4 gadi atpakaļ · c0c4829ca8
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
@@ -160,8 +160,7 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
 
				         // 控制权限
			
 
				         if (!definition.getPermissions().isEmpty()) {
			
 
				             if (logger.isInfoEnabled()) {
			
 
				-                logger.info("执行权限控制:权限{}({}),操作{}.",
			
 
				-                        definition.getPermissionDescription(),
			
 
				+                logger.info("执行权限控制:权限{},操作{}.",
			
 
				                         permissionsDef,
			
 
				                         actionsDef);
			
 
				             }
			
@@ -192,35 +191,39 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
 
				                     CollectionUtils.isNotEmpty(permissions) :
			
 
				                     //权限数量和配置的数量相同
			
 
				                     permissions.size() == permissionsDef.size();
			
 
				+        } else {
			
 
				+            access = false;
			
 
				         }
			
 
				         //控制角色
			
 
				         if (!rolesDef.isEmpty()) {
			
 
				-            if (logger.isInfoEnabled()) {
			
 
				-                logger.info("do role access handle : roles{} , definition:{}", rolesDef, definition.getRoles());
			
 
				-            }
			
 
				-            Function<Predicate<Role>, Boolean> func = logicalIsOr
			
 
				-                    ? authentication.getRoles().stream()::anyMatch
			
 
				-                    : authentication.getRoles().stream()::allMatch;
			
 
				+            Set<String> roleIds = authentication.getRoles().stream().map(Role::getId).collect(Collectors.toSet());
			
 
				+
			
 
				+            Function<Predicate<String>, Boolean> func = logicalIsOr
			
 
				+                    ? roleIds.stream()::anyMatch
			
 
				+                    : roleIds.stream()::allMatch;
			
 
				 
			
 
				             access = logicalIsOr
			
 
				-                    ? access || func.apply(role -> rolesDef.contains(role.getId()))
			
 
				-                    : access && func.apply(role -> rolesDef.contains(role.getId()));
			
 
				+                    ? access || func.apply(rolesDef::contains)
			
 
				+                    : access && func.apply(rolesDef::contains);
			
 
				+            if (logger.isInfoEnabled()) {
			
 
				+                logger.info("执行角色权限控制{},当前角色:{},限制角色:{}.", access ? "通过" : "拒绝", roleIds, rolesDef);
			
 
				+            }
			
 
				         }
			
 
				         //控制用户
			
 
				         if (!usersDef.isEmpty()) {
			
 
				-            if (logger.isInfoEnabled()) {
			
 
				-                logger.info("do user access handle : users{} , definition:{} ", usersDef, definition.getUser());
			
 
				-            }
			
 
				+            String username = authentication.getUser().getUsername();
			
 
				             Function<Predicate<String>, Boolean> func = logicalIsOr
			
 
				                     ? usersDef.stream()::anyMatch
			
 
				                     : usersDef.stream()::allMatch;
			
 
				             access = logicalIsOr
			
 
				-                    ? access || func.apply(authentication.getUser().getUsername()::equals)
			
 
				-                    : access && func.apply(authentication.getUser().getUsername()::equals);
			
 
				-
			
 
				-        }
			
 
				-        if (!access) {
			
 
				-            throw new AccessDenyException(definition.getMessage());
			
 
				+                    ? access || func.apply(username::equals)
			
 
				+                    : access && func.apply(username::equals);
			
 
				+            if (logger.isInfoEnabled()) {
			
 
				+                logger.info("执行用户权限控制{},当前用户:{},限制用户:{}.", access ? "通过" : "拒绝", username, usersDef);
			
 
				+            }
			
 
				+            if (!access) {
			
 
				+                throw new AccessDenyException(definition.getMessage());
			
