支持单位授权与客户端限制
This commit is contained in:
@@ -9,6 +9,7 @@ import com.xspaceagi.system.application.dto.permission.*;
|
||||
import com.xspaceagi.system.application.service.SysDataPermissionApplicationService;
|
||||
import com.xspaceagi.system.application.service.SysGroupApplicationService;
|
||||
import com.xspaceagi.system.application.service.SysSubjectPermissionApplicationService;
|
||||
import com.xspaceagi.system.application.dto.UserDto;
|
||||
import com.xspaceagi.system.domain.model.GroupBindMenuModel;
|
||||
import com.xspaceagi.system.domain.model.MenuNode;
|
||||
import com.xspaceagi.system.domain.model.SortIndex;
|
||||
@@ -16,6 +17,7 @@ import com.xspaceagi.system.infra.dao.entity.SysDataPermission;
|
||||
import com.xspaceagi.system.infra.dao.entity.SysGroup;
|
||||
import com.xspaceagi.system.infra.dao.entity.User;
|
||||
import com.xspaceagi.system.spec.annotation.RequireResource;
|
||||
import com.xspaceagi.system.spec.common.RequestContext;
|
||||
import com.xspaceagi.system.spec.dto.PageQueryVo;
|
||||
import com.xspaceagi.system.spec.dto.ReqResult;
|
||||
import com.xspaceagi.system.spec.enums.*;
|
||||
@@ -36,6 +38,7 @@ import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import static com.xspaceagi.system.spec.enums.ResourceEnum.*;
|
||||
@@ -89,6 +92,7 @@ public class SysGroupController extends BaseController {
|
||||
|
||||
SysGroup group = new SysGroup();
|
||||
BeanUtils.copyProperties(dto, group);
|
||||
checkGroupManageScope(group.getId());
|
||||
group.setCode(null); // code不允许更新
|
||||
sysGroupApplicationService.updateGroup(group, getUser());
|
||||
return ReqResult.success();
|
||||
@@ -101,6 +105,7 @@ public class SysGroupController extends BaseController {
|
||||
if (groupId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(groupId);
|
||||
sysGroupApplicationService.deleteGroup(groupId, getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -112,6 +117,7 @@ public class SysGroupController extends BaseController {
|
||||
if (groupId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(groupId);
|
||||
|
||||
SysGroup group = sysGroupApplicationService.getGroupById(groupId);
|
||||
if (group == null) {
|
||||
@@ -141,6 +147,7 @@ public class SysGroupController extends BaseController {
|
||||
if (group == null) {
|
||||
return ReqResult.error("用户组不存在");
|
||||
}
|
||||
checkGroupManageScope(group.getId());
|
||||
SysGroupDto groupDto = new SysGroupDto();
|
||||
BeanUtils.copyProperties(group, groupDto);
|
||||
|
||||
@@ -162,6 +169,7 @@ public class SysGroupController extends BaseController {
|
||||
}
|
||||
List<SortIndex> sortIndexList = dto.getItems().stream()
|
||||
.map(item -> {
|
||||
checkGroupManageScope(item.getId());
|
||||
SortIndex model = new SortIndex();
|
||||
model.setId(item.getId());
|
||||
model.setParentId(item.getParentId());
|
||||
@@ -183,6 +191,7 @@ public class SysGroupController extends BaseController {
|
||||
}
|
||||
|
||||
List<SysGroup> groupList = sysGroupApplicationService.getGroupList(sysGroup);
|
||||
groupList = filterGroupManageScope(groupList);
|
||||
if (CollectionUtils.isEmpty(groupList)) {
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -214,6 +223,7 @@ public class SysGroupController extends BaseController {
|
||||
}
|
||||
SysGroupUserQueryDto queryDto = pageQueryVo.getQueryFilter();
|
||||
Long groupId = queryDto.getGroupId();
|
||||
checkGroupManageScope(groupId);
|
||||
String userName = queryDto.getUserName();
|
||||
