From 68250017221a2bfcab7cc84157d1e9e5e4ec5a6d Mon Sep 17 00:00:00 2001
From: zhangdaihao <zhangdaiscott@163.com>
Date: Tue, 19 Sep 2017 14:57:23 +0800
Subject: [PATCH] =?UTF-8?q?jeecg=5F3.7.1=20=E9=9D=9Eadmin=E7=9C=8B?=
 =?UTF-8?q?=E4=B8=8D=E5=88=B0=E7=94=A8=E6=88=B7=E6=95=B0=E6=8D=AE=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98=E5=A4=84=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../core/interceptors/AuthInterceptor.java    | 77 ++++++++++---------
 1 file changed, 41 insertions(+), 36 deletions(-)

diff --git a/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java b/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
index 0a0dca8a..3ce3f515 100644
--- a/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
+++ b/src/main/java/org/jeecgframework/core/interceptors/AuthInterceptor.java
@@ -91,7 +91,7 @@ public class AuthInterceptor implements HandlerInterceptor {
 	 * 在controller前拦截
 	 */
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
-
+		//update-begin--Author:taoYan  Date:201706028 for：注解实现排除拦截
 		//判断是否被注解跳过权限认证  先判断类注解然后方法注解 都没有则走原来逻辑
 		HandlerMethod handlerMethod=(HandlerMethod)object;
 		JAuth jauthType =handlerMethod.getBean().getClass().getAnnotation(JAuth.class);
@@ -109,23 +109,25 @@ public class AuthInterceptor implements HandlerInterceptor {
 				}
 			}
 		}
-
+		//update-end--Author:taoYan  Date:201706028 for：注解实现排除拦截
+		
+		//update-begin--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 		Boolean isAjax=isAjax(request,response);
-
+		//update-end--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 		String requestPath = ResourceUtil.getRequestPath(request);// 用户访问的资源地址
 		//logger.info("-----authInterceptor----requestPath------"+requestPath);
 		//步骤一： 判断是否是排除拦截请求，直接返回TRUE
-
+		//update-begin--Author:dangzhenghui  Date:20170402 for：对外接口改造 api 设置为默认对外路径不用进行登陆验证
 		if (requestPath.length()>3&&"api/".equals(requestPath.substring(0,4))) {
 			return true;
 		}
-
+		//update-begin--Author:end  Date:20170402 for：对外接口改造 api 设置为默认对外路径不用进行登陆验证
 		if (excludeUrls.contains(requestPath)) {
 			return true;
-
+		//update-begin--Author:zhoujf  Date:20170426 for：TASK #1867 【改造】权限拦截器支持模糊匹配
 		} else if(moHuContain(excludeContainUrls, requestPath)){
 			return true;
-
+		//update-end--Author:zhoujf  Date:20170426 for：TASK #1867 【改造】权限拦截器支持模糊匹配
 		} else {
 			//步骤二： 权限控制，优先重组请求URL(考虑online请求前缀一致问题)
 			String clickFunctionId = request.getParameter("clickFunctionId");
@@ -139,23 +141,23 @@ public class AuthInterceptor implements HandlerInterceptor {
 				if(requestPath.equals("cgAutoListController.do?list")) {
 					requestPath += "&id=" +  request.getParameter("id");
 				}
-
+				//update-start--author:scott  date:20170311 for：online新请求方式,权限控制------------
 				if(requestPath.endsWith("?olstylecode=")) {
 					requestPath = requestPath.replace("?olstylecode=", "");
 				}
 				
 				//步骤三：  根据重组请求URL,进行权限授权判断
 				if((!hasMenuAuth(requestPath,clickFunctionId,currLoginUser)) && !currLoginUser.getUserName().equals("admin")){
-
+					//update-begin--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 					if(isAjax){
 							processAjax(response);
 					}else {
 						response.sendRedirect(request.getSession().getServletContext().getContextPath()+"/loginController.do?noAuth");
 					}
-
+					//update-end--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 					return false;
 				} 
-
+				//update-end--author:scott  date:20170311 for：online新请求方式,权限控制------------
 				
