
新增组织机构权限控制API

zhouhao il y a 8 ans
Parent
commit
d41fa8af6d
20 fichiers modifiés avec 900 ajouts et 0 suppressions
  1. 38 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/pom.xml
  2. 22 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/Personnel.java
  3. 113 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/PersonnelAuthorization.java
  4. 80 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/TreeNode.java
  5. 44 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/access/DataAccessType.java
  6. 27 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/access/ScopeDataAccessConfig.java
  7. 20 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresDepartment.java
  8. 20 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresOrg.java
  9. 20 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresPosition.java
  10. 14 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/AreaAttachEntity.java
  11. 24 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/DepartmentAttachEntity.java
  12. 14 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/OrgAttachEntity.java
  13. 14 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/PersonAttachEntity.java
  14. 14 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/PositionAttachEntity.java
  15. 166 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/AbstractScopeDataAccessHander.java
  16. 54 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/AreaScopeDataAccessHandler.java
  17. 54 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/DepartmentScopeDataAccessHandler.java
  18. 54 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/OrgScopeDataAccessHandler.java
  19. 54 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/PersonScopeDataAccessHandler.java
  20. 54 0
      hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/PositionScopeDataAccessHandler.java

+ 38 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/pom.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>hsweb-system-organizational</artifactId>
+        <groupId>org.hswebframework.web</groupId>
+        <version>3.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>hsweb-system-organizational-authorization</artifactId>
+    <dependencies>
+        <dependency>
+            <groupId>org.hswebframework.web</groupId>
+            <artifactId>hsweb-authorization-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.hswebframework.web</groupId>
+            <artifactId>hsweb-commons-entity</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.hswebframework</groupId>
+            <artifactId>hsweb-easy-orm-rdb</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.hswebframework.web</groupId>
+            <artifactId>hsweb-commons-controller</artifactId>
+            <version>${project.version}</version>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+
+
+</project>

+ 22 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/Personnel.java

@@ -0,0 +1,22 @@
+package organizational;
+
+import java.io.Serializable;
+
+/**
+ * 人员基本信息
+ *
+ * @author zhouhao
+ * @since 3.0
+ */
+public interface Personnel extends Serializable {
+    String getId();
+
+    String getName();
+
+    String getPhone();
+
+    String getEmail();
+
+    String getPhoto();
+
+}

+ 113 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/PersonnelAuthorization.java

@@ -0,0 +1,113 @@
+package organizational;
+
+import org.hswebframework.web.authorization.Authentication;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+/**
+ * 人员权限信息,用于获取当前登录用户对应的人员相关信息
+ *
+ * @author zhouhao
+ * @see Authentication
+ * @since 3.0
+ */
+public interface PersonnelAuthorization extends Serializable {
+
+    /**
+     * 获取当前登录人员信息
+     *
+     * @return 人员权限信息
+     * @see Optional
+     * @see Authentication#getAttribute(String)
+     */
+    static Optional<PersonnelAuthorization> current() {
+        return Authentication.current()
+                .map(authentication -> authentication.<PersonnelAuthorization>getAttribute(PersonnelAuthorization.class.getName()))
+                .orElseGet(Optional::empty);
+    }
+
+    /**
+     * @return 人员的基本信息
+     */
+    Personnel getPersonnel();
+
+    /**
+     * @return 人员所在地区ID, 只返回根节点, 永远不会返回{@code null}
+     */
+    Set<TreeNode<String>> getAreaIds();
+
+    /**
+     * @return 人员所在机构ID, 只返回根节点, 永远不会返回{@code null}
+     */
+    Set<TreeNode<String>> getOrgIds();
+
+    /**
+     * @return 人员职务ID, 只返回根节点, 永远不会返回{@code null}
+     */
+    Set<TreeNode<String>> getPositionIds();
+
+    /**
+     * @return 人员所在部门ID, 只返回根节点, 永远不会返回{@code null}
+     */
+    Set<TreeNode<String>> getDepartmentIds();
+
+    /**
+     * @return 根地区ID
+     */
+    default Set<String> getRootAreaId() {
+        return getAreaIds().stream().map(TreeNode::getValue).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 根机构ID
+     */
+    default Set<String> getRootOrgId() {
+        return getOrgIds().stream().map(TreeNode::getValue).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 根职位ID
+     */
+    default Set<String> getRootPositionId() {
+        return getPositionIds().stream().map(TreeNode::getValue).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 根部门ID
+     */
+    default Set<String> getRootDepartmentId() {
+        return getDepartmentIds().stream().map(TreeNode::getValue).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 所有地区ID
+     */
+    default Set<String> getAllAreaId() {
+        return getAreaIds().stream().map(TreeNode::getAllValue).flatMap(List::stream).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 所有机构ID
+     */
+    default Set<String> getAllOrgId() {
+        return getOrgIds().stream().map(TreeNode::getAllValue).flatMap(List::stream).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 所有职位ID
+     */
+    default Set<String> getAllPositionId() {
+        return getPositionIds().stream().map(TreeNode::getAllValue).flatMap(List::stream).collect(Collectors.toSet());
+    }
+
+    /**
+     * @return 所有部门ID
+     */
+    default Set<String> getAllDepartmentId() {
+        return getDepartmentIds().stream().map(TreeNode::getAllValue).flatMap(List::stream).collect(Collectors.toSet());
+    }
+}
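Review bot: The eight default accessors at lines 185–236 each return a `Set<String>` yet are named in the singular (`getRootAreaId`, `getAllOrgId`), which invites callers to expect a single id; plural names such as `getRootAreaIds` and `getAllOrgIds` would line up with `getAreaIds()` declared on the same interface. The Javadoc of `current()` at lines 144–150 should also spell out the contract it silently depends on, e.g. `Looks up the PersonnelAuthorization stored as an Authentication attribute under this class's name; empty when no user is logged in or the attribute was never set.` Without that sentence an integrator has no hint that some login step must populate the attribute before any handler in this module can work.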

+ 80 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/TreeNode.java

@@ -0,0 +1,80 @@
+package organizational;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.Predicate;
+
+/**
+ * 树形结构节点信息
+ *
+ * @param <V> 节点值类型
+ * @author zhouhao
+ * @since 3.0
+ */
+public class TreeNode<V> implements Serializable {
+
+    /**
+     * 父节点,根节点为{@code null}
+     */
+    private TreeNode<V> parent;
+
+    /**
+     * 节点值
+     */
+    private V value;
+
+    /**
+     * 节点层级
+     */
+    private int level;
+
+    private List<TreeNode<V>> children;
+
+    public TreeNode<V> getParent() {
+        return parent;
+    }
+
+    public void setParent(TreeNode<V> parent) {
+        this.parent = parent;
+    }
+
+    public V getValue() {
+        return value;
+    }
+
+    public void setValue(V value) {
+        this.value = value;
+    }
+
+    public List<TreeNode<V>> getChildren() {
+        return children;
+    }
+
+    public void setChildren(List<TreeNode<V>> children) {
+        this.children = children;
+    }
+
+    public int getLevel() {
+        return level;
+    }
+
+    public void setLevel(int level) {
+        this.level = level;
+    }
+
+    public List<V> getAllValue() {
+        List<V> values = new ArrayList<>(getChildren().size() + 1);
+        values.add(value);
+        children.stream().map(TreeNode::getAllValue).flatMap(List::stream).forEach(values::add);
+        return values;
+    }
+
+    public List<V> getAllValue(Predicate<TreeNode<V>> filter) {
+        List<V> values = new ArrayList<>(getChildren().size() + 1);
+        if (filter.test(this))
+            values.add(value);
+        children.stream().filter(filter).map(val -> val.getAllValue(filter)).flatMap(List::stream).forEach(values::add);
+        return values;
+    }
+}
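Review bot: `getAllValue()` at lines 308–313 dereferences `children` through `getChildren().size()` and `children.stream()`, but the field is never initialised, so any leaf node whose children were not set throws a `NullPointerException`; `getAllValue(Predicate)` at lines 315–321 has the same defect. Initialising the field, `private List<TreeNode<V>> children = new ArrayList<>();`, and guarding the setter with `this.children = children == null ? new ArrayList<>() : children;` keeps the traversal safe for leaves and for the `PersonnelAuthorization.getAll*Id` defaults that call it. The `parent` back-reference is also worth a comment on the field, since a reflective serializer that walks getters would likely loop between parent and children unless that property is excluded.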

+ 44 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/access/DataAccessType.java

@@ -0,0 +1,44 @@
+package organizational.access;
+
+import java.io.Serializable;
+
+/**
+ * 控制类型
+ *
+ * @author zhouhao
+ * @since 3.0
+ */
+public interface DataAccessType extends Serializable {
+    /**
+     * 控制地区
+     */
+    String AREA_SCOPE       = "AREA_SCOPE";
+    /**
+     * 控制机构
+     */
+    String ORG_SCOPE        = "ORG_SCOPE";
+    /**
+     * 控制部门
+     */
+    String DEPARTMENT_SCOPE = "DEPARTMENT_SCOPE";
+    /**
+     * 控制职位
+     */
+    String POSITION_SCOPE   = "POSITION_SCOPE";
+
+    /**
+     * 控制人员
+     */
+    String PERSON_SCOPE = "PERSON_SCOPE";
+
+    enum ScopeType implements Serializable {
+        ONLY_SELF("只能查看自己"),
+        CHILDREN("包含子级"),
+        CUSTOM("自定义");
+        final String comment;
+
+        ScopeType(String comment) {
+            this.comment = comment;
+        }
+    }
+}
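Review bot: `ScopeType.comment` at line 365 is package-private with no accessor, so the descriptions attached to the constants cannot be read from any other package; either add `public String getComment() { return comment; }` or drop the field. `implements Serializable` on the enum at line 361 is redundant, as every `enum` already is through `java.lang.Enum`. The scope-name constants at lines 342–359 would benefit from a one-line Javadoc stating that the string is compared against `DataAccessConfig.getType()`, which is how `AbstractScopeDataAccessHander.isSupport` selects a handler.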

+ 27 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/access/ScopeDataAccessConfig.java

@@ -0,0 +1,27 @@
+package organizational.access;
+
+import org.hswebframework.web.authorization.access.DataAccessConfig;
+
+import java.util.Set;
+
+/**
+ * 范围数据权限控制配置
+ *
+ * @author zhouhao
+ * @see DataAccessConfig
+ * @since 3.0
+ */
+public interface ScopeDataAccessConfig extends DataAccessConfig {
+
+    /**
+     * @return 范围类型
+     * @see DataAccessType.ScopeType
+     */
+    DataAccessType.ScopeType getScopeType();
+
+    /**
+     * @return 自定义的控制范围, 仅在scopeType为CUSTOM的时候有效
+     * @see DataAccessType.ScopeType#CUSTOM
+     */
+    Set<String> getScope();
+}
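Review bot: The Javadoc on `getScope()` at lines 398–401 needs to state whether the method may return `null` when the scope type is not `CUSTOM`, because `AbstractScopeDataAccessHander.handleAdd` calls `access.getScope().size()` and `handleQuery` calls `isEmpty()` on the result with no null check. Suggested wording: `@return the custom scope ids; only consulted when getScopeType() is CUSTOM, and must be an empty set rather than null in every other case`.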

+ 20 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresDepartment.java

@@ -0,0 +1,20 @@
+package organizational.annotation;
+
+import org.hswebframework.web.authorization.annotation.Logical;
+
+import java.lang.annotation.*;
+
+/**
+ * @author zhouhao
+ */
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequiresDepartment {
+    String[] value() default {};
+
+    boolean hasChidren() default true;
+
+    Logical logocal() default Logical.OR;
+
+}
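Review bot: The annotation elements `hasChidren()` and `logocal()` at lines 424 and 426 are misspelled, and since element names are part of the public API (`@RequiresDepartment(logocal = ...)`) the typos become hard to correct once callers exist; rename them to `hasChildren()` and `logical()` before release. `RequiresOrg` and `RequiresPosition` in this commit carry the same two misspellings. Each annotation also lacks Javadoc saying what `value` holds (presumably department ids) and how `hasChildren` widens the match to descendants — that contract is not stated anywhere in the commit.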

+ 20 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresOrg.java

@@ -0,0 +1,20 @@
+package organizational.annotation;
+
+import org.hswebframework.web.authorization.annotation.Logical;
+
+import java.lang.annotation.*;
+
+/**
+ * @author zhouhao
+ */
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequiresOrg {
+    String[] value() default {};
+
+    boolean hasChidren() default true;
+
+    Logical logocal() default Logical.OR;
+
+}

+ 20 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/annotation/RequiresPosition.java

@@ -0,0 +1,20 @@
+package organizational.annotation;
+
+import org.hswebframework.web.authorization.annotation.Logical;
+
+import java.lang.annotation.*;
+
+/**
+ * @author zhouhao
+ */
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequiresPosition {
+    String[] value() default {};
+
+    boolean hasChidren() default true;
+
+    Logical logocal() default Logical.OR;
+
+}

+ 14 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/AreaAttachEntity.java

@@ -0,0 +1,14 @@
+package organizational.entity;
+
+import java.io.Serializable;
+
+/**
+ * @author zhouhao
+ */
+public interface AreaAttachEntity extends Serializable {
+    String areaId = "areaId";
+
+    String getAreaId();
+
+    void setAreaId(String areaId);
+}
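Review bot: Only `DepartmentAttachEntity` in this commit explains what implementing the attach interface means; `AreaAttachEntity` here, and `OrgAttachEntity`, `PersonAttachEntity` and `PositionAttachEntity`, carry nothing beyond `@author`. A class Javadoc such as `Entity that carries an area id; implementing this interface opts the entity into area-scoped data access control` plus a `@return` on the getter would make the four files self-describing. The constant `String areaId = "areaId"` at line 492 is an implicit `public static final` field in lowerCamelCase, so `AreaAttachEntity.areaId` reads like an instance access; if the project convention is to keep the property name as the constant, a comment `// property name, used as the query column by AreaScopeDataAccessHandler` would at least say why.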

+ 24 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/DepartmentAttachEntity.java

@@ -0,0 +1,24 @@
+package organizational.entity;
+
+import java.io.Serializable;
+
+/**
+ * 关联部门信息的实体,实现此接口,才能对相应的操作进行部门相关的权限控制
+ *
+ * @author zhouhao
+ * @since 3.0
+ */
+public interface DepartmentAttachEntity extends Serializable {
+
+    /*-------------------------------------------
+     |               属性名常量               |
+     ===========================================*/
+    String departmentId = "departmentId";
+
+    /**
+     * @return 部门ID
+     */
+    String getDepartmentId();
+
+    void setDepartmentId(String departmentId);
+}

+ 14 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/OrgAttachEntity.java

@@ -0,0 +1,14 @@
+package organizational.entity;
+
+import java.io.Serializable;
+
+/**
+ * @author zhouhao
+ */
+public interface OrgAttachEntity extends Serializable {
+    String orgId = "orgId";
+
+    String getOrgId();
+
+    void setOrgId(String orgId);
+}

+ 14 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/PersonAttachEntity.java

@@ -0,0 +1,14 @@
+package organizational.entity;
+
+import java.io.Serializable;
+
+/**
+ * @author zhouhao
+ */
+public interface PersonAttachEntity extends Serializable {
+    String personId = "personId";
+
+    String getPersonId();
+
+    void setPersonId(String personId);
+}

+ 14 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/entity/PositionAttachEntity.java

@@ -0,0 +1,14 @@
+package organizational.entity;
+
+import java.io.Serializable;
+
+/**
+ * @author zhouhao
+ */
+public interface PositionAttachEntity extends Serializable {
+    String positionId = "positionId";
+
+    String getPositionId();
+
+    void setPositionId(String positionId);
+}

+ 166 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/AbstractScopeDataAccessHander.java

@@ -0,0 +1,166 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hswebframework.web.authorization.Permission;
+import org.hswebframework.web.authorization.access.DataAccessConfig;
+import org.hswebframework.web.authorization.access.DataAccessHandler;
+import org.hswebframework.web.authorization.annotation.RequiresDataAccess;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.access.ScopeDataAccessConfig;
+import organizational.entity.OrgAttachEntity;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
+import org.hswebframework.web.commons.entity.Entity;
+import org.hswebframework.web.commons.entity.param.QueryParamEntity;
+import org.hswebframework.web.controller.QueryController;
+import org.hswebframework.web.service.QueryService;
+import org.hswebframwork.utils.ClassUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public abstract class AbstractScopeDataAccessHander<E> implements DataAccessHandler {
+    protected Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    private boolean defaultSuccessOnError = true;
+
+    protected abstract Class<E> getEntityClass();
+
+    protected abstract String getSupportScope();
+
+    protected abstract String getOperationScope(E entity);
+
+    protected abstract Term applyQueryTerm(Set<String> scope);
+
+    protected abstract Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization);
+
+    @Override
+    public boolean isSupport(DataAccessConfig access) {
+        return access instanceof ScopeDataAccessConfig && access.getType().equals(getSupportScope());
+    }
+
+    @Override
+    public boolean handle(DataAccessConfig access, MethodInterceptorParamContext context) {
+        ScopeDataAccessConfig accessConfig = ((ScopeDataAccessConfig) access);
+        switch (accessConfig.getAction()) {
+            case Permission.ACTION_QUERY:
+                return handleQuery(accessConfig, context);
+            case Permission.ACTION_GET:
+            case Permission.ACTION_DELETE:
+            case Permission.ACTION_UPDATE:
+                return handleRW(accessConfig, context);
+            case Permission.ACTION_ADD:
+                return handleAdd(accessConfig, context);
+        }
+        return false;
+    }
+
+    protected PersonnelAuthorization getPersonnelAuthorization() {
+        return PersonnelAuthorization.current()
+                .orElseThrow(UnsupportedOperationException::new); // TODO: 17-5-23 其他异常?
+    }
+
+    protected boolean handleAdd(ScopeDataAccessConfig access, MethodInterceptorParamContext context) {
+        PersonnelAuthorization authorization = getPersonnelAuthorization();
+        Set<String> scopes = authorization.getRootOrgId();
+        String scope = null;
+        if (scopes.size() == 0) return true;
+        else if (scopes.size() == 1) scope = scopes.iterator().next();
+        else logger.warn("existing many scope :{} , try use config.", scopes);
+        scopes = access.getScope();
+        if (scope == null && scopes.size() == 1) {
+            scope = scopes.iterator().next();
+        }
+        if (scope != null) {
+            String finalScopeId = scope;
+            context.getParams().values().stream()
+                    .filter(OrgAttachEntity.class::isInstance)
+                    .map(OrgAttachEntity.class::cast)
+                    .forEach(entity -> entity.setOrgId(finalScopeId));
+        } else {
+            logger.warn("scope is null!");
+        }
+        return defaultSuccessOnError;
+    }
+
+    protected boolean handleRW(ScopeDataAccessConfig access, MethodInterceptorParamContext context) {
+        //获取注解
+        RequiresDataAccess dataAccess = context.getAnnotation(RequiresDataAccess.class);
+        Object id = context.<String>getParameter(dataAccess.idParamName()).orElse(null);
+        Object controller = context.getTarget();
+        Set<String> ids = getTryOperationScope(access);
+        String errorMsg;
+        //通过QueryController获取QueryService
+        //然后调用selectByPk 查询旧的数据,进行对比
+        if (controller instanceof QueryController) {
+            //判断是否满足条件(泛型为 getEntityClass)
+            Class entityType = ClassUtils.getGenericType(controller.getClass(), 0);
+            if (ClassUtils.instanceOf(entityType, getEntityClass())) {
+                QueryService<E, Object> queryService =
+                        ((QueryController<E, Object, Entity>) controller).getService();
+                E oldData = queryService.selectByPk(id);
+                if (oldData != null && ids.contains(getOperationScope(oldData))) {
+                    return false;
+                } else {
+                    return true;
+                }
+            } else {
+                errorMsg = "GenericType[0] not instance of " + getEntityClass();
+            }
+        } else {
+            errorMsg = "target not instance of QueryController";
+        }
+        logger.warn("do handle {} fail,because {}", access.getAction(), errorMsg);
+        return defaultSuccessOnError;
+    }
+
+    protected Set<String> getTryOperationScope(ScopeDataAccessConfig access) {
+        if (access.getScopeType() == DataAccessType.ScopeType.CUSTOM)
+            return access.getScope();
+        return getTryOperationScope(access.getScopeType(), getPersonnelAuthorization());
+    }
+
+    protected boolean handleQuery(ScopeDataAccessConfig access, MethodInterceptorParamContext context) {
+        Entity entity = context.getParams()
+                .values().stream()
+                .filter(Entity.class::isInstance)
+                .map(Entity.class::cast)
+                .findAny().orElse(null);
+        if (entity == null) {
+            logger.warn("try validate query access, but query entity is null or not instance of org.hswebframework.web.commons.entity.Entity");
+            return defaultSuccessOnError;
+        }
+        Set<String> scope = getTryOperationScope(access);
+        if (scope.isEmpty()) {
+            logger.warn("try validate query access,but config is empty!");
+            return defaultSuccessOnError;
+        }
+        if (entity instanceof QueryParamEntity) {
+            if (logger.isDebugEnabled())
+                logger.debug("try rebuild query param ...");
+            QueryParamEntity queryParamEntity = ((QueryParamEntity) entity);
+            //重构查询条件
+            //如: 旧的条件为 where name =? or name = ?
+            //重构后为: where org_id in(?,?) and (name = ? or name = ?)
+            List<Term> oldParam = queryParamEntity.getTerms();
+            //清空旧的查询条件
+            queryParamEntity.setTerms(new ArrayList<>());
+            //添加一个查询条件
+            queryParamEntity
+                    .addTerm(applyQueryTerm(scope))
+                    //客户端提交的参数 作为嵌套参数
+                    .nest().setTerms(oldParam);
+        } else {
+            logger.warn("try validate query access,but entity not support, QueryParamEntity support now!");
+        }
+        return true;
+    }
+}
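Review bot: The decision in `handleRW` at lines 698–702 is inverted: when the stored record's scope is inside the caller's permitted set the method returns `false` (deny), and when it is outside the set, or the record does not exist, it returns `true` (allow) — the opposite of the rule the handler exists to enforce, so the three lines should collapse to `return oldData != null && ids.contains(getOperationScope(oldData));`. `defaultSuccessOnError` at line 621 defaults to `true`, so every path that cannot evaluate the rule (target not a `QueryController`, generic mismatch, missing query entity, empty scope) also grants access; an authorization handler should default to fail-closed, or at minimum document why fail-open was chosen and expose a setter so deployments can turn it off. `handleAdd` at lines 659–680 is also bound to `OrgAttachEntity` and `getRootOrgId()` even though the class is generic over `E`, so the area, department, position and person subclasses will stamp `orgId` on organisation entities instead of their own scope column — presumably it should delegate to an abstract hook that sets the scope on an `E`. The `TODO 完成注释` at line 614 should become a class Javadoc describing the three action groups handled and that `true` means allow and `false` means deny.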

+ 54 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/AreaScopeDataAccessHandler.java

@@ -0,0 +1,54 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hsweb.ezorm.core.param.TermType;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.entity.AreaAttachEntity;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class AreaScopeDataAccessHandler extends AbstractScopeDataAccessHander<AreaAttachEntity> {
+    @Override
+    protected Class<AreaAttachEntity> getEntityClass() {
+        return AreaAttachEntity.class;
+    }
+
+    @Override
+    protected String getSupportScope() {
+        return DataAccessType.DEPARTMENT_SCOPE;
+    }
+
+    @Override
+    protected String getOperationScope(AreaAttachEntity entity) {
+        return entity.getAreaId();
+    }
+
+    @Override
+    protected Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization) {
+        switch (scopeType) {
+            case CHILDREN:
+                return authorization.getAllAreaId();
+            case ONLY_SELF:
+                return authorization.getRootAreaId();
+            default:
+                return Collections.emptySet();
+        }
+    }
+
+    @Override
+    protected Term applyQueryTerm(Set<String> scope) {
+        Term term = new Term();
+        term.setColumn(AreaAttachEntity.areaId);
+        term.setTermType(TermType.in);
+        term.setValue(scope);
+        term.setType(Term.Type.and);
+        return term;
+    }
+}
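Review bot: `getSupportScope()` at line 784 returns `DataAccessType.DEPARTMENT_SCOPE`, so this area handler will claim department-scoped configs alongside `DepartmentScopeDataAccessHandler` and nothing will ever be selected for `AREA_SCOPE`; the line should read `return DataAccessType.AREA_SCOPE;`. Because `isSupport` in the abstract class matches purely on this string, the copy-paste slip silently disables area-based data access control instead of failing loudly, which is worth a unit test asserting each handler's supported scope.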

+ 54 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/DepartmentScopeDataAccessHandler.java

@@ -0,0 +1,54 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hsweb.ezorm.core.param.TermType;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.entity.DepartmentAttachEntity;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class DepartmentScopeDataAccessHandler extends AbstractScopeDataAccessHander<DepartmentAttachEntity> {
+    @Override
+    protected Class<DepartmentAttachEntity> getEntityClass() {
+        return DepartmentAttachEntity.class;
+    }
+
+    @Override
+    protected String getSupportScope() {
+        return DataAccessType.DEPARTMENT_SCOPE;
+    }
+
+    @Override
+    protected String getOperationScope(DepartmentAttachEntity entity) {
+        return entity.getDepartmentId();
+    }
+
+    @Override
+    protected Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization) {
+        switch (scopeType) {
+            case CHILDREN:
+                return authorization.getAllDepartmentId();
+            case ONLY_SELF:
+                return authorization.getRootDepartmentId();
+            default:
+                return Collections.emptySet();
+        }
+    }
+
+    @Override
+    protected Term applyQueryTerm(Set<String> scope) {
+        Term term = new Term();
+        term.setColumn(DepartmentAttachEntity.departmentId);
+        term.setTermType(TermType.in);
+        term.setValue(scope);
+        term.setType(Term.Type.and);
+        return term;
+    }
+}
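Review bot: `applyQueryTerm` at lines 864–871 is repeated verbatim in the area, org, person and position handlers, differing only in the column constant; moving the body into `AbstractScopeDataAccessHander` behind an abstract `getScopeColumn()` hook would leave one place where the `in` term and the `and` conjunction are built, and this class would shrink to `@Override protected String getScopeColumn() { return DepartmentAttachEntity.departmentId; }`. The `TODO 完成注释` header at line 831 is still the only class comment; a sentence such as `Restricts query and read/write access to rows whose departmentId lies within the caller's department scope` would do.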

+ 54 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/OrgScopeDataAccessHandler.java

@@ -0,0 +1,54 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hsweb.ezorm.core.param.TermType;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.entity.OrgAttachEntity;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class OrgScopeDataAccessHandler extends AbstractScopeDataAccessHander<OrgAttachEntity> {
+    @Override
+    protected Class<OrgAttachEntity> getEntityClass() {
+        return OrgAttachEntity.class;
+    }
+
+    @Override
+    protected String getSupportScope() {
+        return DataAccessType.ORG_SCOPE;
+    }
+
+    @Override
+    protected Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization) {
+        switch (scopeType) {
+            case CHILDREN:
+                return authorization.getAllOrgId();
+            case ONLY_SELF:
+                return authorization.getRootOrgId();
+            default:
+                return Collections.emptySet();
+        }
+    }
+
+    @Override
+    protected String getOperationScope(OrgAttachEntity entity) {
+        return entity.getOrgId();
+    }
+
+    @Override
+    protected Term applyQueryTerm(Set<String> scope) {
+        Term term = new Term();
+        term.setColumn(OrgAttachEntity.orgId);
+        term.setTermType(TermType.in);
+        term.setValue(scope);
+        term.setType(Term.Type.and);
+        return term;
+    }
+}

+ 54 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/PersonScopeDataAccessHandler.java

@@ -0,0 +1,54 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hsweb.ezorm.core.param.TermType;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.entity.PersonAttachEntity;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class PersonScopeDataAccessHandler extends AbstractScopeDataAccessHander<PersonAttachEntity> {
+    @Override
+    protected Class<PersonAttachEntity> getEntityClass() {
+        return PersonAttachEntity.class;
+    }
+
+    @Override
+    protected String getSupportScope() {
+        return DataAccessType.PERSON_SCOPE;
+    }
+
+    @Override
+    protected Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization) {
+        switch (scopeType) {
+            case CHILDREN:
+                logger.warn("not support person children control!");
+            case ONLY_SELF:
+                return Collections.singleton(authorization.getPersonnel().getId());
+            default:
+                return Collections.emptySet();
+        }
+    }
+
+    @Override
+    protected String getOperationScope(PersonAttachEntity entity) {
+        return entity.getPersonId();
+    }
+
+    @Override
+    protected Term applyQueryTerm(Set<String> scope) {
+        Term term = new Term();
+        term.setColumn(PersonAttachEntity.personId);
+        term.setTermType(TermType.in);
+        term.setValue(scope);
+        term.setType(Term.Type.and);
+        return term;
+    }
+}
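Review bot: The `case CHILDREN:` branch at lines 967–968 logs a warning and then falls through into `ONLY_SELF`, which looks intended but reads as an omission; add `// fall through: person scope has no hierarchy, treated as ONLY_SELF` after the `logger.warn` line so the next reader does not "fix" it with a `return`. `authorization.getPersonnel().getId()` at line 970 also assumes `getPersonnel()` is non-null, which the `PersonnelAuthorization` Javadoc does not promise — either guard it and return `Collections.emptySet()`, or document a non-null contract on the interface.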

+ 54 - 0
hsweb-system/hsweb-system-organizational/hsweb-system-organizational-authorization/src/main/java/organizational/simple/PositionScopeDataAccessHandler.java

@@ -0,0 +1,54 @@
+package organizational.simple;
+
+import org.hsweb.ezorm.core.param.Term;
+import org.hsweb.ezorm.core.param.TermType;
+import organizational.PersonnelAuthorization;
+import organizational.access.DataAccessType;
+import organizational.entity.PositionAttachEntity;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class PositionScopeDataAccessHandler extends AbstractScopeDataAccessHander<PositionAttachEntity> {
+    @Override
+    protected Class<PositionAttachEntity> getEntityClass() {
+        return PositionAttachEntity.class;
+    }
+
+    @Override
+    protected String getSupportScope() {
+        return DataAccessType.POSITION_SCOPE;
+    }
+
+    @Override
+    protected Set<String> getTryOperationScope(DataAccessType.ScopeType scopeType, PersonnelAuthorization authorization) {
+        switch (scopeType) {
+            case CHILDREN:
+                return authorization.getAllPositionId();
+            case ONLY_SELF:
+                return authorization.getRootPositionId();
+            default:
+                return Collections.emptySet();
+        }
+    }
+
+    @Override
+    protected String getOperationScope(PositionAttachEntity entity) {
+        return entity.getPositionId();
+    }
+
+    @Override
+    protected Term applyQueryTerm(Set<String> scope) {
+        Term term = new Term();
+        term.setColumn(PositionAttachEntity.positionId);
+        term.setTermType(TermType.in);
+        term.setValue(scope);
+        term.setType(Term.Type.and);
+        return term;
+    }
+}