ -183,7 +181,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{
this.getEntity(),'${deStorageMode}'
})"
)
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{
'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto
})"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
PUT
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -196,11 +194,6 @@ public class ${itemCodeName}Resource {
return
ResponseEntity
.
status
(
HttpStatus
.
OK
).
body
(
dto
);
}
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{this.getEntity(),'${deStorageMode}'})"
)
</#
if
>
@
ApiOperation
(
value
=
"UpdateBatch"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"UpdateBatch"
)
@
RequestMapping
(
method
=
RequestMethod
.
PUT
,
value
=
"${fullPath}/batch"
)
public
ResponseEntity
<
Boolean
>
updateBatch
(${
etParamsList
})
{
...
...
@@ -226,7 +219,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{
this.getEntity(),'${deStorageMode}'}
)"
)
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{
'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO
)"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
DELETE
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -246,7 +239,7 @@ public class ${itemCodeName}Resource {
<#
if
noDEPrefield
>
@
PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')"
)
<#
else
>
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{
this.getEntity(),'${deStorageMode}'}
)"
)
@
PreAuthorize
(
"hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{
'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO
)"
)
</#
if
>
@
ApiOperation
(
value
=
"${deaction.getLogicName()}"
,
tags
=
{
"${itemCodeName}"
},
notes
=
"${deaction.getLogicName()}"
)
@
RequestMapping
(
method
=
RequestMethod
.
GET
,
value
=
"${fullPath}/{${itemCodeNameLC + keyCNLC}}"
)
...
...
@@ -630,14 +623,6 @@ public class ${itemCodeName}Resource {
</#
if
>
<#--
关系接口
end
-->
/**
*
用户权限校验
*
@
return
*/
public
${
deCodeName
}
getEntity
(){
return
new
${
deCodeName
}();
}
}
</#
if
>
</#
if
>
\ No newline at end of file
SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
浏览文件 @
fbf40ed2
...
...
@@ -9,7 +9,9 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import
com
.
baomidou
.
mybatisplus
.
extension
.
service
.
impl
.
ServiceImpl
;
import
com
.
mongodb
.
QueryBuilder
;
import
${
pub
.
getPKGCodeName
()}.
util
.
annotation
.
DEField
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
DTOBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
EntityBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
domain
.
MappingBase
;
import
${
pub
.
getPKGCodeName
()}.
util
.
enums
.
DEPredefinedFieldType
;
import
${
pub
.
getPKGCodeName
()}.
util
.
filter
.
QueryBuildContext
;
import
${
pub
.
getPKGCodeName
()}.
util
.
filter
.
QueryWrapperContext
;
...
...
@@ -42,10 +44,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
*
实体行为操作标识
*/
private
String
DEActionType
=
"DEACTION"
;
<#--/**-->
<#--*
实体数据集操作标识
-->
<#--*/-->
<#--
private
String
DataSetTag
=
"DATASET"
;-->
/**
*
实体主键标识
*/
...
...
@@ -79,8 +77,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return
true
;
List
paramList
=
(
ArrayList
)
params
;
EntityBase
entity
=
(
EntityBase
)
paramList
.
get
(
0
);
String
deStorageMode
=
(
String
)
paramList
.
get
(
1
);
String
deStorageMode
=
(
String
)
paramList
.
get
(
0
);
MappingBase
mappingBase
=
(
MappingBase
)
paramList
.
get
(
1
);
DTOBase
dtoBase
=
(
DTOBase
)
paramList
.
get
(
2
);
EntityBase
entity
=
(
EntityBase
)
mappingBase
.
toDomain
(
dtoBase
);
if
(
StringUtils
.
isEmpty
(
entity
))
return
false
;
...
...
@@ -89,10 +89,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
JSONObject
permissionList
=
userPermission
.
getJSONObject
(
"entities"
);
String
entityName
=
entity
.
getClass
().
getSimpleName
();
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
validDEActionHasPermission
(
permissionList
,
entityName
,
action
);
}
else
{
//
拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
permissionList
,
entityName
,
action
)){
return
true
;
...
...
@@ -101,8 +97,11 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
!validDEActionHasPermission(permissionList,entityName,action)){
return
false
;
}
//
检查是否有数据权限
return
deActionPermissionValidRouter
(
deStorageMode
,
entity
,
action
,
srfKey
,
permissionList
);
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createActionPermissionValid
(
permissionList
,
entity
,
action
);
}
else
{
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
action
,
srfKey
,
permissionList
);
}
}
...
...
@@ -120,7 +119,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
!permissionList.containsKey(entityName))
return
false
;
JSONObject
entity
=
permissionList
.
getJSONObject
(
entityName
);
if
(
entity
.
containsKey
(
action
)
&&
entity
.
getJSONArray
(
action
).
contains
(
"ALL"
))
if
(
!entity.containsKey(DEActionType))
return
false
;
JSONObject
dataRange
=
entity
.
getJSONObject
(
DEActionType
);//
获取实体行为对应的数据范围
if
(
dataRange
.
containsKey
(
action
)
&&
dataRange
.
getJSONArray
(
action
).
contains
(
"all"
))
return
true
;
return
false
;
...
