refactor: 增加数据源、部分数据集api权限

0445176e · fit2cloud-chenyw · 64fce599 · 0445176e · 0445176e · 0445176e
--- a/backend/src/main/java/io/dataease/base/mapper/ext/ExtAuthMapper.xml
+++ b/backend/src/main/java/io/dataease/base/mapper/ext/ExtAuthMapper.xml
@@ -40,7 +40,7 @@
            sys_auth a
        LEFT JOIN sys_auth_detail d on d.auth_id = a.id
        WHERE
-            auth_source_type = 'datasource'
+            auth_source_type = 'link'
            AND auth_target_type = 'user'
            AND auth_target = #{userId}
            AND d.privilege_value = 1
@@ -80,7 +80,7 @@
            sys_auth a
        LEFT JOIN sys_auth_detail d on d.auth_id = a.id
        WHERE
-            auth_source_type = 'datasource'
+            auth_source_type = 'link'
            AND auth_target_type = 'role'
            AND auth_target = #{roleId}
            AND d.privilege_value = 1
@@ -119,7 +119,7 @@
            sys_auth a
        LEFT JOIN sys_auth_detail d on d.auth_id = a.id
        WHERE
-            auth_source_type = 'datasource'
+            auth_source_type = 'link'
            AND auth_target_type = 'dept'
            AND auth_target = #{deptId}
            AND d.privilege_value = 1

--- a/backend/src/main/java/io/dataease/commons/utils/AuthUtils.java
+++ b/backend/src/main/java/io/dataease/commons/utils/AuthUtils.java
@@ -4,6 +4,7 @@ import io.dataease.auth.api.dto.CurrentRoleDto;
 import io.dataease.auth.api.dto.CurrentUserDto;
 import io.dataease.auth.entity.AuthItem;
 import io.dataease.auth.service.ExtAuthService;
+import io.dataease.commons.constants.DePermissionType;
 import io.dataease.commons.constants.ResourceAuthLevel;
 import io.dataease.commons.model.AuthURD;
 import org.apache.commons.lang3.StringUtils;
@@ -56,7 +57,7 @@ public class AuthUtils {
        Long deptId = user.getDeptId();
        List<CurrentRoleDto> roles = user.getRoles();
        Set<AuthItem> result = new HashSet<>();
-        if (StringUtils.equals("link", type)) {
+        if (StringUtils.equals(DePermissionType.DATASOURCE.name().toLowerCase(), type)) {
            Set<AuthItem> userSet = extAuthService.dataSourceIdByUser(userId).stream().collect(Collectors.toSet());
            Set<AuthItem> roleSet = roles.stream().map(role -> extAuthService.dataSourceIdByRole(role.getId())).flatMap(Collection::stream).collect(Collectors.toSet());
            Set<AuthItem> deptSet = extAuthService.dataSourceIdByDept(deptId).stream().collect(Collectors.toSet());
@@ -69,7 +70,7 @@ public class AuthUtils {
            return result;
        }
-        else if (StringUtils.equals("dataset", type)) {
+        else if (StringUtils.equals(DePermissionType.DATASET.name().toLowerCase(), type)) {
            Set<AuthItem> userSet = extAuthService.dataSetIdByUser(userId).stream().collect(Collectors.toSet());
            Set<AuthItem> roleSet = roles.stream().map(role -> extAuthService.dataSetIdByRole(role.getId())).flatMap(Collection::stream).collect(Collectors.toSet());
            Set<AuthItem> deptSet = extAuthService.dataSetIdByDept(deptId).stream().collect(Collectors.toSet());
@@ -81,7 +82,7 @@ public class AuthUtils {
            });
            return result;
        }
-        else if (StringUtils.equals("panel", type)) {
+        else if (StringUtils.equals(DePermissionType.PANEL.name().toLowerCase(), type)) {
            Set<AuthItem> userSet = extAuthService.panelIdByUser(userId).stream().collect(Collectors.toSet());
            Set<AuthItem> roleSet = roles.stream().map(role -> extAuthService.panelIdByRole(role.getId())).flatMap(Collection::stream).collect(Collectors.toSet());
            Set<AuthItem> deptSet = extAuthService.panelIdByDept(deptId).stream().collect(Collectors.toSet());

--- a/backend/src/main/java/io/dataease/controller/dataset/DataSetGroupController.java
+++ b/backend/src/main/java/io/dataease/controller/dataset/DataSetGroupController.java
 package io.dataease.controller.dataset;