long pageNo = pageQueryVo.getPageNo() != null ? pageQueryVo.getPageNo() : 1L;
|
||||
long pageSize = pageQueryVo.getPageSize() != null ? pageQueryVo.getPageSize() : 10L;
|
||||
@@ -238,6 +248,7 @@ public class SysGroupController extends BaseController {
|
||||
if (groupId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(groupId);
|
||||
SysDataPermission dataPermission = sysDataPermissionApplicationService.getByTarget(PermissionTargetTypeEnum.GROUP, groupId);
|
||||
SysDataPermissionBindDto result = SysDataPermissionConverter.toDto(dataPermission);
|
||||
result = result == null ? new SysDataPermissionBindDto() : result;
|
||||
@@ -282,6 +293,7 @@ public class SysGroupController extends BaseController {
|
||||
if (dto == null || dto.getGroupId() == null) {
|
||||
return ReqResult.error("用户组ID不能为空");
|
||||
}
|
||||
checkGroupManageScope(dto.getGroupId());
|
||||
SysDataPermissionBindDto bindDto = dto.getDataPermission();
|
||||
SysDataPermission dataPermission = SysDataPermissionConverter.toEntity(bindDto);
|
||||
sysGroupApplicationService.bindDataPermission(dto.getGroupId(), dataPermission, getUser());
|
||||
@@ -295,6 +307,7 @@ public class SysGroupController extends BaseController {
|
||||
if (dto == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(dto.getGroupId());
|
||||
sysGroupApplicationService.groupBindUser(dto.getGroupId(), dto.getUserIds(), getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -306,6 +319,7 @@ public class SysGroupController extends BaseController {
|
||||
if (dto == null || dto.getGroupId() == null || dto.getUserId() == null) {
|
||||
return ReqResult.error("用户组ID和用户ID不能为空");
|
||||
}
|
||||
checkGroupManageScope(dto.getGroupId());
|
||||
sysGroupApplicationService.groupAddUser(dto.getGroupId(), dto.getUserId(), getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -317,6 +331,7 @@ public class SysGroupController extends BaseController {
|
||||
if (dto == null || dto.getGroupId() == null || dto.getUserId() == null) {
|
||||
return ReqResult.error("用户组ID和用户ID不能为空");
|
||||
}
|
||||
checkGroupManageScope(dto.getGroupId());
|
||||
sysGroupApplicationService.groupRemoveUser(dto.getGroupId(), dto.getUserId(), getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -328,6 +343,7 @@ public class SysGroupController extends BaseController {
|
||||
if (dto == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(dto.getGroupId());
|
||||
// 用户组不允许绑定 生态市场/系统管理
|
||||
checkForbiddenMenuCodes(dto.getMenuTree());
|
||||
|
||||
@@ -343,6 +359,7 @@ public class SysGroupController extends BaseController {
|
||||
if (groupId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkGroupManageScope(groupId);
|
||||
// 获取处理好的菜单树(已包含资源详细信息)
|
||||
List<MenuNode> menuNodeList = sysGroupApplicationService.getMenuTreeByGroupId(groupId);
|
||||
|
||||
@@ -373,4 +390,41 @@ public class SysGroupController extends BaseController {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private List<SysGroup> filterGroupManageScope(List<SysGroup> groupList) {
|
||||
if (isPlatformAdmin() || CollectionUtils.isEmpty(groupList)) {
|
||||
return groupList;
|
||||
}
|
||||
Set<Long> allowedGroupIds = currentUserGroupIds();
|
||||
return groupList.stream()
|
||||
.filter(group -> group.getId() != null && allowedGroupIds.contains(group.getId()))
|
||||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
private void checkGroupManageScope(Long groupId) {
|
||||
if (isPlatformAdmin()) {
|
||||
return;
|
||||
}
|
||||
if (groupId == null || !currentUserGroupIds().contains(groupId)) {
