数据权限调整

2024-04-10 19:42:33 +08:00 · 2024-04-10 19:42:33 +08:00 · c1dedf1e26
commit c1dedf1e26
parent 6b63cd6439
5 changed files with 55 additions and 64 deletions
--- a/yudao-framework/yudao-spring-boot-starter-biz-data-permission/src/main/java/cn/iocoder/yudao/framework/datapermission/core/rule/dept/DeptDataPermissionRule.java
+++ b/yudao-framework/yudao-spring-boot-starter-biz-data-permission/src/main/java/cn/iocoder/yudao/framework/datapermission/core/rule/dept/DeptDataPermissionRule.java
@ -1,6 +1,7 @@
 package cn.iocoder.yudao.framework.datapermission.core.rule.dept;

 import cn.hutool.core.collection.CollUtil;
+import cn.hutool.core.collection.CollectionUtil;
 import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.util.StrUtil;
 import cn.iocoder.yudao.framework.common.enums.UserTypeEnum;
@ -22,27 +23,22 @@ import net.sf.jsqlparser.expression.operators.relational.EqualsTo;
 import net.sf.jsqlparser.expression.operators.relational.ExpressionList;
 import net.sf.jsqlparser.expression.operators.relational.InExpression;

-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;

 /**
 * 基于部门的 {@link DataPermissionRule} 数据权限规则实现
- *
+ * <p>
 * 注意，使用 DeptDataPermissionRule 时，需要保证表中有 dept_id 部门编号的字段，可自定义。
- *
+ * <p>
 * 实际业务场景下，会存在一个经典的问题？当用户修改部门时，冗余的 dept_id 是否需要修改？
 * 1. 一般情况下，dept_id 不进行修改，则会导致用户看不到之前的数据。【yudao-server 采用该方案】
 * 2. 部分情况下，希望该用户还是能看到之前的数据，则有两种方式解决：【需要你改造该 DeptDataPermissionRule 的实现代码】
- *  1）编写洗数据的脚本，将 dept_id 修改成新部门的编号；【建议】
- *      最终过滤条件是 WHERE dept_id = ?
- *  2）洗数据的话，可能涉及的数据量较大，也可以采用 user_id 进行过滤的方式，此时需要获取到 dept_id 对应的所有 user_id 用户编号；
- *      最终过滤条件是 WHERE user_id IN (?, ?, ? ...)
- *  3）想要保证原 dept_id 和 user_id 都可以看的到，此时使用 dept_id 和 user_id 一起过滤；
- *      最终过滤条件是 WHERE dept_id = ? OR user_id IN (?, ?, ? ...)
- *
-
+ * 1）编写洗数据的脚本，将 dept_id 修改成新部门的编号；【建议】
+ * 最终过滤条件是 WHERE dept_id = ?
+ * 2）洗数据的话，可能涉及的数据量较大，也可以采用 user_id 进行过滤的方式，此时需要获取到 dept_id 对应的所有 user_id 用户编号；
+ * 最终过滤条件是 WHERE user_id IN (?, ?, ? ...)
+ * 3）想要保证原 dept_id 和 user_id 都可以看的到，此时使用 dept_id 和 user_id 一起过滤；
+ * 最终过滤条件是 WHERE dept_id = ? OR user_id IN (?, ?, ? ...)
 */
@AllArgsConstructor
@Slf4j
@ -60,10 +56,15 @@ public class DeptDataPermissionRule implements DataPermissionRule {

    private final PermissionApi permissionApi;

+    // TODO: 2024/4/10 注意 - 如果需要降级低权的话 要把需要的表名称加在这里 并且在方法上开启数据权限 并且添加 DataPermissionConfiguration 对象
+    private static final List<String> LOW_POWER_TABLES = Arrays.asList(
+            "bpm_process_instance_ext"
+    );
+
    /**
     * 基于部门的表字段配置
     * 一般情况下，每个表的部门编号字段是 dept_id，通过该配置自定义。
-     *
+     * <p>
     * key：表名
     * value：字段名
     */
@ -71,7 +72,7 @@ public class DeptDataPermissionRule implements DataPermissionRule {
    /**
     * 基于用户的表字段配置
     * 一般情况下，每个表的部门编号字段是 dept_id，通过该配置自定义。
-     *
+     * <p>
     * key：表名
     * value：字段名
     */
@ -113,18 +114,19 @@ public class DeptDataPermissionRule implements DataPermissionRule {
        }