 import com.github.xiaoymin.knife4j.annotations.ApiSupport;
+import io.dataease.auth.annotation.DePermission;
+import io.dataease.auth.annotation.DePermissions;
 import io.dataease.base.domain.DatasetGroup;
+import io.dataease.commons.constants.DePermissionType;
+import io.dataease.commons.constants.ResourceAuthLevel;
 import io.dataease.controller.request.dataset.DataSetGroupRequest;
 import io.dataease.dto.dataset.DataSetGroupDTO;
 import io.dataease.service.dataset.DataSetGroupService;
 import io.dataease.service.dataset.ExtractDataService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;
@@ -28,12 +34,18 @@ public class DataSetGroupController {
    @Resource
    private ExtractDataService extractDataService;
+    @RequiresPermissions("data:read")
+    @DePermissions(value = {
+            @DePermission(type = DePermissionType.DATASET, value = "id"),
+            @DePermission(type = DePermissionType.DATASET, value = "pid", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
+    }, logical = Logical.AND)
    @ApiOperation("保存")
    @PostMapping("/save")
    public DataSetGroupDTO save(@RequestBody DatasetGroup datasetGroup) {
        return dataSetGroupService.save(datasetGroup);
    }
+    @RequiresPermissions("data:read")
    @ApiOperation("查询树")
    @PostMapping("/tree")
    public List<DataSetGroupDTO> tree(@RequestBody DataSetGroupRequest datasetGroup) {
@@ -46,6 +58,8 @@ public class DataSetGroupController {
        return dataSetGroupService.treeNode(datasetGroup);
    }
+    @RequiresPermissions("data:read")
+    @DePermission(type = DePermissionType.DATASET, level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
    @ApiOperation("删除")
    @PostMapping("/delete/{id}")
    public void tree(@PathVariable String id) throws Exception {

--- a/backend/src/main/java/io/dataease/controller/dataset/DataSetTableController.java
+++ b/backend/src/main/java/io/dataease/controller/dataset/DataSetTableController.java
 package io.dataease.controller.dataset;
 import com.github.xiaoymin.knife4j.annotations.ApiSupport;
+import io.dataease.auth.annotation.DePermission;
+import io.dataease.auth.annotation.DePermissions;
 import io.dataease.base.domain.DatasetTable;
 import io.dataease.base.domain.DatasetTableField;
 import io.dataease.base.domain.DatasetTableIncrementalConfig;
+import io.dataease.commons.constants.DePermissionType;
+import io.dataease.commons.constants.ResourceAuthLevel;
 import io.dataease.controller.request.dataset.DataSetTableRequest;
 import io.dataease.controller.response.DataSetDetail;
 import io.dataease.dto.datasource.TableFiled;
@@ -11,6 +15,8 @@ import io.dataease.dto.dataset.DataSetTableDTO;
 import io.dataease.dto.dataset.ExcelFileData;
 import io.dataease.service.dataset.DataSetTableService;
 import io.swagger.annotations.*;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@@ -30,12 +36,24 @@ public class DataSetTableController {
    @Resource
    private DataSetTableService dataSetTableService;
+    @RequiresPermissions("data:read")
+    @DePermissions(value = {
+        @DePermission(type = DePermissionType.DATASET, value = "id"),
+        @DePermission(type = DePermissionType.DATASET, value = "sceneId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE),
+        @DePermission(type = DePermissionType.DATASOURCE, value = "dataSourceId", level = ResourceAuthLevel.DATASET_LEVEL_USE)
+    }, logical = Logical.AND)
    @ApiOperation("批量保存")
    @PostMapping("batchAdd")
    public void batchAdd(@RequestBody List<DataSetTableRequest> datasetTable) throws Exception {
        dataSetTableService.batchInsert(datasetTable);
    }
+    @RequiresPermissions("data:read")
+    @DePermissions(value = {
+            @DePermission(type = DePermissionType.DATASET, value = "id", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE),
+            @DePermission(type = DePermissionType.DATASET, value = "sceneId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE),
