业务场景

系统的权限设计

Posted by Wh0ami-hy on December 27, 2023

1. 权限管理

1.1. RBAC模型

它有两种解释

Role-Based Access Control

基于角色的访问控制,即按角色进行授权。当需要修改角色的权限时就需要修改授权的相关代码,系统可扩展性差

if(主体.hasRole("总经理角色") || 主体.hasRole("股东角色")){
     查询运营报表
}

Resource-Based Access Control

基于资源的访问控制,即按资源(或权限)进行授权。这样在系统设计时就已经定义好权限标识,即使所需要的角色变化也不需要修改授权代码,系统可扩展性强。该授权方式更加常用

if(主体.hasPermission("查询报表权限")){
   查询运营报表
}

系统权限设计.drawio

1.2. 权限表设计

目前流行的是用户-角色-部门-权限的权限管理模型,下面仅介绍了不含部门的情况

用户表、角色表、权限表,用户和角色表,角色和权限表

用户表

CREATE TABLE `users`  (`uid` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `phone` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`uid`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 3
  CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
INSERT INTO `users` VALUES (1, 'baizhan','$2a$10$Eqv9PRMl6bPt5BiwgPr2eucgyl.E.xLENt4b
vfDvv7DyS5AVPT.U6', '13812345678');

角色表

CREATE TABLE `role`  (
  `rid` int(11) NOT NULL AUTO_INCREMENT,
  `roleName` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `roleDesc` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`rid`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 4
CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
INSERT INTO `role` VALUES (1,'总经理','管理整个公司');
INSERT INTO `role` VALUES (2,'股东','参与公司决策');
INSERT INTO `role` VALUES (3,'财务','管理公司资产');

权限表

CREATE TABLE `permission`  (
  `pid` int(11) NOT NULL AUTO_INCREMENT,
  `permission_name` varchar(255) DEFAULT NULL,
  `url` varchar(255) NULL DEFAULT NULL,
  PRIMARY KEY (`pid`) USING BTREE ) ENGINE = InnoDB 
INSERT INTO `permission` VALUES (1,'查询报表', '/reportform/find');
INSERT INTO `permission` VALUES (2,'查询工资', '/salary/find');
INSERT INTO `permission` VALUES (3,'查询税务', '/tax/find');

用户和角色表

CREATE TABLE `users_role`  (
  `uid` int(255) NOT NULL,
  `rid` int(11) NOT NULL,
  PRIMARY KEY (`uid`, `rid`) USING BTREE,
  INDEX `rid`(`rid`) USING BTREE,
  CONSTRAINT `users_role_ibfk_1` FOREIGN KEY(`uid`) REFERENCES `users` (`uid`) ON DELETE
RESTRICT ON UPDATE RESTRICT,
  CONSTRAINT `users_role_ibfk_2` FOREIGN KEY(`rid`) REFERENCES `role` (`rid`) ON DELETE
RESTRICT ON UPDATE RESTRICT ) ENGINE = InnoDB CHARACTER SET = utf8
COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
INSERT INTO `users_role` VALUES (1, 2);
INSERT INTO `users_role` VALUES (1, 3);

角色和权限表

CREATE TABLE `role_permission`  (
  `rid` int(11) NOT NULL,
  `pid` int(11) NOT NULL,
   PRIMARY KEY (`rid`, `pid`) USING BTREE,
   INDEX `pid`(`pid`) USING BTREE,
   CONSTRAINT `role_permission_ibfk_1` FOREIGN KEY (`rid`) REFERENCES `role`
(`rid`) ON DELETE RESTRICT ON UPDATE
RESTRICT,
  CONSTRAINT `role_permission_ibfk_2`
FOREIGN KEY (`pid`) REFERENCES `permission`
(`pid`) ON DELETE RESTRICT ON UPDATE
RESTRICT
) ENGINE = InnoDB CHARACTER SET = utf8
COLLATE = utf8_general_ci ROW_FORMAT =
Dynamic;
INSERT INTO `role_permission` VALUES (1, 1);
INSERT INTO `role_permission` VALUES (2, 1);
INSERT INTO `role_permission` VALUES (1, 2);
INSERT INTO `role_permission` VALUES (3, 2);
INSERT INTO `role_permission` VALUES (1, 3);
INSERT INTO `role_permission` VALUES (2, 3);

1.3. 代码设计

  • 实现验证用户登录信息的拦截器
  • 实现验证用户权限的拦截器(先从用户角色开始过滤,不符合要求的角色直接在controller层ban掉,之后再根据对资源的操作权限进行过滤,分增、删、改、查权限,不符合要求的角色不能执行相关操作) ["user-add", "user-delete", "user-get", "user-update"]
CATALOG
    FEATURED TAGS
    Java Python Windows MySQL MyBatis Spring 系统设计 Web C Maven Vue IDE 前端三大件 Docker SpringBoot SpringMVC Redis Linux 消息队列 GitHub 计算机网络 计算机基础 Nginx 业务场景 Node JavaWeb Quasar Google GitLab 架构 React
    FRIENDS
    本站总访问量