diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java
new file mode 100644
index 00000000..0ef6d7cd
--- /dev/null
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/DataScopeConstants.java
@@ -0,0 +1,39 @@
+package com.ruoyi.common.core.constant;
+
+/**
+ * 数据过滤常量
+ *
+ * @author lic
+ */
+public class DataScopeConstants
+{
+    /**
+     * 全部数据权限
+     */
+    public static final String DATA_SCOPE_ALL = "1";
+
+    /**
+     * 自定数据权限
+     */
+    public static final String DATA_SCOPE_CUSTOM = "2";
+
+    /**
+     * 部门数据权限
+     */
+    public static final String DATA_SCOPE_DEPT = "3";
+
+    /**
+     * 部门及以下数据权限
+     */
+    public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
+
+    /**
+     * 仅本人数据权限
+     */
+    public static final String DATA_SCOPE_SELF = "5";
+
+    /**
+     * 数据权限过滤关键字
+     */
+    public static final String DATA_SCOPE = "dataScope";
+}
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java
index b316f893..f67c2042 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/web/domain/BaseEntity.java
@@ -5,6 +5,8 @@ import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 import com.fasterxml.jackson.annotation.JsonFormat;
+import com.ruoyi.common.core.constant.DataScopeConstants;
+import com.ruoyi.common.core.utils.StringUtils;
 
 /**
  * Entity基类
@@ -109,6 +111,10 @@ public class BaseEntity implements Serializable
 
     public void setParams(Map params)
     {
+        /** 拼接权限sql前先清空params.dataScope参数防止注入 */
+        if(StringUtils.isNotNull(params.get(DataScopeConstants.DATA_SCOPE))){
+            params.remove(DataScopeConstants.DATA_SCOPE);
+        }
         this.params = params;
     }
 }
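Review bot: `DataScopeConstants` is a pure constant holder but is left non-final with an implicit public constructor, so it can be instantiated or subclassed for no reason; declare it `public final class DataScopeConstants` and add `private DataScopeConstants() {}`. The class Javadoc would also serve the rest of the codebase better in English, e.g. `Data-scope (row-level data permission) constants; the numeric strings are the values compared against SysRole.getDataScope() by DataScopeAspect, and DATA_SCOPE is the params key under which the aspect stores the generated SQL fragment.`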
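Review bot: `setParams(null)` now throws a NullPointerException at `params.get(DataScopeConstants.DATA_SCOPE)`, whereas the setter it replaces accepted null and simply stored it; add a null guard, e.g. `if (params != null && params.containsKey(DataScopeConstants.DATA_SCOPE)) { params.remove(DataScopeConstants.DATA_SCOPE); }`, which also drops an explicitly null-valued entry that the `isNotNull` test lets through. The strip only runs for maps that arrive through this setter: any code that obtains the map via `getParams()` and `put`s into it bypasses it (which is how a request binder typically populates a nested path such as `params[dataScope]`, to be confirmed against this project's controllers), so on its own this is a weaker guarantee than the aspect-side clear this commit removes. The new comment uses Javadoc delimiters inside a method body; make it a line comment, and in English: `// Strip any caller-supplied dataScope so that only DataScopeAspect can populate the SQL fragment stored under this key.`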
diff --git a/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java b/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java
index 453c79c8..6777ef85 100644
--- a/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java
+++ b/ruoyi-common/ruoyi-common-datascope/src/main/java/com/ruoyi/common/datascope/aspect/DataScopeAspect.java
@@ -1,6 +1,8 @@
 package com.ruoyi.common.datascope.aspect;
 
 import java.lang.reflect.Method;
+
+import com.ruoyi.common.core.constant.DataScopeConstants;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.Signature;
 import org.aspectj.lang.annotation.Aspect;
@@ -26,36 +28,6 @@ import com.ruoyi.system.api.model.LoginUser;
 @Component
 public class DataScopeAspect
 {
-    /**
-     * 全部数据权限
-     */
-    public static final String DATA_SCOPE_ALL = "1";
-
-    /**
-     * 自定数据权限
-     */
-    public static final String DATA_SCOPE_CUSTOM = "2";
-
-    /**
-     * 部门数据权限
-     */
-    public static final String DATA_SCOPE_DEPT = "3";
-
-    /**
-     * 部门及以下数据权限
-     */
-    public static final String DATA_SCOPE_DEPT_AND_CHILD = "4";
-
-    /**
-     * 仅本人数据权限
-     */
-    public static final String DATA_SCOPE_SELF = "5";
-
-    /**
-     * 数据权限过滤关键字
-     */
-    public static final String DATA_SCOPE = "dataScope";
-
     @Autowired
     private TokenService tokenService;
 
@@ -68,7 +40,6 @@ public class DataScopeAspect
     @Before("dataScopePointCut()")
     public void doBefore(JoinPoint point) throws Throwable
     {
-        clearDataScope(point);
         handleDataScope(point);
     }
 
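Review bot: Removing `clearDataScope(point)` leaves `doBefore` with no guarantee that the `dataScope` key is absent when `handleDataScope` runs; that now depends on every argument's map having been installed through `BaseEntity.setParams`, which nothing in this aspect checks, and a caller that writes into the map returned by `getParams()` never goes through the setter. The aspect is the layer that decides what ends up in the value later spliced into SQL, so I would keep an unconditional clear here as defense in depth, e.g. `Object arg = point.getArgs().length > 0 ? point.getArgs()[0] : null;` followed by `if (arg instanceof BaseEntity) { ((BaseEntity) arg).getParams().remove(DataScopeConstants.DATA_SCOPE); }` before the `handleDataScope(point)` call. If `handleDataScope` only writes the key when it has a non-empty filter to append (the condition around its `put` is not visible in this diff), a user whose roles produce no filter keeps whatever value was already in the map, which is exactly the case the removed call covered.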
@@ -109,28 +80,28 @@ public class DataScopeAspect for (SysRole role : user.getRoles()) { String dataScope = role.getDataScope(); - if (DATA_SCOPE_ALL.equals(dataScope)) + if (DataScopeConstants.DATA_SCOPE_ALL.equals(dataScope)) { sqlString = new StringBuilder(); break; } - else if (DATA_SCOPE_CUSTOM.equals(dataScope)) + else if (DataScopeConstants.DATA_SCOPE_CUSTOM.equals(dataScope)) { sqlString.append(StringUtils.format( " OR {}.dept_id IN ( SELECT dept_id FROM sys_role_dept WHERE role_id = {} ) ", deptAlias, role.getRoleId())); } - else if (DATA_SCOPE_DEPT.equals(dataScope)) + else if (DataScopeConstants.DATA_SCOPE_DEPT.equals(dataScope)) { sqlString.append(StringUtils.format(" OR {}.dept_id = {} ", deptAlias, user.getDeptId())); } - else if (DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)) + else if (DataScopeConstants.DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)) { sqlString.append(StringUtils.format( " OR {}.dept_id IN ( SELECT dept_id FROM sys_dept WHERE dept_id = {} or find_in_set( {} , ancestors ) )", deptAlias, user.getDeptId(), user.getDeptId())); } - else if (DATA_SCOPE_SELF.equals(dataScope)) + else if (DataScopeConstants.DATA_SCOPE_SELF.equals(dataScope)) { if (StringUtils.isNotBlank(userAlias)) { @@ -150,7 +121,7 @@ public class DataScopeAspect if (StringUtils.isNotNull(params) && params instanceof BaseEntity) { BaseEntity baseEntity = (BaseEntity) params; - baseEntity.getParams().put(DATA_SCOPE, " AND (" + sqlString.substring(4) + ")"); + baseEntity.getParams().put(DataScopeConstants.DATA_SCOPE, " AND (" + sqlString.substring(4) + ")"); } } } @@ -170,17 +141,4 @@ public class DataScopeAspect } return null; } - - /** - * 拼接权限sql前先清空params.dataScope参数防止注入 - */ - private void clearDataScope(final JoinPoint joinPoint) - { - Object params = joinPoint.getArgs()[0]; - if (StringUtils.isNotNull(params) && params instanceof BaseEntity) - { - BaseEntity baseEntity = (BaseEntity) params; - baseEntity.getParams().put(DATA_SCOPE, ""); - } - } }