| 提交 | 用户 | 时间 | ||
| a6316e | 1 | package com.billion.framework.aspectj; |
| A | 2 | |
| 3 | import java.util.ArrayList; | |
| 4 | import java.util.List; | |
| 5 | import org.aspectj.lang.JoinPoint; | |
| 6 | import org.aspectj.lang.annotation.Aspect; | |
| 7 | import org.aspectj.lang.annotation.Before; | |
| 8 | import org.springframework.stereotype.Component; | |
| 9 | import com.billion.common.annotation.DataScope; | |
| 10 | import com.billion.common.constant.UserConstants; | |
| 11 | import com.billion.common.core.domain.BaseEntity; | |
| 12 | import com.billion.common.core.domain.entity.SysRole; | |
| 13 | import com.billion.common.core.domain.entity.SysUser; | |
| 14 | import com.billion.common.core.domain.model.LoginUser; | |
| 15 | import com.billion.common.core.text.Convert; | |
| 16 | import com.billion.common.utils.SecurityUtils; | |
| 17 | import com.billion.common.utils.StringUtils; | |
| 18 | import com.billion.framework.security.context.PermissionContextHolder; | |
| 19 | ||
| 20 | /** | |
| 21 | * 数据过滤处理 | |
| 22 | * | |
| 23 | * @author ruoyi | |
| 24 | */ | |
| 25 | @Aspect | |
| 26 | @Component | |
| 27 | public class DataScopeAspect | |
| 28 | { | |
| 29 | /** | |
| 30 | * 全部数据权限 | |
| 31 | */ | |
| 32 | public static final String DATA_SCOPE_ALL = "1"; | |
| 33 | ||
| 34 | /** | |
| 35 | * 自定数据权限 | |
| 36 | */ | |
| 37 | public static final String DATA_SCOPE_CUSTOM = "2"; | |
| 38 | ||
| 39 | /** | |
| 40 | * 部门数据权限 | |
| 41 | */ | |
| 42 | public static final String DATA_SCOPE_DEPT = "3"; | |
| 43 | ||
| 44 | /** | |
| 45 | * 部门及以下数据权限 | |
| 46 | */ | |
| 47 | public static final String DATA_SCOPE_DEPT_AND_CHILD = "4"; | |
| 48 | ||
| 49 | /** | |
| 50 | * 仅本人数据权限 | |
| 51 | */ | |
| 52 | public static final String DATA_SCOPE_SELF = "5"; | |
| 53 | ||
| 54 | /** | |
| 55 | * 数据权限过滤关键字 | |
| 56 | */ | |
| 57 | public static final String DATA_SCOPE = "dataScope"; | |
| 58 | ||
| 59 | @Before("@annotation(controllerDataScope)") | |
| 60 | public void doBefore(JoinPoint point, DataScope controllerDataScope) throws Throwable | |
| 61 | { | |
| 62 | clearDataScope(point); | |
| 63 | handleDataScope(point, controllerDataScope); | |
| 64 | } | |
| 65 | ||
| 66 | protected void handleDataScope(final JoinPoint joinPoint, DataScope controllerDataScope) | |
| 67 | { | |
| 68 | // 获取当前的用户 | |
| 69 | LoginUser loginUser = SecurityUtils.getLoginUser(); | |
| 70 | if (StringUtils.isNotNull(loginUser)) | |
| 71 | { | |
| 72 | SysUser currentUser = loginUser.getUser(); | |
| 73 | // 如果是超级管理员,则不过滤数据 | |
| 74 | if (StringUtils.isNotNull(currentUser) && !currentUser.isAdmin()) | |
| 75 | { | |
| 76 | String permission = StringUtils.defaultIfEmpty(controllerDataScope.permission(), PermissionContextHolder.getContext()); | |
| 77 | dataScopeFilter(joinPoint, currentUser, controllerDataScope.deptAlias(), controllerDataScope.userAlias(), permission); | |
| 78 | } | |
| 79 | } | |
| 80 | } | |
| 81 | ||
| 82 | /** | |
| 83 | * 数据范围过滤 | |
| 84 | * | |
| 85 | * @param joinPoint 切点 | |
| 86 | * @param user 用户 | |
| 87 | * @param deptAlias 部门别名 | |
| 88 | * @param userAlias 用户别名 | |
| 89 | * @param permission 权限字符 | |
| 90 | */ | |
| 91 | public static void dataScopeFilter(JoinPoint joinPoint, SysUser user, String deptAlias, String userAlias, String permission) | |
| 92 | { | |
| 93 | StringBuilder sqlString = new StringBuilder(); | |
| 94 | List<String> conditions = new ArrayList<String>(); | |
