提交 | 用户 | 时间
|
0cceb6
|
1 |
package com.jcdm.framework.aspectj; |
Y |
2 |
|
|
3 |
import java.util.ArrayList; |
|
4 |
import java.util.List; |
|
5 |
import org.aspectj.lang.JoinPoint; |
|
6 |
import org.aspectj.lang.annotation.Aspect; |
|
7 |
import org.aspectj.lang.annotation.Before; |
|
8 |
import org.springframework.stereotype.Component; |
|
9 |
import com.jcdm.common.annotation.DataScope; |
|
10 |
import com.jcdm.common.core.domain.BaseEntity; |
|
11 |
import com.jcdm.common.core.domain.entity.SysRole; |
|
12 |
import com.jcdm.common.core.domain.entity.SysUser; |
|
13 |
import com.jcdm.common.core.domain.model.LoginUser; |
|
14 |
import com.jcdm.common.core.text.Convert; |
|
15 |
import com.jcdm.common.utils.SecurityUtils; |
|
16 |
import com.jcdm.common.utils.StringUtils; |
|
17 |
import com.jcdm.framework.security.context.PermissionContextHolder; |
|
18 |
|
|
19 |
/** |
|
20 |
* 数据过滤处理 |
|
21 |
* |
|
22 |
* @author jc |
|
23 |
*/ |
|
24 |
@Aspect |
|
25 |
@Component |
|
26 |
public class DataScopeAspect |
|
27 |
{ |
|
28 |
/** |
|
29 |
* 全部数据权限 |
|
30 |
*/ |
|
31 |
public static final String DATA_SCOPE_ALL = "1"; |
|
32 |
|
|
33 |
/** |
|
34 |
* 自定数据权限 |
|
35 |
*/ |
|
36 |
public static final String DATA_SCOPE_CUSTOM = "2"; |
|
37 |
|
|
38 |
/** |
|
39 |
* 部门数据权限 |
|
40 |
*/ |
|
41 |
public static final String DATA_SCOPE_DEPT = "3"; |
|
42 |
|
|
43 |
/** |
|
44 |
* 部门及以下数据权限 |
|
45 |
*/ |
|
46 |
public static final String DATA_SCOPE_DEPT_AND_CHILD = "4"; |
|
47 |
|
|
48 |
/** |
|
49 |
* 仅本人数据权限 |
|
50 |
*/ |
|
51 |
public static final String DATA_SCOPE_SELF = "5"; |
|
52 |
|
|
53 |
/** |
|
54 |
* 数据权限过滤关键字 |
|
55 |
*/ |
|
56 |
public static final String DATA_SCOPE = "dataScope"; |
|
57 |
|
|
58 |
@Before("@annotation(controllerDataScope)") |
|
59 |
public void doBefore(JoinPoint point, DataScope controllerDataScope) throws Throwable |
|
60 |
{ |
|
61 |
clearDataScope(point); |
|
62 |
handleDataScope(point, controllerDataScope); |
|
63 |
} |
|
64 |
|
|
65 |
protected void handleDataScope(final JoinPoint joinPoint, DataScope controllerDataScope) |
|
66 |
{ |
|
67 |
// 获取当前的用户 |
|
68 |
LoginUser loginUser = SecurityUtils.getLoginUser(); |
|
69 |
if (StringUtils.isNotNull(loginUser)) |
|
70 |
{ |
|
71 |
SysUser currentUser = loginUser.getUser(); |
|
72 |
// 如果是超级管理员,则不过滤数据 |
|
73 |
if (StringUtils.isNotNull(currentUser) && !currentUser.isAdmin()) |
|
74 |
{ |
|
75 |
String permission = StringUtils.defaultIfEmpty(controllerDataScope.permission(), PermissionContextHolder.getContext()); |
|
76 |
dataScopeFilter(joinPoint, currentUser, controllerDataScope.deptAlias(), |
|
77 |
controllerDataScope.userAlias(), permission); |
|
78 |
} |
|
79 |
} |
|
80 |
} |
|
81 |
|
|
82 |
/** |
|
83 |
* 数据范围过滤 |
|
84 |
* |
|
85 |
* @param joinPoint 切点 |
|
86 |
* @param user 用户 |
|
87 |
* @param deptAlias 部门别名 |
|
88 |
* @param userAlias 用户别名 |
|
89 |
* @param permission 权限字符 |
|
90 |
*/ |
|
91 |
public static void dataScopeFilter(JoinPoint joinPoint, SysUser user, String deptAlias, String userAlias, String permission) |
