Dev/sec2/v5.spirngboot5

modules/app/src/main/java/com/jeesite/modules/app/web/AppPublicServiceController.java

@@ -58,6 +58,10 @@ public String upgradeCheck(String appCode, Integer appVersion) {
 	@ResponseBody
 	public String commentSave(@Validated AppComment appComment) {
 		appComment.setStatus(AppComment.STATUS_NORMAL);
+		appComment.setReplyDate(null);
+		appComment.setReplyContent(null);
+		appComment.setReplyUserCode(null);
+		appComment.setReplyUserName(null);
 		appCommentService.save(appComment);
 		return renderResult(Global.TRUE, text("我们已收到您的宝贵意见，感谢您的反馈！"));
 	}

modules/cms/src/main/java/com/jeesite/modules/cms/service/ArticleService.java

@@ -15,11 +15,13 @@
 import com.jeesite.modules.cms.dao.ArticleDataDao;
 import com.jeesite.modules.cms.entity.Article;
 import com.jeesite.modules.cms.entity.ArticleData;
+import com.jeesite.modules.cms.entity.Category;
 import com.jeesite.modules.cms.service.extend.ArticleAuthService;
 import com.jeesite.modules.cms.service.extend.ArticleIndexService;
 import com.jeesite.modules.cms.service.extend.ArticleVectorStore;
 import com.jeesite.modules.cms.service.extend.PageCacheService;
 import com.jeesite.modules.cms.utils.CmsUtils;
+import com.jeesite.modules.sys.utils.UserUtils;
 import com.jeesite.modules.file.utils.FileUploadUtils;
 import io.netty.util.concurrent.DefaultThreadFactory;
 import org.springframework.beans.factory.ObjectProvider;
@@ -51,16 +53,19 @@ public class ArticleService extends CrudService<ArticleDao, Article> {
 	protected final ArticleVectorStore articleVectorStore;
 	protected final ArticleAuthService articleAuthService;
 	protected final PageCacheService pageCacheService;
+	protected final CategoryService categoryService;
 
 	// 是否能使用审核功能
 	public static boolean isCanUseAuth;
 
 	public ArticleService(ArticleDataDao articleDataDao,
+						  CategoryService categoryService,
 						  ObjectProvider<ArticleIndexService> articleIndexService,
 						  ObjectProvider<ArticleVectorStore> articleVectorStore,
 						  ObjectProvider<ArticleAuthService> bpmArticleService,
 						  ObjectProvider<PageCacheService> pageCacheService) {
 		this.articleDataDao = articleDataDao;
+		this.categoryService = categoryService;
 		this.articleIndexService = articleIndexService.getIfAvailable();
 		this.articleVectorStore = articleVectorStore.getIfAvailable();
 		this.articleAuthService = bpmArticleService.getIfAvailable();
@@ -163,9 +168,11 @@ public void save(Article article) {
 		if (StringUtils.isNotBlank(article.getCategory().getId())) {
 			article.setCategory(CmsUtils.getCategory(article.getCategory().getId()));
 		}
-		if (StringUtils.isBlank(article.getCategory().getId())) {
+		if (StringUtils.isBlank(article.getCategory().getCategoryCode())) {
 			throw new ServiceException(text("归属栏目不正确或为空。"));
 		}
+		checkSaveDataScope(article);
+		checkPublishPermission(article);
 		// 如果需要文章审核流程，则进行下一步流程操作
 		if (isCanUseAuth && Global.YES.equals(article.getCategory().getIsNeedAudit())) {
 			articleAuthService.submit(article, this::saveArticle);
@@ -179,6 +186,27 @@ public void save(Article article) {
 		}
 	}
 
+	private void checkSaveDataScope(Article article) {
+		if (article.currentUser().isSuperAdmin()) {
+			return;
+		}
+		Category where = new Category();
+		where.setCategoryCode(article.getCategory().getCategoryCode());
+		where.setSite(article.getCategory().getSite());
+		where.setStatus(Category.STATUS_NORMAL);
+		categoryService.addDataScopeFilter(where, Global.getConfig("user.adminCtrlPermi", "2"));
+		if (categoryService.findCount(where) == 0) {
+			throw new ServiceException(text("没有权限使用该栏目数据！"));
+		}
+	}
+
+	private void checkPublishPermission(Article article) {
+		if (Article.STATUS_NORMAL.equals(article.getStatus())
+				&& !UserUtils.getSubject().isPermitted("cms:article:audit")) {
+			article.setStatus(Article.STATUS_DRAFT);
+		}
+	}
+
 	private void saveArticle(Article article) {
 		// 计算内容字数
 		ArticleData articleData = article.getArticleData();

modules/core/src/main/java/com/jeesite/autoconfigure/sys/SysAutoConfiguration.java