        // 情况一，如果是 ALL 可查看全部，则无需拼接条件
-        if (deptDataPermission.getAll()) {
+        // 并且 (低权 和 支持地权) 都不成立
+        if (deptDataPermission.getAll() && !((deptDataPermission.getSelf() || CollectionUtil.isNotEmpty(deptDataPermission.getDeptIds())) && LOW_POWER_TABLES.contains(tableName))) {
            return null;
        }

        // 情况二，即不能查看部门，又不能查看自己，则说明 100% 无权限
        if (CollUtil.isEmpty(deptDataPermission.getDeptIds())
-            && Boolean.FALSE.equals(deptDataPermission.getSelf())) {
+                && Boolean.FALSE.equals(deptDataPermission.getSelf())) {
            return new EqualsTo(null, null); // WHERE null = null，可以保证返回的数据为空
        }

        // 情况三，拼接 Dept 和 User 的条件，最后组合
-        Expression deptExpression = buildDeptExpression(tableName,tableAlias, deptDataPermission.getDeptIds());
+        Expression deptExpression = buildDeptExpression(tableName, tableAlias, deptDataPermission.getDeptIds());
        Expression userExpression = buildUserExpression(tableName, tableAlias, deptDataPermission.getSelf(), loginUser.getId());
        if (deptExpression == null && userExpression == null) {
            // TODO 芋艿：获得不到条件的时候，暂时不抛出异常，而是不返回数据
@ -180,7 +182,7 @@ public class DeptDataPermissionRule implements DataPermissionRule {

    public void addDeptColumn(Class<? extends BaseDO> entityClass, String columnName) {
        String tableName = TableInfoHelper.getTableInfo(entityClass).getTableName();
-       addDeptColumn(tableName, columnName);
+        addDeptColumn(tableName, columnName);
    }

    public void addDeptColumn(String tableName, String columnName) {
--- a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/controller/admin/task/BpmProcessInstanceController.java
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/controller/admin/task/BpmProcessInstanceController.java
@ -25,7 +25,6 @@ import static cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUti
@RestController
@RequestMapping("/bpm/process-instance")
@Validated
-@DataPermission(enable = false)
 public class BpmProcessInstanceController {

    @Resource
@ -34,6 +33,7 @@ public class BpmProcessInstanceController {
    @GetMapping("/my-page")
    @Operation(summary = "获得我的实例分页列表", description = "在【我的流程】菜单中，进行调用")
    @PreAuthorize("@ss.hasPermission('bpm:process-instance:query')")
+    @DataPermission(enable = false)
    public CommonResult<PageResult<BpmProcessInstancePageItemRespVO>> getMyProcessInstancePage(
            @Valid BpmProcessInstanceMyPageReqVO pageReqVO) {
        return success(processInstanceService.getMyProcessInstancePage(getLoginUserId(), pageReqVO));
@ -42,6 +42,7 @@ public class BpmProcessInstanceController {
    @PostMapping("/create")
    @Operation(summary = "新建流程实例")
    @PreAuthorize("@ss.hasPermission('bpm:process-instance:query')")
+    @DataPermission(enable = false)
    public CommonResult<String> createProcessInstance(@Valid @RequestBody BpmProcessInstanceCreateReqVO createReqVO) {
        return success(processInstanceService.createProcessInstance(getLoginUserId(), createReqVO));
    }
@ -50,6 +51,7 @@ public class BpmProcessInstanceController {
    @Operation(summary = "获得指定流程实例", description = "在【流程详细】界面中，进行调用")
    @Parameter(name = "id", description = "流程实例的编号", required = true)
    @PreAuthorize("@ss.hasPermission('bpm:process-instance:query')")
+    @DataPermission(enable = false)
    public CommonResult<BpmProcessInstanceRespVO> getProcessInstance(@RequestParam("id") String id) {
        return success(processInstanceService.getProcessInstanceVO(id));
    }
@ -57,6 +59,7 @@ public class BpmProcessInstanceController {
    @DeleteMapping("/cancel")
    @Operation(summary = "取消流程实例", description = "撤回发起的流程")
    @PreAuthorize("@ss.hasPermission('bpm:process-instance:cancel')")
+    @DataPermission(enable = false)
    public CommonResult<Boolean> cancelProcessInstance(@Valid @RequestBody BpmProcessInstanceCancelReqVO cancelReqVO) {
        processInstanceService.cancelProcessInstance(getLoginUserId(), cancelReqVO);
        return success(true);
@ -69,6 +72,7 @@ public class BpmProcessInstanceController {
    @GetMapping("/process_instance_group_name_statistics")
    @Operation(summary = "根据流程名称分组，统计各个流程的具体实例数据", description = "根据流程名称分组，统计各个流程的具体实例数据")
    //@PreAuthorize("@ss.hasPermission('bpm:task:update')")
+    @DataPermission(enable = false)
    public CommonResult<List<BpmProcessInstanceStatisticsRespVO>> getProcessInstancesGroupByModelName(@Valid BpmProcessInstanceStatisticsReqVO reqVO) {
        List<BpmProcessInstanceStatisticsRespVO> list = processInstanceService.getProcessInstancesGroupByModelName(reqVO);
        return success(list);
@ -80,6 +84,7 @@ public class BpmProcessInstanceController {
     */
    @GetMapping("/process_instance_result_status_statistics")
    @Operation(summary = "流程实例的状态统计查询", description = "根据流程状态（处理中，通过，不通过，取消），统计各个状态的数据量")
+    @DataPermission(enable = false)
    public CommonResult<List<BpmProcessInstanceStatisticsRespVO>> getProcessInstancesGroupByResultStatus(@Valid BpmProcessInstanceStatisticsReqVO reqVO) {
        List<BpmProcessInstanceStatisticsRespVO> list = processInstanceService.getProcessInstancesGroupByResultStatus(reqVO);
        return success(list);
@ -95,6 +100,7 @@ public class BpmProcessInstanceController {