+            @DePermission(type = DePermissionType.DATASOURCE, value = "dataSourceId", level = ResourceAuthLevel.DATASET_LEVEL_USE)
+    }, logical = Logical.AND)
    @ApiOperation("更新")
    @PostMapping("update")
    public void save(@RequestBody DataSetTableRequest datasetTable) throws Exception {
@@ -46,12 +64,19 @@ public class DataSetTableController {
        }
    }
+    @RequiresPermissions("data:read")
+    @DePermissions(value = {
+            @DePermission(type = DePermissionType.DATASET, value = "id", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE),
+            @DePermission(type = DePermissionType.DATASET, value = "sceneId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE),
+            @DePermission(type = DePermissionType.DATASOURCE, value = "dataSourceId", level = ResourceAuthLevel.DATASET_LEVEL_USE)
+    }, logical = Logical.AND)
    @ApiOperation("修改")
    @PostMapping("alter")
    public void alter(@RequestBody DataSetTableRequest request) throws Exception {
        dataSetTableService.alter(request);
    }
+    @DePermission(type = DePermissionType.DATASET, level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
    @ApiOperation("删除")
    @PostMapping("delete/{id}")
    public void delete(@ApiParam(name = "id", value = "数据集ID", required = true) @PathVariable String id) throws Exception {
@@ -70,6 +95,7 @@ public class DataSetTableController {
        return dataSetTableService.listAndGroup(dataSetTableRequest);
    }
+    @DePermission(type = DePermissionType.DATASET, level = ResourceAuthLevel.DATASET_LEVEL_USE)
    @ApiOperation("详息")
    @PostMapping("get/{id}")
    public DatasetTable get(@ApiParam(name = "id", value = "数据集ID", required = true) @PathVariable String id) {

--- a/backend/src/main/java/io/dataease/controller/datasource/DatasourceController.java
+++ b/backend/src/main/java/io/dataease/controller/datasource/DatasourceController.java
@@ -3,7 +3,11 @@ package io.dataease.controller.datasource;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import com.github.xiaoymin.knife4j.annotations.ApiSupport;
+import io.dataease.auth.annotation.DePermission;
+import io.dataease.auth.annotation.DePermissions;
 import io.dataease.base.domain.Datasource;
+import io.dataease.commons.constants.DePermissionType;
+import io.dataease.commons.constants.ResourceAuthLevel;
 import io.dataease.commons.utils.AuthUtils;
 import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
@@ -15,6 +19,8 @@ import io.dataease.service.datasource.DatasourceService;
 import io.dataease.dto.DatasourceDTO;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;
@@ -31,18 +37,24 @@ public class DatasourceController {
    @Resource
    private DatasourceService datasourceService;
+    @RequiresPermissions("datasource:add")
+    @DePermission(type = DePermissionType.DATASOURCE, value = "id")
    @ApiOperation("新增数据源")
    @PostMapping("/add")
    public Datasource addDatasource(@RequestBody Datasource datasource) throws Exception{
        return datasourceService.addDatasource(datasource);
    }
+    @RequiresPermissions("datasource:read")
+    @DePermission(type = DePermissionType.DATASOURCE, value = "id")
    @ApiOperation("验证数据源")
    @PostMapping("/validate")
    public ResultHolder validate(@RequestBody Datasource datasource) throws Exception {
        return datasourceService.validate(datasource);
    }
+    @RequiresPermissions("datasource:read")
+    @DePermission(type = DePermissionType.DATASOURCE)
    @ApiOperation("验证数据源")
    @GetMapping("/validate/{datasourceId}")
    public ResultHolder validate(@PathVariable String datasourceId) {
@@ -64,6 +76,7 @@ public class DatasourceController {
        return getDatasourceList().stream().filter(datasourceDTO -> datasourceDTO.getType().equalsIgnoreCase(type)).collect(Collectors.toList());
    }
+    @RequiresPermissions("datasource:read")
    @ApiIgnore
