feat[litemall-admin-api]：后端API访问需要校验权限

835fd6f8 · Junling Bu · 457b7ad9 · 835fd6f8 · 835fd6f8 · 835fd6f8
Commit 835fd6f8 authored Jan 01, 2019 by Junling Bu
--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminIssueController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminIssueController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminIssueController {
    @Autowired
    private LitemallIssueService issueService;
+    @RequiresPermissions("admin:issue:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String question,
-                       String question,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminIssueController {
        return null;
    }
+    @RequiresPermissions("admin:issue:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object create(@RequestBody LitemallIssue issue) {
        Object error = validate(issue);
        if (error != null) {
            return error;
@@ -65,14 +66,16 @@ public class AdminIssueController {
        return ResponseUtil.ok(issue);
    }
+    @RequiresPermissions("admin:issue:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallIssue issue = issueService.findById(id);
        return ResponseUtil.ok(issue);
    }
+    @RequiresPermissions("admin:issue:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object update(@RequestBody LitemallIssue issue) {
        Object error = validate(issue);
        if (error != null) {
            return error;
@@ -84,8 +87,9 @@ public class AdminIssueController {
        return ResponseUtil.ok(issue);
    }
+    @RequiresPermissions("admin:issue:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object delete(@RequestBody LitemallIssue issue) {
        Integer id = issue.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminKeywordController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminKeywordController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminKeywordController {
    @Autowired
    private LitemallKeywordService keywordService;
+    @RequiresPermissions("admin:keyword:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String keyword, String url,
-                       String keyword, String url,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminKeywordController {
        return null;
    }
+    @RequiresPermissions("admin:keyword:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keywords) {
+    public Object create(@RequestBody LitemallKeyword keywords) {
        Object error = validate(keywords);
        if (error != null) {
            return error;
@@ -65,14 +66,16 @@ public class AdminKeywordController {
        return ResponseUtil.ok(keywords);
    }
+    @RequiresPermissions("admin:keyword:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallKeyword brand = keywordService.findById(id);
        return ResponseUtil.ok(brand);
    }
+    @RequiresPermissions("admin:keyword:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keywords) {
+    public Object update(@RequestBody LitemallKeyword keywords) {
        Object error = validate(keywords);
        if (error != null) {
            return error;
@@ -83,8 +86,9 @@ public class AdminKeywordController {
        return ResponseUtil.ok(keywords);
    }
+    @RequiresPermissions("admin:keyword:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keyword) {
+    public Object delete(@RequestBody LitemallKeyword keyword) {
        Integer id = keyword.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminOrderController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminOrderController.java
@@ -6,19 +6,20 @@ import com.github.binarywang.wxpay.exception.WxPayException;
 import com.github.binarywang.wxpay.service.WxPayService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.notify.NotifyService;
 import org.linlinjava.litemall.core.notify.NotifyType;
-import org.linlinjava.litemall.core.util.CharUtil;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
-import org.linlinjava.litemall.db.domain.*;
+import org.linlinjava.litemall.db.domain.LitemallComment;
+import org.linlinjava.litemall.db.domain.LitemallOrder;
+import org.linlinjava.litemall.db.domain.LitemallOrderGoods;
+import org.linlinjava.litemall.db.domain.UserVo;
 import org.linlinjava.litemall.db.service.*;
 import org.linlinjava.litemall.db.util.OrderUtil;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.TransactionDefinition;
 import org.springframework.transaction.TransactionStatus;
@@ -60,9 +61,9 @@ public class AdminOrderController {
    @Autowired
    private NotifyService notifyService;
+    @RequiresPermissions("admin:order:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(Integer userId, String orderSn,
-                       Integer userId, String orderSn,
                       @RequestParam(required = false) List<Short> orderStatusArray,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
@@ -78,8 +79,9 @@ public class AdminOrderController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:order:read")
    @GetMapping("/detail")
-    public Object detail(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object detail(@NotNull Integer id) {
        LitemallOrder order = orderService.findById(id);
        List<LitemallOrderGoods> orderGoods = orderGoodsService.queryByOid(id);
        UserVo user = userService.findUserVoById(order.getUserId());
@@ -108,8 +110,9 @@ public class AdminOrderController {