    @GetMapping("/getUserProcessTpo10")
    @Operation(summary = "获得用户审批耗时最长Top10", description = "在工作台-给数据权限是可以查看全部数据的用户查询使用")
+    @DataPermission(enable = false)
    public CommonResult<List<BpmProcessFinishStatisticsRespVO>> getUserProcessTpo10(@Valid BpmProcessInstanceStatisticsReqVO reqVO) {
        List<BpmProcessFinishStatisticsRespVO> list = processInstanceService.getUserProcessTpo10(reqVO);
        return success(list);
--- a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/dal/mysql/task/BpmProcessInstanceExtMapper.java
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/dal/mysql/task/BpmProcessInstanceExtMapper.java
@ -8,10 +8,7 @@ import cn.iocoder.yudao.module.bpm.controller.admin.task.vo.instance.BpmProcessI
 import cn.iocoder.yudao.module.bpm.controller.admin.task.vo.instance.BpmProcessInstanceStatisticsReqVO;
 import cn.iocoder.yudao.module.bpm.controller.admin.task.vo.instance.BpmProcessInstanceStatisticsRespVO;
 import cn.iocoder.yudao.module.bpm.dal.dataobject.task.BpmProcessInstanceExtDO;
-import cn.iocoder.yudao.module.bpm.dal.dataobject.task.BpmTaskExtDO;
 import org.apache.ibatis.annotations.Mapper;
-import org.apache.ibatis.annotations.Param;
-import org.apache.ibatis.annotations.Select;

 import java.util.List;

@ -21,7 +18,7 @@ public interface BpmProcessInstanceExtMapper extends BaseMapperX<BpmProcessInsta
    default PageResult<BpmProcessInstanceExtDO> selectCCPage(Long userId, BpmProcessInstanceMyPageReqVO reqVO) {
        return selectPage(reqVO, new LambdaQueryWrapperX<BpmProcessInstanceExtDO>()
 //                .eqIfPresent(BpmProcessInstanceExtDO::getStartUserId, userId)
-                .likeIfPresent(BpmProcessInstanceExtDO::getCcids, "["+userId+"]")
+                .likeIfPresent(BpmProcessInstanceExtDO::getCcids, "[" + userId + "]")
                .eqIfPresent(BpmProcessInstanceExtDO::getProcessDefinitionId, reqVO.getProcessDefinitionId())
                .eqIfPresent(BpmProcessInstanceExtDO::getCategory, reqVO.getCategory())
                .eqIfPresent(BpmProcessInstanceExtDO::getStatus, reqVO.getStatus())
@ -53,36 +50,25 @@ public interface BpmProcessInstanceExtMapper extends BaseMapperX<BpmProcessInsta
    }


-    List<BpmProcessInstanceStatisticsRespVO> getProcessInstancesGroupByModelName(BpmProcessInstanceStatisticsReqVO reqVO) ;
+    List<BpmProcessInstanceStatisticsRespVO> getProcessInstancesGroupByModelName(BpmProcessInstanceStatisticsReqVO reqVO);