...
@@ -151,33 +153,81 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return
hasPermission
;
}
<#--/**-->
<#--*
数据集合权限校验
-->
<#--*
@
param
userPermission
-->
<#--*
@
param
entityName
-->
<#--*
@
param
dataSetName
-->
<#--*
userPermission
:{
"ENTITY"
:{
"DEACTION"
:{
"READ"
:[
"CURORG"
]},
"DATASET"
:{
"Default"
:[
"CURORG"
]}}}-->
<#--*
@
return
-->
<#--*/-->
<#--
private
boolean
validDataSetHasPermission
(
JSONObject
userPermission
,
String
entityName
,
String
dataSetName
){-->
<#--
boolean
hasPermission
=
false
;-->
<#--
if
(
userPermission
==
null
)-->
<#--
return
false
;-->
<#--
if
(
!userPermission.containsKey(entityName))-->
<#--
return
false
;-->
<#--
JSONObject
entity
=
userPermission
.
getJSONObject
(
entityName
);//
获取实体
-->
<#--
if
(
!entity.containsKey(DataSetTag))-->
<#--
return
false
;-->
<#--
JSONObject
dataSetList
=
entity
.
getJSONObject
(
DataSetTag
);//
获取数据集
-->
<#--
if
(
!dataSetList.containsKey(dataSetName))-->
<#--
return
false
;-->
<#--
JSONArray
dataRange
=
dataSetList
.
getJSONArray
(
dataSetName
);//
获取数据范围
-->
<#--
if
(
dataRange
!=null && dataRange.size()>0){-->
<#--
hasPermission
=
true
;-->
<#--}-->
<#--
return
hasPermission
;-->
<#--}-->
/**
*
新建行为校验
*
@
param
permissionList
*
@
param
entity
*
@
param
action
*
@
return
*/
private
boolean
createActionPermissionValid
(
JSONObject
permissionList
,
EntityBase
entity
,
String
action
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);//
获取组织、部门预置属性
String
keyField
=
permissionField
.
get
(
keyFieldTag
);
if
(
StringUtils
.
isEmpty
(
keyField
)){
throw
new
RuntimeException
(
"权限校验失败,请检查当前实体中是否已经配置主键属性!"
);
}
//
获取权限表达式
[
全部数据、本单位、本部门等
]
JSONObject
entityObj
=
permissionList
.
getJSONObject
(
entity
.
getClass
().
getSimpleName
());//
获取实体
JSONObject
permissionType
=
entityObj
.
getJSONObject
(
DEActionType
);
JSONArray
dataRangeList
=
permissionType
.
getJSONArray
(
action
);//
行为:
read
;
insert
...
if
(
dataRangeList
.
size
()==
0
)
return
false
;
boolean
isCreate
=
true
;
String
orgField
=
permissionField
.
get
(
"orgfield"
);
String
orgDeptField
=
permissionField
.
get
(
"orgsecfield"
);
String
createManField
=
permissionField
.
get
(
"createmanfield"
);
AuthenticationUser
authenticationUser
=
AuthenticationUser
.
getAuthenticationUser
();
Map
<
String
,
Set
<
String
>>
userInfo
=
authenticationUser
.
getOrgInfo
();
Set
<
String
>
orgParent
=
userInfo
.
get
(
"parentorg"
);
Set
<
String
>
orgChild
=
userInfo
.
get
(
"suborg"
);
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
Object
orgFieldValue
=
entity
.
get
(
orgField
);
Object
orgDeptFieldValue
=
entity
.
get
(
orgDeptField
);
Object
crateManFieldValue
=
entity
.
get
(
createManField
);
Set
<
String
>
userOrg
=
new
HashSet
<>();
Set
<
String
>
userOrgDept
=
new
HashSet
<>();
for
(
int
a
=
0
;
a
<
dataRangeList
.
size
();
a
++){
String
permissionCond
=
dataRangeList
.
getString
(
a
);//
权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//
本单位
userOrg
.
add
(
authenticationUser
.
getOrgid
());
}
else
if
(
permissionCond
.
equals
(
"porg"
)){//
上级单位
userOrg
.
addAll
(
orgParent
);
}
else
if
(
permissionCond
.
equals
(
"sorg"
)){//
下级单位
userOrg
.
addAll
(
orgChild
);
}
else
if
(
permissionCond
.
equals
(
"curorgdept"
)){//
本部门
userOrgDept
.
add
(
authenticationUser
.
getMdeptid
());
}
else
if
(
permissionCond
.
equals
(
"porgdept"
)){//
上级部门
userOrgDept
.
addAll
(
orgDeptParent
);
}
else
if
(
permissionCond
.
equals
(
"sorgdept"
)){//
下级部门
userOrgDept
.
addAll
(
orgDeptChild
);
}
}
if
(
!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue)){
return
false
;
}
if
(
!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue)){
return
false
;
}
if
(
!ObjectUtils.isEmpty(crateManFieldValue) && !crateManFieldValue.equals(authenticationUser.getUserid())){
return
false
;
}
return
isCreate
;
}
/**
*
根据实体存储模式,进行鉴权
...
