提交 fbf40ed2 编写于 作者: zhouweidong's avatar zhouweidong

权限调整

上级 9287dafb
...@@ -88,7 +88,9 @@ public class ${itemCodeName}Resource { ...@@ -88,7 +88,9 @@ public class ${itemCodeName}Resource {
@Autowired @Autowired
@Lazy @Lazy
private ${itemCodeName}Mapping ${itemCodeNameLC}Mapping; public ${itemCodeName}Mapping ${itemCodeNameLC}Mapping;
public ${deCodeName}DTO permissionDTO=new ${deCodeName}DTO();
<#-- 嵌套服务对象 --> <#-- 嵌套服务对象 -->
<#if item.getPSDEServiceAPIRSs()??> <#if item.getPSDEServiceAPIRSs()??>
...@@ -156,7 +158,7 @@ public class ${itemCodeName}Resource { ...@@ -156,7 +158,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else> <#else>
@PreAuthorize("hasPermission('','Create',{this.getEntity(),'${deStorageMode}'})") @PreAuthorize("hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}") @RequestMapping(method = RequestMethod.POST, value = "${fullPath}")
...@@ -167,11 +169,7 @@ public class ${itemCodeName}Resource { ...@@ -167,11 +169,7 @@ public class ${itemCodeName}Resource {
${itemCodeName}DTO dto = ${itemCodeNameLC}Mapping.toDto(domain); ${itemCodeName}DTO dto = ${itemCodeNameLC}Mapping.toDto(domain);
return ResponseEntity.status(HttpStatus.OK).body(dto); return ResponseEntity.status(HttpStatus.OK).body(dto);
} }
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission('','Create',{this.getEntity(),'${deStorageMode}'})")
</#if>
@ApiOperation(value = "createBatch", tags = {"${itemCodeName}" }, notes = "createBatch") @ApiOperation(value = "createBatch", tags = {"${itemCodeName}" }, notes = "createBatch")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}/batch") @RequestMapping(method = RequestMethod.POST, value = "${fullPath}/batch")
public ResponseEntity<Boolean> createBatch(${etParamsList}) { public ResponseEntity<Boolean> createBatch(${etParamsList}) {
...@@ -183,7 +181,7 @@ public class ${itemCodeName}Resource { ...@@ -183,7 +181,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{this.getEntity(),'${deStorageMode}'})") @PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -196,11 +194,6 @@ public class ${itemCodeName}Resource { ...@@ -196,11 +194,6 @@ public class ${itemCodeName}Resource {
return ResponseEntity.status(HttpStatus.OK).body(dto); return ResponseEntity.status(HttpStatus.OK).body(dto);
} }
<#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{this.getEntity(),'${deStorageMode}'})")
</#if>
@ApiOperation(value = "UpdateBatch", tags = {"${itemCodeName}" }, notes = "UpdateBatch") @ApiOperation(value = "UpdateBatch", tags = {"${itemCodeName}" }, notes = "UpdateBatch")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/batch") @RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/batch")
public ResponseEntity<Boolean> updateBatch(${etParamsList}) { public ResponseEntity<Boolean> updateBatch(${etParamsList}) {
...@@ -226,7 +219,7 @@ public class ${itemCodeName}Resource { ...@@ -226,7 +219,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{this.getEntity(),'${deStorageMode}'})") @PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO)")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -246,7 +239,7 @@ public class ${itemCodeName}Resource { ...@@ -246,7 +239,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{this.getEntity(),'${deStorageMode}'})") @PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO)")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -630,14 +623,6 @@ public class ${itemCodeName}Resource { ...@@ -630,14 +623,6 @@ public class ${itemCodeName}Resource {
</#if> </#if>
<#-- 关系接口 end --> <#-- 关系接口 end -->
/**
* 用户权限校验
* @return
*/
public ${deCodeName} getEntity(){
return new ${deCodeName}();
}
} }
</#if> </#if>
</#if> </#if>
\ No newline at end of file
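Review bot: The batch endpoints lose authorization entirely: the `@PreAuthorize` lines above `createBatch` and `updateBatch` are deleted on the new side with no replacement, while the single-record create/update keep both the `hasAnyAuthority` and `hasPermission` branches, so `POST ${fullPath}/batch` and `PUT ${fullPath}/batch` are now gated only by whatever the global security configuration applies. If the per-record `hasPermission` cannot be expressed for a list parameter, keep at least the role branch, `@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${sys.codeName}-${de.codeName}-${deaction.codeName}-all')")`, or run the evaluator per item inside the method body, so the batch path fails closed rather than open. Separately, the `Remove` and `Get` expressions appear to close the SpEL inline list with `)` where the `Create`/`Update` lines use `})`; if that is not a rendering artifact the expression will not parse and every single-record GET/DELETE will error out. `permissionDTO` is also a public mutable field on a singleton controller shared by all requests; it is only ever an empty placeholder, so it should at least be `final` (SpEL's `this.` access is presumably why it and the mapping were made public, so keep a getter if you narrow visibility).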
...@@ -9,7 +9,9 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; ...@@ -9,7 +9,9 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mongodb.QueryBuilder; import com.mongodb.QueryBuilder;
import ${pub.getPKGCodeName()}.util.annotation.DEField; import ${pub.getPKGCodeName()}.util.annotation.DEField;
import ${pub.getPKGCodeName()}.util.domain.DTOBase;
import ${pub.getPKGCodeName()}.util.domain.EntityBase; import ${pub.getPKGCodeName()}.util.domain.EntityBase;
import ${pub.getPKGCodeName()}.util.domain.MappingBase;
import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType; import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType;
import ${pub.getPKGCodeName()}.util.filter.QueryBuildContext; import ${pub.getPKGCodeName()}.util.filter.QueryBuildContext;
import ${pub.getPKGCodeName()}.util.filter.QueryWrapperContext; import ${pub.getPKGCodeName()}.util.filter.QueryWrapperContext;
...@@ -42,10 +44,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -42,10 +44,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* 实体行为操作标识 * 实体行为操作标识
*/ */
private String DEActionType="DEACTION"; private String DEActionType="DEACTION";
<#--/**-->
<#--* 实体数据集操作标识-->
<#--*/-->
<#--private String DataSetTag="DATASET";-->
/** /**
*实体主键标识 *实体主键标识
*/ */
...@@ -79,8 +77,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -79,8 +77,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return true; return true;
List paramList = (ArrayList) params; List paramList = (ArrayList) params;
EntityBase entity = (EntityBase) paramList.get(0); String deStorageMode= (String) paramList.get(0);
String deStorageMode= (String) paramList.get(1); MappingBase mappingBase= (MappingBase) paramList.get(1);
DTOBase dtoBase = (DTOBase) paramList.get(2);
EntityBase entity = (EntityBase) mappingBase.toDomain(dtoBase);
if (StringUtils.isEmpty(entity)) if (StringUtils.isEmpty(entity))
return false; return false;
...@@ -89,20 +89,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -89,20 +89,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
JSONObject permissionList=userPermission.getJSONObject("entities"); JSONObject permissionList=userPermission.getJSONObject("entities");
String entityName = entity.getClass().getSimpleName(); String entityName = entity.getClass().getSimpleName();
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(permissionList,entityName,action)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(permissionList,entityName,action)){
return false;
}
if(action.equalsIgnoreCase("create")){ if(action.equalsIgnoreCase("create")){
return validDEActionHasPermission(permissionList,entityName,action); return createActionPermissionValid(permissionList,entity, action);
} }
else{ else{
//拥有全部数据访问权限时,则跳过权限检查 return otherActionPermissionValidRouter(deStorageMode, entity , action , srfKey, permissionList);
if(isAllData(permissionList,entityName,action)){
return true;
}
//检查是否有操作权限[create.update.delete.read]
if(!validDEActionHasPermission(permissionList,entityName,action)){
return false;
}
//检查是否有数据权限
return deActionPermissionValidRouter(deStorageMode, entity , action , srfKey, permissionList);
} }
} }
...@@ -120,7 +119,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -120,7 +119,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if(!permissionList.containsKey(entityName)) if(!permissionList.containsKey(entityName))
return false; return false;
JSONObject entity=permissionList.getJSONObject(entityName); JSONObject entity=permissionList.getJSONObject(entityName);
if(entity.containsKey(action) && entity.getJSONArray(action).contains("ALL")) if(!entity.containsKey(DEActionType))
return false;
JSONObject dataRange=entity.getJSONObject(DEActionType);//获取实体行为对应的数据范围
if(dataRange.containsKey(action) && dataRange.getJSONArray(action).contains("all"))
return true; return true;
return false; return false;
...@@ -151,33 +153,81 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -151,33 +153,81 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return hasPermission; return hasPermission;
} }
<#--/**--> /**
<#--* 数据集合权限校验--> * 新建行为校验
<#--* @param userPermission--> * @param permissionList
<#--* @param entityName--> * @param entity
<#--* @param dataSetName--> * @param action
<#--* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}--> * @return
<#--* @return--> */
<#--*/--> private boolean createActionPermissionValid(JSONObject permissionList,EntityBase entity, String action){
<#--private boolean validDataSetHasPermission(JSONObject userPermission,String entityName ,String dataSetName){-->
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
<#--boolean hasPermission=false;--> String keyField=permissionField.get(keyFieldTag);
<#--if(userPermission==null)--> if(StringUtils.isEmpty(keyField)){
<#--return false;--> throw new RuntimeException("权限校验失败,请检查当前实体中是否已经配置主键属性!");
<#--if(!userPermission.containsKey(entityName))--> }
<#--return false;-->
<#--JSONObject entity=userPermission.getJSONObject(entityName);//获取实体--> //获取权限表达式[全部数据、本单位、本部门等]
<#--if(!entity.containsKey(DataSetTag))--> JSONObject entityObj=permissionList.getJSONObject(entity.getClass().getSimpleName());//获取实体
<#--return false;--> JSONObject permissionType= entityObj.getJSONObject(DEActionType);
<#--JSONObject dataSetList=entity.getJSONObject(DataSetTag);//获取数据集--> JSONArray dataRangeList=permissionType.getJSONArray(action);//行为:readinsert...
<#--if(!dataSetList.containsKey(dataSetName))--> if(dataRangeList.size()==0)
<#--return false;--> return false;
<#--JSONArray dataRange=dataSetList.getJSONArray(dataSetName);//获取数据范围-->
<#--if(dataRange!=null && dataRange.size()>0){--> boolean isCreate=true;
<#--hasPermission=true;-->
<#--}--> String orgField=permissionField.get("orgfield");
<#--return hasPermission;--> String orgDeptField=permissionField.get("orgsecfield");
<#--}--> String createManField=permissionField.get("createmanfield");
AuthenticationUser authenticationUser = AuthenticationUser.getAuthenticationUser();
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg");
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
Object orgFieldValue=entity.get(orgField);
Object orgDeptFieldValue=entity.get(orgDeptField);
Object crateManFieldValue=entity.get(createManField);
Set<String> userOrg = new HashSet<>();
Set<String> userOrgDept = new HashSet<>();
for(int a=0;a<dataRangeList.size();a++){
String permissionCond=dataRangeList.getString(a);//权限配置条件
if(permissionCond.equals("curorg")){ //本单位
userOrg.add(authenticationUser.getOrgid());
}
else if(permissionCond.equals("porg")){//上级单位
userOrg.addAll(orgParent);
}
else if(permissionCond.equals("sorg")){//下级单位
userOrg.addAll(orgChild);
}
else if(permissionCond.equals("curorgdept")){//本部门
userOrgDept.add(authenticationUser.getMdeptid());
}
else if(permissionCond.equals("porgdept")){//上级部门
userOrgDept.addAll(orgDeptParent);
}
else if(permissionCond.equals("sorgdept")){//下级部门
userOrgDept.addAll(orgDeptChild);
}
}
if(!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue)){
return false;
}
if(!ObjectUtils.isEmpty(orgDeptFieldValue) && !userOrgDept.contains(orgDeptFieldValue)){
return false;
}
if(!ObjectUtils.isEmpty(crateManFieldValue) && !crateManFieldValue.equals(authenticationUser.getUserid())){
return false;
}
return isCreate;
}
/** /**
* 根据实体存储模式,进行鉴权 * 根据实体存储模式,进行鉴权
...@@ -188,7 +238,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -188,7 +238,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param permissionList * @param permissionList
* @return * @return
*/ */
private boolean deActionPermissionValidRouter(String deStorageMode, EntityBase entity , String action , Object srfKey , JSONObject permissionList){ private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , String action , Object srfKey , JSONObject permissionList){
if(deStorageMode.equalsIgnoreCase("sql")){ if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , action , srfKey, permissionList); return sqlPermissionValid(entity , action , srfKey, permissionList);
...@@ -284,77 +334,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -284,77 +334,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
} }
} }
<#--/**-->
<#--* 根据实体存储类型,拼接权限条件-->
<#--* @param deStorageMode-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void deDataSetFillPermissionSQLRouter(String deStorageMode , Object searchContext, EntityBase entity ,String dataSetName ,JSONObject permissionList){-->
<#--//检查是否有数据权限[单行删除]-->
<#--if(deStorageMode.equalsIgnoreCase("sql")){-->
<#--sqlPermissionBuilder(searchContext, entity , dataSetName, permissionList);-->
<#--}-->
<#--else if(deStorageMode.equalsIgnoreCase("nosql")){-->
<#--noSqlPermissionBuilder(searchContext, entity , dataSetName, permissionList);-->
<#--}-->
<#--else if(deStorageMode.equalsIgnoreCase("serviceapi")){-->
<#--}-->
<#--else {-->
<#--throw new RuntimeException(String.format("未能识别[%s]实体对应存储模式[%s]",entity.getClass().getSimpleName(),deStorageMode));-->
<#--}-->
<#--}-->
<#--/**-->
<#--* NoSQL存储模式的表格查询填充权限条件-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void noSqlPermissionBuilder(Object searchContext, EntityBase entity, String dataSetName, JSONObject permissionList) {-->
<#--if(searchContext instanceof QueryBuildContext){-->
<#--//获取权限表达式[全部数据、本单位、本部门等]-->
<#--String entityName=entity.getClass().getSimpleName();-->
<#--JSONObject entityObj=permissionList.getJSONObject(entityName);-->
<#--JSONObject permissionType=entityObj.getJSONObject(DataSetTag);-->
<#--JSONArray dataRange=permissionType.getJSONArray(dataSetName);-->
<#--if(dataRange.size()==0)-->
<#--return ;-->
<#--//根据权限表达式生成查询条件,并将查询条件设置到SearchContext-->
<#--fillNoSqlPermissionCond(dataRange,entity,((QueryBuildContext) searchContext).getSelectCond());-->
<#--}-->
<#--}-->
<#--/**-->
<#--* SQL存储模式的表格查询填充权限条件-->
<#--* @param searchContext-->
<#--* @param entity-->
<#--* @param dataSetName-->
<#--* @param permissionList-->
<#--*/-->
<#--private void sqlPermissionBuilder(Object searchContext, EntityBase entity, String dataSetName, JSONObject permissionList){-->
<#--//获取权限表达式[全部数据、本单位、本部门等]-->
<#--String entityName=entity.getClass().getSimpleName();-->
<#--JSONObject entityObj=permissionList.getJSONObject(entityName);//获取实体-->
<#--JSONObject permissionType=entityObj.getJSONObject(DataSetTag);-->
<#--JSONArray dataRange=permissionType.getJSONArray(dataSetName);//获取实体数据集-->
<#--if(dataRange.size()==0)-->
<#--return ;-->
<#--//根据权限条件获取SQL-->
<#--String permissionSQL=getPermissionSQL(entity,dataRange);-->
<#--//SQL拼接到SearchContext-->
<#--if(searchContext instanceof QueryWrapperContext){-->
<#--QueryWrapperContext queryWrapperContext = (QueryWrapperContext) searchContext;-->
<#--QueryWrapper queryWrapper = queryWrapperContext.getSelectCond();-->
<#--queryWrapper.apply(permissionSQL);-->
<#--}-->
<#--}-->
/** /**
* NoSQL存储模式的表格查询填充权限条件 * NoSQL存储模式的表格查询填充权限条件
......
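Review bot: In `createActionPermissionValid`, each data-scope guard is skipped when the submitted value is empty (`!ObjectUtils.isEmpty(orgFieldValue) && !userOrg.contains(orgFieldValue)` and the two that follow), so a create request that simply omits the org, department and creator fields passes a `curorg`/`curorgdept`-scoped range unconditionally; whether that is safe depends on the service layer later overwriting those predefined fields from the session rather than trusting the client, which is not visible here. To make the decision match what will actually be stored, resolve empty values to the caller before comparing, e.g. `if (ObjectUtils.isEmpty(orgFieldValue)) orgFieldValue = authenticationUser.getOrgid();` and likewise `getMdeptid()` for the dept value and `getUserid()` for the creator value, so a range that excludes the caller's own org fails closed. The rewritten `isAllData` now requires the `DEACTION` sub-object and the lowercase token `all` where it previously matched `ALL` at the entity level; permission payloads still in the old layout will now be denied (good), but confirm the sql/nosql validators outside this hunk compare the same lowercase tokens. `isCreate` is always `true` and can be dropped in favour of `return true;`; the last hunk of this section is cut off at the end of the page.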