     * @param body    订单信息，{ orderId：xxx }
     * @return 订单退款操作结果
     */
+    @RequiresPermissions("admin:order:refund")
    @PostMapping("refund")
-    public Object refund(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object refund(@RequestBody String body) {
        Integer orderId = JacksonUtil.parseInteger(body, "orderId");
        String refundMoney = JacksonUtil.parseString(body, "refundMoney");
        if (orderId == null) {
@@ -205,8 +208,9 @@ public class AdminOrderController {
     * 成功则 { errno: 0, errmsg: '成功' }
     * 失败则 { errno: XXX, errmsg: XXX }
     */
+    @RequiresPermissions("admin:order:ship")
    @PostMapping("ship")
-    public Object ship(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object ship(@RequestBody String body) {
        Integer orderId = JacksonUtil.parseInteger(body, "orderId");
        String shipSn = JacksonUtil.parseString(body, "shipSn");
        String shipChannel = JacksonUtil.parseString(body, "shipChannel");
@@ -250,8 +254,9 @@ public class AdminOrderController {
     * 成功则 { errno: 0, errmsg: '成功' }
     * 失败则 { errno: XXX, errmsg: XXX }
     */
+    @RequiresPermissions("admin:order:reply")
    @PostMapping("reply")
-    public Object reply(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object reply(@RequestBody String body) {
        Integer commentId = JacksonUtil.parseInteger(body, "commentId");
        if (commentId == null || commentId == 0) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminProfileController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminProfileController.java
@@ -2,7 +2,9 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.annotation.RequiresAuthentication;
+import org.apache.shiro.subject.Subject;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -16,7 +18,6 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
-import static org.linlinjava.litemall.admin.util.AdminResponseCode.ADMIN_ALTER_NOT_ALLOWED;
 import static org.linlinjava.litemall.admin.util.AdminResponseCode.ADMIN_INVALID_ACCOUNT;
 @RestController
@@ -28,8 +29,9 @@ public class AdminProfileController {
    @Autowired
    private LitemallAdminService adminService;
+    @RequiresAuthentication
    @PostMapping("/password")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object create(@RequestBody String body) {
        String oldPassword = JacksonUtil.parseString(body, "oldPassword");
        String newPassword = JacksonUtil.parseString(body, "newPassword");
        if (StringUtils.isEmpty(oldPassword)) {
@@ -39,7 +41,8 @@ public class AdminProfileController {
            return ResponseUtil.badArgument();
        }
-        LitemallAdmin admin = adminService.findAdmin(adminId);
+        Subject currentUser = SecurityUtils.getSubject();
+        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        if (!encoder.matches(oldPassword, admin.getPassword())) {

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminRegionController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminRegionController.java
@@ -2,7 +2,6 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -30,14 +29,13 @@ public class AdminRegionController {
    private LitemallRegionService regionService;
    @GetMapping("/clist")
-    public Object clist(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object clist(@NotNull Integer id) {
        List<LitemallRegion> regionList = regionService.queryByPid(id);
        return ResponseUtil.ok(regionList);
    }
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String name, Integer code,
-                       String name, Integer code,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort(accepts = {"id"}) @RequestParam(defaultValue = "id") String sort,

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStatController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStatController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.admin.util.StatVo;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.service.StatService;
@@ -24,8 +24,9 @@ public class AdminStatController {
    @Autowired
    private StatService statService;
+    @RequiresPermissions("admin:stat:user")
    @GetMapping("/user")
-    public Object statUser(@LoginAdmin Integer adminId) {
+    public Object statUser() {
        List<Map> rows = statService.statUser();
        String[] columns = new String[]{"day", "users"};
        StatVo statVo = new StatVo();
@@ -34,8 +35,9 @@ public class AdminStatController {
        return ResponseUtil.ok(statVo);
    }
+    @RequiresPermissions("admin:stat:order")
    @GetMapping("/order")
-    public Object statOrder(@LoginAdmin Integer adminId) {
+    public Object statOrder() {
        List<Map> rows = statService.statOrder();
        String[] columns = new String[]{"day", "orders", "customers", "amount", "pcr"};
        StatVo statVo = new StatVo();
@@ -45,8 +47,9 @@ public class AdminStatController {
        return ResponseUtil.ok(statVo);
    }
+    @RequiresPermissions("admin:stat:goods")
    @GetMapping("/goods")
-    public Object statGoods(@LoginAdmin Integer adminId) {
+    public Object statGoods() {
        List<Map> rows = statService.statGoods();
        String[] columns = new String[]{"day", "orders", "products", "amount"};
        StatVo statVo = new StatVo();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.storage.StorageService;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