 
				+            }
			
 
				         }
			
 
				     }
			
 
				 }
			
--- a/hsweb-authorization/hsweb-authorization-basic/src/test/groovy/org/hswebframework/web/authorization/AuthorizeTests.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/test/groovy/org/hswebframework/web/authorization/AuthorizeTests.java
@@ -12,6 +12,7 @@ import org.hswebframework.web.authorization.basic.handler.access.DefaultDataAcce
 
				 import org.hswebframework.web.authorization.define.AuthorizeDefinition;
			
 
				 import org.hswebframework.web.authorization.define.AuthorizingContext;
			
 
				 import org.hswebframework.web.authorization.define.Phased;
			
 
				+import org.hswebframework.web.authorization.exception.AccessDenyException;
			
 
				 import org.hswebframework.web.authorization.simple.*;
			
 
				 import org.hswebframework.web.boost.aop.context.MethodInterceptorContext;
			
 
				 import org.hswebframework.web.commons.entity.param.QueryParamEntity;
			
@@ -37,6 +38,9 @@ public class AuthorizeTests {
 
				     @Mock
			
 
				     private MethodInterceptorContext dynamicQuery;
			
 
				 
			
 
				+    @Mock
			
 
				+    private MethodInterceptorContext handleRole;
			
 
				+
			
 
				     @Mock
			
 
				     private Authentication authentication;
			
 
				 
			
@@ -67,6 +71,12 @@ public class AuthorizeTests {
 
				         when(dynamicQuery.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
			
 
				         when(dynamicQuery.getParameter("paramEntity")).thenReturn(Optional.of(entity));
			
 
				 
			
 
				+        //mock MethodInterceptorContext
			
 
				+        when(handleRole.getMethod()).thenReturn(TestClass.class.getMethod("handleRoleDeny", QueryParamEntity.class));
			
 
				+        when(handleRole.getTarget()).thenReturn(testClass);
			
 
				+        when(handleRole.getParams()).thenReturn(Collections.singletonMap("paramEntity", entity));
			
 
				+        when(handleRole.getParameter("paramEntity")).thenReturn(Optional.of(entity));
			
 
				+
			
 
				 
			
 
				         //过滤字段
			
 
				         AbstractDataAccessConfig fieldFilter = new SimpleFieldFilterDataAccessConfig("password", "salt");
			
@@ -110,9 +120,26 @@ public class AuthorizeTests {
 
				         authorizingContext.setDefinition(definition);
			
 
				         authorizingContext.setParamContext(queryById);
			
 
				 
			
 
				-        handler.handRBAC(authorizingContext);
			
 
				+        try {
			
 
				+            handler.handRBAC(authorizingContext);
			
 
				+            Assert.fail("role access handle fail");
			
 
				+        } catch (AccessDenyException ignore) {
			
 
				+
			
 
				+        }
			
 
				+    }
			
 
				+
			
 
				+    @Test
			
 
				+    public void testIssue164() {
			
 
				+        DefaultAuthorizingHandler handler = new DefaultAuthorizingHandler();
			
 
				+
			
 
				+        AuthorizeDefinition definition = parser.parse(handleRole.getTarget().getClass(), handleRole.getMethod());
			
 
				 
			
 
				+        AuthorizingContext authorizingContext = new AuthorizingContext();
			
 
				+        authorizingContext.setAuthentication(authentication);
			
 
				+        authorizingContext.setDefinition(definition);
			
 
				+        authorizingContext.setParamContext(handleRole);
			
 
				 
			
 
				+        handler.handRBAC(authorizingContext);
			
 
				     }
			
 
				 
			
 
				     /**
			
@@ -190,6 +217,12 @@ public class AuthorizeTests {
 
				             System.out.println(JSON.toJSON(paramEntity));
			
 
				         }
			
 
				 
			
 
				+
			
 
				+        @Authorize(role = "admin")
			
 
				+        public void handleRoleDeny(QueryParamEntity paramEntity) {
			
 
				+            System.out.println(JSON.toJSON(paramEntity));
			
 
				+        }
			
 
				+
			
 
				     }
			
 
				 
			
 
				     public interface TestClassSuper {