    @PostMapping("/list/{goPage}/{pageSize}")
    public Pager<List<DatasourceDTO>> getDatasourceList(@RequestBody BaseGridRequest request, @PathVariable int goPage, @PathVariable int pageSize) throws Exception {
@@ -71,12 +84,15 @@ public class DatasourceController {
        return PageUtils.setPageInfo(page, datasourceService.gridQuery(request));
    }
+    @DePermission(type = DePermissionType.DATASOURCE, level = ResourceAuthLevel.LINK_LEVEL_MANAGE)
    @ApiOperation("删除数据源")
    @PostMapping("/delete/{datasourceID}")
    public void deleteDatasource(@PathVariable(value = "datasourceID") String datasourceID) throws Exception {
        datasourceService.deleteDatasource(datasourceID);
    }
+    @RequiresPermissions("datasource:add")
+    @DePermission(type = DePermissionType.DATASOURCE, value = "id", level = ResourceAuthLevel.LINK_LEVEL_MANAGE)
    @ApiOperation("更新数据源")
    @PostMapping("/update")
    public void updateDatasource(@RequestBody Datasource Datasource) {

--- a/backend/src/main/java/io/dataease/controller/sys/SystemParameterController.java
+++ b/backend/src/main/java/io/dataease/controller/sys/SystemParameterController.java
@@ -11,6 +11,7 @@ import io.dataease.service.FileService;
 import io.dataease.service.system.EmailService;
 import io.dataease.service.system.SystemParameterService;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -39,11 +40,13 @@ public class SystemParameterController {
    private EmailService emailService;
+    @RequiresPermissions("sysparam:read")
    @GetMapping("/mail/info")
    public MailInfo mailInfo() {
        return emailService.mailInfo();
    }
+    @RequiresPermissions("sysparam:read")
    @GetMapping("/basic/info")
    public BasicInfo basicInfo() {
        return systemParameterService.basicInfo();
@@ -55,11 +58,13 @@ public class SystemParameterController {
        return StringUtils.isNotBlank(basicInfo.getFrontTimeOut()) ? Integer.parseInt(basicInfo.getFrontTimeOut()) : 10;
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/edit/email")
    public void editMail(@RequestBody List<SystemParameter> systemParameter) {
        emailService.editMail(systemParameter);
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/edit/basic")
    public void editBasic(@RequestBody List<SystemParameter> systemParameter) {
        systemParameterService.editBasic(systemParameter);
@@ -76,6 +81,7 @@ public class SystemParameterController {
    }
+    @RequiresPermissions("sysparam:read")
    @GetMapping("/base/info")
    public List<SystemParameterDTO> getBaseInfo() {
        return systemParameterService.getSystemParameterInfo(ParamConstants.Classify.BASE.getValue());

--- a/backend/src/main/java/io/dataease/plugins/server/ThemeServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/ThemeServer.java
@@ -3,6 +3,7 @@ package io.dataease.plugins.server;
 import java.util.List;
 import org.apache.commons.lang3.ObjectUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -36,6 +37,7 @@ public class ThemeServer {
        return themeXpackService.queryItems(themeId);
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/save")
    public void save(@RequestPart("request") ThemeRequest request,
            @RequestPart(value = "file", required = false) MultipartFile bodyFile) {
@@ -55,6 +57,7 @@ public class ThemeServer {
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/delete/{themeId}")
    public void delete(@PathVariable("themeId") int themeId) {
        ThemeXpackService themeXpackService = SpringContextUtil.getBean(ThemeXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XAuthServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XAuthServer.java
@@ -14,6 +14,7 @@ import io.dataease.plugins.xpack.auth.dto.response.XpackSysAuthDetailDTO;
 import io.dataease.plugins.xpack.auth.dto.response.XpackVAuthModelDTO;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import io.dataease.plugins.xpack.auth.service.AuthXpackService;
