赋权时,增加越权处理

jetlinks-manager/authentication-manager/src/main/java/org/jetlinks/community/auth/service/AuthorizationSettingDetailService.java

@@ -1,8 +1,11 @@
 package org.jetlinks.community.auth.service;
 
 import lombok.AllArgsConstructor;
+import org.apache.commons.collections4.CollectionUtils;
+import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.DimensionProvider;
 import org.hswebframework.web.system.authorization.api.entity.AuthorizationSettingEntity;
+import org.hswebframework.web.system.authorization.defaults.configuration.PermissionProperties;
 import org.hswebframework.web.system.authorization.defaults.service.DefaultAuthorizationSettingService;
 import org.jetlinks.community.auth.web.request.AuthorizationSettingDetail;
 import org.springframework.stereotype.Component;
@@ -18,27 +21,32 @@ public class AuthorizationSettingDetailService {
 
     private final DefaultAuthorizationSettingService settingService;
     private final List<DimensionProvider> providers;
+    private final PermissionProperties permissionProperties;
 
     @Transactional
-    public Mono<Void> saveDetail(Flux<AuthorizationSettingDetail> detailFlux) {
+    public Mono<Void> saveDetail(Authentication authentication, Flux<AuthorizationSettingDetail> detailFlux) {
         return detailFlux
             //先删除旧的权限设置
-            .flatMap(detail -> settingService.getRepository().createDelete()
+            .flatMap(detail -> settingService
+                .getRepository()
+                .createDelete()
                 .where(AuthorizationSettingEntity::getDimensionType, detail.getTargetType())
                 .and(AuthorizationSettingEntity::getDimensionTarget, detail.getTargetId())
                 .execute()
                 .thenReturn(detail))
-            .flatMap(detail ->
-                Flux.fromIterable(providers)
-                    .flatMap(provider -> provider
-                        .getAllType()
-                        .filter(type -> type.getId().equals(detail.getTargetType()))
-                        .singleOrEmpty()
-                        .flatMap(type -> provider.getDimensionById(type, detail.getTargetId()))
-                        .flatMapIterable(detail::toEntity))
-                    .switchIfEmpty(Flux.defer(() -> Flux.fromIterable(detail.toEntity())))
-                    .distinct(AuthorizationSettingEntity::getPermission)
+            .flatMap(detail -> Flux
+                .fromIterable(providers)
+                .flatMap(provider -> provider
+                    .getAllType()
+                    .filter(type -> type.getId().equals(detail.getTargetType()))//过滤掉不同的维度类型
+                    .singleOrEmpty()
+                    .flatMap(type -> provider.getDimensionById(type, detail.getTargetId()))
+                    .flatMapIterable(detail::toEntity))
+                .switchIfEmpty(Flux.defer(() -> Flux.fromIterable(detail.toEntity())))
+                .distinct(AuthorizationSettingEntity::getPermission)
             )
+            .map(entity -> permissionProperties.getFilter().handleSetting(authentication, entity))
+            .filter(e -> CollectionUtils.isNotEmpty(e.getActions()))
             .as(settingService::save)
             .then();
     }

jetlinks-manager/authentication-manager/src/main/java/org/jetlinks/community/auth/web/AuthorizationSettingDetailController.java

@@ -4,6 +4,7 @@ import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import lombok.AllArgsConstructor;
+import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.annotation.Authorize;
 import org.hswebframework.web.authorization.annotation.Resource;
 import org.hswebframework.web.authorization.annotation.SaveAction;
@@ -32,9 +33,12 @@ public class AuthorizationSettingDetailController {
     @Operation(summary = "赋权")
     public Mono<Boolean> saveSettings(@RequestBody Flux<AuthorizationSettingDetail> detailFlux) {
 
-        return settingService
-            .saveDetail(detailFlux)
-            .thenReturn(true);
+        return Authentication
+            .currentReactive()
+            .flatMap(authentication -> settingService
+                .saveDetail(authentication, detailFlux)
+                .thenReturn(true)
+            );
     }
 
     @GetMapping("/{targetType}/{target}")