Use of cn.devezhao.bizz.privileges.DepthEntry in the project rebuild by getrebuild:
the class RoleBaseQueryFilter, method evaluate.
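@Override
public String evaluate(final Entity entity) {
    // Unknown or inactive users see nothing; administrators see everything.
    if (user == null || !user.isActive()) {
        return DENIED.evaluate(null);
    } else if (user.isAdmin()) {
        return ALLOWED.evaluate(null);
    }

    // Entities without a privileges field: BIZZ and plain entities are visible to
    // every user; a detail entity falls back to its main entity's privileges; anything
    // else is denied (fail closed) and the call site is logged so the caller can be
    // switched to `Application#createQueryNoFilter`.
    Entity useMainEntity = null;
    if (!MetadataHelper.hasPrivilegesField(entity)) {
        if (MetadataHelper.isBizzEntity(entity) || EasyMetaFactory.valueOf(entity).isPlainEntity()) {
            return ALLOWED.evaluate(null);
        } else if (entity.getMainEntity() != null) {
            useMainEntity = entity.getMainEntity();
        } else {
            log.warn("None privileges entity use `Application#createQueryNoFilter` please : {} \n\t{}",
                    entity, StringUtils.join(Thread.currentThread().getStackTrace(), "\n\t"));
            return DENIED.evaluate(null);
        }
    }

    // No privileges configured for the role on this entity: deny by default.
    // A detail entity is evaluated against its main entity's privileges.
    final Privileges ep = user.getOwningRole().getPrivileges(
            useMainEntity != null ? useMainEntity.getEntityCode() : entity.getEntityCode());
    if (ep == Privileges.NONE) {
        return DENIED.evaluate(null);
    }

    // Owning-field filter template; for a detail entity it is prefixed with the
    // detail-to-main reference field so the condition is applied to the main record.
    String owningFormat = "%s = '%s'";
    Field dtmField = null;
    if (useMainEntity != null) {
        dtmField = MetadataHelper.getDetailToMainField(entity);
        owningFormat = dtmField.getName() + "." + owningFormat;
    }

    final String customFilter = buildCustomFilter(ep, dtmField);
    final String shareFilter = buildShareFilter(entity, dtmField);

    final DepthEntry depth = ep.superlative(useAction);
    if (depth == BizzDepthEntry.GLOBAL) {
        if (customFilter == null) {
            return ALLOWED.evaluate(null);
        }
        // NOTE(review): unlike the branches below this does not go through joinFilters,
        // so a null shareFilter would be rendered literally — confirm buildShareFilter
        // never returns null.
        return String.format("(%s or %s)", customFilter, shareFilter);
    }
    if (depth == BizzDepthEntry.PRIVATE) {
        String baseFilter = String.format(owningFormat, EntityHelper.OwningUser, user.getIdentity());
        return joinFilters(baseFilter, customFilter, shareFilter);
    }

    // Department-scoped depths
    Department dept = user.getOwningDept();
    String deptFilter = String.format(owningFormat, EntityHelper.OwningDept, dept.getIdentity());
    if (depth == BizzDepthEntry.LOCAL) {
        return joinFilters(deptFilter, customFilter, shareFilter);
    } else if (depth == BizzDepthEntry.DEEPDOWN) {
        // Insertion-ordered set: still de-duplicates department conditions, but the
        // generated filter is now stable for identical inputs (a HashSet made the
        // order of the "or" terms vary between runs).
        Set<String> deptConditions = new java.util.LinkedHashSet<>();
        deptConditions.add(deptFilter);
        for (BusinessUnit child : dept.getAllChildren()) {
            deptConditions.add(String.format(owningFormat, EntityHelper.OwningDept, child.getIdentity()));
        }
        deptFilter = StringUtils.join(deptConditions, " or ");
        return joinFilters(deptFilter, customFilter, shareFilter);
    }

    // Any other depth (including NONE) is denied.
    return DENIED.evaluate(null);
}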
Use of cn.devezhao.bizz.privileges.DepthEntry in the project rebuild by getrebuild:
the class PrivilegesManager, method allow.
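/**
 * Whether {@code user} holds the permission {@code action} on the record {@code target}.
 *
 * <p>Checks are applied in order: plain-entity CRUD is open to everyone; {@code userAllow}
 * may decide on the user alone; administrators are allowed everywhere; BIZZ entities are
 * readable by everyone; a user may update their own record; otherwise the role's privileges
 * on the (main) entity are consulted and narrowed by depth (GLOBAL / PRIVATE / LOCAL /
 * DEEPDOWN), by sharing unless {@code ignoreShared}, and by the role's custom filter.
 * A record whose owning user cannot be resolved is denied (fail closed).
 *
 * @param user the acting user
 * @param target the target record
 * @param action the permission action
 * @param ignoreShared whether to ignore permission obtained through sharing
 * @return {@code true} if the action is allowed on the record
 */
public boolean allow(ID user, ID target, Permission action, boolean ignoreShared) {
    final Entity entity = MetadataHelper.getEntity(target.getEntityCode());

    // PlainEntity: CRUD is open to everyone (masks at or below READ — relies on
    // BizzPermission's mask ordering, confirm if that ever changes)
    if (action.getMask() <= BizzPermission.READ.getMask() && EasyMetaFactory.valueOf(entity).isPlainEntity()) {
        return true;
    }

    // A decision that depends on the user alone, if there is one
    Boolean a = userAllow(user);
    if (a != null) {
        return a;
    }

    Role role = theUserStore.getUser(user).getOwningRole();
    if (RoleService.ADMIN_ROLE.equals(role.getIdentity())) {
        return true;
    }

    // BIZZ entities are readable by everyone
    if (action == BizzPermission.READ && MetadataHelper.isBizzEntity(entity.getEntityCode())) {
        return true;
    }
    // Users may update their own record
    if (action == BizzPermission.UPDATE && target.equals(user)) {
        return true;
    }

    // Work on a local copy instead of reassigning the parameter
    Permission effectiveAction = action;
    // UNSHARE is governed by the SHARE privilege
    if (effectiveAction == EntityService.UNSHARE) {
        effectiveAction = BizzPermission.SHARE;
    }
    // Detail entities have no assign/share of their own; other actions map to the main entity
    if (entity.getMainEntity() != null) {
        if (effectiveAction == BizzPermission.ASSIGN || effectiveAction == BizzPermission.SHARE) {
            return false;
        }
        effectiveAction = convert2MainAction(effectiveAction);
    }

    Privileges ep = role.getPrivileges(convert2MainEntity(entity.getEntityCode()));
    if (!ep.allowed(effectiveAction)) {
        return false;
    }

    final DepthEntry depth = ep.superlative(effectiveAction);
    if (BizzDepthEntry.NONE.equals(depth)) {
        return false;
    } else if (BizzDepthEntry.GLOBAL.equals(depth)) {
        return andPassCustomFilter(user, target, effectiveAction, ep);
    }

    // Owner-relative depths need the record's owning user; an unknown owner is denied
    ID targetUserId = theRecordOwningCache.getOwningUser(target);
    if (targetUserId == null) {
        return false;
    }

    if (BizzDepthEntry.PRIVATE.equals(depth)) {
        boolean isOwner = user.equals(targetUserId);
        return passShareAndCustomFilter(isOwner, user, target, effectiveAction, ignoreShared, ep);
    }

    User accessUser = theUserStore.getUser(user);
    User targetUser = theUserStore.getUser(targetUserId);
    Department accessUserDept = accessUser.getOwningDept();

    if (BizzDepthEntry.LOCAL.equals(depth)) {
        boolean sameDept = accessUserDept.equals(targetUser.getOwningDept());
        return passShareAndCustomFilter(sameDept, user, target, effectiveAction, ignoreShared, ep);
    } else if (BizzDepthEntry.DEEPDOWN.equals(depth)) {
        if (accessUserDept.equals(targetUser.getOwningDept())) {
            return andPassCustomFilter(user, target, effectiveAction, ep);
        }
        boolean inSubDept = accessUserDept.isChildren(targetUser.getOwningDept(), true);
        return passShareAndCustomFilter(inSubDept, user, target, effectiveAction, ignoreShared, ep);
    }
    return false;
}

/**
 * Share fallback plus custom filter, as applied by the PRIVATE / LOCAL / DEEPDOWN depths:
 * a record not directly in scope may still be reached through sharing (unless
 * {@code ignoreShared}), and in either case the role's custom filter must pass.
 */
private boolean passShareAndCustomFilter(boolean directlyAllowed, ID user, ID target,
                                         Permission action, boolean ignoreShared, Privileges ep) {
    // allowViaShare is only consulted when the record is not directly in scope
    boolean allowed = directlyAllowed || (!ignoreShared && allowViaShare(user, target, action));
    return allowed && andPassCustomFilter(user, target, action, ep);
}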