支持如下数据范围设置:
- 所有数据
- 所在公司及以下数据
- 所在公司数据
- 所在部门及以下数据
- 所在部门数据
- 仅本人数据
- 按明细设置(特殊情况下,跨机构授权)
User user = UserUtils.getUser();
// 使用标准查询
DetachedCriteria dc = articleDao.createDetachedCriteria();
dc.createAlias("office", "office").createAlias("user", "user");
dc.add(dataScopeFilter(user, "office", "user"));
List<Entity> list = articleDao.find(page, dc);;
// 使用HQL查询
String hql = "select e from Entity e join e.office o join e.user u where 1=1 ";
hql += dataScopeFilterString(UserUtils.getUser(), "o", "u");
List<Entity> list2 = articleDao.find(page, hql);
/**
* 数据范围过滤
* @param dc Hibernate标准查询对象
* @param user 当前用户对象,通过“UserUtils.getUser()”获取
* @param officeAlias 机构表别名,例如:dc.createAlias("office", "office");
* @param userAlias 用户表别名,传递空,忽略此参数
* @return 标准连接条件对象
*/
protected static Junction dataScopeFilter(User user, String officeAlias, String userAlias) {
// 进行权限过滤,多个角色权限范围之间为或者关系。
List<String> dataScope = Lists.newArrayList();
Junction junction = Restrictions.disjunction();
// 超级管理员,跳过权限过滤
if (!user.isAdmin()){
for (Role r : user.getRoleList()){
if (!dataScope.contains(r.getDataScope()) && StringUtils.isNotBlank(officeAlias)){
boolean isDataScopeAll = false;
if (Role.DATA_SCOPE_ALL.equals(r.getDataScope())){
isDataScopeAll = true;
}
else if (Role.DATA_SCOPE_COMPANY_AND_CHILD.equals(r.getDataScope())){
junction.add(Restrictions.eq(officeAlias+".id", user.getCompany().getId()));
junction.add(Restrictions.like(officeAlias+".parentIds", user.getCompany().getParentIds()+user.getCompany().getId()+",%"));
}
else if (Role.DATA_SCOPE_COMPANY.equals(r.getDataScope())){
junction.add(Restrictions.eq(officeAlias+".id", user.getCompany().getId()));
junction.add(Restrictions.and(Restrictions.eq(officeAlias+".parent.id", user.getCompany().getId()),
Restrictions.eq(officeAlias+".type", "2"))); // 包括本公司下的部门
}
else if (Role.DATA_SCOPE_OFFICE_AND_CHILD.equals(r.getDataScope())){
junction.add(Restrictions.eq(officeAlias+".id", user.getOffice().getId()));
junction.add(Restrictions.like(officeAlias+".parentIds", user.getOffice().getParentIds()+user.getOffice().getId()+",%"));
}
else if (Role.DATA_SCOPE_OFFICE.equals(r.getDataScope())){
junction.add(Restrictions.eq(officeAlias+".id", user.getOffice().getId()));
}
else if (Role.DATA_SCOPE_CUSTOM.equals(r.getDataScope())){
junction.add(Restrictions.in(officeAlias+".id", r.getOfficeIdList()));
}
//else if (Role.DATA_SCOPE_SELF.equals(r.getDataScope())){
if (!isDataScopeAll){
if (StringUtils.isNotBlank(userAlias)){
junction.add(Restrictions.eq(userAlias+".id", user.getId()));
}else {
junction.add(Restrictions.isNull(officeAlias+".id"));
}
}else{
// 如果包含全部权限,则去掉之前添加的所有条件,并跳出循环。
junction = Restrictions.disjunction();
break;
}
dataScope.add(r.getDataScope());
}
}
}
return junction;
}
/**
* 数据范围过滤
* @param user 当前用户对象,通过“UserUtils.getUser()”获取
* @param officeAlias 机构表别名,例如:dc.createAlias("office", "office");
* @param userAlias 用户表别名,传递空,忽略此参数
* @return ql查询字符串
*/
protected static String dataScopeFilterString(User user, String officeAlias, String userAlias) {
Junction junction = dataScopeFilter(user, officeAlias, userAlias);
Iterator<Criterion> it = junction.conditions().iterator();
StringBuilder ql = new StringBuilder();
ql.append(" and (");
if (it.hasNext()){
ql.append(it.next());
}
String[] strField = {".parentIds like ", ".type="}; // 需要给字段增加“单引号”的字段。
while (it.hasNext()) {
ql.append(" or (");
String s = it.next().toString();
for(String field : strField){
s = s.replaceAll(field + "(\\w.*)", field + "'$1'");
}
ql.append(s).append(")");
}
ql.append(")");
return ql.toString();
}
