odcc/CpzIdc.git

yanzhaofeige

5 days ago 37f8463032c06236bfd098133c31cda51217b00f

commit \| author \| age
43dc29	1	package com.odcc.cpzidc.framework.aspectj;
Y	2
	3	import java.util.ArrayList;
	4	import java.util.List;
	5	import org.aspectj.lang.JoinPoint;
	6	import org.aspectj.lang.annotation.Aspect;
	7	import org.aspectj.lang.annotation.Before;
	8	import org.springframework.stereotype.Component;
	9	import com.odcc.cpzidc.common.annotation.DataScope;
	10	import com.odcc.cpzidc.common.constant.UserConstants;
	11	import com.odcc.cpzidc.common.core.domain.BaseEntity;
	12	import com.odcc.cpzidc.common.core.domain.entity.SysRole;
	13	import com.odcc.cpzidc.common.core.domain.entity.SysUser;
	14	import com.odcc.cpzidc.common.core.domain.model.LoginUser;
	15	import com.odcc.cpzidc.common.core.text.Convert;
	16	import com.odcc.cpzidc.common.utils.SecurityUtils;
	17	import com.odcc.cpzidc.common.utils.StringUtils;
	18	import com.odcc.cpzidc.framework.security.context.PermissionContextHolder;
	19
	20	/**
	21	* 数据过滤处理
	22	*
	23	* @author ruoyi
	24	*/
	25	@Aspect
	26	@Component
	27	public class DataScopeAspect
	28	{
	29	/**
	30	* 全部数据权限
	31	*/
	32	public static final String DATA_SCOPE_ALL = "1";
	33
	34	/**
	35	* 自定数据权限
	36	*/
	37	public static final String DATA_SCOPE_CUSTOM = "2";
	38
	39	/**
	40	* 部门数据权限
	41	*/
	42	public static final String DATA_SCOPE_DEPT = "3";
	43
	44	/**
	45	* 部门及以下数据权限
	46	*/
	47	public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
	48
	49	/**
	50	* 仅本人数据权限
	51	*/
	52	public static final String DATA_SCOPE_SELF = "5";
	53
	54	/**
	55	* 数据权限过滤关键字
	56	*/
	57	public static final String DATA_SCOPE = "dataScope";
	58
	59	@Before("@annotation(controllerDataScope)")
	60	public void doBefore(JoinPoint point, DataScope controllerDataScope) throws Throwable
	61	{
	62	clearDataScope(point);
	63	handleDataScope(point, controllerDataScope);
	64	}
	65
	66	protected void handleDataScope(final JoinPoint joinPoint, DataScope controllerDataScope)
	67	{
	68	// 获取当前的用户
	69	LoginUser loginUser = SecurityUtils.getLoginUser();
	70	if (StringUtils.isNotNull(loginUser))
	71	{
	72	SysUser currentUser = loginUser.getUser();
	73	// 如果是超级管理员，则不过滤数据
	74	if (StringUtils.isNotNull(currentUser) && !currentUser.isAdmin())
	75	{
	76	String permission = StringUtils.defaultIfEmpty(controllerDataScope.permission(), PermissionContextHolder.getContext());
	77	dataScopeFilter(joinPoint, currentUser, controllerDataScope.deptAlias(), controllerDataScope.userAlias(), permission);
	78	}
	79	}
	80	}
	81
	82	/**
	83	* 数据范围过滤
	84	*
	85	* @param joinPoint 切点
	86	* @param user 用户
	87	* @param deptAlias 部门别名
	88	* @param userAlias 用户别名
	89	* @param permission 权限字符
	90	*/
	91	public static void dataScopeFilter(JoinPoint joinPoint, SysUser user, String deptAlias, String userAlias, String permission)
	92	{
	93	StringBuilder sqlString = new StringBuilder();
	94	List<String> conditions = new ArrayList<String>();
	95	List<String> scopeCustomIds = new ArrayList<String>();
	96	user.getRoles().forEach(role -> {
	97	if (DATA_SCOPE_CUSTOM.equals(role.getDataScope()) && StringUtils.equals(role.getStatus(), UserConstants.ROLE_NORMAL) && StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission)))
	98	{
	99	scopeCustomIds.add(Convert.toStr(role.getRoleId()));
	100	}
	101	});
	102
	103	for (SysRole role : user.getRoles())
	104	{
	105	String dataScope = role.getDataScope();
	106	if (conditions.contains(dataScope) \|\| StringUtils.equals(role.getStatus(), UserConstants.ROLE_DISABLE))
	107	{
	108	continue;
	109	}
	110	if (!StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission)))
	111	{
	112	continue;
	113	}
	114	if (DATA_SCOPE_ALL.equals(dataScope))
	115	{
	116	sqlString = new StringBuilder();
	117	conditions.add(dataScope);
	118	break;
	119	}
	120	else if (DATA_SCOPE_CUSTOM.equals(dataScope))
	121	{
	122	if (scopeCustomIds.size() > 1)
	123	{
	124	// 多个自定数据权限使用in查询，避免多次拼接。
	125	sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id in ({}) ) ", deptAlias, String.join(",", scopeCustomIds)));
	126	}
	127	else
	128	{
	129	sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias, role.getRoleId()));
	130	}
	131	}
	132	else if (DATA_SCOPE_DEPT.equals(dataScope))
	133	{
	134	sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId()));
	135	}
	136	else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope))
	137	{
	138	sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )", deptAlias, user.getDeptId(), user.getDeptId()));
	139	}
	140	else if (DATA_SCOPE_SELF.equals(dataScope))
	141	{
	142	if (StringUtils.isNotBlank(userAlias))
	143	{
	144	sqlString.append(StringUtils.format(" OR {}.user_id = {} ", userAlias, user.getUserId()));
	145	}
	146	else
	147	{
	148	// 数据权限为仅本人且没有userAlias别名不查询任何数据
	149	sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias));
	150	}
	151	}
	152	conditions.add(dataScope);
	153	}
	154
	155	// 角色都不包含传递过来的权限字符，这个时候sqlString也会为空，所以要限制一下,不查询任何数据
	156	if (StringUtils.isEmpty(conditions))
	157	{
	158	sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias));
	159	}
	160
	161	if (StringUtils.isNotBlank(sqlString.toString()))
	162	{
	163	Object params = joinPoint.getArgs()[0];
	164	if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
	165	{
	166	BaseEntity baseEntity = (BaseEntity) params;
	167	baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
	168	}
	169	}
	170	}
	171
	172	/**
	173	* 拼接权限sql前先清空params.dataScope参数防止注入
	174	*/
	175	private void clearDataScope(final JoinPoint joinPoint)
	176	{
	177	Object params = joinPoint.getArgs()[0];
	178	if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
	179	{
	180	BaseEntity baseEntity = (BaseEntity) params;
	181	baseEntity.getParams().put(DATA_SCOPE, "");
	182	}
	183	}
	184	}