@@ -25,6 +26,7 @@ public class XAuthServer {
    private static final Set<String> cacheTypes = new HashSet<>();
+    @RequiresPermissions("auth:read")
    @PostMapping("/authModels")
    @I18n
    public List<XpackVAuthModelDTO> authModels(@RequestBody XpackBaseTreeRequest request) {
@@ -33,12 +35,14 @@ public class XAuthServer {
        return sysAuthService.searchAuthModelTree(request, user.getUserId(), user.getIsAdmin());
    }
+    @RequiresPermissions("auth:read")
    @PostMapping("/authDetails")
    public Map<String, List<XpackSysAuthDetailDTO>> authDetails(@RequestBody XpackSysAuthRequest request) {
        AuthXpackService sysAuthService = SpringContextUtil.getBean(AuthXpackService.class);
        return sysAuthService.searchAuthDetails(request);
    }
+    @RequiresPermissions("auth:read")
    @GetMapping("/authDetailsModel/{authType}/{direction}")
    @I18n
    public List<XpackSysAuthDetail> authDetailsModel(@PathVariable String authType, @PathVariable String direction) {
@@ -54,6 +58,7 @@ public class XAuthServer {
        return authDetails;
    }
+    @RequiresPermissions("auth:read")
    @PostMapping("/authChange")
    public void authChange(@RequestBody XpackSysAuthRequest request) {
        AuthXpackService sysAuthService = SpringContextUtil.getBean(AuthXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XDeptServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XDeptServer.java
@@ -14,6 +14,7 @@ import io.dataease.plugins.xpack.dept.dto.response.XpackSysDept;
 import io.dataease.plugins.xpack.dept.service.DeptXpackService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;
@@ -66,6 +67,7 @@ public class XDeptServer {
        return nodes;
    }
+    @RequiresPermissions("dept:add")
    @ApiOperation("创建")
    @PostMapping("/create")
    public int create(@RequestBody XpackCreateDept dept){
@@ -73,6 +75,7 @@ public class XDeptServer {
        return deptService.add(dept);
    }
+    @RequiresPermissions("dept:del")
    @ApiOperation("删除")
    @PostMapping("/delete")
    public void delete(@RequestBody List<XpackDeleteDept> requests){
@@ -83,6 +86,7 @@ public class XDeptServer {
        deptService.batchDelete(requests);
    }
+    @RequiresPermissions("dept:edit")
    @ApiOperation("更新")
    @PostMapping("/update")
    public int update(@RequestBody XpackCreateDept dept){
@@ -91,6 +95,7 @@ public class XDeptServer {
    }
+    @RequiresPermissions("dept:del")
    @ApiIgnore
    @ApiOperation("删除")
    @PostMapping("/nodesByDeptId/{deptId}")

--- a/backend/src/main/java/io/dataease/plugins/server/XDisplayServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XDisplayServer.java
@@ -4,6 +4,7 @@ package io.dataease.plugins.server;
 import io.dataease.plugins.config.SpringContextUtil;
 import io.dataease.plugins.xpack.display.dto.response.SysSettingDto;
 import io.dataease.plugins.xpack.display.service.DisplayXpackService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import java.util.List;
@@ -22,6 +23,7 @@ public class XDisplayServer {
        return disPlayXpackService.systemSettings();
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping(value="/save", consumes = {"multipart/form-data"})
    public void saveUIInfo(@RequestPart("request") Map<String,List<SysSettingDto>> systemParameterMap, @RequestPart(value = "files", required = false) List<MultipartFile> bodyFiles) throws Exception {
        DisplayXpackService disPlayXpackService = SpringContextUtil.getBean(DisplayXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XEmailTaskServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XEmailTaskServer.java
@@ -20,6 +20,7 @@ import io.dataease.service.ScheduleService;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
@@ -39,6 +40,7 @@ public class XEmailTaskServer {
    @Resource
    private PriorityThreadPoolExecutor priorityExecutor;
+    @RequiresPermissions("task-email:read")
    @PostMapping("/queryTasks/{goPage}/{pageSize}")
