
优化权限控制逻辑

zhou-hao 7 jaren geleden
bovenliggende
commit
e6185c1311
11 gewijzigde bestanden met toevoegingen van 88 en 43 verwijderingen
  1. 2 1
      hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/annotation/Authorize.java
  2. 9 0
      hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/annotation/RequiresDataAccess.java
  3. 1 0
      hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/define/AuthorizeDefinition.java
  4. 2 0
      hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/define/DataAccessDefinition.java
  5. 33 9
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/aop/AopAuthorizingController.java
  6. 6 1
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/aop/DefaultAopMethodAuthorizeDefinitionParser.java
  7. 3 3
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/define/DefaultBasicAuthorizeDefinition.java
  8. 12 16
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/define/DefaultDataAccessDefinition.java
  9. 9 1
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/AuthorizingHandler.java
  10. 7 7
      hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
  11. 4 5
      hsweb-authorization/hsweb-authorization-basic/src/test/java/org/hswebframework/web/authorization/AuthorizeDefinitionTests.java

+ 2 - 1
hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/annotation/Authorize.java

@@ -105,5 +105,6 @@ public @interface Authorize {
     /**
      * @return 数据权限控制
      */
-    RequiresDataAccess[] dataAccess() default {};
+    RequiresDataAccess dataAccess() default @RequiresDataAccess(ignore = true);
+
 }
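Review bot: `dataAccess()` changes from `RequiresDataAccess[]` to a single `RequiresDataAccess` at line 41, so any existing `@Authorize(dataAccess = {@RequiresDataAccess(...)})` usage stops compiling — an array-typed attribute accepts a bare element, but not the reverse. If the annotation is consumed outside this repository, that is a source-incompatible API change worth calling out in the commit message or handling with a deprecation step. The Javadoc above it still reads only `@return 数据权限控制`; since the default is now an ignored annotation, it should say so, e.g. `@return data-access control; defaults to an ignored @RequiresDataAccess, i.e. no data-access check unless set explicitly`.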

+ 9 - 0
hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/annotation/RequiresDataAccess.java

@@ -20,6 +20,7 @@ package org.hswebframework.web.authorization.annotation;
 import org.hswebframework.web.authorization.access.DataAccessConfig;
 import org.hswebframework.web.authorization.access.DataAccessController;
 import org.hswebframework.web.authorization.Permission;
+import org.hswebframework.web.authorization.define.Phased;
 
 import java.lang.annotation.*;
 
@@ -67,8 +68,16 @@ public @interface RequiresDataAccess {
      */
     Class<DataAccessController> controllerClass() default DataAccessController.class;
 
+    Phased phased() default Phased.before;
+
     /**
      * @return id参数名称
      */
     String idParamName() default "id";
+
+    /**
+     * @return 是否忽略, 忽略后将不进行权限控制
+     */
+    boolean ignore() default false;
+
 }
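Review bot: The new `phased()` attribute at line 60 has no Javadoc while the neighbouring `ignore()` does, and its value matters for security: with `Phased.after` the data-access check runs only after the intercepted method has executed, so for a non-idempotent operation the side effect has already happened by the time access is denied. Document that explicitly, e.g. `@return when the data-access check runs; Phased.after evaluates after the method body has executed, so use it only for read/filter style operations`. The `ignore()` Javadoc could likewise mention that it exists mainly to serve as the default of `@Authorize.dataAccess()`.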

+ 1 - 0
hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/define/AuthorizeDefinition.java

@@ -16,6 +16,7 @@ import java.util.Set;
 public interface AuthorizeDefinition {
 
     Phased getPhased();
+
     /**
      * 优先级,如果获取到多个权限控制定义是,则先判断优先级高的
      *

+ 2 - 0
hsweb-authorization/hsweb-authorization-api/src/main/java/org/hswebframework/web/authorization/define/DataAccessDefinition.java

@@ -14,4 +14,6 @@ public interface DataAccessDefinition extends Serializable {
 
     String getIdParameterName();
 
+    Phased getPhased();
+
 }

+ 33 - 9
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/aop/AopAuthorizingController.java

@@ -4,21 +4,18 @@ import org.aopalliance.intercept.MethodInterceptor;
 import org.hswebframework.web.AopUtils;
 import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.annotation.Authorize;
-import org.hswebframework.web.authorization.define.AuthorizingContext;
 import org.hswebframework.web.authorization.basic.handler.AuthorizingHandler;
 import org.hswebframework.web.authorization.define.AuthorizeDefinition;
+import org.hswebframework.web.authorization.define.AuthorizingContext;
 import org.hswebframework.web.authorization.define.Phased;
 import org.hswebframework.web.authorization.exception.UnAuthorizedException;
-import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
 import org.hswebframework.web.boost.aop.context.MethodInterceptorContext;
-import org.hswebframework.web.controller.message.ResponseMessage;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
 import org.springframework.aop.support.StaticMethodMatcherPointcutAdvisor;
-import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.lang.reflect.Method;
-import java.util.Map;
 
 /**
  * @author zhouhao
@@ -45,13 +42,42 @@ public class AopAuthorizingController extends StaticMethodMatcherPointcutAdvisor
                     context.setDefinition(definition);
                     context.setParamContext(paramContext);
                     isControl = true;
+
+                    Phased dataAccessPhased = null;
+                    if (definition.getDataAccessDefinition() != null) {
+                        dataAccessPhased = definition.getDataAccessDefinition().getPhased();
+                    }
                     if (definition.getPhased() == Phased.before) {
-                        authorizingHandler.handle(context);
+                        //RDAC before
+                        authorizingHandler.handRDAC(context);
+
+                        //方法调用前验证数据权限
+                        if (dataAccessPhased == Phased.before) {
+                            authorizingHandler.handleDataAccess(context);
+                        }
+
                         result = methodInvocation.proceed();
+
+                        //方法调用后验证数据权限
+                        if (dataAccessPhased == Phased.after) {
+                            context.setParamContext(holder.createParamContext(result));
+                            authorizingHandler.handleDataAccess(context);
+                        }
                     } else {
+                        //方法调用前验证数据权限
+                        if (dataAccessPhased == Phased.before) {
+                            authorizingHandler.handleDataAccess(context);
+                        }
+
                         result = methodInvocation.proceed();
                         context.setParamContext(holder.createParamContext(result));
-                        authorizingHandler.handle(context);
+
+                        authorizingHandler.handRDAC(context);
+
+                        //方法调用后验证数据权限
+                        if (dataAccessPhased == Phased.after) {
+                            authorizingHandler.handleDataAccess(context);
+                        }
                     }
                 }
             }
@@ -63,8 +89,6 @@ public class AopAuthorizingController extends StaticMethodMatcherPointcutAdvisor
         });
     }
 
-
-
     @Override
     public boolean matches(Method method, Class<?> aClass) {
         //对controller进行控制
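Review bot: The data-access check is skipped entirely when `dataAccessPhased` stays null at line 129, which happens not only when no data-access definition exists but also when `getPhased()` returns null; `DefaultDataAccessDefinition` in this commit declares `private Phased phased;` with no default, so an instance created through the generated `@NoArgsConstructor` without a `setPhased` call matches neither the `before` nor the `after` branch and fails open. Treat an unset phase as `before`, e.g. after the assignment at line 131 add `if (dataAccessPhased == null) { dataAccessPhased = Phased.before; }`, or initialise the field in `DefaultDataAccessDefinition` as `private Phased phased = Phased.before;` to mirror the annotation default. The before/after data-access blocks are also duplicated verbatim across the two branches, which a small private helper taking the phase would remove. Note that `Phased.after` for data access runs only once `methodInvocation.proceed()` has returned, so the target method's side effects precede the decision. The enclosing method starts and ends outside the hunk.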

+ 6 - 1
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/aop/DefaultAopMethodAuthorizeDefinitionParser.java

@@ -40,6 +40,7 @@ public class DefaultAopMethodAuthorizeDefinitionParser implements AopMethodAutho
     }
 
     @Override
+    @SuppressWarnings("all")
     public AuthorizeDefinition parse(MethodInterceptorContext paramContext) {
         CacheKey key = buildCacheKey(paramContext);
 
@@ -61,7 +62,9 @@ public class DefaultAopMethodAuthorizeDefinitionParser implements AopMethodAutho
 
         Authorize classAuth = AopUtils.findAnnotation(paramContext.getTarget().getClass(), Authorize.class);
         Authorize methodAuth = AopUtils.findMethodAnnotation(paramContext.getTarget().getClass(), paramContext.getMethod(), Authorize.class);
+
         RequiresDataAccess classDataAccess = AopUtils.findAnnotation(paramContext.getTarget().getClass(), RequiresDataAccess.class);
+
         RequiresDataAccess methodDataAccess = AopUtils.findMethodAnnotation(paramContext.getTarget().getClass(), paramContext.getMethod(), RequiresDataAccess.class);
 
         RequiresExpression expression = AopUtils.findAnnotation(paramContext.getTarget().getClass(), RequiresExpression.class);
@@ -86,6 +89,8 @@ public class DefaultAopMethodAuthorizeDefinitionParser implements AopMethodAutho
 
         authorizeDefinition.put(expression);
 
+        authorizeDefinition.put(methodAuth.dataAccess());
+
         authorizeDefinition.put(classDataAccess);
 
         authorizeDefinition.put(methodDataAccess);
@@ -99,7 +104,7 @@ public class DefaultAopMethodAuthorizeDefinitionParser implements AopMethodAutho
     }
 
     class CacheKey {
-        private Class  type;
+        private Class type;
         private Method method;
 
         public CacheKey(Class type, Method method) {
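Review bot: `authorizeDefinition.put(methodAuth.dataAccess())` at line 204 dereferences `methodAuth` with no null check, and `AopUtils.findMethodAnnotation` at line 193 presumably returns null for a method that relies on the class-level `@Authorize` alone; unless a guard above this hunk returns early for that case, the parser throws a NullPointerException instead of producing a definition. Guard it, e.g. `if (methodAuth != null) { authorizeDefinition.put(methodAuth.dataAccess()); }`. Since each `put(RequiresDataAccess)` appears to build a fresh definition, the order here also lets the class-level `RequiresDataAccess` override the method-level `@Authorize(dataAccess = ...)`, which looks inverted from the usual method-over-class precedence — worth confirming against the intended semantics. Separately, `@SuppressWarnings("all")` on the whole `parse` method at line 186 hides every future warning in it; scope it to the statement that needs it and name the specific warning. The enclosing method spans beyond the hunks.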

+ 3 - 3
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/define/DefaultBasicAuthorizeDefinition.java

@@ -73,7 +73,7 @@ public class DefaultBasicAuthorizeDefinition implements AuthorizeDefinition {
             logical = authorize.logical();
         }
         message = authorize.message();
-        phased=authorize.phased();
+        phased = authorize.phased();
     }
 
     public void put(RequiresExpression expression) {
@@ -84,7 +84,7 @@ public class DefaultBasicAuthorizeDefinition implements AuthorizeDefinition {
     }
 
     public void put(RequiresDataAccess dataAccess) {
-        if (null == dataAccess) {
+        if (null == dataAccess || dataAccess.ignore()) {
             return;
         }
         if (!"".equals(dataAccess.permission())) {
@@ -92,7 +92,7 @@ public class DefaultBasicAuthorizeDefinition implements AuthorizeDefinition {
         }
         actions.addAll(Arrays.asList(dataAccess.action()));
         DefaultDataAccessDefinition definition = new DefaultDataAccessDefinition();
-
+        definition.setPhased(dataAccess.phased());
         if (!"".equals(dataAccess.controllerBeanName())) {
             definition.setController(dataAccess.controllerBeanName());
         } else if (DataAccessController.class != dataAccess.controllerClass()) {
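Review bot: The `ignore()` early return at line 236 is now the mechanism by which the default `@Authorize.dataAccess()` (an ignored `@RequiresDataAccess`) avoids installing data-access control, but nothing at the call site says so, and a reader could mistake the bypass for dead code. Add a comment above the check, e.g. `// ignore == true is the default of @Authorize.dataAccess(); it must not register any permission, action or definition`. `put` itself has no Javadoc; a one-line summary such as `Merges a @RequiresDataAccess into this definition; absent or ignored annotations leave it untouched` would help. The method continues past the hunk.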

+ 12 - 16
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/define/DefaultDataAccessDefinition.java

@@ -1,30 +1,26 @@
 package org.hswebframework.web.authorization.basic.define;
 
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 import org.hswebframework.web.authorization.define.DataAccessDefinition;
+import org.hswebframework.web.authorization.define.Phased;
 
 /**
  * @author zhouhao
  */
+@Getter
+@Setter
+@AllArgsConstructor
+@NoArgsConstructor
 public class DefaultDataAccessDefinition implements DataAccessDefinition {
 
+    private static final long serialVersionUID = 8285566729547666068L;
+
     private String controller;
 
     private String idParameterName="id";
-    @Override
-    public String getController() {
-        return controller;
-    }
-
-    @Override
-    public String getIdParameterName() {
-        return idParameterName;
-    }
-
-    public void setController(String controller) {
-        this.controller = controller;
-    }
 
-    public void setIdParameterName(String idParameterName) {
-        this.idParameterName = idParameterName;
-    }
+    private Phased phased;
 }

+ 9 - 1
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/AuthorizingHandler.java

@@ -4,8 +4,16 @@ import org.hswebframework.web.authorization.define.AuthorizingContext;
 
 /**
  * aop方式权限控制处理器
+ *
  * @author zhouhao
  */
 public interface AuthorizingHandler {
-    void handle(AuthorizingContext context);
+    void handRDAC(AuthorizingContext context);
+
+    void handleDataAccess(AuthorizingContext context);
+
+    default void handle(AuthorizingContext context) {
+        handRDAC(context);
+        handleDataAccess(context);
+    }
 }
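Review bot: The new interface method is named `handRDAC` at line 309 while its sibling is `handleDataAccess` and the retained default is `handle`; the missing "le" reads as a typo, and because this is a public interface that `DefaultAuthorizingHandler` and the tests already implement, it becomes expensive to correct after release — rename now: `void handleRDAC(AuthorizingContext context);`. Neither new method carries Javadoc; state that `handleRDAC` evaluates the permission and expression rules while `handleDataAccess` evaluates data-level access, and that `handle` runs both in that order, mirroring the previous single-method contract.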

+ 7 - 7
hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java

@@ -42,23 +42,23 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
     }
 
     @Override
-    public void handle(AuthorizingContext context) {
+    public void handRDAC(AuthorizingContext context) {
 
         //进行rdac权限控制
         handleRdac(context.getAuthentication(), context.getDefinition());
-
-        //进行数据权限控制
-        handleDataAccess(context);
-
         //表达式权限控制
         handleExpression(context.getAuthentication(), context.getDefinition(), context.getParamContext());
-    }
 
-    protected void handleDataAccess(AuthorizingContext context) {
+
+    }
+    public void handleDataAccess(AuthorizingContext context) {
         if (dataAccessController == null) {
             logger.warn("dataAccessController is null,skip result access control!");
             return;
         }
+        if(context.getDefinition().getDataAccessDefinition()==null){
+            return;
+        }
         List<Permission> permission = context.getAuthentication().getPermissions()
                 .stream()
                 .filter(per -> context.getDefinition().getPermissions().contains(per.getId()))
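Review bot: `handleDataAccess` at line 342 now implements the interface method but is missing `@Override`, unlike `handRDAC` directly above it; add `@Override` so a later signature drift in the interface fails to compile here. With this commit `handleDataAccess` is the only data-access check in both phases, and the retained branch at lines 343–346 merely logs a warning and returns when `dataAccessController` is null, so a missing controller bean silently disables data-access control for every annotated method — failing closed (throwing `UnAuthorizedException` when the definition requires data access, or rejecting the configuration at startup) would be the safer contract. The stray blank line left in `handRDAC` at line 340 and the unspaced `if(...==null){` at line 347 also deviate from the file's formatting. The method body continues past the hunk.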

+ 4 - 5
hsweb-authorization/hsweb-authorization-basic/src/test/java/org/hswebframework/web/authorization/AuthorizeDefinitionTests.java

@@ -31,7 +31,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @RunWith(MockitoJUnitRunner.class)
-public class AuthorizeDefinitionTests {
+public class AuthorizeTests {
 
     @Mock
     private MethodInterceptorContext queryById;
@@ -43,7 +43,6 @@ public class AuthorizeDefinitionTests {
 
     AopMethodAuthorizeDefinitionParser parser = new DefaultAopMethodAuthorizeDefinitionParser();
 
-
     @Before
     public void init() throws NoSuchMethodException {
         TestClass testClass = new TestClass();
@@ -112,7 +111,7 @@ public class AuthorizeDefinitionTests {
         authorizingContext.setDefinition(definition);
         authorizingContext.setParamContext(queryById);
 
-        handler.handle(authorizingContext);
+        handler.handRDAC(authorizingContext);
 
 
     }
@@ -139,7 +138,7 @@ public class AuthorizeDefinitionTests {
         authorizingContext.setDefinition(definition);
         authorizingContext.setParamContext(dynamicQuery);
 
-        handler.handle(authorizingContext);
+        handler.handleDataAccess(authorizingContext);
 
         System.out.println(JSON.toJSONString(entity, SerializerFeature.PrettyFormat));
 
@@ -171,7 +170,7 @@ public class AuthorizeDefinitionTests {
         authorizingContext.setDefinition(definition);
         authorizingContext.setParamContext(queryById);
 
-         handler.handle(authorizingContext);
+        handler.handleDataAccess(authorizingContext);
 
         System.out.println(JSON.toJSONString(response, SerializerFeature.PrettyFormat));
         Assert.assertTrue(response instanceof ResponseMessage);
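Review bot: The public class is renamed to `AuthorizeTests` at line 362 but the file is still `AuthorizeDefinitionTests.java` (the diffstat lists it as modified, not renamed), and Java requires a public top-level class to match its file name, so this test source no longer compiles; either keep `public class AuthorizeDefinitionTests {` or rename the file to match. After the change the three tests call `handRDAC` or `handleDataAccess` individually and none exercises the combined default `handle(...)` any more, so the before-and-after ordering that this commit introduces has no test coverage.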