|
||||
throw BizException.of(ErrorCodeEnum.PERMISSION_DENIED, BizExceptionCodeEnum.permissionDenied);
|
||||
}
|
||||
}
|
||||
|
||||
private Set<Long> currentUserGroupIds() {
|
||||
return sysGroupApplicationService.getEffectiveGroupListByUserId(getCurrentUserDto().getId()).stream()
|
||||
.map(SysGroup::getId)
|
||||
.collect(Collectors.toSet());
|
||||
}
|
||||
|
||||
private boolean isPlatformAdmin() {
|
||||
return getCurrentUserDto().getRole() == User.Role.Admin;
|
||||
}
|
||||
|
||||
private UserDto getCurrentUserDto() {
|
||||
UserDto userDto = (UserDto) RequestContext.get().getUser();
|
||||
if (userDto == null) {
|
||||
throw BizException.of(ErrorCodeEnum.UNAUTHORIZED, BizExceptionCodeEnum.systemUserNotLoggedInWeb);
|
||||
}
|
||||
return userDto;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
package com.xspaceagi.system.web.controller.permission;
|
||||
|
||||
import com.xspaceagi.system.application.dto.UserDto;
|
||||
import com.xspaceagi.system.application.dto.permission.*;
|
||||
import com.xspaceagi.system.application.service.SysDataPermissionApplicationService;
|
||||
import com.xspaceagi.system.application.service.SysGroupApplicationService;
|
||||
@@ -7,10 +8,15 @@ import com.xspaceagi.system.application.service.SysRoleApplicationService;
|
||||
import com.xspaceagi.system.application.service.impl.SysUserPermissionCacheServiceImpl;
|
||||
import com.xspaceagi.system.infra.dao.entity.SysGroup;
|
||||
import com.xspaceagi.system.infra.dao.entity.SysRole;
|
||||
import com.xspaceagi.system.infra.dao.entity.User;
|
||||
import com.xspaceagi.system.sdk.service.dto.UserDataPermissionDto;
|
||||
import com.xspaceagi.system.spec.annotation.RequireResource;
|
||||
import com.xspaceagi.system.spec.annotation.SaasAdmin;
|
||||
import com.xspaceagi.system.spec.common.RequestContext;
|
||||
import com.xspaceagi.system.spec.dto.ReqResult;
|
||||
import com.xspaceagi.system.spec.enums.ErrorCodeEnum;
|
||||
import com.xspaceagi.system.spec.exception.BizException;
|
||||
import com.xspaceagi.system.spec.exception.BizExceptionCodeEnum;
|
||||
import com.xspaceagi.system.spec.utils.I18nUtil;
|
||||
import com.xspaceagi.system.web.controller.base.BaseController;
|
||||
import io.swagger.v3.oas.annotations.Operation;
|
||||
@@ -22,6 +28,7 @@ import org.springframework.beans.BeanUtils;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import static com.xspaceagi.system.spec.enums.ResourceEnum.*;
|
||||
@@ -48,6 +55,7 @@ public class SysUserController extends BaseController {
|
||||
if (userId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(userId);
|
||||
|
||||
List<SysRole> roleList = sysRoleApplicationService.getRoleListByUserId(userId);
|
||||
if (CollectionUtils.isEmpty(roleList)) {
|
||||
@@ -70,6 +78,8 @@ public class SysUserController extends BaseController {
|
||||
if (dto == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(dto.getUserId());
|
||||
checkRoleBindScope(dto.getRoleIds());
|
||||
sysRoleApplicationService.userBindRole(dto.getUserId(), dto.getRoleIds(), getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -81,6 +91,7 @@ public class SysUserController extends BaseController {
|
||||
if (userId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(userId);
|
||||
List<SysGroup> groupList = sysGroupApplicationService.getGroupListByUserId(userId);
|
||||
if (CollectionUtils.isEmpty(groupList)) {
|
||||
return ReqResult.success();
|
||||
@@ -102,6 +113,8 @@ public class SysUserController extends BaseController {
