
Example 1 with DepthEntry

use of cn.devezhao.bizz.privileges.DepthEntry in project rebuild by getrebuild.

the class RoleBaseQueryFilter method evaluate.

/**
 * Builds the record-visibility filter the current {@code user} gets for
 * {@code entity} under the action held in {@code useAction}.
 *
 * <p>Decision order: inactive/unknown user → {@code DENIED}; admin → {@code ALLOWED};
 * entities without a privileges field are either open to everyone (BIZZ or plain
 * entities), evaluated through their main entity (detail entities), or denied with a
 * warning; an entity whose role privileges are {@link Privileges#NONE} is denied;
 * otherwise the filter is derived from the depth ({@code GLOBAL}, {@code PRIVATE},
 * {@code LOCAL}, {@code DEEPDOWN}) the role grants for the action, combined with the
 * custom and share filters. Any other depth falls through to {@code DENIED}.
 *
 * <p>The owning-user / owning-department clauses are produced from the template
 * {@code "%s = '%s'"} with the identity inserted verbatim between the quotes; no
 * escaping is applied, so this relies on identities being internal IDs rather than
 * caller-supplied text (presumably persist4j IDs — confirm against the ID type).
 *
 * @param entity the entity being queried
 * @return the filter expression text to append to the query, or the text produced by
 *         {@code ALLOWED}/{@code DENIED} for unrestricted / fully blocked access
 */
@Override
public String evaluate(final Entity entity) {
    // An inactive or missing user sees nothing; an admin sees everything.
    if (user == null || !user.isActive()) {
        return DENIED.evaluate(null);
    }
    if (user.isAdmin()) {
        return ALLOWED.evaluate(null);
    }

    // Entities without a privileges field: BIZZ and plain entities are visible to all
    // users; detail entities borrow the main entity's privileges; anything else is
    // denied (and the caller's stack is logged so the misuse can be located).
    Entity mainEntity = null;
    if (!MetadataHelper.hasPrivilegesField(entity)) {
        boolean openToAll = MetadataHelper.isBizzEntity(entity)
                || EasyMetaFactory.valueOf(entity).isPlainEntity();
        if (openToAll) {
            return ALLOWED.evaluate(null);
        }
        mainEntity = entity.getMainEntity();
        if (mainEntity == null) {
            log.warn("None privileges entity use `Application#createQueryNoFilter` please : {} \n\t{}", entity, StringUtils.join(Thread.currentThread().getStackTrace(), "\n\t"));
            return DENIED.evaluate(null);
        }
    }

    // No configured privileges means deny by default.
    final Entity privilegesEntity = mainEntity != null ? mainEntity : entity;
    final Privileges ep = user.getOwningRole().getPrivileges(privilegesEntity.getEntityCode());
    if (ep == Privileges.NONE) {
        return DENIED.evaluate(null);
    }

    // Owner clause template; for a detail entity the owner field is reached through
    // the detail-to-main reference field, hence the "<dtm>." prefix.
    Field dtmField = null;
    String ownerTemplate = "%s = '%s'";
    if (mainEntity != null) {
        dtmField = MetadataHelper.getDetailToMainField(entity);
        ownerTemplate = dtmField.getName() + "." + ownerTemplate;
    }

    final String customFilter = buildCustomFilter(ep, dtmField);
    final String shareFilter = buildShareFilter(entity, dtmField);
    final DepthEntry depth = ep.superlative(useAction);

    if (depth == BizzDepthEntry.GLOBAL) {
        // Global depth is unrestricted unless a custom filter narrows it.
        return customFilter == null
                ? ALLOWED.evaluate(null)
                : String.format("(%s or %s)", customFilter, shareFilter);
    }
    if (depth == BizzDepthEntry.PRIVATE) {
        final String ownRecords = String.format(ownerTemplate, EntityHelper.OwningUser, user.getIdentity());
        return joinFilters(ownRecords, customFilter, shareFilter);
    }

    // Department-scoped depths.
    final Department dept = user.getOwningDept();
    final String ownDeptFilter = String.format(ownerTemplate, EntityHelper.OwningDept, dept.getIdentity());
    if (depth == BizzDepthEntry.LOCAL) {
        return joinFilters(ownDeptFilter, customFilter, shareFilter);
    }
    if (depth == BizzDepthEntry.DEEPDOWN) {
        // Own department plus every descendant; the set is a HashSet, so the order of
        // the "or" clauses is unspecified (only membership matters).
        Set<String> deptFilters = new HashSet<>();
        deptFilters.add(ownDeptFilter);
        for (BusinessUnit child : dept.getAllChildren()) {
            deptFilters.add(String.format(ownerTemplate, EntityHelper.OwningDept, child.getIdentity()));
        }
        return joinFilters(StringUtils.join(deptFilters, " or "), customFilter, shareFilter);
    }

    // Unknown depth: fail closed.
    return DENIED.evaluate(null);
}

Example 2 with DepthEntry

use of cn.devezhao.bizz.privileges.DepthEntry in project rebuild by getrebuild.

the class PrivilegesManager method allow.