|
92 |
{ |
|
93 |
StringBuilder sqlString = new StringBuilder(); |
|
94 |
List<String> conditions = new ArrayList<String>(); |
|
95 |
|
|
96 |
for (SysRole role : user.getRoles()) |
|
97 |
{ |
|
98 |
String dataScope = role.getDataScope(); |
|
99 |
if (!DATA_SCOPE_CUSTOM.equals(dataScope) && conditions.contains(dataScope)) |
|
100 |
{ |
|
101 |
continue; |
|
102 |
} |
|
103 |
if (StringUtils.isNotEmpty(permission) && StringUtils.isNotEmpty(role.getPermissions()) |
|
104 |
&& !StringUtils.containsAny(role.getPermissions(), Convert.toStrArray(permission))) |
|
105 |
{ |
|
106 |
continue; |
|
107 |
} |
|
108 |
if (DATA_SCOPE_ALL.equals(dataScope)) |
|
109 |
{ |
|
110 |
sqlString = new StringBuilder(); |
|
111 |
conditions.add(dataScope); |
|
112 |
break; |
|
113 |
} |
|
114 |
else if (DATA_SCOPE_CUSTOM.equals(dataScope)) |
|
115 |
{ |
|
116 |
sqlString.append(StringUtils.format( |
|
117 |
" OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias, |
|
118 |
role.getRoleId())); |
|
119 |
} |
|
120 |
else if (DATA_SCOPE_DEPT.equals(dataScope)) |
|
121 |
{ |
|
122 |
sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId())); |
|
123 |
} |
|
124 |
else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)) |
|
125 |
{ |
|
126 |
sqlString.append(StringUtils.format( |
|
127 |
" OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )", |
|
128 |
deptAlias, user.getDeptId(), user.getDeptId())); |
|
129 |
} |
|
130 |
else if (DATA_SCOPE_SELF.equals(dataScope)) |
|
131 |
{ |
|
132 |
if (StringUtils.isNotBlank(userAlias)) |
|
133 |
{ |
|
134 |
sqlString.append(StringUtils.format(" OR {}.user_id = {} ", userAlias, user.getUserId())); |
|
135 |
} |
|
136 |
else |
|
137 |
{ |
|
138 |
// 数据权限为仅本人且没有userAlias别名不查询任何数据 |
|
139 |
sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias)); |
|
140 |
} |
|
141 |
} |
|
142 |
conditions.add(dataScope); |
|
143 |
} |
|
144 |
|
|
145 |
// 多角色情况下,所有角色都不包含传递过来的权限字符,这个时候sqlString也会为空,所以要限制一下,不查询任何数据 |
|
146 |
if (StringUtils.isEmpty(conditions)) |
|
147 |
{ |
|
148 |
sqlString.append(StringUtils.format(" OR {}.dept_id = 0 ", deptAlias)); |
|
149 |
} |
|
150 |
|
|
151 |
if (StringUtils.isNotBlank(sqlString.toString())) |
|
152 |
{ |
|
153 |
Object params = joinPoint.getArgs()[0]; |
|
154 |
if (StringUtils.isNotNull(params) && params instanceof BaseEntity) |
|
155 |
{ |
|
156 |
BaseEntity baseEntity = (BaseEntity) params; |
|
157 |
baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")"); |
|
158 |
} |
|
159 |
} |
|
160 |
} |
|
161 |
|
|
162 |
/** |
|
163 |
* 拼接权限sql前先清空params.dataScope参数防止注入 |
|
164 |
*/ |
|
165 |
private void clearDataScope(final JoinPoint joinPoint) |
|
166 |
{ |
|
167 |
Object params = joinPoint.getArgs()[0]; |
|
168 |
if (StringUtils.isNotNull(params) && params instanceof BaseEntity) |
|
169 |
{ |
|
170 |
BaseEntity baseEntity = (BaseEntity) params; |
|
171 |
baseEntity.getParams().put(DATA_SCOPE, ""); |
|
172 |
} |
|
173 |
} |
|
174 |
} |