fix 角色分配判断是否越权未考虑到子孙角色, 补充一些请求权限注解

2025-09-08 13:37:35 +00:00 · 2024-10-10 18:36:53 +08:00
parent e72c5ccd32
commit 3e6c4eb92f
7 changed files with 60 additions and 25 deletions
--- a/bootx-platform/bootx-platform-service/service-iam/src/main/java/cn/bootx/platform/iam/service/upms/UserRoleService.java
+++ b/bootx-platform/bootx-platform-service/service-iam/src/main/java/cn/bootx/platform/iam/service/upms/UserRoleService.java
@@ -4,13 +4,14 @@ import cn.bootx.platform.common.mybatisplus.util.MpUtil;
 import cn.bootx.platform.core.entity.UserDetail;
 import cn.bootx.platform.core.exception.BizException;
 import cn.bootx.platform.core.exception.ValidationFailedException;
+import cn.bootx.platform.core.util.TreeBuildUtil;
 import cn.bootx.platform.iam.dao.role.RoleManager;
 import cn.bootx.platform.iam.dao.upms.UserRoleManager;
 import cn.bootx.platform.iam.dao.user.UserInfoManager;
-import cn.bootx.platform.iam.entity.role.Role;
 import cn.bootx.platform.iam.entity.upms.UserRole;
 import cn.bootx.platform.iam.entity.user.UserInfo;
 import cn.bootx.platform.iam.result.role.RoleResult;
+import cn.bootx.platform.iam.service.role.RoleQueryService;
 import cn.bootx.platform.starter.auth.util.SecurityUtil;
 import cn.hutool.core.collection.CollUtil;
 import lombok.RequiredArgsConstructor;
@@ -36,6 +37,8 @@ public class UserRoleService {

    private final RoleManager roleManager;

+    private final RoleQueryService roleQueryService;
+
    private final UserInfoManager userInfoManager;

    private final UserRoleManager userRoleManager;
@@ -46,7 +49,12 @@ public class UserRoleService {
    @Transactional(rollbackFor = Exception.class)
    public void saveAssign(Long userId, List<Long> roleIds) {
        // 判断是否越权
-        List<Long> roleIdsByUser = this.findRoleIdsByUser();
+        List<RoleResult> roleTree = roleQueryService.tree();
+        List<Long> roleIdsByUser = TreeBuildUtil.unfold(roleTree, RoleResult::getChildren)
+                .stream()
+                .distinct()
+                .map(RoleResult::getId)
+                .toList();
        if (!CollUtil.containsAll(roleIdsByUser, roleIds)){
            throw new ValidationFailedException("角色分配超出了可分配的范围");
        }
@@ -63,7 +71,13 @@ public class UserRoleService {
     */
    @Transactional(rollbackFor = Exception.class)
    public void saveAssignBatch(List<Long> userIds, List<Long> roleIds) {
-        List<Long> roleIdsByUser = this.findRoleIdsByUser();
+        // 判断是否越权
+        List<RoleResult> roleTree = roleQueryService.tree();
+        List<Long> roleIdsByUser = TreeBuildUtil.unfold(roleTree, RoleResult::getChildren)
+                .stream()
+                .distinct()
+                .map(RoleResult::getId)
+                .toList();
        if (!CollUtil.containsAll(roleIdsByUser, roleIds)){
            throw new ValidationFailedException("角色分配超出了可分配的范围");
        }
@@ -106,18 +120,6 @@ public class UserRoleService {
            .toList();
    }

-    /**
-     * 查询用户关联的角色, 超级管理员返回全部
-     */
-    private List<Long> findRoleIdsByUser() {
-        UserDetail user = SecurityUtil.getUser();
-        if (user.isAdmin()){
-            return roleManager.findAll().stream().map(Role::getId).toList();
-        } else {
-            return findRoleIdsByUser(user.getId());
-        }
-    }
-
    /**
     * 判断当前登录用户和指定角色是否为符合下列条件
     * 1. 为超级管理员