@@ -11,6 +11,7 @@
 import com.jeesite.modules.sys.dao.PostRoleDao;
 import com.jeesite.modules.sys.service.*;
 import com.jeesite.modules.sys.service.support.*;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -47,8 +48,11 @@ public EmployeeService employeeService(EmployeePostDao employeePostDao, Employee
 
 	@Bean
 	@ConditionalOnMissingBean
-	public EmpUserService empUserService(UserService userService, EmployeeService employeeService, EmployeeOfficeDao employeeOfficeDao){
-		return new EmpUserServiceSupport(userService, employeeService, employeeOfficeDao);
+	public EmpUserService empUserService(UserService userService, EmployeeService employeeService,
+										 EmployeeOfficeDao employeeOfficeDao, ObjectProvider<OfficeService> officeService,
+										 ObjectProvider<CompanyService> companyService, PostRoleDao postRoleDao, RoleService roleService){
+		return new EmpUserServiceSupport(userService, employeeService, employeeOfficeDao,
+				officeService, companyService, postRoleDao, roleService);
 	}
 
 	@Bean
@@ -65,8 +69,8 @@ public OfficeService officeService(DataScopeService dataScopeService, EmpUserSer
 
 	@Bean
 	@ConditionalOnMissingBean
-	public PostService postService(PostRoleDao postRoleDao, EmpUserService empUserService){
-		return new PostServiceSupport(postRoleDao, empUserService);
+	public PostService postService(PostRoleDao postRoleDao, EmpUserService empUserService, RoleService roleService){
+		return new PostServiceSupport(postRoleDao, empUserService, roleService);
 	}
 
 }

modules/core/src/main/java/com/jeesite/modules/sys/service/EmpUserService.java

@@ -39,6 +39,20 @@ public interface EmpUserService extends CrudServiceApi<EmpUser> {
 	@Override
 	void addDataScopeFilter(EmpUser empUser, String ctrlPermi);
 
+	/**
+	 * 校验用户是否在当前操作者的数据权限范围内
+	 * @param userCode 用户编码
+	 * @param ctrlPermi 控制权限类型
+	 */
+	void checkUserDataScope(String userCode, String ctrlPermi);
+
+	/**
+	 * 校验员工用户提交的数据是否在当前操作者的数据权限范围内
+	 * @param empUser 员工用户
+	 * @param ctrlPermi 控制权限类型
+	 */
+	void checkEmpUserDataScope(EmpUser empUser, String ctrlPermi);
+
 	/**
 	 * 分页查询数据
 	 */

modules/core/src/main/java/com/jeesite/modules/sys/service/support/EmpUserServiceSupport.java

@@ -15,17 +15,22 @@
 import com.jeesite.common.validator.ValidatorUtils;
 import com.jeesite.modules.sys.dao.EmpUserDao;
 import com.jeesite.modules.sys.dao.EmployeeOfficeDao;
+import com.jeesite.modules.sys.dao.PostRoleDao;
 import com.jeesite.modules.sys.entity.EmpUser;
 import com.jeesite.modules.sys.entity.Employee;
 import com.jeesite.modules.sys.entity.EmployeeOffice;
 import com.jeesite.modules.sys.entity.User;
+import com.jeesite.modules.sys.service.CompanyService;
 import com.jeesite.modules.sys.service.EmpUserService;
 import com.jeesite.modules.sys.service.EmployeeService;
+import com.jeesite.modules.sys.service.OfficeService;
+import com.jeesite.modules.sys.service.RoleService;
 import com.jeesite.modules.sys.service.UserService;
 import com.jeesite.modules.sys.utils.EmpUtils;
 import com.jeesite.modules.sys.utils.UserUtils;
 import jakarta.validation.ConstraintViolation;
 import jakarta.validation.ConstraintViolationException;
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -42,11 +47,21 @@ public class EmpUserServiceSupport extends CrudService<EmpUserDao, EmpUser>
 	protected final UserService userService;
 	protected final EmployeeService employeeService;
 	protected final EmployeeOfficeDao employeeOfficeDao;
+	protected final ObjectProvider<OfficeService> officeService;
+	protected final ObjectProvider<CompanyService> companyService;
+	protected final PostRoleDao postRoleDao;
+	protected final RoleService roleService;
 