| 95 | List<String> scopeCustomIds = new ArrayList<String>(); | |
| 96 | user.getRoles().forEach(role -> { | |
| 97 | if (DATA_SCOPE_CUSTOM.equals(role.getDataScope()) && StringUtils.equals(role.getStatus(), UserConstants.ROLE_NORMAL) && StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission))) | |
| 98 | { | |
| 99 | scopeCustomIds.add(Convert.toStr(role.getRoleId())); | |
| 100 | } | |
| 101 | }); | |
| 102 | ||
| 103 | for (SysRole role : user.getRoles()) | |
| 104 | { | |
| 105 | String dataScope = role.getDataScope(); | |
| 106 | if (conditions.contains(dataScope) || StringUtils.equals(role.getStatus(), UserConstants.ROLE_DISABLE)) | |
| 107 | { | |
| 108 | continue; | |
| 109 | } | |
| 110 | if (!StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission))) | |
| 111 | { | |
| 112 | continue; | |
| 113 | } | |
| 114 | if (DATA_SCOPE_ALL.equals(dataScope)) | |
| 115 | { | |
| 116 | sqlString = new StringBuilder(); | |
| 117 | conditions.add(dataScope); | |
| 118 | break; | |
| 119 | } | |
| 120 | else if (DATA_SCOPE_CUSTOM.equals(dataScope)) | |
| 121 | { | |
| 122 | if (scopeCustomIds.size() > 1) | |
| 123 | { | |
| 124 | // 多个自定数据权限使用in查询,避免多次拼接。 | |
| 125 | sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id in ({}) ) ", deptAlias, String.join(",", scopeCustomIds))); | |
| 126 | } | |
| 127 | else | |
| 128 | { | |
| 129 | sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias, role.getRoleId())); | |
| 130 | } | |
| 131 | } | |
| 132 | else if (DATA_SCOPE_DEPT.equals(dataScope)) | |
| 133 | { | |
| 134 | sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId())); | |
| 135 | } | |
| 136 | else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)) | |
| 137 | { | |
| 138 | sqlString.append(StringUtils.format(" OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )", deptAlias, user.getDeptId(), user.getDeptId())); | |
| 139 | } | |
| 140 | else if (DATA_SCOPE_SELF.equals(dataScope)) | |
| 141 | { | |
| 142 | if (StringUtils.isNotBlank(userAlias)) | |
| 143 | { | |
| 144 | sqlString.append(StringUtils.format(" OR {}.user_id = {} ", userAlias, user.getUserId())); | |
| 145 | } | |
| 146 | else | |
| 147 | { | |
| 148 | // 数据权限为仅本人且没有userAlias别名不查询任何数据 | |
| 149 | sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias)); | |
| 150 | } | |
| 151 | } | |
| 152 | conditions.add(dataScope); | |
| 153 | } | |
| 154 | ||
| 155 | // 角色都不包含传递过来的权限字符,这个时候sqlString也会为空,所以要限制一下,不查询任何数据 | |
| 156 | if (StringUtils.isEmpty(conditions)) | |
| 157 | { | |
| 158 | sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias)); | |
| 159 | } | |
| 160 | ||
| 161 | if (StringUtils.isNotBlank(sqlString.toString())) | |
| 162 | { | |
| 163 | Object params = joinPoint.getArgs()[0]; | |
| 164 | if (StringUtils.isNotNull(params) && params instanceof BaseEntity) | |
| 165 | { | |
| 166 | BaseEntity baseEntity = (BaseEntity) params; | |
| 167 | baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")"); | |
| 168 | } | |
| 169 | } | |
| 170 | } | |
| 171 | ||
| 172 | /** | |
| 173 | * 拼接权限sql前先清空params.dataScope参数防止注入 | |
| 174 | */ | |
| 175 | private void clearDataScope(final JoinPoint joinPoint) | |
| 176 | { | |
| 177 | Object params = joinPoint.getArgs()[0]; | |
| 178 | if (StringUtils.isNotNull(params) && params instanceof BaseEntity) | |
| 179 | { | |
| 180 | BaseEntity baseEntity = (BaseEntity) params; | |
| 181 | baseEntity.getParams().put(DATA_SCOPE, ""); | |
| 182 | } | |
| 183 | } | |
| 184 | } | |
