优化数据权限控制

2026-05-31 18:03:52 +08:00 · 2018-12-29 16:33:34 +08:00
parent 74bf14817c
commit 183bbb8b34
4 changed files with 15 additions and 10 deletions
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/FieldFilterDataAccessHandler.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/FieldFilterDataAccessHandler.java
@@ -17,6 +17,7 @@ import org.springframework.http.ResponseEntity;

 import java.lang.reflect.InvocationTargetException;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;

@@ -87,7 +88,7 @@ public class FieldFilterDataAccessHandler implements DataAccessHandler {

    @SuppressWarnings("all")
    protected boolean doQueryAccess(FieldFilterDataAccessConfig access, AuthorizingContext context) {
-        if (context.getDefinition().getPhased() == Phased.before) {
+        if (context.getDefinition().getDataAccessDefinition().getPhased() == Phased.before) {
            QueryParamEntity entity = context.getParamContext().getParams()
                    .values().stream()
                    .filter(QueryParamEntity.class::isInstance)
@@ -97,7 +98,8 @@ public class FieldFilterDataAccessHandler implements DataAccessHandler {
                logger.warn("try validate query access, but query entity is null or not instance of org.hswebframework.web.commons.entity.Entity");
                return true;
            }
-            entity.excludes(access.getFields().toArray(new String[access.getFields().size()]));
+            Set<String> denyFields = access.getFields();
+            entity.excludes(denyFields.toArray(new String[denyFields.size()]));
        } else {
            Object result = InvokeResultUtils.convertRealResult(context.getParamContext().getInvokeResult());
            if (result instanceof Collection) {
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/FieldScopeDataAccessHandler.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/FieldScopeDataAccessHandler.java
@@ -84,7 +84,7 @@ public class FieldScopeDataAccessHandler implements DataAccessHandler {

    @SuppressWarnings("all")
    protected boolean doQueryAccess(FieldScopeDataAccessConfig access, AuthorizingContext context) {
-        if (context.getDefinition().getPhased() == Phased.before) {
+        if (context.getDefinition().getDataAccessDefinition().getPhased() == Phased.before) {
            QueryParamEntity entity = context.getParamContext().getParams()
                    .values().stream()
                    .filter(QueryParamEntity.class::isInstance)
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/InvokeResultUtils.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/InvokeResultUtils.java
@@ -1,15 +1,19 @@
 package org.hswebframework.web.authorization.basic.handler.access;

+import org.hswebframework.web.commons.entity.PagerResult;
 import org.hswebframework.web.controller.message.ResponseMessage;
 import org.springframework.http.ResponseEntity;

 public class InvokeResultUtils {
    public static Object convertRealResult(Object result) {
-        if (result instanceof ResponseMessage) {
-            return ((ResponseMessage) result).getResult();
-        }
        if (result instanceof ResponseEntity) {
-            return ((ResponseEntity) result).getBody();
+            result = ((ResponseEntity) result).getBody();
+        }
+        if (result instanceof ResponseMessage) {
+            result = ((ResponseMessage) result).getResult();
+        }
+        if (result instanceof PagerResult) {
+            result = ((PagerResult) result).getData();
        }
        return result;
    }
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/OwnCreatedDataAccessHandler.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/access/OwnCreatedDataAccessHandler.java
@@ -99,7 +99,7 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
    protected boolean doQueryAccess(OwnCreatedDataAccessConfig access, AuthorizingContext context) {
        String userId = context.getAuthentication().getUser().getId();

-        if (context.getDefinition().getPhased() == Phased.before) {
+        if (context.getDefinition().getDataAccessDefinition().getPhased() == Phased.before) {
            Entity entity = context.getParamContext().getParams()
                    .values().stream()
                    .filter(Entity.class::isInstance)
@@ -144,8 +144,7 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
        } else if (result instanceof Collection) {
            Collection<?> collection = ((Collection) result);
            //删掉不能访问的对象
-            collection.removeAll(collection.stream().filter((Object o) -> !matchCreatorId(o, userId))
-                    .collect(Collectors.toList()));
+            collection.removeAll(collection.stream().filter((Object o) -> !matchCreatorId(o, userId)).collect(Collectors.toList()));
        } else {
            try {
                return userId.equals(PropertyUtils.getProperty(result, "creatorId"));