-    List<BpmProcessInstanceStatisticsRespVO> getProcessInstancesGroupByResultStatus(BpmProcessInstanceStatisticsReqVO reqVO) ;
+    List<BpmProcessInstanceStatisticsRespVO> getProcessInstancesGroupByResultStatus(BpmProcessInstanceStatisticsReqVO reqVO);
+
+    default PageResult<BpmProcessInstanceExtDO> selectStatisticePage(BpmProcessInstanceMyPageReqVO reqVO) {
+        //如果为空，那么查询全部
+        return selectPage(reqVO, new LambdaQueryWrapperX<BpmProcessInstanceExtDO>()
+                .likeIfPresent(BpmProcessInstanceExtDO::getName, reqVO.getName())
+                .eqIfPresent(BpmProcessInstanceExtDO::getProcessDefinitionId, reqVO.getProcessDefinitionId())
+                .eqIfPresent(BpmProcessInstanceExtDO::getCategory, reqVO.getCategory())
+                .eqIfPresent(BpmProcessInstanceExtDO::getStatus, reqVO.getStatus())
+                .eqIfPresent(BpmProcessInstanceExtDO::getResult, reqVO.getResult())
+                .betweenIfPresent(BpmProcessInstanceExtDO::getCreateTime, reqVO.getCreateTime())
+                .orderByDesc(BpmProcessInstanceExtDO::getId));

-    default PageResult<BpmProcessInstanceExtDO> selectStatisticePage(Long[] userIds, BpmProcessInstanceMyPageReqVO reqVO) {
-        if( userIds == null ) {
-            //如果为空，那么查询全部
-            return selectPage(reqVO, new LambdaQueryWrapperX<BpmProcessInstanceExtDO>()
-                    .likeIfPresent(BpmProcessInstanceExtDO::getName, reqVO.getName())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getProcessDefinitionId, reqVO.getProcessDefinitionId())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getCategory, reqVO.getCategory())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getStatus, reqVO.getStatus())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getResult, reqVO.getResult())
-                    .betweenIfPresent(BpmProcessInstanceExtDO::getCreateTime, reqVO.getCreateTime())
-                    .orderByDesc(BpmProcessInstanceExtDO::getId));
-        }else {
-            return selectPage(reqVO, new LambdaQueryWrapperX<BpmProcessInstanceExtDO>()
-                    .likeIfPresent(BpmProcessInstanceExtDO::getName, reqVO.getName())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getProcessDefinitionId, reqVO.getProcessDefinitionId())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getCategory, reqVO.getCategory())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getStatus, reqVO.getStatus())
-                    .eqIfPresent(BpmProcessInstanceExtDO::getResult, reqVO.getResult())
-                    .betweenIfPresent(BpmProcessInstanceExtDO::getCreateTime, reqVO.getCreateTime())
-                    .in(BpmProcessInstanceExtDO::getStartUserId,userIds)
-                    .orderByDesc(BpmProcessInstanceExtDO::getId));
-        }
    }

-    List<BpmProcessFinishStatisticsRespVO> getUserProcessTpo10(BpmProcessInstanceStatisticsReqVO reqVO) ;
+    List<BpmProcessFinishStatisticsRespVO> getUserProcessTpo10(BpmProcessInstanceStatisticsReqVO reqVO);

-    List<BpmProcessFinishStatisticsRespVO> selectUnfinishProcessCount(BpmProcessInstanceStatisticsReqVO reqVO) ;
+    List<BpmProcessFinishStatisticsRespVO> selectUnfinishProcessCount(BpmProcessInstanceStatisticsReqVO reqVO);

 }
--- a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/datapermission/config/DataPermissionConfiguration.java
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/datapermission/config/DataPermissionConfiguration.java
@ -8,20 +8,17 @@ import org.springframework.context.annotation.Configuration;
 /**
 * 工作流 模块的数据权限 Configuration
 *
- 
+
 */
-//@Configuration(proxyBeanMethods = false)
+@Configuration(proxyBeanMethods = false)
 public class DataPermissionConfiguration {

-//    @Bean
-//    public DeptDataPermissionRuleCustomizer sysDeptDataPermissionRuleCustomizer() {
-//        return rule -> {
-//            // dept
-//            rule.addDeptColumn(AdminUserDO.class);
-//            rule.addDeptColumn(DeptDO.class, "id");
-//            // user
-//            rule.addUserColumn(BpmProcessInstanceExtDO.class, "start_user_id");
-//        };
-//    }
+    @Bean
+    public DeptDataPermissionRuleCustomizer sysDeptDataPermissionRuleCustomizer() {
+        return rule -> {
+            // user
+            rule.addUserColumn(BpmProcessInstanceExtDO.class, "start_user_id");
+        };
+    }

 }
--- a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/service/task/BpmProcessInstanceServiceImpl.java
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/service/task/BpmProcessInstanceServiceImpl.java