|
||||
if (dto == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(dto.getUserId());
|
||||
checkGroupBindScope(dto.getGroupIds());
|
||||
sysGroupApplicationService.userBindGroup(dto.getUserId(), dto.getGroupIds(), getUser());
|
||||
return ReqResult.success();
|
||||
}
|
||||
@@ -113,6 +126,7 @@ public class SysUserController extends BaseController {
|
||||
if (userId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(userId);
|
||||
List<MenuNodeDto> menuTree = sysUserPermissionCacheService.getUserMenuTree(userId);
|
||||
|
||||
I18nUtil.replaceSystemMessage(menuTree);
|
||||
@@ -126,10 +140,66 @@ public class SysUserController extends BaseController {
|
||||
if (userId == null) {
|
||||
return ReqResult.error("参数不能为空");
|
||||
}
|
||||
checkUserManageScope(userId);
|
||||
UserDataPermissionDto dataPermission = sysDataPermissionApplicationService.getUserDataPermission(userId);
|
||||
return ReqResult.success(dataPermission);
|
||||
}
|
||||
|
||||
private void checkUserManageScope(Long userId) {
|
||||
if (isPlatformAdmin()) {
|
||||
return;
|
||||
}
|
||||
Set<Long> allowedGroupIds = currentUserGroupIds();
|
||||
boolean inScope = sysGroupApplicationService.getEffectiveGroupListByUserId(userId).stream()
|
||||
.map(SysGroup::getId)
|
||||
.anyMatch(allowedGroupIds::contains);
|
||||
if (!inScope) {
|
||||
throw BizException.of(ErrorCodeEnum.PERMISSION_DENIED, BizExceptionCodeEnum.permissionDenied);
|
||||
}
|
||||
}
|
||||
|
||||
private void checkGroupBindScope(List<Long> groupIds) {
|
||||
if (isPlatformAdmin() || CollectionUtils.isEmpty(groupIds)) {
|
||||
return;
|
||||
}
|
||||
Set<Long> allowedGroupIds = currentUserGroupIds();
|
||||
boolean allInScope = groupIds.stream().allMatch(allowedGroupIds::contains);
|
||||
if (!allInScope) {
|
||||
throw BizException.of(ErrorCodeEnum.PERMISSION_DENIED, BizExceptionCodeEnum.permissionDenied);
|
||||
}
|
||||
}
|
||||
|
||||
private void checkRoleBindScope(List<Long> roleIds) {
|
||||
if (isPlatformAdmin() || CollectionUtils.isEmpty(roleIds)) {
|
||||
return;
|
||||
}
|
||||
Set<Long> allowedRoleIds = sysRoleApplicationService.getRoleListByUserId(getCurrentUserDto().getId()).stream()
|
||||
.map(SysRole::getId)
|
||||
.collect(Collectors.toSet());
|
||||
boolean allInScope = roleIds.stream().allMatch(allowedRoleIds::contains);
|
||||
if (!allInScope) {
|
||||
throw BizException.of(ErrorCodeEnum.PERMISSION_DENIED, BizExceptionCodeEnum.permissionDenied);
|
||||
}
|
||||
}
|
||||
|
||||
private Set<Long> currentUserGroupIds() {
|
||||
return sysGroupApplicationService.getEffectiveGroupListByUserId(getCurrentUserDto().getId()).stream()
|
||||
.map(SysGroup::getId)
|
||||
.collect(Collectors.toSet());
|
||||
}
|
||||
|
||||
private boolean isPlatformAdmin() {
|
||||
return getCurrentUserDto().getRole() == User.Role.Admin;
|
||||
}
|
||||
|
||||
private UserDto getCurrentUserDto() {
|
||||
UserDto userDto = (UserDto) RequestContext.get().getUser();
|
||||
if (userDto == null) {
|
||||
throw BizException.of(ErrorCodeEnum.UNAUTHORIZED, BizExceptionCodeEnum.systemUserNotLoggedInWeb);
|
||||
}
|
||||
return userDto;
|
||||
}
|
||||
|
||||
@SaasAdmin
|
||||
@Operation(summary = "清除指定用户权限缓存")
|
||||
@GetMapping("/cache/clear-user")
|
||||
@@ -148,4 +218,4 @@ public class SysUserController extends BaseController {
|
||||
sysUserPermissionCacheService.clearCacheAllByTenant(tenantId);
|
||||
return ReqResult.success();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user