jeecg 菜单访问权限控制,不限制权限类型(非admin用户看不到用户数据)
zhangdaihao
parent
ccec6e4375
commit
f5d116f279
|
|
@ -91,7 +91,7 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
* 在controller前拦截
|
||||
*/
|
||||
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
|
||||
|
||||
//update-begin--Author:taoYan Date:201706028 for:注解实现排除拦截
|
||||
//判断是否被注解跳过权限认证 先判断类注解然后方法注解 都没有则走原来逻辑
|
||||
HandlerMethod handlerMethod=(HandlerMethod)object;
|
||||
JAuth jauthType =handlerMethod.getBean().getClass().getAnnotation(JAuth.class);
|
||||
|
|
@ -109,23 +109,25 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
//update-end--Author:taoYan Date:201706028 for:注解实现排除拦截
|
||||
|
||||
//update-begin--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
Boolean isAjax=isAjax(request,response);
|
||||
|
||||
//update-end--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
String requestPath = ResourceUtil.getRequestPath(request);// 用户访问的资源地址
|
||||
//logger.info("-----authInterceptor----requestPath------"+requestPath);
|
||||
//步骤一: 判断是否是排除拦截请求,直接返回TRUE
|
||||
|
||||
//update-begin--Author:dangzhenghui Date:20170402 for:对外接口改造 api 设置为默认对外路径不用进行登陆验证
|
||||
if (requestPath.length()>3&&"api/".equals(requestPath.substring(0,4))) {
|
||||
return true;
|
||||
}
|
||||
|
||||
//update-begin--Author:end Date:20170402 for:对外接口改造 api 设置为默认对外路径不用进行登陆验证
|
||||
if (excludeUrls.contains(requestPath)) {
|
||||
return true;
|
||||
|
||||
//update-begin--Author:zhoujf Date:20170426 for:TASK #1867 【改造】权限拦截器支持模糊匹配
|
||||
} else if(moHuContain(excludeContainUrls, requestPath)){
|
||||
return true;
|
||||
|
||||
//update-end--Author:zhoujf Date:20170426 for:TASK #1867 【改造】权限拦截器支持模糊匹配
|
||||
} else {
|
||||
//步骤二: 权限控制,优先重组请求URL(考虑online请求前缀一致问题)
|
||||
String clickFunctionId = request.getParameter("clickFunctionId");
|
||||
|
|
@ -139,23 +141,23 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
if(requestPath.equals("cgAutoListController.do?list")) {
|
||||
requestPath += "&id=" + request.getParameter("id");
|
||||
}
|
||||
|
||||
//update-start--author:scott date:20170311 for:online新请求方式,权限控制------------
|
||||
if(requestPath.endsWith("?olstylecode=")) {
|
||||
requestPath = requestPath.replace("?olstylecode=", "");
|
||||
}
|
||||
|
||||
//步骤三: 根据重组请求URL,进行权限授权判断
|
||||
if((!hasMenuAuth(requestPath,clickFunctionId,currLoginUser)) && !currLoginUser.getUserName().equals("admin")){
|
||||
|
||||
//update-begin--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
if(isAjax){
|
||||
processAjax(response);
|
||||
}else {
|
||||
response.sendRedirect(request.getSession().getServletContext().getContextPath()+"/loginController.do?noAuth");
|
||||
}
|
||||
|
||||
//update-end--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
return false;
|
||||
}
|
||||
|
||||
//update-end--author:scott date:20170311 for:online新请求方式,权限控制------------
|
||||
|
||||
//解决rest风格下 权限失效问题
|
||||
String functionId="";
|
||||
|
|
@ -166,27 +168,27 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
}else {
|
||||
realRequestPath=uri;
|
||||
}
|
||||
|
||||
//update-begin--author:zhoujf date:20170307 for:TASK #1745 【bug】自定义表单数据权限控制方式 1. 普通控件通过“控件名称”来控制 2. 列表控件,通过“控件名称.表头”来控制
|
||||
// if(!oConvertUtils.isEmpty(clickFunctionId)){
|
||||
// functionId = clickFunctionId;
|
||||
// }else{
|
||||
|
||||
//update-begin--author:zhoujf date:20170304 for:自定义表单页面控件权限控制-------------
|
||||
if(realRequestPath.indexOf("autoFormController/af/")>-1 && realRequestPath.indexOf("?")!=-1){
|
||||
realRequestPath = realRequestPath.substring(0, realRequestPath.indexOf("?"));
|
||||
}
|
||||
|
||||