    public Pager<List<XpackTaskGridDTO>> queryTask(@PathVariable int goPage, @PathVariable int pageSize,
            @RequestBody XpackGridRequest request) {
@@ -71,6 +73,7 @@ public class XEmailTaskServer {
        return listPager;
    }
+    @RequiresPermissions("task-email:add")
    @PostMapping("/save")
    public void save(@RequestBody XpackEmailCreate param) throws Exception {
        XpackEmailTaskRequest request = param.fillContent();
@@ -81,6 +84,7 @@ public class XEmailTaskServer {
        scheduleService.addSchedule(globalTask);
    }
+    @RequiresPermissions("task-email:read")
    @PostMapping("/queryForm/{taskId}")
    public XpackEmailCreate queryForm(@PathVariable Long taskId) {
        EmailXpackService emailXpackService = SpringContextUtil.getBean(EmailXpackService.class);
@@ -141,6 +145,7 @@ public class XEmailTaskServer {
    }
+    @RequiresPermissions("task-email:del")
    @PostMapping("/delete/{taskId}")
    public void delete(@PathVariable Long taskId) {
        EmailXpackService emailXpackService = SpringContextUtil.getBean(EmailXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XLdapServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XLdapServer.java
@@ -6,6 +6,7 @@ import io.dataease.plugins.config.SpringContextUtil;
 import io.dataease.plugins.xpack.display.dto.response.SysSettingDto;
 import io.dataease.plugins.xpack.ldap.dto.response.LdapInfo;
 import io.dataease.plugins.xpack.ldap.service.LdapXpackService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
@@ -21,6 +22,7 @@ public class XLdapServer {
        return ldapXpackService.info();
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/save")
    public void save(@RequestBody List<SysSettingDto> settings) {
        LdapXpackService ldapXpackService = SpringContextUtil.getBean(LdapXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XOidcServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XOidcServer.java
@@ -5,6 +5,7 @@ import io.dataease.plugins.config.SpringContextUtil;
 import io.dataease.plugins.xpack.display.dto.response.SysSettingDto;
 import io.dataease.plugins.xpack.oidc.service.OidcXpackService;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import java.util.HashMap;
 import java.util.List;
@@ -21,6 +22,7 @@ public class XOidcServer {
        return oidcXpackService.oidcSettings();
    }
+    @RequiresPermissions("sysparam:read")
    @PostMapping("/save")
    public void save(@RequestBody List<SysSettingDto> settings) {
        OidcXpackService oidcXpackService = SpringContextUtil.getBean(OidcXpackService.class);

--- a/backend/src/main/java/io/dataease/plugins/server/XRoleServer.java
+++ b/backend/src/main/java/io/dataease/plugins/server/XRoleServer.java
@@ -13,6 +13,7 @@ import io.dataease.plugins.xpack.role.dto.response.XpackRoleItemDto;
 import io.dataease.plugins.xpack.role.service.RoleXpackService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;
@@ -26,6 +27,7 @@ public class XRoleServer {
    @Autowired
    private ExtAuthService extAuthService;
+    @RequiresPermissions("role:add")
    @ApiOperation("新增角色")
    @PostMapping("/create")
    public void create(@RequestBody XpackRoleDto role){
@@ -34,6 +36,7 @@ public class XRoleServer {
    }
+    @RequiresPermissions("role:del")
    @ApiOperation("删除角色")
    @PostMapping("/delete/{roleId}")
    public void delete(@PathVariable("roleId") Long roleId){
@@ -43,6 +46,7 @@ public class XRoleServer {
    }
+    @RequiresPermissions("role:edit")
    @ApiOperation("更新角色")
    @PostMapping("/update")
    public void update(@RequestBody XpackRoleDto role){
@@ -50,6 +54,7 @@ public class XRoleServer {
        roleXpackService.update(role);
    }
+    @RequiresPermissions("role:read")
    @ApiOperation("分页查询")
    @PostMapping("/roleGrid/{goPage}/{pageSize}")
    public Pager<List<XpackRoleDto>> roleGrid(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody XpackGridRequest request) {