fix #164
@@ -160,8 +160,7 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
|
||||
// 控制权限
|
||||
if (!definition.getPermissions().isEmpty()) {
|
||||
if (logger.isInfoEnabled()) {
|
||||
logger.info("执行权限控制:权限{}({}),操作{}.",
|
||||
definition.getPermissionDescription(),
|
||||
logger.info("执行权限控制:权限{},操作{}.",
|
||||
permissionsDef,
|
||||
actionsDef);
|
||||
}
|
||||
@@ -192,35 +191,39 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
|
||||
CollectionUtils.isNotEmpty(permissions) :
|
||||
//权限数量和配置的数量相同
|
||||
permissions.size() == permissionsDef.size();
|
||||
} else {
|
||||
access = false;
|
||||
}
|
||||
//控制角色
|
||||
if (!rolesDef.isEmpty()) {
|
||||
if (logger.isInfoEnabled()) {
|
||||
logger.info("do role access handle : roles{} , definition:{}", rolesDef, definition.getRoles());
|
||||
}
|
||||
Function<Predicate<Role>, Boolean> func = logicalIsOr
|
||||
? authentication.getRoles().stream()::anyMatch
|
||||
: authentication.getRoles().stream()::allMatch;
|
||||
Set<String> roleIds = authentication.getRoles().stream().map(Role::getId).collect(Collectors.toSet());
|
||||
|
||||
Function<Predicate<String>, Boolean> func = logicalIsOr
|
||||
? roleIds.stream()::anyMatch
|
||||
: roleIds.stream()::allMatch;
|
||||
|
||||
access = logicalIsOr
|
||||
? access || func.apply(role -> rolesDef.contains(role.getId()))
|
||||
: access && func.apply(role -> rolesDef.contains(role.getId()));
|
||||
? access || func.apply(rolesDef::contains)
|
||||
: access && func.apply(rolesDef::contains);
|
||||
if (logger.isInfoEnabled()) {
|
||||
logger.info("执行角色权限控制{},当前角色:{},限制角色:{}.", access ? "通过" : "拒绝", roleIds, rolesDef);
|
||||
}
|
||||
}
|
||||
//控制用户
|
||||
if (!usersDef.isEmpty()) {
|
||||
if (logger.isInfoEnabled()) {
|
||||
logger.info("do user access handle : users{} , definition:{} ", usersDef, definition.getUser());
|
||||
}
|
||||
String username = authentication.getUser().getUsername();
|
||||
Function<Predicate<String>, Boolean> func = logicalIsOr
|
||||
? usersDef.stream()::anyMatch
|
||||
: usersDef.stream()::allMatch;
|
||||
access = logicalIsOr
|
||||
? access || func.apply(authentication.getUser().getUsername()::equals)
|
||||
: access && func.apply(authentication.getUser().getUsername()::equals);
|
||||
|
||||
}
|
||||
if (!access) {
|
||||
throw new AccessDenyException(definition.getMessage());
|
||||
? access || func.apply(username::equals)
|
||||
: access && func.apply(username::equals);
|
||||
if (logger.isInfoEnabled()) {
|
||||
logger.info("执行用户权限控制{},当前用户:{},限制用户:{}.", access ? "通过" : "拒绝", username, usersDef);
|
||||
}
|
||||
if (!access) {
|
||||
throw new AccessDenyException(definition.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
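Review bot: In the role branch the new `roleIds.stream()::allMatch` still iterates over the roles the caller holds, so when logicalIsOr is false a caller who has every role in rolesDef plus one additional role is denied, because that extra id is not contained in rolesDef; the user branch further down iterates the other way round, over usersDef. If the intended AND semantics are "the caller must hold every role named in the definition", the stream should run over the definition and the predicate over the caller's ids: `? rolesDef.stream()::anyMatch : rolesDef.stream()::allMatch` with `func.apply(roleIds::contains)` in both arms (the anyMatch case is equivalent either way). How logicalIsOr is derived is outside the hunk, so this is inferred only from the two visible branches; a test where the caller holds a superset of the required roles would pin whichever semantics is intended. The enclosing handRBAC method begins before this hunk.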
@@ -12,6 +12,7 @@ import org.hswebframework.web.authorization.basic.handler.access.DefaultDataAcce
|
||||
import org.hswebframework.web.authorization.define.AuthorizeDefinition;
|
||||
import org.hswebframework.web.authorization.define.AuthorizingContext;
|
||||
import org.hswebframework.web.authorization.define.Phased;
|
||||
import org.hswebframework.web.authorization.exception.AccessDenyException;
|
||||
import org.hswebframework.web.authorization.simple.*;
|
||||
import org.hswebframework.web.boost.aop.context.MethodInterceptorContext;
|
||||
import org.hswebframework.web.commons.entity.param.QueryParamEntity;
|
||||
@@ -37,6 +38,9 @@ public class AuthorizeTests {
|
||||
@Mock
|
||||
private MethodInterceptorContext dynamicQuery;
|
||||
|
||||
@Mock
|
||||
private MethodInterceptorContext handleRole;
|
||||
|
||||
@Mock
|
||||
private Authentication authentication;
|
||||
|
||||
@@ -67,6 +71,12 @@ public class AuthorizeTests {
|
||||
when(dynamicQuery.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
|
||||
when(dynamicQuery.getParameter("paramEntity")).thenReturn(Optional.of(entity));
|
||||
|
||||
//mock MethodInterceptorContext
|
||||
when(handleRole.getMethod()).thenReturn(TestClass.class.getMethod("handleRoleDeny", QueryParamEntity.class));
|
||||
when(handleRole.getTarget()).thenReturn(testClass);
|
||||
when(handleRole.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
|
||||
when(handleRole.getParameter("paramEntity")).thenReturn(Optional.of(entity));
|
||||
|
||||
|
||||
//过滤字段
|
||||
AbstractDataAccessConfig fieldFilter = new SimpleFieldFilterDataAccessConfig("password", "salt");
|
||||
@@ -110,9 +120,26 @@ public class AuthorizeTests {
|
||||
authorizingContext.setDefinition(definition);
|
||||
authorizingContext.setParamContext(queryById);
|
||||
|
||||
try {
|
||||
handler.handRBAC(authorizingContext);
|
||||
Assert.fail("role access handle fail");
|
||||
} catch (AccessDenyException ignore) {
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testIssue164() {
|
||||
DefaultAuthorizingHandler handler = new DefaultAuthorizingHandler();
|
||||
|
||||
AuthorizeDefinition definition = parser.parse(handleRole.getTarget().getClass(), handleRole.getMethod());
|
||||
|
||||
AuthorizingContext authorizingContext = new AuthorizingContext();
|
||||
authorizingContext.setAuthentication(authentication);
|
||||
authorizingContext.setDefinition(definition);
|
||||
authorizingContext.setParamContext(handleRole);
|
||||
|
||||
handler.handRBAC(authorizingContext);
|
||||
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -190,6 +217,12 @@ public class AuthorizeTests {
|
||||
System.out.println(JSON.toJSON(paramEntity));
|
||||
}
|
||||
|
||||
|
||||
@Authorize(role = "admin")
|
||||
public void handleRoleDeny(QueryParamEntity paramEntity) {
|
||||
System.out.println(JSON.toJSON(paramEntity));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public interface TestClassSuper {
|
||||
|
||||
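Review bot: testIssue164 passes only because handRBAC returns without throwing, yet nothing in the visible hunks stubs `authentication.getRoles()` on the mocked Authentication, so the test does not show which role state is being exercised against `@Authorize(role = "admin")`. A short Javadoc on the test naming the scenario it guards (which roles the caller holds and that access must not be denied) together with the role stubbing placed in the test itself would make the regression readable without consulting the issue tracker. The stubbing presumably lives in the setup method whose start is outside this hunk; confirm that it covers the case the issue describes rather than an empty role set.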