diff --git a/backend/src/main/java/io/dataease/plugins/server/RowPermissionsTreeController.java b/backend/src/main/java/io/dataease/plugins/server/RowPermissionsTreeController.java
new file mode 100644
index 0000000000..3f724eb4a0
--- /dev/null
+++ b/backend/src/main/java/io/dataease/plugins/server/RowPermissionsTreeController.java
@@ -0,0 +1,63 @@
+package io.dataease.plugins.server;
+
+import io.dataease.auth.annotation.DePermission;
+import io.dataease.commons.constants.DePermissionType;
+import io.dataease.commons.constants.ResourceAuthLevel;
+import io.dataease.plugins.common.request.permission.DataSetRowPermissionsTreeDTO;
+import io.dataease.plugins.config.SpringContextUtil;
+import io.dataease.plugins.xpack.auth.service.RowPermissionTreeService;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+//@ApiIgnore
+@Api(tags = "行权限")
+@RestController
+@RequestMapping("plugin/dataset/rowPermissionsTree")
+public class RowPermissionsTreeController {
+
+ @DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+ @ApiOperation("保存")
+ @PostMapping("save")
+ public void save(@RequestBody DataSetRowPermissionsTreeDTO request) {
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ rowPermissionTreeService.save(request);
+ }
+
+ @DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+ @ApiOperation("删除")
+ @PostMapping("delete")
+ public void delete(@RequestBody DataSetRowPermissionsTreeDTO request) {
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ rowPermissionTreeService.delete(request.getId());
+ }
+
+ @DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+ @ApiOperation("根据ID查找行权限")
+ @PostMapping("getById")
+ public DataSetRowPermissionsTreeDTO getById(@RequestBody DataSetRowPermissionsTreeDTO request) {
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ return rowPermissionTreeService.get(request);
+ }
+
+ @DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+ @ApiOperation("根据数据集、当前组织/角色/用户查找行权限")
+ @PostMapping("get")
+ public DataSetRowPermissionsTreeDTO getBy(@RequestBody DataSetRowPermissionsTreeDTO request) {
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ return rowPermissionTreeService.get(request);
+ }
+
+ @DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+ @ApiOperation("根据数据集查找行权限")
+ @PostMapping("getByDs")
+ public List getByDs(@RequestBody DataSetRowPermissionsTreeDTO request) {
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ return rowPermissionTreeService.list(request);
+ }
+}
diff --git a/backend/src/main/java/io/dataease/service/dataset/PermissionsTreeService.java b/backend/src/main/java/io/dataease/service/dataset/PermissionsTreeService.java
new file mode 100644
index 0000000000..8601e3b906
--- /dev/null
+++ b/backend/src/main/java/io/dataease/service/dataset/PermissionsTreeService.java
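Review bot: In `delete`, the `@DePermission` check is evaluated against `datasetId` from the request body while the row actually removed is chosen by `request.getId()`, so the authorized resource and the deleted resource are two independent client-supplied fields; unless `RowPermissionTreeService.delete` (outside this diff) verifies that the rule with that id belongs to the same dataset, a caller with manage rights on one dataset could remove rules belonging to another. Consider resolving the rule first and rejecting the request when its dataset does not match the authorized `datasetId` before calling `delete`. Separately, `getById` and `getBy` have identical bodies (`return rowPermissionTreeService.get(request);`); if `getById` is meant to look up by primary key it should call an id-based service method, otherwise one of the two endpoints is redundant and should at least be documented as an alias.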
@@ -0,0 +1,156 @@
+package io.dataease.service.dataset;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+import io.dataease.auth.api.dto.CurrentRoleDto;
+import io.dataease.auth.entity.SysUserEntity;
+import io.dataease.auth.service.AuthUserService;
+import io.dataease.commons.utils.AuthUtils;
+import io.dataease.plugins.common.base.domain.DatasetTable;
+import io.dataease.plugins.common.base.domain.DatasetTableField;
+import io.dataease.plugins.common.request.permission.DataSetRowPermissionsTreeDTO;
+import io.dataease.plugins.common.request.permission.DatasetRowPermissionsTreeItem;
+import io.dataease.plugins.common.request.permission.DatasetRowPermissionsTreeObj;
+import io.dataease.plugins.config.SpringContextUtil;
+import io.dataease.plugins.xpack.auth.service.RowPermissionTreeService;
+import org.apache.commons.lang3.ObjectUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.Resource;
+import java.util.*;
+import java.util.stream.Collectors;
+
+@Service
+public class PermissionsTreeService {
+ @Resource
+ private AuthUserService authUserService;
+ @Resource
+ private DataSetTableFieldsService dataSetTableFieldsService;
+
+ public List getRowPermissionsTree(List fields, DatasetTable datasetTable, Long user) {
+ // 获取当前数据集下,当前用户、角色、组织所有的行权限(非白名单,非禁用)
+ List records = rowPermissionsTree(datasetTable.getId(), user);
+ // 构建权限tree中的field,如果field不存在,置为null
+ for (DataSetRowPermissionsTreeDTO record : records) {
+ getField(record.getTree());
+ }
+ return records;
+ }
+
+ private List rowPermissionsTree(String datasetId, Long userId) {
+ List datasetRowPermissions = new ArrayList<>();
+ Map beansOfType = SpringContextUtil.getApplicationContext().getBeansOfType((RowPermissionTreeService.class));
+ if (beansOfType.keySet().size() == 0) {
+ return datasetRowPermissions;
+ }
+ RowPermissionTreeService rowPermissionTreeService = SpringContextUtil.getBean(RowPermissionTreeService.class);
+ SysUserEntity userEntity = userId != null ? authUserService.getUserById(userId) : AuthUtils.getUser();
+ List roleIds = new ArrayList<>();
+ Long deptId = null;
+
+ if (userEntity == null) {
+ return datasetRowPermissions;
+ }
+ if (userEntity.getIsAdmin()) {
+ return datasetRowPermissions;
+ }
+ userId = userEntity.getUserId();
+ deptId = userEntity.getDeptId();
+ List currentRoleDtos = authUserService.roleInfos(userId);
+ roleIds = currentRoleDtos.stream().map(CurrentRoleDto::getId).collect(Collectors.toList());
+
+ DataSetRowPermissionsTreeDTO dataSetRowPermissionsDTO = new DataSetRowPermissionsTreeDTO();
+ dataSetRowPermissionsDTO.setDatasetId(datasetId);
+ dataSetRowPermissionsDTO.setEnable(true);
+
+ if (ObjectUtils.isNotEmpty(userId)) {
+ dataSetRowPermissionsDTO.setAuthTargetIds(Collections.singletonList(userId));
+ dataSetRowPermissionsDTO.setAuthTargetType("user");
+ datasetRowPermissions.addAll(rowPermissionTreeService.list(dataSetRowPermissionsDTO));
+ }
+
+ if (ObjectUtils.isNotEmpty(roleIds)) {
+ dataSetRowPermissionsDTO.setAuthTargetIds(roleIds);
+ dataSetRowPermissionsDTO.setAuthTargetType("role");
+ datasetRowPermissions.addAll(rowPermissionTreeService.list(dataSetRowPermissionsDTO));
+ }
+
+ if (ObjectUtils.isNotEmpty(deptId)) {
+ dataSetRowPermissionsDTO.setAuthTargetIds(Collections.singletonList(deptId));
+ dataSetRowPermissionsDTO.setAuthTargetType("dept");
+ datasetRowPermissions.addAll(rowPermissionTreeService.list(dataSetRowPermissionsDTO));
+ }
+
+ if (ObjectUtils.isNotEmpty(deptId)) {
+ dataSetRowPermissionsDTO.setAuthTargetIds(null);
+ dataSetRowPermissionsDTO.setAuthTargetType("sysParams");
+ datasetRowPermissions.addAll(rowPermissionTreeService.list(dataSetRowPermissionsDTO));
+ }
+
+ // 若当前用户是白名单中的,则忽略permission tree
+ // 若当前规则是系统变量,则替换变量
+ List result = new ArrayList<>();
+ Gson gson = new Gson();
+ for (DataSetRowPermissionsTreeDTO record : datasetRowPermissions) {
+ List userIdList = gson.fromJson(record.getWhiteListUser(), new TypeToken>() {
+ }.getType());
+ List roleIdList = gson.fromJson(record.getWhiteListRole(), new TypeToken>() {
+ }.getType());
+ List deptIdList = gson.fromJson(record.getWhiteListDept(), new TypeToken>() {
+ }.getType());
+ if (ObjectUtils.isNotEmpty(userId) && ObjectUtils.isNotEmpty(userIdList) && userIdList.contains(userId)) {
+ continue;
+ }
+ if (ObjectUtils.isNotEmpty(roleIds) && ObjectUtils.isNotEmpty(roleIdList) && ObjectUtils.isNotEmpty(intersectionForList(roleIds, roleIdList))) {
+ continue;
+ }
+ if (ObjectUtils.isNotEmpty(deptIdList) && ObjectUtils.isNotEmpty(deptIdList) && deptIdList.contains(deptId)) {
+ continue;
+ }
+ // 替换系统变量
+ if (StringUtils.equalsIgnoreCase(record.getAuthTargetType(), "sysParams")) {
+ String expressionTree = record.getExpressionTree();
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.userId}", userEntity.getUsername());
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.userName}", userEntity.getNickName());
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.userEmail}", userEntity.getEmail());
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.userSource}", userEntity.getFrom() == 0 ? "LOCAL" : "OIDC");
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.dept}", userEntity.getDeptName());
+ expressionTree = expressionTree.replaceAll("\\$\\{sysParams\\.roles}", String.join(",", currentRoleDtos.stream().map(CurrentRoleDto::getName).collect(Collectors.toList())));
+ record.setExpressionTree(expressionTree);
+
+ DatasetRowPermissionsTreeObj tree = gson.fromJson(expressionTree, DatasetRowPermissionsTreeObj.class);
+ record.setTree(tree);
+ }
+ result.add(record);
+ }
+
+ return result;
+ }
+
+ private List intersectionForList(List list1, List list2) {
+ List result = new ArrayList<>();
+ for (Long id : list1) {
+ if (list2.contains(id)) {
+ result.add(id);
+ }
+ }
+ return result;
+ }
+
+ private void getField(DatasetRowPermissionsTreeObj tree) {
+ if (ObjectUtils.isNotEmpty(tree)) {
+ if (ObjectUtils.isNotEmpty(tree.getItems())) {
+ for (DatasetRowPermissionsTreeItem item : tree.getItems()) {
+ if (ObjectUtils.isNotEmpty(item)) {
+ if (StringUtils.equalsIgnoreCase(item.getType(), "item")) {
+ item.setField(dataSetTableFieldsService.selectByPrimaryKey(item.getFieldId()));
+ } else if (StringUtils.equalsIgnoreCase(item.getType(), "tree")) {
+ getField(item.getSubTree());
+ }
+ }
+ }
+ }
+ }
+}
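Review bot: The fourth lookup block in `rowPermissionsTree` repeats the `if (ObjectUtils.isNotEmpty(deptId))` guard of the dept block above it, so `sysParams`-typed rules are only loaded for users who have a department and a user without one silently receives none of those row restrictions. That block sets `authTargetIds` to null and does not use the department at all, so the condition should be dropped and the three lines run unconditionally: `dataSetRowPermissionsDTO.setAuthTargetIds(null); dataSetRowPermissionsDTO.setAuthTargetType("sysParams"); datasetRowPermissions.addAll(rowPermissionTreeService.list(dataSetRowPermissionsDTO));`. The same copy-paste pattern appears in the white-list check `ObjectUtils.isNotEmpty(deptIdList) && ObjectUtils.isNotEmpty(deptIdList)`, where the first operand presumably should be `deptId`. In the `sysParams` branch, user attributes (`getUsername()`, `getNickName()`, `getEmail()`, `getDeptName()`, the joined role names) are passed as `String.replaceAll` replacement strings and spliced as raw text into the serialized tree that `gson.fromJson` then parses: a `$` or `\` in a value makes `replaceAll` throw, a null attribute throws NPE, and a quote in a value changes the shape of the parsed filter, so the values should be substituted into the parsed `DatasetRowPermissionsTreeObj` after `fromJson` (or at minimum wrapped with `Matcher.quoteReplacement` and JSON-escaped) rather than edited into the string.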