/**
 * Decides whether {@code user} holds {@code action} on the single record {@code target}.
 *
 * <p>Checks are applied in order and the first that decides wins: read-level actions on
 * a plain entity are always allowed (this runs before {@code userAllow(user)} is
 * consulted); {@code userAllow(user)} may decide outright; the admin role is allowed;
 * READ on a BIZZ entity is allowed; UPDATE on the user's own record is allowed. Then the
 * role's entity privileges are consulted, and the granted depth is matched against the
 * record's owning user / department. Sharing grants (via {@code allowViaShare}) are only
 * a fallback for the PRIVATE, LOCAL and DEEPDOWN depths, and only when
 * {@code ignoreShared} is {@code false}; every positive depth result is further gated by
 * {@code andPassCustomFilter}.
 *
 * @param user         the user requesting the action
 * @param target       the record the action is requested on
 * @param action       the requested permission; {@code UNSHARE} is evaluated as {@code SHARE},
 *                     and on a detail entity the action is mapped to the main entity's
 *                     action via {@code convert2MainAction}
 * @param ignoreShared when {@code true}, permissions obtained through sharing are not
 *                     considered (ownership / role depth only)
 * @return {@code true} if the action is permitted, {@code false} otherwise (including a
 *         record with no owning user, and any depth not listed above — fail closed)
 */
public boolean allow(ID user, ID target, Permission action, boolean ignoreShared) {
    final Entity entity = MetadataHelper.getEntity(target.getEntityCode());

    // Plain entity: read-level actions are open to everyone.
    if (action.getMask() <= BizzPermission.READ.getMask()
            && EasyMetaFactory.valueOf(entity).isPlainEntity()) {
        return true;
    }

    // A non-null answer here is final.
    final Boolean userDecision = userAllow(user);
    if (userDecision != null) {
        return userDecision;
    }

    final Role role = theUserStore.getUser(user).getOwningRole();
    if (RoleService.ADMIN_ROLE.equals(role.getIdentity())) {
        return true;
    }
    // BIZZ entities are readable by everyone.
    if (action == BizzPermission.READ && MetadataHelper.isBizzEntity(entity.getEntityCode())) {
        return true;
    }
    // A user may update their own record.
    if (action == BizzPermission.UPDATE && target.equals(user)) {
        return true;
    }

    // Unshare is governed by the same privilege as share.
    Permission effective = action;
    if (effective == EntityService.UNSHARE) {
        effective = BizzPermission.SHARE;
    }
    // Detail entities cannot be assigned or shared; other actions follow the main entity.
    if (entity.getMainEntity() != null) {
        if (effective == BizzPermission.ASSIGN || effective == BizzPermission.SHARE) {
            return false;
        }
        effective = convert2MainAction(effective);
    }

    final Privileges ep = role.getPrivileges(convert2MainEntity(entity.getEntityCode()));
    if (!ep.allowed(effective)) {
        return false;
    }

    final DepthEntry depth = ep.superlative(effective);
    if (BizzDepthEntry.NONE.equals(depth)) {
        return false;
    }
    if (BizzDepthEntry.GLOBAL.equals(depth)) {
        return andPassCustomFilter(user, target, effective, ep);
    }

    // Every remaining depth needs the record's owner; an ownerless record is denied.
    final ID ownerId = theRecordOwningCache.getOwningUser(target);
    if (ownerId == null) {
        return false;
    }

    if (BizzDepthEntry.PRIVATE.equals(depth)) {
        final boolean reachable = user.equals(ownerId)
                || (!ignoreShared && allowViaShare(user, target, effective));
        return reachable && andPassCustomFilter(user, target, effective, ep);
    }

    final Department accessDept = theUserStore.getUser(user).getOwningDept();
    final Department ownerDept = theUserStore.getUser(ownerId).getOwningDept();

    if (BizzDepthEntry.LOCAL.equals(depth)) {
        final boolean reachable = accessDept.equals(ownerDept)
                || (!ignoreShared && allowViaShare(user, target, effective));
        return reachable && andPassCustomFilter(user, target, effective, ep);
    }
    if (BizzDepthEntry.DEEPDOWN.equals(depth)) {
        // Same department is decided without the share fallback; descendants may use it.
        if (accessDept.equals(ownerDept)) {
            return andPassCustomFilter(user, target, effective, ep);
        }
        final boolean reachable = accessDept.isChildren(ownerDept, true)
                || (!ignoreShared && allowViaShare(user, target, effective));
        return reachable && andPassCustomFilter(user, target, effective, ep);
    }

    // Unknown depth: fail closed.
    return false;
}