-	public EmpUserServiceSupport(UserService userService, EmployeeService employeeService, EmployeeOfficeDao employeeOfficeDao) {
+	public EmpUserServiceSupport(UserService userService, EmployeeService employeeService,
+			EmployeeOfficeDao employeeOfficeDao, ObjectProvider<OfficeService> officeService,
+			ObjectProvider<CompanyService> companyService, PostRoleDao postRoleDao, RoleService roleService) {
 		this.userService = userService;
 		this.employeeService = employeeService;
 		this.employeeOfficeDao = employeeOfficeDao;
+		this.officeService = officeService;
+		this.companyService = companyService;
+		this.postRoleDao = postRoleDao;
+		this.roleService = roleService;
 	}
 
 	/**
@@ -93,6 +108,23 @@ public void addDataScopeFilter(EmpUser empUser, String ctrlPermi) {
 //				"a.user_code", ctrlPermi);
 	}
 
+	/**
+	 * 校验用户是否在当前操作者的数据权限范围内
+	 */
+	@Override
+	public void checkUserDataScope(String userCode, String ctrlPermi) {
+		SysDataScopeCheckHelper.checkUserDataScope(userCode, ctrlPermi, this);
+	}
+
+	/**
+	 * 校验员工用户提交的数据是否在当前操作者的数据权限范围内
+	 */
+	@Override
+	public void checkEmpUserDataScope(EmpUser empUser, String ctrlPermi) {
+		SysDataScopeCheckHelper.checkEmpUserDataScope(empUser, ctrlPermi,
+				this, officeService.getObject(), companyService.getObject(), postRoleDao, roleService);
+	}
+
 	/**
 	 * 查询数据
 	 */
@@ -227,12 +259,14 @@ public String importData(MultipartFile file, Boolean isUpdateSupport) {
 					// 验证是否存在这个用户
 					User u = UserUtils.getByLoginCode(user.getLoginCode());
 					if (u == null){
+						checkEmpUserDataScope(user, null);
 						this.save(user);
 						userService.saveAuth(user);
 						successNum++;
 						successMsg.append("<br/>" + successNum + "、账号 " + user.getLoginCode() + " 导入成功");
 					} else if (isUpdateSupport){
 						user.setUserCode(u.getUserCode());
+						checkEmpUserDataScope(user, null);
 						this.save(user);
 						userService.saveAuth(user);
 						successNum++;

modules/core/src/main/java/com/jeesite/modules/sys/service/support/PostServiceSupport.java

@@ -17,6 +17,7 @@
 import com.jeesite.modules.sys.entity.PostRole;
 import com.jeesite.modules.sys.service.EmpUserService;
 import com.jeesite.modules.sys.service.PostService;
+import com.jeesite.modules.sys.service.RoleService;
 import com.jeesite.modules.sys.utils.CorpUtils;
 import com.jeesite.modules.sys.utils.UserUtils;
 import org.springframework.transaction.annotation.Transactional;
@@ -33,10 +34,12 @@ public class PostServiceSupport extends CrudService<PostDao, Post>
 
 	protected final PostRoleDao postRoleDao;
 	protected final EmpUserService empUserService;
+	protected final RoleService roleService;
 
-	public PostServiceSupport(PostRoleDao postRoleDao, EmpUserService empUserService) {
+	public PostServiceSupport(PostRoleDao postRoleDao, EmpUserService empUserService, RoleService roleService) {
 		this.postRoleDao = postRoleDao;
 		this.empUserService = empUserService;
+		this.roleService = roleService;
 	}
 
 	/**
@@ -86,6 +89,7 @@ public List<PostRole> findPostRoleList(PostRole postRole) {
 	@Override
 	@Transactional
 	public void save(Post post) {
+		SysDataScopeCheckHelper.checkRoleDataScope(post.getRoleCodes(), null, roleService);
 		if (post.getIsNewRecord()){
 			// 生成主键，并验证改主键是否存在，如存在则抛出验证信息
 			genIdAndValid(post, post.getViewCode());