data permission
Data permission means that users who log in with different roles see different list data.
According to the data permission
Ruoyi's data permissions are also implemented based on roles, and it supports five permission modes, listed in order from the broadest permission to the narrowest:
- All data permissions: the user has the data permissions of all departments
- Customized data permissions: the user has the data permissions of several specified departments
- This department's data permissions: the user has data permissions only for the department they belong to (excluding sub-departments)
- This department and below: the user has data permissions only for their own department and all of its sub-departments
- Only the user's own data: the user has data permissions only for their own data
Page settings data permissions
If you set data permissions, you need to set them not only on the page but also in the backend. Setting only the page without setting the backend is useless! There is a detailed explanation of this later.
Backend setting data permissions
Setting the data permission in the backend is very simple: use the @DataScope annotation.
There are three attributes under the @DataScope annotation: deptAlias, userAlias, permission
Note:
The deptAlias and userAlias attributes of this annotation require the table to have a dept_id or user_id column, ${params.dataScope} must be spliced at the end of the SQL, and the entity class needs to inherit the BaseEntity class. So it cannot support mybatis-Plus.
This is because the essence of data permissions is still SQL splicing: params.dataScope is the splice point reserved by the framework, and params lives in BaseEntity.
departments
Set data permissions according to department
1. First, in role management, set either the data permissions of this department or the data permissions of this department and below.
2. Then add @DataScope(deptAlias = "t1") to the backend interface implementation class. Here t1 is the alias of the data table you want to query. If it is a single-table query, you do not need to set the value; just use @DataScope(deptAlias) directly.
3. View the data on the page.
admin view (admin can view all data):
Switch supplier account (custom data permission set by supplier, can see supplier and construction party data):
Switch service provider account (service provider can only see service provider data):
userAlias
userAlias is the same as deptAlias so I won’t be too verbose here (user_id must exist in the main table)
permission
Let's focus on permission. permission is the permission character, used to match multiple roles that satisfy the required permissions. By default, it is obtained from the permission annotation @ss. Multiple permissions are separated by commas. If the annotation is not written, the default is
I modified the role permission here because of our business needs. For example, if a project is created by department A, this project should only be seen by department A. The project needs an approver, and this approver is in department B or elsewhere, so if the logged-in user is an approver, they should also see it. Our approver field is approval_id, and there may be handlers or other people, so I modified the permission attribute so that it is also automatically spliced after the system's data permissions.
if (StringUtils.isNotEmpty(permission) && !permission.equals(PermissionContextHolder.getContext())) {
    // custom filter field
    sqlString.append(StringUtils.format(" OR {} = {}", permission, user.getUserId()));
}
Implementation class:
automatic splicing:
The generated SQL splices not only the department permissions but also the condition on our custom field, and the data can be queried as long as one of the OR branches is satisfied. So data that originally only the supplier who created it could see can also be seen by the logged-in user, because that user is an approver for this item.
DataScopeAspect
DataScopeAspect is the aspect class for @DataScope. Its core is the dataScopeFilter method, the main method, which splices the permission SQL for the framework. The constants in it are the different data permissions we set on the page.
If the table has no dept_id or user_id column, for example only a createdBy creator id, and you really need to, you can change the user_id in the SQL here to the createdBy field you want.
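A simplified model of the splicing described above, including the extra OR on a custom field such as approval_id. This is an added example, not RuoYi's DataScopeAspect or the author's code. The scope code values, the sys_role_dept and sys_dept tables, the ancestors column with MySQL's find_in_set, and the project table with del_flag are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;
public class DataScopeDemo {
    // Scope codes in the page's order, broadest first (the code values are assumed).
    static final String ALL = "1", CUSTOM = "2", DEPT = "3", DEPT_AND_CHILD = "4", SELF = "5";
    static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    record Role(long roleId, String scope) {}

    // The fragment reaches SQL through ${params.dataScope}, i.e. raw text substitution,
    // so every spliced name must be a plain identifier and every value a number.
    static String ident(String s) {
        if (s == null || !IDENT.matcher(s).matches())
            throw new IllegalArgumentException("not a plain identifier: " + s);
        return s;
    }

    static String buildScope(List<Role> roles, long userId, long deptId,
                             String deptAlias, String userAlias, String extraColumn) {
        StringBuilder sql = new StringBuilder();
        for (Role r : roles) {
            switch (r.scope()) {
                // Short-circuit: an extra OR on an empty filter would narrow "all data" to approver rows.
                case ALL -> { return ""; }
                case CUSTOM -> sql.append(" OR " + ident(deptAlias)
                        + ".dept_id IN (SELECT dept_id FROM sys_role_dept WHERE role_id = " + r.roleId() + ")");
                case DEPT -> sql.append(" OR " + ident(deptAlias) + ".dept_id = " + deptId);
                case DEPT_AND_CHILD -> sql.append(" OR " + ident(deptAlias)
                        + ".dept_id IN (SELECT dept_id FROM sys_dept WHERE dept_id = " + deptId
                        + " OR find_in_set(" + deptId + ", ancestors))");
                case SELF -> sql.append(" OR " + ident(userAlias) + ".user_id = " + userId);
                default -> throw new IllegalArgumentException("unknown scope " + r.scope());
            }
        }
        if (extraColumn != null && !extraColumn.isEmpty())   // the page's custom field, e.g. approval_id
            sql.append(" OR " + ident(extraColumn) + " = " + userId);
        // No role and no extra column: deny instead of returning an empty (unrestricted) filter.
        return sql.length() == 0 ? " AND 1 = 0" : " AND (" + sql.substring(4) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: a supplier with a custom-scope role who is also an approver.
        List<Role> roles = List.of(new Role(7, CUSTOM));
        System.out.println("SELECT * FROM project t1 WHERE t1.del_flag = 0"
                + buildScope(roles, 42, 103, "t1", "t1", "approval_id"));
        // A column "name" that carries SQL is refused before it is spliced.
        try { buildScope(roles, 42, 103, "t1", "t1", "approval_id = 1 OR 1"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run with `java DataScopeDemo.java` on Java 16 or later; the first line printed ends in `AND (t1.dept_id IN (...) OR approval_id = 42)`, which shows why the approver sees rows outside the supplier's departments.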
Note: All the above data and names have been processed and do not involve company secrets