diff --git a/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java b/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
index 0142144c13fe7a0a572884ee9571fc5c92d0648a..a6d8fbe1d4852a75611bee4b9022d51d28e209db 100644
--- a/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
+++ b/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
@@ -7,6 +7,7 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.ssssssss.magicapi.backup.model.Backup;
 import org.ssssssss.magicapi.core.config.Constants;
+import org.ssssssss.magicapi.core.interceptor.Authorization;
 import org.ssssssss.magicapi.core.web.MagicController;
 import org.ssssssss.magicapi.core.web.MagicExceptionHandler;
 import org.ssssssss.magicapi.core.config.MagicConfiguration;
@@ -33,6 +34,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backups")
 @ResponseBody
 public JsonBean> backups(Long timestamp) {
+ isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 if(service == null){
 return new JsonBean<>(Collections.emptyList());
 }
@@ -42,6 +44,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backup/{id}")
 @ResponseBody
 public JsonBean> backups(@PathVariable("id") String id) {
+ isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 if(service == null || StringUtils.isBlank(id)){
 return new JsonBean<>(Collections.emptyList());
 }
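Review bot: The added check is action-level only: `allowVisit(Authorization.VIEW)` is asked without the backup's entity or group, so on `/backups` and `/backup/{id}` (and likewise in the `/backup` and `/backup/rollback` hunks further down) any caller holding VIEW or SAVE at all reaches the backups of every resource. `MagicController` already has `allowVisit(request, authorization, entity)` and a matching `Group` overload; if the configured interceptor restricts access per entity or group (not visible on this page), the id-bearing handlers should resolve the backed-up entity and call those instead. If the coarse check is intended, say so at the call site, e.g. `// action-level check only: backups are not filtered per entity/group`. Both handler bodies continue outside their hunks.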
@@ -51,6 +54,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @PostMapping("/backup/rollback")
 @ResponseBody
 public JsonBean rollback(String id, Long timestamp) throws IOException {
+ isTrue(allowVisit(Authorization.SAVE), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 Backup backup = service.backupInfo(id, timestamp);
 if("full".equals(id)){
@@ -77,6 +81,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backup")
 @ResponseBody
 public JsonBean backup(Long timestamp, String id) {
+ isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 notBlank(id, PARAMETER_INVALID);
 notNull(timestamp, PARAMETER_INVALID);
@@ -88,6 +93,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @PostMapping("/backup/full")
 @ResponseBody
 public JsonBean doBackup() throws IOException {
+ isTrue(allowVisit(Authorization.SAVE), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 service.doBackupAll("主动全量备份", WebUtils.currentUserName());
 return new JsonBean<>(true);
diff --git a/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java b/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
index d494acf4d055acbf487289aaf743963be09bf362..ef30d55409005d17859a4aa36fbd0a9cd5bad2ce 100644
--- a/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
+++ b/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
@@ -17,6 +17,7 @@ import org.ssssssss.magicapi.core.model.MagicEntity;
 import org.ssssssss.magicapi.core.service.MagicAPIService;
 import org.ssssssss.magicapi.core.service.MagicResourceService;
 import org.ssssssss.magicapi.core.servlet.MagicHttpServletRequest;
+import org.ssssssss.magicapi.utils.WebUtils;
 import java.util.List;
 import java.util.Objects;
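Review bot: `rollback` hands `id` and `timestamp` to `service.backupInfo(id, timestamp)` and then tests `"full".equals(id)` without validating either parameter, unlike the `backup` handler two hunks below, which first calls `notBlank(id, PARAMETER_INVALID);` and `notNull(timestamp, PARAMETER_INVALID);`. As this is the state-changing endpoint, the same two lines belong directly after `notNull(service, BACKUP_NOT_ENABLED);` so that a missing parameter is rejected before any lookup, unless a null timestamp is meaningful for a full rollback. The method body continues outside the hunk, so a later null check on `backup` may exist there.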
@@ -53,7 +54,11 @@ public class MagicController implements JsonCodeConstants {
 /**
 * 判断是否有权限访问按钮
 */
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization) {
+ public boolean allowVisit(Authorization authorization) {
+ return allowVisit(WebUtils.magicRequestContextHolder.getRequest(), authorization);
+ }
+
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization) {
 if (authorization == null) {
 return true;
 }
@@ -61,7 +66,7 @@ public class MagicController implements JsonCodeConstants {
 return configuration.getAuthorizationInterceptor().allowVisit(magicUser, request, authorization);
 }
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, MagicEntity entity) {
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, MagicEntity entity) {
 if (authorization == null) {
 return true;
 }
@@ -69,7 +74,7 @@ public class MagicController implements JsonCodeConstants {
 return configuration.getAuthorizationInterceptor().allowVisit(magicUser, request, authorization, entity);
 }
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, Group group) {
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, Group group) {
 if (authorization == null) {
 return true;
 }
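Review bot: The `allowVisit` overloads are widened from package-private to `public` here and in the hunks at -61 and -69, although the only caller this commit adds is a subclass (`MagicBackupController extends MagicController`), for which `protected boolean allowVisit(Authorization authorization) {` would be enough unless callers outside the hierarchy exist elsewhere in the tree. Keeping the helper narrow matters because the unchanged `if (authorization == null) { return true; }` branch fails open, so each further caller that passes a null constant gets an allow decision. The new one-argument overload also forwards `WebUtils.magicRequestContextHolder.getRequest()` unchecked; if that can be null outside a request thread (not visible in this hunk), the check should deny rather than continue. The existing Javadoc now sits on the new overload only, so the two-argument method would benefit from its own comment stating the null-means-allowed rule.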