Jcdm-Mes-Plus.git

wujian

2024-02-22 268beb4ebc1e5b8d4ad715b71cd64a0944073a87

提交 \| 用户 \| 时间
268beb	1	package com.jcdm.framework.aspectj;
W	2
	3	import java.util.ArrayList;
	4	import java.util.List;
	5	import org.aspectj.lang.JoinPoint;
	6	import org.aspectj.lang.annotation.Aspect;
	7	import org.aspectj.lang.annotation.Before;
	8	import org.springframework.stereotype.Component;
	9	import com.jcdm.common.annotation.DataScope;
	10	import com.jcdm.common.core.domain.BaseEntity;
	11	import com.jcdm.common.core.domain.entity.SysRole;
	12	import com.jcdm.common.core.domain.entity.SysUser;
	13	import com.jcdm.common.core.domain.model.LoginUser;
	14	import com.jcdm.common.core.text.Convert;
	15	import com.jcdm.common.utils.SecurityUtils;
	16	import com.jcdm.common.utils.StringUtils;
	17	import com.jcdm.framework.security.context.PermissionContextHolder;
	18
	19	/**
	20	* 数据过滤处理
	21	*
	22	* @author jc
	23	*/
	24	@Aspect
	25	@Component
	26	public class DataScopeAspect
	27	{
	28	/**
	29	* 全部数据权限
	30	*/
	31	public static final String DATA_SCOPE_ALL = "1";
	32
	33	/**
	34	* 自定数据权限
	35	*/
	36	public static final String DATA_SCOPE_CUSTOM = "2";
	37
	38	/**
	39	* 部门数据权限
	40	*/
	41	public static final String DATA_SCOPE_DEPT = "3";
	42
	43	/**
	44	* 部门及以下数据权限
	45	*/
	46	public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
	47
	48	/**
	49	* 仅本人数据权限
	50	*/
	51	public static final String DATA_SCOPE_SELF = "5";
	52
	53	/**
	54	* 数据权限过滤关键字
	55	*/
	56	public static final String DATA_SCOPE = "dataScope";
	57
	58	@Before("@annotation(controllerDataScope)")
	59	public void doBefore(JoinPoint point, DataScope controllerDataScope) throws Throwable
	60	{
	61	clearDataScope(point);
	62	handleDataScope(point, controllerDataScope);
	63	}
	64
	65	protected void handleDataScope(final JoinPoint joinPoint, DataScope controllerDataScope)
	66	{
	67	// 获取当前的用户
	68	LoginUser loginUser = SecurityUtils.getLoginUser();
	69	if (StringUtils.isNotNull(loginUser))
	70	{
	71	SysUser currentUser = loginUser.getUser();
	72	// 如果是超级管理员，则不过滤数据
	73	if (StringUtils.isNotNull(currentUser) && !currentUser.isAdmin())
	74	{
	75	String permission = StringUtils.defaultIfEmpty(controllerDataScope.permission(), PermissionContextHolder.getContext());
	76	dataScopeFilter(joinPoint, currentUser, controllerDataScope.deptAlias(),
	77	controllerDataScope.userAlias(), permission);
	78	}
	79	}
	80	}
	81
	82	/**
	83	* 数据范围过滤
	84	*
	85	* @param joinPoint 切点
	86	* @param user 用户
	87	* @param deptAlias 部门别名
	88	* @param userAlias 用户别名
	89	* @param permission 权限字符
	90	*/
	91	public static void dataScopeFilter(JoinPoint joinPoint, SysUser user, String deptAlias, String userAlias, String permission)
	92	{
	93	StringBuilder sqlString = new StringBuilder();
	94	List<String> conditions = new ArrayList<String>();
	95
	96	for (SysRole role : user.getRoles())
	97	{
	98	String dataScope = role.getDataScope();
	99	if (!DATA_SCOPE_CUSTOM.equals(dataScope) && conditions.contains(dataScope))
	100	{
	101	continue;
	102	}
	103	if (StringUtils.isNotEmpty(permission) && StringUtils.isNotEmpty(role.getPermissions())
	104	&& !StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission)))
	105	{
	106	continue;
	107	}
	108	if (DATA_SCOPE_ALL.equals(dataScope))
	109	{
	110	sqlString = new StringBuilder();
	111	conditions.add(dataScope);
	112	break;
	113	}
	114	else if (DATA_SCOPE_CUSTOM.equals(dataScope))
	115	{
	116	sqlString.append(StringUtils.format(
	117	" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias,
	118	role.getRoleId()));
	119	}
	120	else if (DATA_SCOPE_DEPT.equals(dataScope))
	121	{
	122	sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId()));
	123	}
	124	else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope))
	125	{
	126	sqlString.append(StringUtils.format(
	127	" OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )",
	128	deptAlias, user.getDeptId(), user.getDeptId()));
	129	}
	130	else if (DATA_SCOPE_SELF.equals(dataScope))
	131	{
	132	if (StringUtils.isNotBlank(userAlias))
	133	{
	134	sqlString.append(StringUtils.format(" OR {}.user_id = {} ", userAlias, user.getUserId()));
	135	}
	136	else
	137	{
	138	// 数据权限为仅本人且没有userAlias别名不查询任何数据
	139	sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias));
	140	}
	141	}
	142	conditions.add(dataScope);
	143	}
	144
	145	// 多角色情况下，所有角色都不包含传递过来的权限字符，这个时候sqlString也会为空，所以要限制一下,不查询任何数据
	146	if (StringUtils.isEmpty(conditions))
	147	{
	148	sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias));
	149	}
	150
	151	if (StringUtils.isNotBlank(sqlString.toString()))
	152	{
	153	Object params = joinPoint.getArgs()[0];
	154	if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
	155	{
	156	BaseEntity baseEntity = (BaseEntity) params;
	157	baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")");
	158	}
	159	}
	160	}
	161
	162	/**
	163	* 拼接权限sql前先清空params.dataScope参数防止注入
	164	*/
	165	private void clearDataScope(final JoinPoint joinPoint)
	166	{
	167	Object params = joinPoint.getArgs()[0];
	168	if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
	169	{
	170	BaseEntity baseEntity = (BaseEntity) params;
	171	baseEntity.getParams().put(DATA_SCOPE, "");
	172	}
	173	}
	174	}