@@ -32,9 +32,9 @@ public class AdminStorageController {
    @Autowired
    private LitemallStorageService litemallStorageService;
+    @RequiresPermissions("admin:storage:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String key, String name,
-                       String key, String name,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -48,8 +48,9 @@ public class AdminStorageController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:storage:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestParam("file") MultipartFile file) throws IOException {
+    public Object create(@RequestParam("file") MultipartFile file) throws IOException {
        String originalFilename = file.getOriginalFilename();
        String url = storageService.store(file.getInputStream(), file.getSize(), file.getContentType(), originalFilename);
        Map<String, Object> data = new HashMap<>();
@@ -57,8 +58,9 @@ public class AdminStorageController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:storage:read")
    @PostMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallStorage storageInfo = litemallStorageService.findById(id);
        if (storageInfo == null) {
            return ResponseUtil.badArgumentValue();
@@ -66,16 +68,18 @@ public class AdminStorageController {
        return ResponseUtil.ok(storageInfo);
    }
+    @RequiresPermissions("admin:storage:delete")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallStorage litemallStorage) {
+    public Object update(@RequestBody LitemallStorage litemallStorage) {
        if (litemallStorageService.update(litemallStorage) == 0) {
            return ResponseUtil.updatedDataFailed();
        }
        return ResponseUtil.ok(litemallStorage);
    }
+    @RequiresPermissions("admin:storage:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallStorage litemallStorage) {
+    public Object delete(@RequestBody LitemallStorage litemallStorage) {
        String key = litemallStorage.getKey();
        if (StringUtils.isEmpty(key)) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminTopicController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminTopicController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminTopicController {
    @Autowired
    private LitemallTopicService topicService;
+    @RequiresPermissions("admin:topic:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String title, String subtitle,
-                       String title, String subtitle,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -60,8 +60,9 @@ public class AdminTopicController {
        return null;
    }
+    @RequiresPermissions("admin:topic:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object create(@RequestBody LitemallTopic topic) {
        Object error = validate(topic);
        if (error != null) {
            return error;
@@ -70,14 +71,16 @@ public class AdminTopicController {
        return ResponseUtil.ok(topic);
    }
+    @RequiresPermissions("admin:topic:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallTopic topic = topicService.findById(id);
        return ResponseUtil.ok(topic);
    }
+    @RequiresPermissions("admin:topic:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object update(@RequestBody LitemallTopic topic) {
        Object error = validate(topic);
        if (error != null) {
            return error;
@@ -88,8 +91,9 @@ public class AdminTopicController {
        return ResponseUtil.ok(topic);
    }
+    @RequiresPermissions("admin:topic:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object delete(@RequestBody LitemallTopic topic) {
        topicService.deleteById(topic.getId());
        return ResponseUtil.ok();
    }

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminUserController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminUserController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.RegexUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -31,9 +31,9 @@ public class AdminUserController {
    @Autowired
    private LitemallUserService userService;
+    @RequiresPermissions("admin:user:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String username, String mobile,
-                       String username, String mobile,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -47,8 +47,9 @@ public class AdminUserController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:user:list")
    @GetMapping("/username")
-    public Object username(@LoginAdmin Integer adminId, @NotEmpty String username) {
+    public Object username(@NotEmpty String username) {
        int total = userService.countSeletive(username, null, null, null, null, null);
        if (total == 0) {
            return ResponseUtil.ok("不存在");
@@ -78,8 +79,9 @@ public class AdminUserController {
        return null;
    }
+    @RequiresPermissions("admin:user:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallUser user) {
+    public Object create(@RequestBody LitemallUser user) {
        Object error = validate(user);
        if (error != null) {
            return error;
@@ -107,8 +109,9 @@ public class AdminUserController {
        return ResponseUtil.ok(user);
    }
+    @RequiresPermissions("admin:user:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallUser user) {
+    public Object update(@RequestBody LitemallUser user) {
        Object error = validate(user);
        if (error != null) {
            return error;