refactor: 通过注解来拦截资源和项目的归属关系

This commit is contained in:
CaptainB 2023-12-13 13:15:57 +08:00 committed by 刘瑞斌
parent 24b6d9b5f2
commit edf466ad35
5 changed files with 115 additions and 2 deletions

View File

@ -7,6 +7,7 @@ import io.metersphere.project.service.FileManagementService;
import io.metersphere.project.service.FileMetadataService; import io.metersphere.project.service.FileMetadataService;
import io.metersphere.sdk.constants.PermissionConstants; import io.metersphere.sdk.constants.PermissionConstants;
import io.metersphere.sdk.constants.StorageType; import io.metersphere.sdk.constants.StorageType;
import io.metersphere.system.security.CheckOwner;
import io.metersphere.system.utils.Pager; import io.metersphere.system.utils.Pager;
import io.metersphere.system.utils.SessionUtils; import io.metersphere.system.utils.SessionUtils;
import io.swagger.v3.oas.annotations.Operation; import io.swagger.v3.oas.annotations.Operation;
@ -64,19 +65,20 @@ public class FileManagementController {
@Operation(summary = "项目管理-文件管理-上传文件") @Operation(summary = "项目管理-文件管理-上传文件")
@RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_ADD) @RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_ADD)
public String upload(@Validated @RequestPart("request") FileUploadRequest request, @RequestPart(value = "file", required = false) MultipartFile uploadFile) throws Exception { public String upload(@Validated @RequestPart("request") FileUploadRequest request, @RequestPart(value = "file", required = false) MultipartFile uploadFile) throws Exception {
return fileMetadataService.upload(request, SessionUtils.getUserId(), uploadFile); return fileMetadataService.upload(request, SessionUtils.getUserId(), uploadFile);
} }
@PostMapping("/re-upload") @PostMapping("/re-upload")
@Operation(summary = "项目管理-文件管理-重新上传文件") @Operation(summary = "项目管理-文件管理-重新上传文件")
@RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_UPDATE) @RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_UPDATE)
public String reUpload(@Validated @RequestPart("request") FileReUploadRequest request, @RequestPart(value = "file", required = false) MultipartFile uploadFile) throws Exception { public String reUpload(@Validated @RequestPart("request") FileReUploadRequest request, @RequestPart(value = "file", required = false) MultipartFile uploadFile) throws Exception {
return fileMetadataService.reUpload(request, SessionUtils.getUserId(), uploadFile); return fileMetadataService.reUpload(request, SessionUtils.getUserId(), uploadFile);
} }
@GetMapping(value = "/download/{id}") @GetMapping(value = "/download/{id}")
@Operation(summary = "项目管理-文件管理-下载文件") @Operation(summary = "项目管理-文件管理-下载文件")
@RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_DOWNLOAD) @RequiresPermissions(PermissionConstants.PROJECT_FILE_MANAGEMENT_READ_DOWNLOAD)
@CheckOwner(resourceId = "#id", resourceType = "file_metadata")
public ResponseEntity<byte[]> download(@PathVariable String id) throws Exception { public ResponseEntity<byte[]> download(@PathVariable String id) throws Exception {
return fileMetadataService.downloadById(id); return fileMetadataService.downloadById(id);
} }

View File

@ -0,0 +1,7 @@
package io.metersphere.system.mapper;
import org.apache.ibatis.annotations.Param;
public interface ExtCheckOwnerMapper {
boolean checkoutOwner(@Param("table") String resourceType, @Param("projectId") String projectId, @Param("id") String id);
}

View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="io.metersphere.system.mapper.ExtCheckOwnerMapper">
<select id="checkoutOwner" resultType="boolean">
SELECT 1
FROM ${table}
WHERE id = #{id}
AND project_id = #{projectId}
</select>
</mapper>

View File

@ -0,0 +1,12 @@
package io.metersphere.system.security;
import java.lang.annotation.*;
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CheckOwner {
String resourceId();
String resourceType();
}

View File

@ -0,0 +1,82 @@
package io.metersphere.system.security;
import io.metersphere.sdk.constants.InternalUserRole;
import io.metersphere.sdk.exception.MSException;
import io.metersphere.sdk.util.LogUtils;
import io.metersphere.sdk.util.Translator;
import io.metersphere.system.mapper.ExtCheckOwnerMapper;
import io.metersphere.system.utils.SessionUtils;
import jakarta.annotation.Resource;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.aspectj.lang.reflect.MethodSignature;
import org.springframework.core.StandardReflectionParameterNameDiscoverer;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Component;
import java.lang.reflect.Method;
@Aspect
@Component
public class CheckOwnerAspect {
private ExpressionParser parser = new SpelExpressionParser();
private StandardReflectionParameterNameDiscoverer discoverer = new StandardReflectionParameterNameDiscoverer();
@Resource
private ExtCheckOwnerMapper extCheckOwnerMapper;
@Pointcut("@annotation(io.metersphere.system.security.CheckOwner)")
public void pointcut() {
}
@Before("pointcut()")
public void before(JoinPoint joinPoint) {
try {
//从切面织入点处通过反射机制获取织入点处的方法
MethodSignature signature = (MethodSignature) joinPoint.getSignature();
//获取切入点所在的方法
Method method = signature.getMethod();
//获取参数对象数组
Object[] args = joinPoint.getArgs();
CheckOwner checkOwner = method.getAnnotation(CheckOwner.class);
long count = SessionUtils.getUser().getUserRoles()
.stream()
.filter(g -> StringUtils.equalsIgnoreCase(g.getId(), InternalUserRole.ADMIN.getValue()))
.count();
if (count > 0) {
return;
}
// 操作内容
//获取方法参数名
String[] params = discoverer.getParameterNames(method);
//将参数纳入Spring管理
EvaluationContext context = new StandardEvaluationContext();
for (int len = 0; len < params.length; len++) {
context.setVariable(params[len], args[len]);
}
String resourceId = checkOwner.resourceId();
String resourceType = checkOwner.resourceType();
Expression titleExp = parser.parseExpression(resourceId);
Object v = titleExp.getValue(context, Object.class);
if (v instanceof String id) {
if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), id)) {
throw new MSException(Translator.get("check_owner_case"));
}
}
} catch (Exception e) {
LogUtils.error(e.getMessage(), e);
}
}
}