//update-end--author:scott date:20170304 for:自定义表单页面控件权限控制---------------
|
||||
List<TSFunction> functions = systemService.findByProperty(TSFunction.class, "functionUrl", realRequestPath);
|
||||
if (functions.size()>0){
|
||||
functionId = functions.get(0).getId();
|
||||
}
|
||||
// }
|
||||
|
||||
//update-begin--author:zhoujf date:20170307 for:TASK #1745 【bug】自定义表单数据权限控制方式 1. 普通控件通过“控件名称”来控制 2. 列表控件,通过“控件名称.表头”来控制
|
||||
//Step.1 第一部分处理页面表单和列表的页面控件权限(页面表单字段+页面按钮等控件)
|
||||
if(!oConvertUtils.isEmpty(functionId)){
|
||||
|
||||
//update-begin-author:taoYan date:20170829 for:admin不作数据权限控制
|
||||
if(!currLoginUser.getUserName().equals("admin")){
|
||||
//获取菜单对应的页面控制权限(包括表单字段和操作按钮)
|
||||
|
||||
//update-begin-author:taoYan date:20170814 for:TASK #2207 【权限bug】多个角色权限(并集问题),因为是反的控制,导致有admin的最大权限反而受小权限控制
|
||||
List<TSOperation> operations = systemService.getOperationsByUserIdAndFunctionId(currLoginUser.getId(), functionId);
|
||||
request.setAttribute(Globals.NOAUTO_OPERATIONCODES, operations);
|
||||
if(operations==null){
|
||||
|
|
@ -199,13 +201,15 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
request.setAttribute(Globals.OPERATIONCODES, operationCodes);
|
||||
}
|
||||
}
|
||||
|
||||
//update-end-author:taoYan date:20170829 for:admin不作数据权限控制
|
||||
|
||||
//Set<String> operationCodes = systemService.getOperationCodesByUserIdAndFunctionId(currLoginUser.getId(), functionId);
|
||||
//request.setAttribute(Globals.OPERATIONCODES, operationCodes);
|
||||
//}
|
||||
//if(!oConvertUtils.isEmpty(functionId)){
|
||||
|
||||
//update-begin--Author:scott Date:20170330 for:[online表单按钮\链接权限]jeecg 统一规则采用反的控制,授权的进行按钮或者字段 隐藏\禁用--------------------
|
||||
|
||||
// List<TSOperation> allOperation=this.systemService.findByProperty(TSOperation.class, "TSFunction.id", functionId);
|
||||
// List<TSOperation> newall = new ArrayList<TSOperation>();
|
||||
// if(allOperation.size()>0){
|
||||
|
|
@ -213,9 +217,10 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
// //s=s.replaceAll(" ", "");
|
||||
// newall.add(s);
|
||||
// }
|
||||
|
||||
// //---author:jg_xugj----start-----date:20151210--------for:#781 【oracle兼容】兼容问题fun.operation!='' 在oracle 数据下不正确
|
||||
// String hasOperSql="SELECT operation FROM t_s_role_function fun, t_s_role_user role WHERE " +
|
||||
// "fun.functionid='"+functionId+"' AND fun.operation is not null AND fun.roleid=role.roleid AND role.userid='"+currLoginUser.getId()+"' ";
|
||||
// //---author:jg_xugj----end-----date:20151210--------for:#781 【oracle兼容】兼容问题fun.operation!='' 在oracle 数据下不正确
|
||||
// List<String> hasOperList = this.systemService.findListbySql(hasOperSql);
|
||||
// for(String operationIds:hasOperList){
|
||||
// for(String operationId:operationIds.split(",")){
|
||||
|
|
@ -241,7 +246,8 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
}
|
||||
}
|
||||
request.setAttribute(Globals.NOAUTO_OPERATIONCODES, newall);*/
|
||||
|
||||
//update-end--Author:scott Date:20170330 for:[online表单按钮权限\链接]jeecg 统一规则采用反的控制,授权的进行按钮或者字段 隐藏\禁用--------------------
|
||||
//update-end-author:taoYan date:20170814 for:TASK #2207 【权限bug】多个角色权限(并集问题),因为是反的控制,导致有admin的最大权限反而受小权限控制
|
||||
|
||||
//Step.2 第二部分处理列表数据级权限 (菜单数据规则集合)
|
||||
List<TSDataRule> MENU_DATA_AUTHOR_RULES = new ArrayList<TSDataRule>();
|
||||
|
|
@ -250,7 +256,7 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
|
||||
//数据权限规则的查询
|
||||
//查询所有的当前这个用户所对应的角色和菜单的datarule的数据规则id
|
||||
|
||||
//update-begin-author:taoYan date:20170829 for:admin不作数据权限控制
|
||||
if(!currLoginUser.getUserName().equals("admin")){
|
||||
//Globals.BUTTON_AUTHORITY_CHECK