...
@@ -188,7 +238,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
*
@
param
permissionList
*
@
return
*/
private
boolean
de
ActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
String
action
,
Object
srfKey
,
JSONObject
permissionList
){
private
boolean
other
ActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
String
action
,
Object
srfKey
,
JSONObject
permissionList
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlPermissionValid
(
entity
,
action
,
srfKey
,
permissionList
);
...
...
@@ -284,77 +334,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
}
<#--/**-->
<#--*
根据实体存储类型,拼接权限条件
-->
<#--*
@
param
deStorageMode
-->
<#--*
@
param
searchContext
-->
<#--*
@
param
entity
-->
<#--*
@
param
dataSetName
-->
<#--*
@
param
permissionList
-->
<#--*/-->
<#--
private
void
deDataSetFillPermissionSQLRouter
(
String
deStorageMode
,
Object
searchContext
,
EntityBase
entity
,
String
dataSetName
,
JSONObject
permissionList
){-->
<#--//
检查是否有数据权限
[
单行删除
]-->
<#--
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){-->
<#--
sqlPermissionBuilder
(
searchContext
,
entity
,
dataSetName
,
permissionList
);-->
<#--}-->
<#--
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){-->
<#--
noSqlPermissionBuilder
(
searchContext
,
entity
,
dataSetName
,
permissionList
);-->
<#--}-->
<#--
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){-->
<#--}-->
<#--
else
{-->
<#--
throw
new
RuntimeException
(
String
.
format
(
"未能识别[%s]实体对应存储模式[%s]"
,
entity
.
getClass
().
getSimpleName
(),
deStorageMode
));-->
<#--}-->
<#--}-->
<#--/**-->
<#--*
为
NoSQL
存储模式的表格查询填充权限条件
-->
<#--*
@
param
searchContext
-->
<#--*
@
param
entity
-->
<#--*
@
param
dataSetName
-->
<#--*
@
param
permissionList
-->
<#--*/-->
<#--
private
void
noSqlPermissionBuilder
(
Object
searchContext
,
EntityBase
entity
,
String
dataSetName
,
JSONObject
permissionList
)
{-->
<#--
if
(
searchContext
instanceof
QueryBuildContext
){-->
<#--//
获取权限表达式
[
全部数据、本单位、本部门等
]-->
<#--
String
entityName
=
entity
.
getClass
().
getSimpleName
();-->
<#--
JSONObject
entityObj
=
permissionList
.
getJSONObject
(
entityName
);-->
<#--
JSONObject
permissionType
=
entityObj
.
getJSONObject
(
DataSetTag
);-->
<#--
JSONArray
dataRange
=
permissionType
.
getJSONArray
(
dataSetName
);-->
<#--
if
(
dataRange
.
size
()==
0
)-->
<#--
return
;-->
<#--//
根据权限表达式生成查询条件,并将查询条件设置到
SearchContext
中
-->
<#--
fillNoSqlPermissionCond
(
dataRange
,
entity
,((
QueryBuildContext
)
searchContext
).
getSelectCond
());-->
<#--}-->
<#--}-->
<#--/**-->
<#--*
为
SQL
存储模式的表格查询填充权限条件
-->
<#--*
@
param
searchContext
-->
<#--*
@
param
entity
-->
<#--*
@
param
dataSetName
-->
<#--*
@
param
permissionList
-->
<#--*/-->
<#--
private
void
sqlPermissionBuilder
(
Object
searchContext
,
EntityBase
entity
,
String
dataSetName
,
JSONObject
permissionList
){-->
<#--//
获取权限表达式
[
全部数据、本单位、本部门等
]-->
<#--
String
entityName
=
entity
.
getClass
().
getSimpleName
();-->
<#--
JSONObject
entityObj
=
permissionList
.
getJSONObject
(
entityName
);//
获取实体
-->
<#--
JSONObject
permissionType
=
entityObj
.
getJSONObject
(
DataSetTag
);-->
<#--
JSONArray
dataRange
=
permissionType
.
getJSONArray
(
dataSetName
);//
获取实体数据集
-->
<#--
if
(
dataRange
.
size
()==
0
)-->
<#--
return
;-->
<#--//
根据权限条件获取
SQL
-->
<#--
String
permissionSQL
=
getPermissionSQL
(
entity
,
dataRange
);-->
<#--//
将
SQL
拼接到
SearchContext
中
-->
<#--
if
(
searchContext
instanceof
QueryWrapperContext
){-->
<#--
QueryWrapperContext
queryWrapperContext
=
(
QueryWrapperContext
)
searchContext
;-->
<#--
QueryWrapper
queryWrapper
=
queryWrapperContext
.
getSelectCond
();-->
<#--
queryWrapper
.
apply
(
permissionSQL
);-->
<#--}-->
<#--}-->
/**
*
为
NoSQL
存储模式的表格查询填充权限条件
...
...
编辑
预览
Markdown
格式
0%
请重试
or
添加新附件
添加附件
取消
您添加了
0
人
到此讨论。请谨慎行事。
先完成此消息的编辑!
取消
想要评论请
注册
或
登录