diff --git a/manager-api/src/main/java/cn/lili/security/ManagerAuthenticationFilter.java b/manager-api/src/main/java/cn/lili/security/ManagerAuthenticationFilter.java
index d8fa20ed..70706a82 100755
--- a/manager-api/src/main/java/cn/lili/security/ManagerAuthenticationFilter.java
+++ b/manager-api/src/main/java/cn/lili/security/ManagerAuthenticationFilter.java
@@ -4,6 +4,7 @@ import cn.hutool.core.util.StrUtil;
 import cn.lili.cache.Cache;
 import cn.lili.cache.CachePrefix;
 import cn.lili.common.security.AuthUser;
+import cn.lili.common.security.enums.PermissionEnum;
 import cn.lili.common.security.enums.SecurityEnum;
 import cn.lili.common.security.enums.UserEnums;
 import cn.lili.common.security.token.SecretKeyUtil;
@@ -20,6 +21,8 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.util.PatternMatchUtils;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 import javax.naming.NoPermissionException;
 import javax.servlet.FilterChain;
@@ -71,27 +74,28 @@ public class ManagerAuthenticationFilter extends BasicAuthenticationFilter {
 */
 private void customAuthentication(HttpServletRequest request, HttpServletResponse response, UsernamePasswordAuthenticationToken authentication) throws NoPermissionException {
 AuthUser authUser = (AuthUser) authentication.getDetails();
+ String requestUrl = request.getRequestURI();
 Map> permission = (Map>) cache.get(CachePrefix.PERMISSION_LIST.getPrefix(UserEnums.MANAGER) + authUser.getId());
- if (authUser.getIsSuper()) {
- return;
- } else {
- //用户是否拥有权限判定œ
+ //如果不是超级管理员, 不做鉴权
+ if (!authUser.getIsSuper()) {
 //获取数据权限
-// if (request.getMethod().equals(RequestMethod.GET.name())) {
-// if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER).toArray(new String[0]), request.getRequestURI()) ||
-// PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.QUERY).toArray(new String[0]), request.getRequestURI())) {
-//
-// ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
-// throw new NoPermissionException("权限不足");
-// }
-// } else {
-// if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER).toArray(new String[0]), request.getRequestURI())) {
-//
-// ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
-// throw new NoPermissionException("权限不足");
-// }
-// }
- return;
+ if (request.getMethod().equals(RequestMethod.GET.name())) {
+ //如果用户的超级权限和查阅权限都不包含当前请求的api
+ if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER.name()).toArray(new String[0]), requestUrl) &&
+ !PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.QUERY.name()).toArray(new String[0]), requestUrl)) {
+
+ ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
+ throw new NoPermissionException("权限不足");
+ }
+ }
+ //非get请求(数据操作) 判定
+ else {
+ if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER.name()).toArray(new String[0]), request.getRequestURI())) {
+
+ ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
+ throw new NoPermissionException("权限不足");
+ }
+ }
 }
 }
 
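Review bot: The new `permission.get(PermissionEnum.SUPER.name()).toArray(...)` and the matching QUERY lookup dereference the cached map and its lists without a null check, so a missing or expired cache entry for a non-super account (`cache.get(...)` returning null, or a key absent from the map) throws NullPointerException out of the filter instead of taking the 401 deny path; the same pattern is repeated in the non-GET branch, and the decision should fail closed explicitly rather than depend on how the surrounding filter chain turns an NPE into a response. The new comment `//如果不是超级管理员, 不做鉴权` states the opposite of the code below it (non-super accounts are exactly the ones that get checked); I would replace it with `//超级管理员跳过鉴权；其余账号按权限列表匹配`. The else branch still calls `request.getRequestURI()` although `requestUrl` was introduced for that value, and both branches compare patterns against the raw request URI (context path included, no normalisation), so it is worth a comment that the stored patterns must be written in `PatternMatchUtils.simpleMatch` form for that exact string and that rejecting non-canonical paths is left to the firewall in front of this filter. A null-tolerant helper folds the two branches into one deny path; the helper is a new private method placed after `customAuthentication`, and the `Map` value type is assumed to be `List<String>` (the generics are stripped in the rendered hunk).
```java
        //超级管理员跳过鉴权；其余账号按权限列表匹配
        if (!authUser.getIsSuper()) {
            // GET is a read; only reads may be satisfied by the QUERY list
            boolean isRead = RequestMethod.GET.name().equals(request.getMethod());
            boolean allowed = matches(permission, PermissionEnum.SUPER, requestUrl)
                    || (isRead && matches(permission, PermissionEnum.QUERY, requestUrl));
            if (!allowed) {
                ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
                throw new NoPermissionException("权限不足");
            }
        }
    }

    /**
     * Matches the raw request URI against the patterns cached under {@code key}.
     * A missing map or list denies (returns false) instead of throwing.
     */
    private static boolean matches(Map<String, List<String>> permission, PermissionEnum key, String url) {
        List<String> patterns = permission == null ? null : permission.get(key.name());
        return patterns != null && PatternMatchUtils.simpleMatch(patterns.toArray(new String[0]), url);
    }
```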