 				//解决rest风格下 权限失效问题
 				String functionId="";
@@ -166,27 +168,27 @@ public class AuthInterceptor implements HandlerInterceptor {
 				}else {
 					realRequestPath=uri;
 				}
-
+				//update-begin--author:zhoujf  date:20170307 for：TASK #1745 【bug】自定义表单数据权限控制方式 1. 普通控件通过“控件名称”来控制 2. 列表控件，通过“控件名称.表头”来控制
 //				if(!oConvertUtils.isEmpty(clickFunctionId)){
 //					functionId = clickFunctionId;
 //				}else{
-
+					//update-begin--author:zhoujf  date:20170304 for：自定义表单页面控件权限控制-------------
 					if(realRequestPath.indexOf("autoFormController/af/")>-1 && realRequestPath.indexOf("?")!=-1){
 						realRequestPath = realRequestPath.substring(0, realRequestPath.indexOf("?"));
 					}
-
+					//update-end--author:scott  date:20170304 for：自定义表单页面控件权限控制---------------
 					List<TSFunction> functions = systemService.findByProperty(TSFunction.class, "functionUrl", realRequestPath);
 					if (functions.size()>0){
 						functionId = functions.get(0).getId();
 					}
 //				}
-
+				//update-begin--author:zhoujf  date:20170307 for：TASK #1745 【bug】自定义表单数据权限控制方式 1. 普通控件通过“控件名称”来控制 2. 列表控件，通过“控件名称.表头”来控制
 				//Step.1 第一部分处理页面表单和列表的页面控件权限（页面表单字段+页面按钮等控件）
 				if(!oConvertUtils.isEmpty(functionId)){
-
+					//update-begin-author:taoYan date:20170829 for:admin不作数据权限控制
 					if(!currLoginUser.getUserName().equals("admin")){
 						//获取菜单对应的页面控制权限（包括表单字段和操作按钮）
-
+						//update-begin-author:taoYan date:20170814 for:TASK #2207 【权限bug】多个角色权限（并集问题），因为是反的控制，导致有admin的最大权限反而受小权限控制
 						List<TSOperation> operations = systemService.getOperationsByUserIdAndFunctionId(currLoginUser.getId(), functionId);
 						request.setAttribute(Globals.NOAUTO_OPERATIONCODES, operations);
 						if(operations==null){
@@ -199,13 +201,15 @@ public class AuthInterceptor implements HandlerInterceptor {
 							request.setAttribute(Globals.OPERATIONCODES, operationCodes);
 						}
 					}
-
+					//update-end-author:taoYan date:20170829 for:admin不作数据权限控制
 					
 					//Set<String> operationCodes = systemService.getOperationCodesByUserIdAndFunctionId(currLoginUser.getId(), functionId);
 					//request.setAttribute(Globals.OPERATIONCODES, operationCodes);
 				//}
 				//if(!oConvertUtils.isEmpty(functionId)){
 					
+					//update-begin--Author:scott  Date:20170330 for：[online表单按钮\链接权限]jeecg 统一规则采用反的控制，授权的进行按钮或者字段 隐藏\禁用--------------------
+					
 //					List<TSOperation> allOperation=this.systemService.findByProperty(TSOperation.class, "TSFunction.id", functionId);
 //					List<TSOperation> newall = new ArrayList<TSOperation>();
 //					if(allOperation.size()>0){
@@ -213,9 +217,10 @@ public class AuthInterceptor implements HandlerInterceptor {
 //						    //s=s.replaceAll(" ", "");
 //							newall.add(s); 
 //						}
-
+//						//---author:jg_xugj----start-----date:20151210--------for：#781  【oracle兼容】兼容问题fun.operation!='' 在oracle 数据下不正确
 //						String hasOperSql="SELECT operation FROM t_s_role_function fun, t_s_role_user role WHERE  " +
 //							"fun.functionid='"+functionId+"' AND fun.operation is not null  AND fun.roleid=role.roleid AND role.userid='"+currLoginUser.getId()+"' ";
+//						//---author:jg_xugj----end-----date:20151210--------for：#781  【oracle兼容】兼容问题fun.operation!='' 在oracle 数据下不正确
 //						List<String> hasOperList = this.systemService.findListbySql(hasOperSql); 
 //					    for(String operationIds:hasOperList){
 //							    for(String operationId:operationIds.split(",")){
@@ -241,7 +246,8 @@ public class AuthInterceptor implements HandlerInterceptor {
 						    } 
 					} 
 					request.setAttribute(Globals.NOAUTO_OPERATIONCODES, newall);*/
-
+					//update-end--Author:scott  Date:20170330 for：[online表单按钮权限\链接]jeecg 统一规则采用反的控制，授权的进行按钮或者字段 隐藏\禁用--------------------
+					//update-end-author:taoYan date:20170814 for:TASK #2207 【权限bug】多个角色权限（并集问题），因为是反的控制，导致有admin的最大权限反而受小权限控制
 					
 					 //Step.2  第二部分处理列表数据级权限 (菜单数据规则集合)
 					 List<TSDataRule> MENU_DATA_AUTHOR_RULES = new ArrayList<TSDataRule>(); 
@@ -250,7 +256,7 @@ public class AuthInterceptor implements HandlerInterceptor {
 					
