fix: 列权限校验

backend/src/main/java/io/dataease/controller/dataset/DataSetTableFieldController.java

@@ -61,6 +61,19 @@ public class DataSetTableFieldController {
         return fields;
     }
 
+    @ApiOperation("查询表下属字段")
+    @PostMapping("listWithPermission/{tableId}")
+    public List<DatasetTableField> listWithPermission(@PathVariable String tableId) {
+        DatasetTableField datasetTableField = DatasetTableField.builder().build();
+        datasetTableField.setTableId(tableId);
+        List<DatasetTableField> fields = dataSetTableFieldsService.list(datasetTableField);
+        List<String> desensitizationList = new ArrayList<>();
+        fields = permissionService.filterColumnPermissons(fields, desensitizationList, tableId, null);
+        fields = fields.stream().filter(item -> !desensitizationList.contains(item.getDataeaseName())).collect(Collectors.toList());
+        return fields;
+    }
+
+    //管理权限，可以列出所有字段
     @ApiOperation("查询表下属字段")
     @PostMapping("listForPermissionSeting/{tableId}")
     public List<DatasetTableField> listForPermissionSeting(@PathVariable String tableId) {
@@ -70,6 +83,7 @@ public class DataSetTableFieldController {
         return fields;
     }
 
+    //管理权限，可以列出所有字段
     @ApiOperation("分组查询表下属字段")
     @PostMapping("listByDQ/{tableId}")
     public DatasetTableField4Type listByDQ(@PathVariable String tableId) {
@@ -77,10 +91,8 @@ public class DataSetTableFieldController {
         datasetTableField.setTableId(tableId);
         datasetTableField.setGroupType("d");
         List<DatasetTableField> dimensionList = dataSetTableFieldsService.list(datasetTableField);
-        dimensionList = permissionService.filterColumnPermissons(dimensionList, new ArrayList<>(), tableId, null);
         datasetTableField.setGroupType("q");
         List<DatasetTableField> quotaList = dataSetTableFieldsService.list(datasetTableField);
-        quotaList = permissionService.filterColumnPermissons(quotaList, new ArrayList<>(), tableId, null);
 
         DatasetTableField4Type datasetTableField4Type = new DatasetTableField4Type();
         datasetTableField4Type.setDimensionList(dimensionList);
@@ -134,7 +146,30 @@ public class DataSetTableFieldController {
     public List<Object> multFieldValues(@RequestBody MultFieldValuesRequest multFieldValuesRequest) throws Exception {
         List<Object> results = new ArrayList<>();
         for (String fieldId : multFieldValuesRequest.getFieldIds()) {
-            List<Object> fieldValues = dataSetFieldService.fieldValues(fieldId, multFieldValuesRequest.getUserId());
+            List<Object> fieldValues = dataSetFieldService.fieldValues(fieldId, multFieldValuesRequest.getUserId(), true);
+            if (CollectionUtil.isNotEmpty(fieldValues)) {
+                results.addAll(fieldValues);
+            }
+
+        }
+        ArrayList<Object> list = results.stream().collect(
+                Collectors.collectingAndThen(
+                        Collectors.toCollection(
+                                () -> new TreeSet<>(Comparator.comparing(t -> {
+                                    if (ObjectUtils.isEmpty(t))
+                                        return "";
+                                    return t.toString();
+                                }))),
+                        ArrayList::new));
+        return list;
+    }
+
+    @ApiOperation("多字段值枚举")
+    @PostMapping("multFieldValuesForPermissions")
+    public List<Object> multFieldValuesForPermissions(@RequestBody MultFieldValuesRequest multFieldValuesRequest) throws Exception {
+        List<Object> results = new ArrayList<>();
+        for (String fieldId : multFieldValuesRequest.getFieldIds()) {
+            List<Object> fieldValues = dataSetFieldService.fieldValues(fieldId, multFieldValuesRequest.getUserId(), false);
             if (CollectionUtil.isNotEmpty(fieldValues)) {
                 results.addAll(fieldValues);
             }

backend/src/main/java/io/dataease/service/chart/ChartViewService.java

@@ -305,6 +305,10 @@ public class ChartViewService {
                         filterRequest.setFieldId(fId);
 
                         DatasetTableField datasetTableField = dataSetTableFieldsService.get(fId);
+                        if(datasetTableField == null){
+                            continue;
+                        }
+                        if(!desensitizationList.contains(datasetTableField.getDataeaseName()) && dataeaseNames.contains(datasetTableField.getDataeaseName())){
                             filterRequest.setDatasetTableField(datasetTableField);
                             if (StringUtils.equalsIgnoreCase(datasetTableField.getTableId(), view.getTableId())) {
                                 if (CollectionUtils.isNotEmpty(filterRequest.getViewIds())) {
@@ -319,11 +323,13 @@ public class ChartViewService {
                     }
                 }
             }
+        }
 
