
使用 @PreAuthorize("hasRole('ROLE_ADMIN')") 限定只有 admin role 可以访问 account 模块的接口

reghao 1 рік тому
батько
коміт
00cf527eec

+ 9 - 0
web/src/main/java/cn/reghao/devops/web/account/controller/MenuController.java

@@ -9,6 +9,7 @@ import cn.reghao.jutil.jdk.result.WebResult;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -29,6 +30,7 @@ public class MenuController {
     }
 
     @ApiOperation(value = "添加资源")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(produces = MediaType.APPLICATION_JSON_VALUE)
     public String addMenu(@Validated Menu menu) {
         Result result = menuService.addMenu(menu);
@@ -36,6 +38,7 @@ public class MenuController {
     }
 
     @ApiOperation(value = "修改资源")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/edit", produces = MediaType.APPLICATION_JSON_VALUE)
     public String modifyMenu(@Validated MenuDto menuDto) {
         Result result = menuService.updateMenu(menuDto);
@@ -43,6 +46,7 @@ public class MenuController {
     }
 
     @ApiOperation(value = "修改资源状态")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/status/{enabled}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String menuStatus(@PathVariable("enabled") boolean enabled, @RequestParam("ids") List<Integer> ids) {
         menuService.updateMenusStatus(enabled, ids);
@@ -50,6 +54,7 @@ public class MenuController {
     }
 
     @ApiOperation(value = "删除资源")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @DeleteMapping(value = "/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String deleteMenu(@PathVariable("id") Integer menuId) {
         Result result = menuService.deleteMenu(menuId);
@@ -57,12 +62,15 @@ public class MenuController {
     }
 
     @ApiOperation(value = "获取指定状态的菜单")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping(value = "/ztree/{enabled}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String list(@PathVariable(value = "enabled") Boolean enabled) {
         List<MenuTree> list = menuService.getMenusByStatus(enabled);
         return WebResult.success(list);
     }
 
+    @ApiOperation(value = "返回所有 dir menu")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping(value = "/ztree/parent", produces = MediaType.APPLICATION_JSON_VALUE)
     public String getDirMenus() {
         List<MenuTree> list = menuService.getDirMenus();
@@ -70,6 +78,7 @@ public class MenuController {
     }
 
     @ApiOperation(value = "对同一 pid 组内的资源进行排序")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping(value = "/sorted/{pid}/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String sortList(@PathVariable(value = "pid") int pid,
                            @PathVariable(value = "id", required = false) Menu menu) {
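Review bot: Annotating every handler separately (L25, L33, L41, L49, L57, L65, L73) leaves the admin-only rule opt-in per method, so any handler added to MenuController later, or one not touched by this commit such as the method closing at L22, is unprotected by default; a single class-level `@PreAuthorize("hasRole('ROLE_ADMIN')")` on `public class MenuController` expresses the commit's intent ("the whole account module is admin-only") and makes the secure case the default. The same applies to RoleController, MenuPageController, RolePageController and UserPageController in this commit. As a style point, `hasRole('ADMIN')` is the conventional spelling, since Spring Security prepends the `ROLE_` prefix itself (the already-prefixed form is tolerated, as far as I can tell, but reads as a double prefix). These annotations only take effect if method security is enabled in the security configuration, which is not visible here; a MockMvc test hitting one of these endpoints with a non-admin user and expecting 403 would confirm the rule actually fires. sortList's body continues outside the hunk.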

+ 5 - 0
web/src/main/java/cn/reghao/devops/web/account/controller/RoleController.java

@@ -11,6 +11,7 @@ import cn.reghao.jutil.jdk.result.WebResult;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -35,6 +36,7 @@ public class RoleController {
     }
 
     @ApiOperation("添加或修改角色")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(produces = MediaType.APPLICATION_JSON_VALUE)
     public String addOrModifyRole(@Validated RoleDto roleDto) {
         roleService.addOrUpdate(roleDto);
@@ -42,6 +44,7 @@ public class RoleController {
     }
 
     @ApiOperation("删除角色")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @DeleteMapping(value = "/{roleId}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String deleteRole(@PathVariable("roleId") Integer roleId) {
         Result result = roleService.deleteRole(roleId);
@@ -56,6 +59,7 @@ public class RoleController {
      * @date 2024-07-30 16:08:42
      */
     @ApiOperation("获取角色可访问的资源")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping(value = "/menus/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String getRoleMenus(@PathVariable("id") Role role) {
         List<MenuTree> allMenus = menuService.getMenusByRole(role);
@@ -63,6 +67,7 @@ public class RoleController {
     }
 
     @ApiOperation("设置角色可访问的资源")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/menus", produces = MediaType.APPLICATION_JSON_VALUE)
     public String setRoleMenus(@RequestParam(value = "id") Integer roleId,
                                @RequestParam(value = "menuId", required = false) Set<Menu> menus) {

+ 6 - 6
web/src/main/java/cn/reghao/devops/web/account/controller/UserController.java

@@ -51,47 +51,47 @@ public class UserController {
         return WebResult.failWithMsg("接口未实现");
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "创建用户")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(produces = MediaType.APPLICATION_JSON_VALUE)
     public String createUser(@Validated CreateAccountDto createAccountDto) {
         Result result = accountService.createAccount(createAccountDto);
         return WebResult.result(result);
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "批量创建用户")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/batch", produces = MediaType.APPLICATION_JSON_VALUE)
     public String batchAdd(MultipartFile file) {
         return WebResult.failWithMsg("接口未实现");
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "删除用户")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @DeleteMapping(value = "/delete/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String deleteAccount(@PathVariable("id") Integer userId) {
         Result result = accountService.deleteAccount(userId);
         return WebResult.result(result);
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "修改用户密码")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/passwd", produces = MediaType.APPLICATION_JSON_VALUE)
     public String modifyPassword(@NotNull Integer id, @NotNull String newPassword) {
         accountService.updateAccountPassword(id, newPassword);
         return WebResult.success();
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "分配用户角色")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/role", produces = MediaType.APPLICATION_JSON_VALUE)
     public String assignRole(@Validated AccountRole accountRole) {
         accountService.updateAccountRole(accountRole);
         return WebResult.success();
     }
 
-    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @ApiOperation(value = "启用/禁用用户")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @PostMapping(value = "/status/{userId}", produces = MediaType.APPLICATION_JSON_VALUE)
     public String updateAccountStatus(@PathVariable("userId") Integer userId) {
         //userIds.forEach(userId -> accountService.updateAccountStatus(userId, enable));

+ 5 - 0
web/src/main/java/cn/reghao/devops/web/account/controller/page/MenuPageController.java

@@ -4,6 +4,7 @@ import cn.reghao.devops.web.account.model.po.Menu;
 import cn.reghao.devops.web.account.model.vo.RoleVO;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.*;
@@ -20,6 +21,7 @@ import java.util.stream.Collectors;
 @Controller
 public class MenuPageController {
     @ApiOperation(value = "资源列表页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping
     public String menuPage(@RequestParam(value = "enabled", required = false) Boolean enabled, Model model) {
         if (enabled == null) {
@@ -31,12 +33,14 @@ public class MenuPageController {
     }
 
     @ApiOperation(value = "资源添加页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping(value = "/add")
     public String addMenuPage(Model model) {
         return "/rbac/menu/add";
     }
 
     @ApiOperation(value = "资源编辑页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/edit/{id}")
     public String toEdit(@PathVariable("id") Menu menu, Model model) {
         model.addAttribute("menu", menu);
@@ -45,6 +49,7 @@ public class MenuPageController {
 
     // TODO Hibernate 会根据传入的 id 自动查找相应的 Menu
     @ApiOperation(value = "可访问资源的角色列表页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/{id}/roles")
     public String roleListWithResource(@PathVariable("id") Menu menu, Model model) {
         List<RoleVO> list = menu.getRoles().stream().map(RoleVO::new).collect(Collectors.toList());
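Review bot: Resolving `@PathVariable("id") Menu menu` and then calling `menu.getRoles()` on the last line of the hunk has no guard for an id that does not exist; if the entity converter yields null for an unknown id, as I believe Spring Data's domain-class conversion does, the request fails with a NullPointerException (a 500) rather than a 404, and the same pattern appears in `toEdit` at L212. A one-line check such as `if (menu == null) { throw new ResponseStatusException(HttpStatus.NOT_FOUND); }` (or the project's own not-found handling) before the stream would make the admin-facing failure explicit. The TODO at L216 could be reworded to state this: `// id is resolved to a Menu by Spring Data's domain-class converter; null if not found`. roleListWithResource's body continues outside the hunk.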

+ 7 - 0
web/src/main/java/cn/reghao/devops/web/account/controller/page/RolePageController.java

@@ -8,6 +8,7 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.*;
@@ -29,6 +30,7 @@ public class RolePageController {
     }
 
     @ApiOperation("角色列表页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping
     public String rolePage(@RequestParam(value = "name", required = false) String name, Model model) {
         Page<RoleVO> page;
@@ -45,12 +47,14 @@ public class RolePageController {
     }
 
     @ApiOperation("角色新增页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/add")
     public String addRolePage() {
         return "/rbac/role/add";
     }
 
     @ApiOperation("角色编辑页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/edit/{id}")
     public String editRolePage(@PathVariable("id") int id, Model model) {
         RoleVO vo = roleService.getRoleVOById(id);
@@ -59,6 +63,7 @@ public class RolePageController {
     }
 
     @ApiOperation("角色详细信息页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/detail/{id}")
     public String roleDetailPage(@PathVariable("id") int id, Model model) {
         RoleVO vo = roleService.getRoleVOById(id);
@@ -67,6 +72,7 @@ public class RolePageController {
     }
 
     @ApiOperation("设置角色可访问的资源页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/menus/{id}")
     public String menusPage(@PathVariable(value = "id") Integer id, Model model){
         model.addAttribute("roleId", id);
@@ -74,6 +80,7 @@ public class RolePageController {
     }
 
     @ApiOperation("拥有角色的所有用户页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/users/{id}")
     public String userListWithRole(@PathVariable("id") Integer roleId, Model model) {
         List<User> list = roleService.getRoleUsers(roleId);

+ 6 - 0
web/src/main/java/cn/reghao/devops/web/account/controller/page/UserPageController.java

@@ -13,6 +13,7 @@ import io.swagger.annotations.ApiOperation;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.PageRequest;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.*;
@@ -53,6 +54,7 @@ public class UserPageController {
     }
 
     @ApiOperation(value = "用户列表页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping
     public String userPage(@RequestParam(value = "screenName", required = false) String screenName, Model model) {
         Page<UserVO> page;
@@ -79,6 +81,7 @@ public class UserPageController {
     }
 
     @ApiOperation(value = "新增用户页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/add")
     public String addUserPage(Model model) {
         Set<RoleVO> allRoles = roleService.getAllRoles();
@@ -88,6 +91,7 @@ public class UserPageController {
     }
 
     @ApiOperation(value = "用户详细信息页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/detail/{id}")
     public String userDetailPage(@PathVariable("id") int id, Model model) {
         User user = accountService.getById(id);
@@ -100,6 +104,7 @@ public class UserPageController {
     }
 
     @ApiOperation(value = "重置用户密码页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/passwd/{id}")
     public String modifyPasswordPage(@PathVariable("id") Integer id, Model model) {
         model.addAttribute("id", id);
@@ -107,6 +112,7 @@ public class UserPageController {
     }
 
     @ApiOperation(value = "用户角色分配页面")
+    @PreAuthorize("hasRole('ROLE_ADMIN')")
     @GetMapping("/role/{id}")
     public String assignRolePage(@PathVariable("id") User user, Model model) {
         Set<RoleVO> allRoles = roleService.getAllRoles();