对数据权限控制的实验
List getOrders(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else
sql = " select * from order where author= " + userId;
Object o = excuteSql(sql);
return excute(o);
}
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else
sql = " select * from order where author= " + userId;
Object o = excuteSql(sql);
return excute(o);
}
恩,不错,很好的完成了权限控制。过了没多久,公司发展了,老板增加了人手,老板发话了,我要设置区域管理员分管不同区域的订单。管理员分为北京地区管理员,上海地区管理员,其他地区管理员和总管理员。怎么办?修改代码吧
List getOrders(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else if ( " bjadmin " ).equals(role.getName()))
sql = " select * from order where area='beijing' " ;
else if ( " shadmin " ).equals(role.getName()))
sql = " select * from order where area='shanghai' " ;
else if ( " qtadmin " ).equals(role.getName()))
sql = " select * from order where area='qita' " ;
else
sql = " select * from order where author= " + userId;
Object o = excuteSql(sql);
return excute(o);
}
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else if ( " bjadmin " ).equals(role.getName()))
sql = " select * from order where area='beijing' " ;
else if ( " shadmin " ).equals(role.getName()))
sql = " select * from order where area='shanghai' " ;
else if ( " qtadmin " ).equals(role.getName()))
sql = " select * from order where area='qita' " ;
else
sql = " select * from order where author= " + userId;
Object o = excuteSql(sql);
return excute(o);
}
恩恩,这就搞定了,可怎么也感觉不爽,也许该做点什么。一堆if/else权限判断让人心烦,再写个类把这些sql管理起来好了,那就动手吧
public
class
SqlManager{
String getSql(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else if ( " bjadmin " ).equals(role.getName()))
sql = " select * from order where area='beijing' " ;
else if ( " shadmin " ).equals(role.getName()))
sql = " select * from order where area='shanghai' " ;
else if ( " qtadmin " ).equals(role.getName()))
sql = " select * from order where area='qita' " ;
else
sql = " select * from order where author= " + userId;
return sql;
}
}
String getSql(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
if (( " admin " ).equals(role.getName()))
sql = " select * from order " ;
else if ( " bjadmin " ).equals(role.getName()))
sql = " select * from order where area='beijing' " ;
else if ( " shadmin " ).equals(role.getName()))
sql = " select * from order where area='shanghai' " ;
else if ( " qtadmin " ).equals(role.getName()))
sql = " select * from order where area='qita' " ;
else
sql = " select * from order where author= " + userId;
return sql;
}
}
这样把权限判断移到SqlManager里,业务代码就清爽了很多,再增加管理员就修改SqlManager好了
List getOrders(String userId){
String sql = sqlManager.getSql(userId);
Object o = excuteSql(sql);
return excute(o);
}
String sql = sqlManager.getSql(userId);
Object o = excuteSql(sql);
return excute(o);
}
呵呵,看起来还不错。但是等等,我们的业务方法为什么需要userId这个参数呢,是啊是啊,权限判断用到了它,但是那和我业务又有什么关系呢,不爽。现在AOP不是很流行吗,你不用AOP怎么能说明你技术高呢?快用吧快用吧,用不着也要想着方法用。
业务方法简化为
List getOrders(){
String sql = "" ;
Object o = excuteSql(sql);
return excute(o);
}
String sql = "" ;
Object o = excuteSql(sql);
return excute(o);
}
对excuteSql方法我们来AOP一下,注入权限判断过的sql.嘿嘿,技术水平又一次得到了显现。业务方法是简单了,可我的SqlManager倒是复杂了,还是很不幸福。咋办?用个配置文件吧,hibernate不是老鼓励我们把sql写在配置文件里吗?
<xml>
<sql role = " admin " >select * from order</sql>
<sql role = " bjadmin " >select * from order where area = 'beijing'</sql>
<sql role = " shadmin " >select * from order where area = 'shanghai'</sql>
<sql role = " qtadmin " >select * from order where area = 'qita'</sql>
<sql role = " none " >select * from order where author = ?</sql>
</xml>
<sql role = " admin " >select * from order</sql>
<sql role = " bjadmin " >select * from order where area = 'beijing'</sql>
<sql role = " shadmin " >select * from order where area = 'shanghai'</sql>
<sql role = " qtadmin " >select * from order where area = 'qita'</sql>
<sql role = " none " >select * from order where author = ?</sql>
</xml>
这样SqlManager就可以把行数缩小了,就可以敏捷一点了。
public
class
SqlManager{
String getSql(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
sql = getSqlfromXml(role.getName());
return sql;
}
String getSqlfromXml(String rolename){
![]()
.
}
}
String getSql(String userId){
String sql;
Role role = orgService.getRoleForUser(userId);
sql = getSqlfromXml(role.getName());
return sql;
}
String getSqlfromXml(String rolename){
}
}
以后再增加权限连类都不用修改了,改xml好了。等等,你是不是把问题太简单化了。现在不仅仅是订单,货物也要这么分区域管理。
不错,我们应该想着通用一下了。这样,把SqlManager抽象一下
String
abstract
getSqlfromXml(String rolename);
然后做几个子类好了 OrderSqlManager, GoodsSqlManager .
可是,哥们,书上说,要面向接口编程,你这样不太好吧。没事,再接口一下:
public
interface
SqlManagerInterface{
String getSql(String userId);
}
String getSql(String userId);
}
还是没法用啊。也许现在可以看看acegi的provider机制了,把这一大堆SqlManager全部作为provider,根据不同的模块选择不同的provider,统一拦截excuteSql方法,生成不同的sql到数据库执行。xml不爽?db也可以。然后,再然后呢?改你的类名,重构,和acegi整合一下。
呵呵,完全是个人的一些想法,希望多批评提提意见。我想表达的意思是:也许把数据权限再抽象一些,以组件的形式来减少侵入是可以做到的。
http://www.blogjava.net/ronghao 荣浩原创,转载请注明出处:)