         //联动过滤条件联动条件全部加上
         if (ObjectUtils.isNotEmpty(requestList.getLinkageFilters())) {
             for (ChartExtFilterRequest request : requestList.getLinkageFilters()) {
                 DatasetTableField datasetTableField = dataSetTableFieldsService.get(request.getFieldId());
+                if(!desensitizationList.contains(datasetTableField.getDataeaseName()) && dataeaseNames.contains(datasetTableField.getDataeaseName())){
                     request.setDatasetTableField(datasetTableField);
                     if (StringUtils.equalsIgnoreCase(datasetTableField.getTableId(), view.getTableId())) {
                         if (CollectionUtils.isNotEmpty(request.getViewIds())) {
@@ -336,6 +342,7 @@ public class ChartViewService {
                     }
                 }
             }
+        }
 
         // 下钻
         List<ChartExtFilterRequest> drillFilters = new ArrayList<>();

backend/src/main/java/io/dataease/service/dataset/DataSetFieldService.java

@@ -5,5 +5,5 @@ import java.util.List;
 
 public interface DataSetFieldService {
 
-    List<Object> fieldValues(String fieldId, Long userId) throws Exception;
+    List<Object> fieldValues(String fieldId, Long userId, Boolean userPermissions) throws Exception;
 }

backend/src/main/java/io/dataease/service/dataset/impl/direct/DirectFieldService.java

@@ -42,7 +42,7 @@ public class DirectFieldService implements DataSetFieldService {
     private PermissionService permissionService;
 
     @Override
-    public List<Object> fieldValues(String fieldId, Long userId) throws Exception {
+    public List<Object> fieldValues(String fieldId, Long userId, Boolean userPermissions) throws Exception {
         DatasetTableField field = dataSetTableFieldsService.selectByPrimaryKey(fieldId);
         if (field == null || StringUtils.isEmpty(field.getTableId())) return null;
 
@@ -52,22 +52,23 @@ public class DirectFieldService implements DataSetFieldService {
         DatasetTableField datasetTableField = DatasetTableField.builder().tableId(field.getTableId()).checked(Boolean.TRUE).build();
         List<DatasetTableField> fields = dataSetTableFieldsService.list(datasetTableField);
 
+        List<ChartFieldCustomFilterDTO> customFilter = new ArrayList<>();
+        if(userPermissions){
             //列权限
             List<String> desensitizationList = new ArrayList<>();
             fields = permissionService.filterColumnPermissons(fields, desensitizationList, datasetTable.getId(), userId);
-
             //禁用的
             if(!fields.stream().map(DatasetTableField::getId).collect(Collectors.toList()).contains(fieldId)){
                 return new ArrayList<>();
             }
-
             if (CollectionUtils.isNotEmpty(desensitizationList) && desensitizationList.contains(field.getDataeaseName())) {
                 List<Object> results = new ArrayList<>();
                 results.add(ColumnPermissionConstants.Desensitization_desc);
                 return results;
             }
             //行权限
-        List<ChartFieldCustomFilterDTO> customFilter = permissionService.getCustomFilters(fields, datasetTable, userId);
+            customFilter = permissionService.getCustomFilters(fields, datasetTable, userId);
+        }
 
         DatasourceRequest datasourceRequest = new DatasourceRequest();
         DatasourceProvider datasourceProvider = null;

frontend/src/api/dataset/dataset.js

@@ -103,6 +103,14 @@ export function fieldList(id, showLoading = true) {
   })
 }
 
+export function fieldListWithPermission(id, showLoading = true) {
+  return request({
+    url: '/dataset/field/listWithPermission/' + id,
+    loading: showLoading,
+    method: 'post'
+  })
+}
+
 export function fieldListDQ(id, showLoading = true) {
   return request({
     url: '/dataset/field/listByDQ/' + id,

frontend/src/views/panel/filter/filterDialog.vue

@@ -184,7 +184,7 @@ import {
 } from 'vuex'
 import {
   groupTree,
-  fieldList,
+  fieldListWithPermission,
   post
 } from '@/api/dataset/dataset'
 import {
@@ -489,7 +489,7 @@ export default {
     },
 
     loadField(tableId) {
-      fieldList(tableId).then(res => {
+      fieldListWithPermission(tableId).then(res => {
         let datas = res.data
         if (this.widget && this.widget.filterFieldMethod) {
           datas = this.widget.filterFieldMethod(datas)
@@ -498,7 +498,7 @@ export default {
       })
     },
     comLoadField(tableId) {
-      fieldList(tableId).then(res => {
+      fieldListWithPermission(tableId).then(res => {
         let datas = res.data
         if (this.widget && this.widget.filterFieldMethod) {
           datas = this.widget.filterFieldMethod(datas)