 				 	//数据权限规则的查询
 				 	//查询所有的当前这个用户所对应的角色和菜单的datarule的数据规则id
-
+					//update-begin-author:taoYan date:20170829 for:admin不作数据权限控制
 					 if(!currLoginUser.getUserName().equals("admin")){
 						 //Globals.BUTTON_AUTHORITY_CHECK
 						 Set<String> dataruleCodes = systemService.getOperationCodesByUserIdAndDataId(currLoginUser.getId(), functionId);
@@ -261,7 +267,7 @@ public class AuthInterceptor implements HandlerInterceptor {
 						 	MENU_DATA_AUTHOR_RULE_SQL += SysContextSqlConvert.setSqlModel(dataRule);
 						}
 					 }
-
+					//update-end-author:taoYan date:20170829 for:admin不作数据权限控制
 					 JeecgDataAutorUtils.installDataSearchConditon(request, MENU_DATA_AUTHOR_RULES);//菜单数据规则集合
 					 JeecgDataAutorUtils.installDataSearchConditon(request, MENU_DATA_AUTHOR_RULE_SQL);//菜单数据规则sql
 
@@ -275,7 +281,8 @@ public class AuthInterceptor implements HandlerInterceptor {
 
 		}
 	}
-
+	
+	//update-start--author:scott  date:20170225 for：重构权限判断，提高效率---------------
 	/**
 	 * 判断用户是否有菜单访问权限
 	 * @param requestPath
@@ -285,11 +292,9 @@ public class AuthInterceptor implements HandlerInterceptor {
 	 */
 	private boolean hasMenuAuth(String requestPath,String clickFunctionId,TSUser currLoginUser){
         String userid = currLoginUser.getId();
-
-        //step.1 先判断请求是否配置菜单，没有配置菜单默认不作权限控制
-
-        String hasMenuSql = "select count(*) from t_s_function where functionurl = '"+requestPath+"'";
-
+        //update-start--author:scott -------- date:20170330 -------- for：菜单访问权限由模糊匹配改成精确匹配TODO ---------------
+        //step.1 先判断请求是否配置菜单，没有配置菜单默认不作权限控制[注意：这里不限制权限类型菜单]
+        String hasMenuSql = "select count(*) from t_s_function where functiontype = 0 and functionurl = '"+requestPath+"'";
         Long hasMenuCount = systemService.getCountForJdbc(hasMenuSql);
         if(hasMenuCount<=0){
         	return true;
@@ -313,9 +318,9 @@ public class AuthInterceptor implements HandlerInterceptor {
         }else{
 			return true;
 		}
-
+		//update-end--author:scott -------- date:20170330 -------- ：菜单访问权限由模糊匹配改成精确匹配TODO ---------------
 	}
-
+	//update-end--author:scott  date:20170225 for：重构权限判断，提高效率---------------
 	
 	/**
 	 * 转发
@@ -330,14 +335,14 @@ public class AuthInterceptor implements HandlerInterceptor {
 	}
 
 	private void forward(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-
+		//update-start--Author:scott  Date:20160803 for：无登陆情况跳转登陆页
 		//超时，未登陆页面跳转
 		//response.sendRedirect(request.getServletContext().getContextPath()+"/loginController.do?login");
-
+//      update-start--Author:chenjin  Date:20160828 for：TASK #1324 【bug】Session超时后，重新登录页面显示在标签里,让它重新显示登录页面
 		response.sendRedirect(request.getSession().getServletContext().getContextPath()+"/webpage/login/timeout.jsp");
-
+//      update-end--Author:chenjin  Date:20160828 for：TASK #1324 【bug】Session超时后，重新登录页面显示在标签里,让它重新显示登录页面
 		//request.getRequestDispatcher("loginController.do?login").forward(request, response);
-
+		//update-start--Author:scott  Date:20160803 for：无登陆情况跳转登陆页
 	}
 	
 	/**
@@ -362,7 +367,7 @@ public class AuthInterceptor implements HandlerInterceptor {
 	private boolean isAjax(HttpServletRequest request, HttpServletResponse response){
 		return oConvertUtils.isNotEmpty(request.getHeader("X-Requested-With"));
 	}
-
+	//update-begin--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 	private void processAjax(HttpServletResponse response){
 		AjaxJson json = new AjaxJson();
 		json.setSuccess(false);
@@ -378,5 +383,5 @@ public class AuthInterceptor implements HandlerInterceptor {
 			pw.close();
 		}
 	}
-
+	//update-end--Author:dangzhenghui  Date:20170627 for：TASK #2157 【bug】拦截器，需要判断过来的请求是否ajax,如果ajax则返回无权限json,非跳转页面
 }