refactor: 通过注解来拦截资源和项目的归属关系
This commit is contained in:
parent
24b6d9b5f2
commit
edf466ad35
|
@ -7,6 +7,7 @@ import io.metersphere.project.service.FileManagementService;
|
||||||
import io.metersphere.project.service.FileMetadataService;
|
import io.metersphere.project.service.FileMetadataService;
|
||||||
import io.metersphere.sdk.constants.PermissionConstants;
|
import io.metersphere.sdk.constants.PermissionConstants;
|
||||||
import io.metersphere.sdk.constants.StorageType;
|
import io.metersphere.sdk.constants.StorageType;
|
||||||
|
import io.metersphere.system.security.CheckOwner;
|
||||||
import io.metersphere.system.utils.Pager;
|
import io.metersphere.system.utils.Pager;
|
||||||
import io.metersphere.system.utils.SessionUtils;
|
import io.metersphere.system.utils.SessionUtils;
|
||||||
import io.swagger.v3.oas.annotations.Operation;
|
import io.swagger.v3.oas.annotations.Operation;
|
||||||
|
@ -77,6 +78,7 @@ public class FileManagementController {
|
||||||
@GetMapping(value = "/download/{id}")
|
@GetMapping(value = "/download/{id}")
|
||||||
@Operation(summary = "项目管理-文件管理-下载文件")
|
@Operation(summary = "项目管理-文件管理-下载文件")
|
||||||
@RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_DOWNLOAD)
|
@RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_DOWNLOAD)
|
||||||
|
@CheckOwner(resourceId = "#id", resourceType = "file_metadata")
|
||||||
public ResponseEntity<byte[]> download(@PathVariable String id) throws Exception {
|
public ResponseEntity<byte[]> download(@PathVariable String id) throws Exception {
|
||||||
return fileMetadataService.downloadById(id);
|
return fileMetadataService.downloadById(id);
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
package io.metersphere.system.mapper;
|
||||||
|
|
||||||
|
import org.apache.ibatis.annotations.Param;
|
||||||
|
|
||||||
|
public interface ExtCheckOwnerMapper {
|
||||||
|
boolean checkoutOwner(@Param("table") String resourceType, @Param("projectId") String projectId, @Param("id") String id);
|
||||||
|
}
|
|
@ -0,0 +1,10 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
|
||||||
|
<mapper namespace="io.metersphere.system.mapper.ExtCheckOwnerMapper">
|
||||||
|
<select id="checkoutOwner" resultType="boolean">
|
||||||
|
SELECT 1
|
||||||
|
FROM ${table}
|
||||||
|
WHERE id = #{id}
|
||||||
|
AND project_id = #{projectId}
|
||||||
|
</select>
|
||||||
|
</mapper>
|
|
@ -0,0 +1,12 @@
|
||||||
|
package io.metersphere.system.security;
|
||||||
|
|
||||||
|
import java.lang.annotation.*;
|
||||||
|
|
||||||
|
@Target({ElementType.METHOD})
|
||||||
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
|
@Documented
|
||||||
|
public @interface CheckOwner {
|
||||||
|
String resourceId();
|
||||||
|
|
||||||
|
String resourceType();
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
package io.metersphere.system.security;
|
||||||
|
|
||||||
|
|
||||||
|
import io.metersphere.sdk.constants.InternalUserRole;
|
||||||
|
import io.metersphere.sdk.exception.MSException;
|
||||||
|
import io.metersphere.sdk.util.LogUtils;
|
||||||
|
import io.metersphere.sdk.util.Translator;
|
||||||
|
import io.metersphere.system.mapper.ExtCheckOwnerMapper;
|
||||||
|
import io.metersphere.system.utils.SessionUtils;
|
||||||
|
import jakarta.annotation.Resource;
|
||||||
|
import org.apache.commons.lang3.StringUtils;
|
||||||
|
import org.aspectj.lang.JoinPoint;
|
||||||
|
import org.aspectj.lang.annotation.Aspect;
|
||||||
|
import org.aspectj.lang.annotation.Before;
|
||||||
|
import org.aspectj.lang.annotation.Pointcut;
|
||||||
|
import org.aspectj.lang.reflect.MethodSignature;
|
||||||
|
import org.springframework.core.StandardReflectionParameterNameDiscoverer;
|
||||||
|
import org.springframework.expression.EvaluationContext;
|
||||||
|
import org.springframework.expression.Expression;
|
||||||
|
import org.springframework.expression.ExpressionParser;
|
||||||
|
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
||||||
|
import org.springframework.expression.spel.support.StandardEvaluationContext;
|
||||||
|
import org.springframework.stereotype.Component;
|
||||||
|
|
||||||
|
import java.lang.reflect.Method;
|
||||||
|
|
||||||
|
|
||||||
|
@Aspect
|
||||||
|
@Component
|
||||||
|
public class CheckOwnerAspect {
|
||||||
|
|
||||||
|
private ExpressionParser parser = new SpelExpressionParser();
|
||||||
|
private StandardReflectionParameterNameDiscoverer discoverer = new StandardReflectionParameterNameDiscoverer();
|
||||||
|
|
||||||
|
@Resource
|
||||||
|
private ExtCheckOwnerMapper extCheckOwnerMapper;
|
||||||
|
|
||||||
|
@Pointcut("@annotation(io.metersphere.system.security.CheckOwner)")
|
||||||
|
public void pointcut() {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Before("pointcut()")
|
||||||
|
public void before(JoinPoint joinPoint) {
|
||||||
|
try {
|
||||||
|
//从切面织入点处通过反射机制获取织入点处的方法
|
||||||
|
MethodSignature signature = (MethodSignature) joinPoint.getSignature();
|
||||||
|
//获取切入点所在的方法
|
||||||
|
Method method = signature.getMethod();
|
||||||
|
//获取参数对象数组
|
||||||
|
Object[] args = joinPoint.getArgs();
|
||||||
|
CheckOwner checkOwner = method.getAnnotation(CheckOwner.class);
|
||||||
|
long count = SessionUtils.getUser().getUserRoles()
|
||||||
|
.stream()
|
||||||
|
.filter(g -> StringUtils.equalsIgnoreCase(g.getId(), InternalUserRole.ADMIN.getValue()))
|
||||||
|
.count();
|
||||||
|
if (count > 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// 操作内容
|
||||||
|
//获取方法参数名
|
||||||
|
String[] params = discoverer.getParameterNames(method);
|
||||||
|
//将参数纳入Spring管理
|
||||||
|
EvaluationContext context = new StandardEvaluationContext();
|
||||||
|
for (int len = 0; len < params.length; len++) {
|
||||||
|
context.setVariable(params[len], args[len]);
|
||||||
|
}
|
||||||
|
|
||||||
|
String resourceId = checkOwner.resourceId();
|
||||||
|
String resourceType = checkOwner.resourceType();
|
||||||
|
Expression titleExp = parser.parseExpression(resourceId);
|
||||||
|
Object v = titleExp.getValue(context, Object.class);
|
||||||
|
if (v instanceof String id) {
|
||||||
|
if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), id)) {
|
||||||
|
throw new MSException(Translator.get("check_owner_case"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (Exception e) {
|
||||||
|
LogUtils.error(e.getMessage(), e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue