update 优化数据权限

ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/mapper/SysPostMapper.java

@@ -34,10 +34,10 @@ public interface SysPostMapper extends BaseMapperPlus<SysPost, SysPostVo> {
     }
 
     /**
-     * 分页查询岗位列表
+     * 查询岗位列表
      *
      * @param queryWrapper 查询条件
-     * @return 包含岗位信息的分页结果
+     * @return 岗位信息列表
      */
     @DataPermission({
         @DataColumn(key = "deptName", value = "dept_id"),
@@ -47,6 +47,20 @@ public interface SysPostMapper extends BaseMapperPlus<SysPost, SysPostVo> {
         return this.selectVoList(queryWrapper);
     }
 
+    /**
+     * 根据岗位ID集合查询岗位数量
+     *
+     * @param postIds 岗位ID列表
+     * @return 匹配的岗位数量
+     */
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "dept_id"),
+        @DataColumn(key = "userName", value = "create_by")
+    })
+    default long selectPostCount(List<Long> postIds) {
+        return this.selectCount(new LambdaQueryWrapper<SysPost>().in(SysPost::getPostId, postIds));
+    }
+
     /**
      * 根据用户ID查询其关联的岗位列表
      *

ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/mapper/SysRoleMapper.java

@@ -48,7 +48,7 @@ public interface SysRoleMapper extends BaseMapperPlus<SysRole, SysRoleVo> {
     }
 
     /**
-     * 根据条件分页查询角色数据
+     * 根据条件查询角色数据
      *
      * @param queryWrapper 查询条件
      * @return 角色数据集合信息
@@ -61,6 +61,20 @@ public interface SysRoleMapper extends BaseMapperPlus<SysRole, SysRoleVo> {
         return this.selectVoList(queryWrapper);
     }
 
+    /**
+     * 根据角色ID集合查询角色数量
+     *
+     * @param roleIds 角色ID列表
+     * @return 匹配的角色数量
+     */
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "create_dept"),
+        @DataColumn(key = "userName", value = "create_by")
+    })
+    default long selectRoleCount(List<Long> roleIds) {
+        return this.selectCount(new LambdaQueryWrapper<SysRole>().in(SysRole::getRoleId, roleIds));
+    }
+
     /**
      * 根据角色ID查询角色信息
      *

ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java

@@ -441,6 +441,9 @@ public class SysRoleServiceImpl implements ISysRoleService, RoleService {
      */
     @Override
     public int deleteAuthUser(SysUserRole userRole) {
+        if (LoginHelper.getUserId().equals(userRole.getUserId())) {
+            throw new ServiceException("不允许修改当前用户角色!");
+        }
         int rows = userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
             .eq(SysUserRole::getRoleId, userRole.getRoleId())
             .eq(SysUserRole::getUserId, userRole.getUserId()));
@@ -460,6 +463,9 @@ public class SysRoleServiceImpl implements ISysRoleService, RoleService {
     @Override
     public int deleteAuthUsers(Long roleId, Long[] userIds) {
         List<Long> ids = List.of(userIds);
+        if (ids.contains(LoginHelper.getUserId())) {
+            throw new ServiceException("不允许修改当前用户角色!");
+        }
         int rows = userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
             .eq(SysUserRole::getRoleId, roleId)
             .in(SysUserRole::getUserId, ids));
@@ -481,6 +487,9 @@ public class SysRoleServiceImpl implements ISysRoleService, RoleService {
         // 新增用户与角色管理
         int rows = 1;
         List<Long> ids = List.of(userIds);
+        if (ids.contains(LoginHelper.getUserId())) {
+            throw new ServiceException("不允许修改当前用户角色!");
+        }
         List<SysUserRole> list = StreamUtils.toList(ids, userId -> {
             SysUserRole ur = new SysUserRole();
             ur.setUserId(userId);

ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysUserServiceImpl.java

@@ -22,7 +22,9 @@ import org.dromara.common.core.utils.*;
 import org.dromara.common.mybatis.core.page.PageQuery;
 import org.dromara.common.mybatis.core.page.TableDataInfo;
 import org.dromara.common.satoken.utils.LoginHelper;
-import org.dromara.system.domain.*;
+import org.dromara.system.domain.SysUser;
+import org.dromara.system.domain.SysUserPost;
+import org.dromara.system.domain.SysUserRole;
 import org.dromara.system.domain.bo.SysUserBo;
 import org.dromara.system.domain.vo.SysPostVo;
 import org.dromara.system.domain.vo.SysRoleVo;
@@ -454,23 +456,25 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
             return;
         }
         List<Long> postIds = Arrays.asList(postIdArr);
-        // 判断是否具有此角色的操作权限
-        List<SysPostVo> posts = postMapper.selectPostList(
-            new LambdaQueryWrapper<SysPost>().in(SysPost::getPostId, postIds));
-        if (CollUtil.isEmpty(posts) || posts.size() != postIds.size()) {
+
+        // 校验是否有权限操作这些岗位（含数据权限控制）
+        if (postMapper.selectPostCount(postIds) != postIds.size()) {
             throw new ServiceException("没有权限访问岗位的数据");
         }
+
+        // 是否清除旧的用户岗位绑定
         if (clear) {
-            // 删除用户与岗位关联
             userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, user.getUserId()));
         }
-        // 新增用户与岗位管理
-        List<SysUserPost> list = StreamUtils.toList(postIds, postId -> {
-            SysUserPost up = new SysUserPost();
-            up.setUserId(user.getUserId());
-            up.setPostId(postId);
-            return up;
-        });
+
+        // 构建用户岗位关联列表并批量插入
+        List<SysUserPost> list = StreamUtils.toList(postIds,
+            postId -> {
+                SysUserPost up = new SysUserPost();
+                up.setUserId(user.getUserId());
+                up.setPostId(postId);
+                return up;
+            });
         userPostMapper.insertBatch(list);
     }
 
@@ -482,30 +486,36 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
      * @param clear   清除已存在的关联数据
      */
     private void insertUserRole(Long userId, Long[] roleIds, boolean clear) {
-        if (ArrayUtil.isNotEmpty(roleIds)) {
-            List<Long> roleList = new ArrayList<>(List.of(roleIds));
-            if (!LoginHelper.isSuperAdmin(userId)) {
-                roleList.remove(SystemConstants.SUPER_ADMIN_ID);
-            }
-            // 判断是否具有此角色的操作权限
-            List<SysRoleVo> roles = roleMapper.selectRoleList(
-                new LambdaQueryWrapper<SysRole>().in(SysRole::getRoleId, roleList));
-            if (CollUtil.isEmpty(roles) || roles.size() != roleList.size()) {
-                throw new ServiceException("没有权限访问角色的数据");
-            }
-            if (clear) {
-                // 删除用户与角色关联
-                userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
-            }
-            // 新增用户与角色管理
-            List<SysUserRole> list = StreamUtils.toList(roleList, roleId -> {
+        if (ArrayUtil.isEmpty(roleIds)) {
+            return;
+        }
+
+        List<Long> roleList = new ArrayList<>(Arrays.asList(roleIds));
+
+        // 非超级管理员，禁止包含超级管理员角色
+        if (!LoginHelper.isSuperAdmin(userId)) {
+            roleList.remove(SystemConstants.SUPER_ADMIN_ID);
+        }
+
+        // 校验是否有权限访问这些角色（含数据权限控制）
+        if (roleMapper.selectRoleCount(roleList) != roleList.size()) {
+            throw new ServiceException("没有权限访问角色的数据");
+        }
+
+        // 是否清除原有绑定
+        if (clear) {
+            userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
+        }
+
+        // 批量插入用户-角色关联
+        List<SysUserRole> list = StreamUtils.toList(roleList,
+            roleId -> {
                 SysUserRole ur = new SysUserRole();
                 ur.setUserId(userId);
                 ur.setRoleId(roleId);
                 return ur;
             });
-            userRoleMapper.insertBatch(list);
-        }
+        userRoleMapper.insertBatch(list);
     }
 
     /**