|
||||
Set<String> dataruleCodes = systemService.getOperationCodesByUserIdAndDataId(currLoginUser.getId(), functionId);
|
||||
|
|
@ -261,7 +267,7 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
MENU_DATA_AUTHOR_RULE_SQL += SysContextSqlConvert.setSqlModel(dataRule);
|
||||
}
|
||||
}
|
||||
|
||||
//update-end-author:taoYan date:20170829 for:admin不作数据权限控制
|
||||
JeecgDataAutorUtils.installDataSearchConditon(request, MENU_DATA_AUTHOR_RULES);//菜单数据规则集合
|
||||
JeecgDataAutorUtils.installDataSearchConditon(request, MENU_DATA_AUTHOR_RULE_SQL);//菜单数据规则sql
|
||||
|
||||
|
|
@ -275,7 +281,8 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//update-start--author:scott date:20170225 for:重构权限判断,提高效率---------------
|
||||
/**
|
||||
* 判断用户是否有菜单访问权限
|
||||
* @param requestPath
|
||||
|
|
@ -285,11 +292,9 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
*/
|
||||
private boolean hasMenuAuth(String requestPath,String clickFunctionId,TSUser currLoginUser){
|
||||
String userid = currLoginUser.getId();
|
||||
|
||||
//step.1 先判断请求是否配置菜单,没有配置菜单默认不作权限控制
|
||||
|
||||
String hasMenuSql = "select count(*) from t_s_function where functionurl = '"+requestPath+"'";
|
||||
|
||||
//update-start--author:scott -------- date:20170330 -------- for:菜单访问权限由模糊匹配改成精确匹配TODO ---------------
|
||||
//step.1 先判断请求是否配置菜单,没有配置菜单默认不作权限控制[注意:这里不限制权限类型菜单]
|
||||
String hasMenuSql = "select count(*) from t_s_function where functiontype = 0 and functionurl = '"+requestPath+"'";
|
||||
Long hasMenuCount = systemService.getCountForJdbc(hasMenuSql);
|
||||
if(hasMenuCount<=0){
|
||||
return true;
|
||||
|
|
@ -313,9 +318,9 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
}else{
|
||||
return true;
|
||||
}
|
||||
|
||||
//update-end--author:scott -------- date:20170330 -------- :菜单访问权限由模糊匹配改成精确匹配TODO ---------------
|
||||
}
|
||||
|
||||
//update-end--author:scott date:20170225 for:重构权限判断,提高效率---------------
|
||||
|
||||
/**
|
||||
* 转发
|
||||
|
|
@ -330,14 +335,14 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
}
|
||||
|
||||
private void forward(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
|
||||
//update-start--Author:scott Date:20160803 for:无登陆情况跳转登陆页
|
||||
//超时,未登陆页面跳转
|
||||
//response.sendRedirect(request.getServletContext().getContextPath()+"/loginController.do?login");
|
||||
|
||||
// update-start--Author:chenjin Date:20160828 for:TASK #1324 【bug】Session超时后,重新登录页面显示在标签里,让它重新显示登录页面
|
||||
response.sendRedirect(request.getSession().getServletContext().getContextPath()+"/webpage/login/timeout.jsp");
|
||||
|
||||
// update-end--Author:chenjin Date:20160828 for:TASK #1324 【bug】Session超时后,重新登录页面显示在标签里,让它重新显示登录页面
|
||||
//request.getRequestDispatcher("loginController.do?login").forward(request, response);
|
||||
|
||||
//update-start--Author:scott Date:20160803 for:无登陆情况跳转登陆页
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -362,7 +367,7 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
private boolean isAjax(HttpServletRequest request, HttpServletResponse response){
|
||||
return oConvertUtils.isNotEmpty(request.getHeader("X-Requested-With"));
|
||||
}
|
||||
|
||||
//update-begin--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
private void processAjax(HttpServletResponse response){
|
||||
AjaxJson json = new AjaxJson();
|
||||
json.setSuccess(false);
|
||||
|
|
@ -378,5 +383,5 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|||
pw.close();
|
||||
}
|
||||
}
|
||||
|
||||
//update-end--Author:dangzhenghui Date:20170627 for:TASK #2157 【bug】拦截器,需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue