
增强后端权限控制

fushengqian 1 年之前
父节点
当前提交
e75e366ee4
共有 28 个文件被更改,包括 332 次插入11 次删除
  1. 9 0
      fuint-application/pom.xml
  2. 98 0
      fuint-application/src/main/java/com/fuint/common/config/SecurityConfig.java
  3. 3 3
      fuint-application/src/main/java/com/fuint/common/domain/TreeNode.java
  4. 73 0
      fuint-application/src/main/java/com/fuint/common/permission/PermissionService.java
  5. 4 1
      fuint-application/src/main/java/com/fuint/common/service/impl/StoreServiceImpl.java
  6. 29 0
      fuint-application/src/main/java/com/fuint/common/util/AuthUserUtil.java
  7. 1 0
      fuint-application/src/main/java/com/fuint/common/util/TokenUtil.java
  8. 3 1
      fuint-application/src/main/java/com/fuint/common/web/AdminUserInterceptor.java
  9. 7 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendAccountController.java
  10. 6 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendBalanceController.java
  11. 5 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendBannerController.java
  12. 5 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendCateController.java
  13. 6 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendCouponController.java
  14. 3 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendDoConfirmController.java
  15. 7 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendDutyController.java
  16. 10 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendGoodsController.java
  17. 9 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMemberController.java
  18. 2 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMemberGroupController.java
  19. 5 1
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMerchantController.java
  20. 9 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendOrderController.java
  21. 5 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendPointController.java
  22. 5 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendRefundController.java
  23. 6 1
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendSourceController.java
  24. 5 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStaffController.java
  25. 6 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStockController.java
  26. 5 1
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStoreController.java
  27. 6 0
      fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendUserGradeController.java
  28. 0 3
      fuint-repository/src/main/java/com/fuint/repository/model/TSource.java

+ 9 - 0
fuint-application/pom.xml

@@ -32,6 +32,10 @@
             <groupId>org.springframework.ws</groupId>
             <artifactId>spring-ws-core</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.aspectj</groupId>  
             <artifactId>aspectjweaver</artifactId>  
@@ -121,6 +125,11 @@
             <artifactId>aliyun-java-sdk-core</artifactId>
             <version>4.4.6</version>
         </dependency>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>transmittable-thread-local</artifactId>
+            <version>2.2.0</version>
+        </dependency>
         <dependency>
             <groupId>com.github.javen205</groupId>
             <artifactId>IJPay-WxPay</artifactId>
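Review bot: `transmittable-thread-local` is pinned to `2.2.0` in the second hunk, a release that predates this commit by years, while the sibling `spring-boot-starter-security` entry correctly leaves its version to the Boot BOM; pin a current TTL release instead. TTL only carries a value into pooled worker threads when the executor or task is wrapped (`TtlExecutors` / `TtlRunnable`), and nothing in this commit shows such wrapping, so the cross-thread propagation the dependency is presumably added for should be verified rather than assumed. A one-line comment above the dependency stating which async path it is meant to serve would help the next reader.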

+ 98 - 0
fuint-application/src/main/java/com/fuint/common/config/SecurityConfig.java

@@ -0,0 +1,98 @@
+package com.fuint.common.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+
+/**
+ * 安全中心配置
+ *
+ * Created by FSQ
+ * CopyRight https://www.fuint.cn
+ */
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    /**
+     * 解决 无法直接注入 AuthenticationManager
+     *
+     * @return
+     * @throws Exception
+     */
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    /**
+     * anyRequest          |   匹配所有请求路径
+     * access              |   SpringEl表达式结果为true时可以访问
+     * anonymous           |   匿名可以访问
+     * denyAll             |   用户不能访问
+     * fullyAuthenticated  |   用户完全认证可以访问(非remember-me下自动登录)
+     * hasAnyAuthority     |   如果有参数,参数表示权限,则其中任何一个权限可以访问
+     * hasAnyRole          |   如果有参数,参数表示角色,则其中任何一个角色可以访问
+     * hasAuthority        |   如果有参数,参数表示权限,则其权限可以访问
+     * hasIpAddress        |   如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问
+     * hasRole             |   如果有参数,参数表示角色,则其角色可以访问
+     * permitAll           |   用户可以任意访问
+     * rememberMe          |   允许通过remember-me登录的用户访问
+     * authenticated       |   用户登录后可访问
+     */
+    @Override
+    protected void configure(HttpSecurity httpSecurity) throws Exception {
+        httpSecurity
+                // CSRF禁用,因为不使用session
+                .csrf().disable()
+                // 基于token,所以不需要session
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+                // 过滤请求
+                .authorizeRequests()
+                // 允许匿名访问
+                .antMatchers(
+                        "/clientApi/**",
+                        "/backendApi/**"
+                        ).anonymous()
+                .antMatchers(
+                        HttpMethod.GET,
+                        "/",
+                        "/*.html",
+                        "/**/*.html",
+                        "/**/*.css",
+                        "/**/*.js",
+                        "/profile/**"
+                ).permitAll()
+                .antMatchers("/swagger-ui.html").anonymous()
+                .antMatchers("/swagger-resources/**").anonymous()
+                .antMatchers("/webjars/**").anonymous()
+                .antMatchers("/*/api-docs").anonymous()
+                .antMatchers("/druid/**").anonymous()
+                // 除上面外的所有请求全部需要鉴权认证
+                .anyRequest().authenticated()
+                .and()
+                .headers().frameOptions().disable();
+    }
+
+    /**
+     * 强散列哈希加密实现
+     */
+    @Bean
+    public BCryptPasswordEncoder bCryptPasswordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    /**
+     * 身份认证接口
+     */
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) {
+        // empty
+    }
+}
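Review bot: `.headers().frameOptions().disable()` on the last line of `configure(HttpSecurity)` strips `X-Frame-Options` from every response, including the `*.html` pages served through `permitAll()`, which leaves the admin UI framable for clickjacking; `.headers().frameOptions().sameOrigin()` keeps any legitimate same-site framing while closing that. The `/druid/**` and swagger matchers are `anonymous()`, so whether the Druid console remains protected now depends entirely on its own servlet login settings, which this commit does not show. Because `/backendApi/**` is admitted by the filter chain, the `@PreAuthorize` checks added elsewhere in this commit are the only authorization layer, and any controller method left without one stays open to every logged-in account — worth a comment next to that matcher. The class is picked up only because `@EnableGlobalMethodSecurity` is meta-annotated with `@Configuration`; an explicit `@Configuration` would make that intent visible.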

+ 3 - 3
fuint-application/src/main/java/com/fuint/common/domain/TreeNode.java

@@ -28,13 +28,13 @@ public class TreeNode implements Serializable {
     private String ename;
 
     @ApiModelProperty("节点是否打开")
-    private boolean open;
+    private Boolean open;
 
     @ApiModelProperty("是否菜单")
     private int isMenu;
 
     @ApiModelProperty("节点是否选中")
-    private boolean checked;
+    private Boolean checked;
 
     @ApiModelProperty("url")
     private String url;
@@ -46,7 +46,7 @@ public class TreeNode implements Serializable {
     private String perms;
 
     @ApiModelProperty("子菜单")
-    private List<TreeNode> childrens = new ArrayList<TreeNode>();
+    private List<TreeNode> childrens = new ArrayList<>();
 
     @ApiModelProperty("菜单级别")
     private int level;
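Review bot: Changing `open` and `checked` from `boolean` to `Boolean` makes both fields nullable, so any caller that unboxes them (an `if (node.getOpen())` or a primitive-typed setter) can now throw a `NullPointerException` where it previously read `false`. If the purpose is to distinguish "not set" from `false` in the serialized tree, a comment such as `// nullable: left out of the tree JSON when never set` would record that; otherwise initialise both to `Boolean.FALSE`.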

+ 73 - 0
fuint-application/src/main/java/com/fuint/common/permission/PermissionService.java

@@ -0,0 +1,73 @@
+package com.fuint.common.permission;
+
+import com.fuint.common.dto.AccountInfo;
+import com.fuint.common.service.SourceService;
+import com.fuint.common.util.AuthUserUtil;
+import com.fuint.framework.exception.BusinessCheckException;
+import com.fuint.repository.model.TSource;
+import com.fuint.utils.StringUtil;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.Resource;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * 权限控制业务接口
+ *
+ * Created by FSQ
+ * CopyRight https://www.fuint.cn
+ */
+@Service("pms")
+public class PermissionService {
+
+    /**
+     * 所有权限标识
+     */
+    private static final String ALL_PERMISSION = "*:*:*";
+
+    /**
+     * 后台菜单接口
+     * */
+    @Resource
+    SourceService sourceService;
+
+    /**
+     * 验证用户是否具备某权限
+     *
+     * @param  permission 权限字符串
+     * @return 用户是否具备某权限
+     */
+    public boolean hasPermission(String permission) throws BusinessCheckException {
+        if (StringUtil.isEmpty(permission)) {
+            return false;
+        }
+
+        AccountInfo accountInfo = AuthUserUtil.get();
+        if (accountInfo == null) {
+            return false;
+        }
+
+        Set<String> allPermission = new HashSet<>();
+        List<TSource> sources = sourceService.getMenuListByUserId(accountInfo.getMerchantId(), accountInfo.getId());
+        if (sources != null && sources.size() > 0) {
+            for (TSource tSource : sources) {
+                allPermission.add(tSource.getPath().replaceAll("/", ":"));
+            }
+        }
+
+        return hasPermissions(allPermission, permission);
+    }
+
+    /**
+     * 判断是否包含权限
+     *
+     * @param permissions 权限列表
+     * @param permission  权限字符串
+     * @return boolean
+     */
+    private boolean hasPermissions(Set<String> permissions, String permission) {
+        return permissions.contains(ALL_PERMISSION) || permissions.contains(StringUtil.trim(permission));
+    }
+}
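Review bot: `hasPermission` calls `tSource.getPath().replaceAll("/", ":")` without a null check, so one menu row with a missing path turns every permission check on that account into a `NullPointerException` (a 500) instead of a denial. The same line maps a stored path with a leading slash to `:system:account:index`, which never matches the `system:account:index` strings used in the controllers; whether paths are stored with a leading slash is not visible here, so the mapping should normalise it explicitly rather than rely on the data. The menu list is re-read from `sourceService` on every `@PreAuthorize` evaluation, one query per guarded request, which may deserve a per-request cache. The method also declares the checked `BusinessCheckException`; thrown from inside a SpEL expression it will be wrapped and surface as a server error rather than an access-denied response unless an exception handler maps it.
```java
// … unchanged: empty-permission guard and AuthUserUtil.get() lookup …
if (sources != null && sources.size() > 0) {
    for (TSource tSource : sources) {
        String path = tSource.getPath();
        // A menu row without a path grants nothing; skip it instead of failing the whole check
        if (StringUtil.isEmpty(path)) {
            continue;
        }
        // Normalise "/a/b/c" and "a/b/c" to the same "a:b:c" key the controllers use
        String perm = path.startsWith("/") ? path.substring(1) : path;
        allPermission.add(perm.replace("/", ":"));
    }
}
// … unchanged: hasPermissions(allPermission, permission) …
```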

+ 4 - 1
fuint-application/src/main/java/com/fuint/common/service/impl/StoreServiceImpl.java

@@ -121,12 +121,15 @@ public class StoreServiceImpl extends ServiceImpl<MtStoreMapper, MtStore> implem
     @Override
     @Transactional(rollbackFor = Exception.class)
     @OperationServiceLog(description = "保存店铺信息")
-    public MtStore saveStore(StoreDto storeDto) {
+    public MtStore saveStore(StoreDto storeDto) throws BusinessCheckException {
         MtStore mtStore = new MtStore();
 
         // 编辑店铺
         if (storeDto.getId() != null) {
             mtStore = queryStoreById(storeDto.getId());
+            if (mtStore == null) {
+                throw new BusinessCheckException("该店铺不存在");
+            }
         }
 
         mtStore.setName(storeDto.getName());
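Review bot: The added null check on the edit path is right, but nothing in this hunk ties the loaded `MtStore` to the caller's merchant; `storeDto.getId()` comes from the request, so unless `BackendStoreController` verifies ownership against `accountInfo.getMerchantId()` before calling `saveStore`, any account holding the store-edit permission can overwrite another merchant's store (the multi-tenant keying by merchant id is visible in `PermissionService`). Assuming `MtStore` carries a merchant id, a guard such as `if (storeDto.getMerchantId() != null && !storeDto.getMerchantId().equals(mtStore.getMerchantId())) throw new BusinessCheckException("该店铺不存在");` belongs here or in the controller. The remainder of `saveStore` lies outside the hunk.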

+ 29 - 0
fuint-application/src/main/java/com/fuint/common/util/AuthUserUtil.java

@@ -0,0 +1,29 @@
+package com.fuint.common.util;
+
+import com.alibaba.ttl.TransmittableThreadLocal;
+import com.fuint.common.dto.AccountInfo;
+
+/**
+ * 用户认证工具
+ *
+ * Created by FSQ
+ * CopyRight https://www.fuint.cn
+ */
+public class AuthUserUtil {
+
+    private static final ThreadLocal<AccountInfo> USER_INFO_IN_TOKEN_HOLDER = new TransmittableThreadLocal<>();
+
+    public static AccountInfo get() {
+        return USER_INFO_IN_TOKEN_HOLDER.get();
+    }
+
+    public static void set(AccountInfo userInfoInTokenBo) {
+        USER_INFO_IN_TOKEN_HOLDER.set(userInfoInTokenBo);
+    }
+
+    public static void clean() {
+      if (USER_INFO_IN_TOKEN_HOLDER.get() != null) {
+            USER_INFO_IN_TOKEN_HOLDER.remove();
+      }
+    }
+}
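Review bot: `clean()` guards `remove()` behind a `get() != null` test, but `ThreadLocal.remove()` is already a no-op when nothing is set, so the guard only adds a lookup; `public static void clean() { USER_INFO_IN_TOKEN_HOLDER.remove(); }` is equivalent. The holder is typed as plain `ThreadLocal` even though the transmittable behaviour is the reason for the new dependency; declaring it `TransmittableThreadLocal<AccountInfo>` makes that explicit. The class has an implicit public constructor; `final class` plus `private AuthUserUtil() {}` marks it as a static utility. Where the per-thread identity is cleared at the end of a request is not handled here and deserves a comment on `set` so the lifecycle is documented in one place.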

+ 1 - 0
fuint-application/src/main/java/com/fuint/common/util/TokenUtil.java

@@ -100,6 +100,7 @@ public class TokenUtil {
      * */
     public static boolean removeToken(String token) {
         RedisUtil.remove(token);
+        AuthUserUtil.clean();
         return true;
     }
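Review bot: `AuthUserUtil.clean()` added to `removeToken` clears the identity of the *calling* thread, which is only correct when the token being removed belongs to the current request; if `removeToken` is ever invoked to revoke another user's token (an admin action, for instance), it wipes the admin's own context part-way through the request while the revoked user's thread-local is untouched. The per-thread identity is tied to the request lifecycle rather than to the token, so its clean-up belongs in the interceptor's `afterCompletion`, and this line would then be redundant. The method also returns `true` regardless of what `RedisUtil.remove` reported, a pre-existing pattern worth a comment.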
 

+ 3 - 1
fuint-application/src/main/java/com/fuint/common/web/AdminUserInterceptor.java

@@ -2,6 +2,7 @@ package com.fuint.common.web;
 
 import com.fuint.common.Constants;
 import com.fuint.common.dto.AccountInfo;
+import com.fuint.common.util.AuthUserUtil;
 import com.fuint.common.util.TokenUtil;
 import com.fuint.utils.PropertiesUtil;
 import org.apache.commons.lang.StringUtils;
@@ -31,7 +32,8 @@ public class AdminUserInterceptor implements AsyncHandlerInterceptor {
 
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(accessToken);
         // 验证session中的Token
-        if (accountInfo != null && accountInfo.getToken().equals(accessToken)){
+        if (accountInfo != null && accountInfo.getToken().equals(accessToken)) {
+            AuthUserUtil.set(accountInfo);
             return true;
         }
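Review bot: `AuthUserUtil.set(accountInfo)` in `preHandle` has no matching clean-up on the request path; the only `clean()` call this commit adds is in `TokenUtil.removeToken`, i.e. logout. Servlet threads are pooled, so after an authenticated request the thread keeps that `AccountInfo` until another authenticated request overwrites it, and any code reached on that thread without passing through this interceptor (the `/clientApi/**` routes, if they share the pool) that consults `AuthUserUtil.get()` would see a stale admin identity. The class already implements `AsyncHandlerInterceptor`, so an `afterCompletion` override that unconditionally calls `AuthUserUtil.clean()` closes the gap. `preHandle` continues past the end of the hunk.
```java
// … unchanged: preHandle …

@Override
public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                            Object handler, Exception ex) {
    // Always drop the per-thread identity so a pooled thread cannot carry it into the next request
    AuthUserUtil.clean();
}
```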
 

+ 7 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendAccountController.java

@@ -24,6 +24,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -75,6 +76,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "账户信息列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -205,6 +207,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "新增账户")
     @RequestMapping(value = "/doCreate", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:add')")
     public ResponseObject doCreate(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         AccountInfo loginAccount = TokenUtil.getAccountInfoByToken(token);
@@ -264,6 +267,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "修改账户信息")
     @RequestMapping(value = "/update", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:edit')")
     public ResponseObject update(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
 
@@ -334,6 +338,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "删除账户信息")
     @RequestMapping(value = "/delete/{userIds}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:delete')")
     public ResponseObject deleteAccount(HttpServletRequest request, @PathVariable("userIds") String userIds) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -372,6 +377,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "更新账户状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:edit')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer userId = param.get("userId") == null ? 0 : Integer.parseInt(param.get("userId").toString());
@@ -401,6 +407,7 @@ public class BackendAccountController extends BaseController {
     @ApiOperation(value = "修改账户密码")
     @RequestMapping(value = "/resetPwd", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:account:edit')")
     public ResponseObject resetPwd(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         Integer userId = param.get("userId") == null ? 0 : Integer.parseInt(param.get("userId").toString());
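Review bot: `deleteAccount` is mapped to `GET /delete/{userIds}`, so a state-changing operation is reachable by a plain link that prefetchers, link scanners and access logs treat as safe and idempotent, with the target ids recorded in URL logs; switch it to `method = RequestMethod.POST` (or `DELETE`) while the permission annotations are being added. Each handler still resolves the caller through `TokenUtil.getAccountInfoByToken(request.getHeader("Access-Token"))` although the interceptor now publishes the same object via `AuthUserUtil.get()`; using one source of identity keeps the `@PreAuthorize` check and the business logic in agreement. Methods of this controller that fall between the hunks keep whatever access control they had before, and since the filter chain now admits all of `/backendApi/**`, each one should be confirmed to carry an annotation.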

+ 6 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendBalanceController.java

@@ -24,6 +24,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.math.BigDecimal;
@@ -67,6 +68,7 @@ public class BackendBalanceController extends BaseController {
     @ApiOperation(value = "余额明细列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('balance:list')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -122,6 +124,7 @@ public class BackendBalanceController extends BaseController {
     @ApiOperation(value = "提交充值")
     @RequestMapping(value = "/doRecharge", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('balance:modify')")
     public ResponseObject doRecharge(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String amount = param.get("amount") == null ? "0" : param.get("amount").toString();
@@ -174,6 +177,7 @@ public class BackendBalanceController extends BaseController {
     @ApiOperation(value = "发放余额")
     @RequestMapping(value = "/distribute", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('balance:distribute')")
     public ResponseObject distribute(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String amount = param.get("amount") == null ? "0" : param.get("amount").toString();
@@ -199,6 +203,7 @@ public class BackendBalanceController extends BaseController {
     @ApiOperation(value = "充值设置详情")
     @RequestMapping(value = "/setting", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('balance:setting')")
     public ResponseObject setting(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -250,6 +255,7 @@ public class BackendBalanceController extends BaseController {
     @ApiOperation(value = "保存充值设置")
     @RequestMapping(value = "/saveSetting", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('balance:setting')")
     public ResponseObject saveSettingHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = param.get("status") == null ? StatusEnum.ENABLED.getKey() : param.get("status").toString();
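Review bot: `doRecharge` and `distribute` both move money and read `amount` as a raw string from the request body (`param.get("amount")`), but the hunks show no parsing or bounds check before that string leaves the controller; whether a `BigDecimal` validation (positive, bounded scale, upper limit) happens further down is not visible here and is worth confirming for each, with a comment at the annotation naming where it lives. The two operations are gated on distinct permissions (`balance:modify`, `balance:distribute`), which is the right granularity. Both handler bodies continue outside the hunk.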

+ 5 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendBannerController.java

@@ -19,6 +19,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
@@ -63,6 +64,7 @@ public class BackendBannerController extends BaseController {
     @ApiOperation(value = "焦点图列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('content:banner:list')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -130,6 +132,7 @@ public class BackendBannerController extends BaseController {
     @ApiOperation(value = "更新焦点图状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('content:banner:edit')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
@@ -165,6 +168,7 @@ public class BackendBannerController extends BaseController {
     @ApiOperation(value = "保存焦点图")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('content:banner:add')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String id = params.get("id") == null ? "" : params.get("id").toString();
@@ -210,6 +214,7 @@ public class BackendBannerController extends BaseController {
     @ApiOperation(value = "获取焦点图详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('content:banner:list')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
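Review bot: `saveHandler` serves both create and update (it reads an optional `id` from the body) but is gated only on `content:banner:add`, so an account granted only `content:banner:edit` can flip a banner's status via `updateStatus` yet cannot edit it, while an add-only account can rewrite any existing banner. Since the annotation cannot see the body, the cleaner fix is to keep a coarse gate on the annotation and deny inside the handler, e.g. `String required = StringUtil.isEmpty(id) ? "content:banner:add" : "content:banner:edit";` followed by a check through the `pms` bean before any write. `saveHandler`'s body continues outside the hunk.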

+ 5 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendCateController.java

@@ -22,6 +22,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -74,6 +75,7 @@ public class BackendCateController extends BaseController {
     @ApiOperation(value = "获取商品分类列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:cate:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -142,6 +144,7 @@ public class BackendCateController extends BaseController {
     @ApiOperation(value = "更新商品分类状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:cate:index')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
@@ -181,6 +184,7 @@ public class BackendCateController extends BaseController {
      */
     @ApiOperation(value = "保存商品分类")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
+    @PreAuthorize("@pms.hasPermission('goods:cate:index')")
     public ResponseObject save(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String id = params.get("id") == null ? "" : params.get("id").toString();
@@ -231,6 +235,7 @@ public class BackendCateController extends BaseController {
     @ApiOperation(value = "商品分类详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:cate:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
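Review bot: All four handlers, including the mutating `updateStatus` and `save`, are gated on the same read permission `goods:cate:index`, so any account that can list categories can also create, rename or disable them; the sibling controllers in this commit separate `:add`/`:edit`/`:delete` from `:index`/`:list`, and this one should follow (`goods:cate:add` for `save`, `goods:cate:edit` for `updateStatus`, assuming matching menu entries exist, since permissions are derived from menu paths). `save` is also the only handler here without `@CrossOrigin`; if that is intentional a comment would help, otherwise it will fail CORS preflight from the admin front-end where its siblings succeed.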

+ 6 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendCouponController.java

@@ -20,6 +20,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -94,6 +95,7 @@ public class BackendCouponController extends BaseController {
     @ApiOperation(value = "查询卡券列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:coupon:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -250,6 +252,7 @@ public class BackendCouponController extends BaseController {
     @ApiOperation(value = "删除卡券")
     @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:coupon:index')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Long id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -275,6 +278,7 @@ public class BackendCouponController extends BaseController {
     @ApiOperation(value = "保存卡券")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:coupon:add')")
     public ResponseObject saveCouponHandler(HttpServletRequest request, @RequestBody ReqCouponDto reqCouponDto) throws BusinessCheckException,ParseException {
         String token = request.getHeader("Access-Token");
 
@@ -318,6 +322,7 @@ public class BackendCouponController extends BaseController {
     @ApiOperation(value = "卡券详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:coupon:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -417,6 +422,7 @@ public class BackendCouponController extends BaseController {
     @ApiOperation(value = "发放卡券")
     @RequestMapping(value = "/sendCoupon", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:coupon:index')")
     public ResponseObject sendCoupon(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String mobile = request.getParameter("mobile");
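Review bot: `delete/{id}` and `sendCoupon` are guarded by the read permission `coupon:coupon:index`, the same string as `list` and `info`, so viewing coupons implies deleting them and issuing them to a member by mobile number; the commit already introduces `coupon:coupon:add` for `save`, so a `coupon:coupon:delete` and a dedicated send permission would follow the pattern used in `BackendAccountController`. Both are also `GET` endpoints that change state and should move to `POST`. The `sendCoupon` body continues outside the hunk.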

+ 3 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendDoConfirmController.java

@@ -23,6 +23,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -80,6 +81,7 @@ public class BackendDoConfirmController extends BaseController {
     @ApiOperation(value = "核销详情")
     @RequestMapping(value = "/info", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:confirm:index')")
     public ResponseObject info(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String userCouponId = param.get("id") == null ? "" : param.get("id").toString();
@@ -159,6 +161,7 @@ public class BackendDoConfirmController extends BaseController {
     @ApiOperation(value = "确认核销")
     @RequestMapping(value = "/doConfirm", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('coupon:confirm:index')")
     public ResponseObject doConfirm(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         String userCouponId = param.get("userCouponId") == null ? "" : param.get("userCouponId").toString();

+ 7 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendDutyController.java

@@ -24,6 +24,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.PageRequest;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -58,6 +59,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "获取角色列表")
     @RequestMapping(value = "/list")
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:index')")
     public ResponseObject list(HttpServletRequest request) {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -120,6 +122,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "新增角色")
     @RequestMapping(value = "/add", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:add')")
     public ResponseObject addHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         List<Integer> menuIds = (List) param.get("menuIds");
@@ -165,6 +168,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "获取角色详情")
     @RequestMapping(value = "/info/{roleId}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("roleId") Long roleId) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -201,6 +205,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "修改角色")
     @RequestMapping(value = "/update", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:edit')")
     public ResponseObject updateHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         List<Integer> menuIds = (List) param.get("menuIds");
@@ -252,6 +257,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "删除角色信息")
     @RequestMapping(value = "/delete/{roleId}", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:delete')")
     public ResponseObject deleteRole(HttpServletRequest request, @PathVariable("roleId") Long roleId) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -275,6 +281,7 @@ public class BackendDutyController extends BaseController {
     @ApiOperation(value = "修改角色状态")
     @RequestMapping(value = "/changeStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('system:role:edit')")
     public ResponseObject changeStatus(HttpServletRequest request, @RequestBody DutyStatusRequest dutyStatusRequest) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);

+ 10 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendGoodsController.java

@@ -23,6 +23,7 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -88,6 +89,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "分页查询商品列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -175,6 +177,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "删除商品")
     @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:edit')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
 
@@ -195,6 +198,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "更新商品状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:edit')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
@@ -231,6 +235,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "获取商品详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer goodsId) throws BusinessCheckException, InvocationTargetException, IllegalAccessException {
         String token = request.getHeader("Access-Token");
 
@@ -354,6 +359,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "保存商品信息")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:add')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -575,6 +581,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "保存商品规格")
     @RequestMapping(value = "/saveSpecName", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:add')")
     public ResponseObject saveSpecName(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         String goodsId = param.get("goodsId") == null ? "0" : param.get("goodsId").toString();
@@ -628,6 +635,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "保存商品规格值")
     @RequestMapping(value = "/saveSpecValue", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:add')")
     public ResponseObject saveSpecValue(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         String specName = param.get("specName") == null ? "" : param.get("specName").toString();
@@ -715,6 +723,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "删除商品规格")
     @RequestMapping(value = "/deleteSpec", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:add')")
     public ResponseObject deleteSpec(HttpServletRequest request) {
         String specName = request.getParameter("specName") == null ? "" : request.getParameter("specName");
         String goodsId = request.getParameter("goodsId") == null ? "0" : request.getParameter("goodsId");
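Review bot: `goods:goods:add` now gates deletion of a spec here and of a spec value in the next hunk, and `delete` earlier in this file is gated by `goods:goods:edit`, so the ability to add or edit goods implies the ability to delete them and their specs; if the catalogue defines a `goods:goods:delete` key, use it for the three delete endpoints. Both spec endpoints are mapped to GET and the visible lines read only `specName`/`goodsId` (or `id`) from the query string with no token or account lookup, so the new annotation is the only gate. Confirm that the service scopes `goodsId` to the caller's merchant/store before deleting, otherwise any account with the permission can remove specs from any merchant's goods; the handler body continues outside the hunk.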
@@ -745,6 +754,7 @@ public class BackendGoodsController extends BaseController {
     @ApiOperation(value = "删除商品规格值")
     @RequestMapping(value = "/deleteSpecValue", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('goods:goods:add')")
     public ResponseObject deleteSpecValue(HttpServletRequest request) {
         Integer specId = request.getParameter("id") == null ? 0 : Integer.parseInt(request.getParameter("id"));
 

+ 9 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMemberController.java

@@ -23,6 +23,7 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.text.ParseException;
@@ -78,6 +79,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "查询会员列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String mobile = request.getParameter("mobile");
@@ -191,6 +193,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "更新会员状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:index')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer userId = param.get("userId") == null ? 0 : Integer.parseInt(param.get("userId").toString());
@@ -221,6 +224,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "删除会员")
     @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:index')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
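Review bot: `member:index`, the key used for listing members, now also gates `delete` here and `updateStatus` in the previous hunk, so a read-only member-list role can delete or disable members. Use a distinct action key such as `member:delete` (or whatever the menu catalogue defines) and keep `member:index` for `list`/`info`. The delete is mapped to GET; because the token travels in a custom header the CSRF exposure is limited, but a destructive GET is still cached, prefetched and logged by URL, so `method = RequestMethod.POST` would be safer. The body of `delete` continues outside the hunk.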
@@ -243,6 +247,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "保存会员信息")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:add')")
     public ResponseObject save(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException, ParseException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -315,6 +320,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "获取会员详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -362,6 +368,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "获取会员设置")
     @RequestMapping(value = "/setting", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:setting')")
     public ResponseObject setting(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -402,6 +409,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "保存设置")
     @RequestMapping(value = "/saveSetting", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:setting')")
     public ResponseObject saveSetting(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String getCouponNeedPhone = param.get("getCouponNeedPhone") != null ? param.get("getCouponNeedPhone").toString() : "false";
@@ -450,6 +458,7 @@ public class BackendMemberController extends BaseController {
     @ApiOperation(value = "获取会员分组")
     @RequestMapping(value = "/groupList", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:group:index')")
     public ResponseObject groupList(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);

+ 2 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMemberGroupController.java

@@ -19,6 +19,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -56,6 +57,7 @@ public class BackendMemberGroupController extends BaseController {
     @ApiOperation(value = "查询会员分组列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('member:group:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? 1 : Integer.parseInt(request.getParameter("page"));

+ 5 - 1
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendMerchantController.java

@@ -3,7 +3,6 @@ package com.fuint.module.backendApi.controller;
 import com.fuint.common.Constants;
 import com.fuint.common.dto.AccountInfo;
 import com.fuint.common.dto.ParamDto;
-import com.fuint.common.enums.CouponTypeEnum;
 import com.fuint.common.enums.MerchantTypeEnum;
 import com.fuint.common.enums.StatusEnum;
 import com.fuint.common.service.MerchantService;
@@ -20,6 +19,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -59,6 +59,7 @@ public class BackendMerchantController extends BaseController {
     @ApiOperation(value = "分页查询商户列表")
     @RequestMapping(value = "/list")
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('merchant:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -149,6 +150,7 @@ public class BackendMerchantController extends BaseController {
     @ApiOperation(value = "更新商户状态")
     @RequestMapping(value = "/updateStatus")
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('merchant:index')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
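Review bot: `merchant:index` gates this status change and `saveHandler` in the next hunk as well as the listing, so the read permission for merchants equals full write on tenant-level records; prefer distinct keys (e.g. `merchant:edit` / `merchant:add`) if the catalogue has them. `@RequestMapping(value = "/updateStatus")` declares no `method`, so the mapping accepts every HTTP verb even though it carries a `@RequestBody`; restricting it with `method = RequestMethod.POST` like the sibling endpoints removes the ambiguity. The body of `updateStatus` continues outside the hunk.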
@@ -177,6 +179,7 @@ public class BackendMerchantController extends BaseController {
     @ApiOperation(value = "保存商户信息")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('merchant:index')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -247,6 +250,7 @@ public class BackendMerchantController extends BaseController {
     @ApiOperation(value = "获取商户详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('merchant:index')")
     public ResponseObject getMerchantInfo(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);

+ 9 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendOrderController.java

@@ -17,6 +17,7 @@ import com.fuint.utils.TimeUtils;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -83,6 +84,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "订单列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:index')")
     public ResponseObject list(HttpServletRequest request, @RequestBody OrderListParam orderListParam) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -184,6 +186,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "获取订单详情")
     @RequestMapping(value = "/info/{orderId}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:detail')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("orderId") Integer orderId) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -231,6 +234,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "确认发货")
     @RequestMapping(value = "/delivered", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:delivery')")
     public ResponseObject delivered(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer orderId = param.get("orderId") == null ? 0 : Integer.parseInt(param.get("orderId").toString());
@@ -287,6 +291,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "修改订单")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:edit')")
     public ResponseObject save(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer orderId = param.get("orderId") == null ? 0 : Integer.parseInt(param.get("orderId").toString());
@@ -336,6 +341,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "验证并核销订单")
     @RequestMapping(value = "/verify", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('cashier:confirmOrder')")
     public ResponseObject verify(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer orderId = param.get("orderId") == null ? 0 : Integer.parseInt(param.get("orderId").toString());
@@ -409,6 +415,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "删除订单")
     @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:delete')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -431,6 +438,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "订单设置详情")
     @RequestMapping(value = "/setting", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:setting')")
     public ResponseObject setting(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -466,6 +474,7 @@ public class BackendOrderController extends BaseController {
     @ApiOperation(value = "保存订单设置")
     @RequestMapping(value = "/saveSetting", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('order:setting')")
     public ResponseObject saveSetting(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String deliveryFee = param.get("deliveryFee") != null ? param.get("deliveryFee").toString() : "0";

+ 5 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendPointController.java

@@ -23,6 +23,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -69,6 +70,7 @@ public class BackendPointController extends BaseController {
     @ApiOperation(value = "积分明细列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('point:list')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -130,6 +132,7 @@ public class BackendPointController extends BaseController {
     @ApiOperation(value = "积分设置详情")
     @RequestMapping(value = "/setting", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('point:setting')")
     public ResponseObject setting(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -176,6 +179,7 @@ public class BackendPointController extends BaseController {
     @ApiOperation(value = "提交积分设置")
     @RequestMapping(value = "/saveSetting", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('point:setting')")
     public ResponseObject saveSettingHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String pointNeedConsume = param.get("pointNeedConsume") != null ? param.get("pointNeedConsume").toString() : "1";
@@ -233,6 +237,7 @@ public class BackendPointController extends BaseController {
     @ApiOperation(value = "提交积分充值")
     @RequestMapping(value = "/doRecharge", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('point:modify')")
     public ResponseObject doRecharge(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String amount = param.get("amount") == null ? "0" : param.get("amount").toString();

+ 5 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendRefundController.java

@@ -21,6 +21,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
@@ -72,6 +73,7 @@ public class BackendRefundController extends BaseController {
     @ApiOperation(value = "退款列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('refund:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String orderSn = request.getParameter("orderSn");
@@ -171,6 +173,7 @@ public class BackendRefundController extends BaseController {
     @ApiOperation(value = "查询退款详情")
     @RequestMapping(value = "/info/{refundId}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('refund:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("refundId") Integer refundId) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -198,6 +201,7 @@ public class BackendRefundController extends BaseController {
     @ApiOperation(value = "保存售后订单")
     @RequestMapping(value = "save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('refund:edit')")
     public ResponseObject save(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer refundId = param.get("refundId") == null ? 0 : Integer.parseInt(param.get("refundId").toString());
@@ -233,6 +237,7 @@ public class BackendRefundController extends BaseController {
     @ApiOperation(value = "发起退款")
     @RequestMapping(value = "doRefund", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('refund:edit')")
     public ResponseObject doRefund(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         Integer orderId = param.get("orderId") == null ? 0 : Integer.parseInt(param.get("orderId").toString());
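Review bot: `refund:edit` now gates both editing the after-sale record (`save`, previous hunk) and actually issuing the refund here, so any role that can triage refunds can also move money. Issuing a refund generally deserves its own key so the two duties can be separated; if the catalogue allows it, use something like `@PreAuthorize("@pms.hasPermission('refund:doRefund')")` and keep `refund:edit` for `save`. `orderId` is parsed straight from the body, so the service must still verify the order belongs to the caller's merchant/store; that check, if any, is outside the hunk.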

+ 6 - 1
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendSourceController.java

@@ -16,6 +16,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -49,6 +50,7 @@ public class BackendSourceController extends BaseController {
      */
     @ApiOperation(value = "获取菜单列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
+    @PreAuthorize("@pms.hasPermission('system:menu:index')")
     public ResponseObject list(HttpServletRequest request) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
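Review bot: The menu-detail endpoint (`获取菜单详情`, the next method in this file) does not receive a `@PreAuthorize` in this diff — the following hunk only changes javadoc spacing — so menu details stay readable by any authenticated backend account while list/add/update/delete are now gated. Add `@PreAuthorize("@pms.hasPermission('system:menu:index')")` there to match `list`. Unlike the other controllers touched by this commit, this class carries no `@CrossOrigin`; presumably cross-origin access is handled elsewhere for it, which is worth confirming rather than assuming. The body of `list` continues outside the hunk.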
@@ -63,7 +65,7 @@ public class BackendSourceController extends BaseController {
     /**
      * 获取菜单详情
      *
-     * @param sourceId 菜单ID
+     * @param  sourceId 菜单ID
      * @return 菜单信息
      */
     @ApiOperation(value = "获取菜单详情")
@@ -99,6 +101,7 @@ public class BackendSourceController extends BaseController {
      */
     @ApiOperation(value = "新增菜单")
     @RequestMapping(value = "/add", method = RequestMethod.POST)
+    @PreAuthorize("@pms.hasPermission('system:menu:add')")
     public ResponseObject addSource(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -155,6 +158,7 @@ public class BackendSourceController extends BaseController {
      */
     @ApiOperation(value = "修改菜单")
     @RequestMapping(value = "/update", method = RequestMethod.POST)
+    @PreAuthorize("@pms.hasPermission('system:menu:edit')")
     public ResponseObject update(HttpServletRequest request, @RequestBody Map<String, Object> param) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -218,6 +222,7 @@ public class BackendSourceController extends BaseController {
      */
     @ApiOperation(value = "删除菜单")
     @RequestMapping(value = "/delete/{sourceId}", method = RequestMethod.GET)
+    @PreAuthorize("@pms.hasPermission('system:menu:delete')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("sourceId") Long sourceId) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);

+ 5 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStaffController.java

@@ -19,6 +19,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
@@ -53,6 +54,7 @@ public class BackendStaffController extends BaseController {
     @ApiOperation(value = "获取员工列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('staff:list')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -122,6 +124,7 @@ public class BackendStaffController extends BaseController {
     @ApiOperation(value = "更新员工状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('staff:list')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
@@ -145,6 +148,7 @@ public class BackendStaffController extends BaseController {
     @ApiOperation(value = "保存员工信息")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('staff:list')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String id = params.get("id") == null ? "0" : params.get("id").toString();
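Review bot: All four staff endpoints in this file — `saveHandler` here, `updateStatus` above, `list` and `getStaffInfo` — are gated by the single listing key `staff:list`, so the read permission equals full write. Split into `staff:add` / `staff:edit` (whatever keys the menu catalogue defines) for the two mutating handlers and keep `staff:list` for the read-only ones. Since `id` decides create-vs-update, the service must also confirm the target staff record belongs to the caller's merchant; that check is outside the hunk.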
@@ -199,6 +203,7 @@ public class BackendStaffController extends BaseController {
     @ApiOperation(value = "查询员工详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('staff:list')")
     public ResponseObject getStaffInfo(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
 

+ 6 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStockController.java

@@ -19,6 +19,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -76,6 +77,7 @@ public class BackendStockController extends BaseController {
     @ApiOperation(value = "获取库存管理记录列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('stock:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -148,6 +150,7 @@ public class BackendStockController extends BaseController {
     @ApiOperation(value = "删除库存管理记录状态")
     @RequestMapping(value = "/delete", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('stock:index')")
     public ResponseObject delete(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer id = params.get("id") == null ? 0 : Integer.parseInt(params.get("id").toString());
@@ -176,6 +179,8 @@ public class BackendStockController extends BaseController {
      */
     @ApiOperation(value = "保存库存管理记录")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
+    @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('stock:index')")
     public ResponseObject save(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String type = params.get("type") == null ? "" : CommonUtil.replaceXSS(params.get("type").toString());
@@ -215,6 +220,7 @@ public class BackendStockController extends BaseController {
     @ApiOperation(value = "获取库存管理记录详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('stock:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
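Review bot: The state-changing handlers `delete` and `save` in this controller are gated with the same `stock:index` key as the read-only `list` and `info`, so the new annotations add no separation between viewing and modifying stock records — any account allowed to open the stock page can also delete or rewrite entries. BackendStoreController in the same commit does distinguish `store:list` from `store:add`, so the permission model evidently supports a write-level key; if the menu table defines one for stock, put it on the two write methods, e.g. `@PreAuthorize("@pms.hasPermission('<stock write permission key>')")`. The same pattern appears in BackendUserGradeController, where `updateStatus` and `delete` are guarded by `userGrade:index` while only `save` uses `userGrade:add`. The handler bodies continue outside the hunks.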

+ 5 - 1
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStoreController.java

@@ -8,7 +8,6 @@ import com.fuint.common.enums.YesOrNoEnum;
 import com.fuint.common.service.MerchantService;
 import com.fuint.common.service.SettingService;
 import com.fuint.common.service.StoreService;
-import com.fuint.common.service.WeixinService;
 import com.fuint.common.util.CommonUtil;
 import com.fuint.common.util.TokenUtil;
 import com.fuint.framework.exception.BusinessCheckException;
@@ -22,6 +21,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.util.HashMap;
@@ -66,6 +66,7 @@ public class BackendStoreController extends BaseController {
     @ApiOperation(value = "获取店铺列表")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('store:list')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         Integer page = request.getParameter("page") == null ? Constants.PAGE_NUMBER : Integer.parseInt(request.getParameter("page"));
@@ -167,6 +168,7 @@ public class BackendStoreController extends BaseController {
     @ApiOperation(value = "更新店铺状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('store:add')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String status = params.get("status") != null ? params.get("status").toString() : StatusEnum.ENABLED.getKey();
@@ -192,6 +194,7 @@ public class BackendStoreController extends BaseController {
     @ApiOperation(value = "保存店铺")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('store:add')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> params) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -290,6 +293,7 @@ public class BackendStoreController extends BaseController {
     @ApiOperation(value = "获取店铺详情")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('store:list')")
     public ResponseObject getStoreInfo(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
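Review bot: Each annotated handler still resolves its own principal from the `Access-Token` header via `TokenUtil.getAccountInfoByToken` after `@pms.hasPermission` has already decided on whatever principal the security context holds, so the check and the body now identify the caller through two separate paths; this is only safe if the context is populated from that same header (the interceptor and `AuthUserUtil` changes in this commit presumably do that, but it is not visible here). A class-level comment would make the invariant explicit, e.g. `// @PreAuthorize checks and the in-body AccountInfo lookup must resolve the same Access-Token; keep the interceptor and TokenUtil in sync.` Also note that `updateStatus` is guarded by `store:add` although it modifies an existing store; if `add` is meant as the generic write key, a short comment on the method saying so would avoid that being read as a copy-paste slip. The handler bodies continue outside the hunks.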

+ 6 - 0
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendUserGradeController.java

@@ -18,6 +18,7 @@ import com.fuint.utils.StringUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import java.math.BigDecimal;
@@ -52,6 +53,7 @@ public class BackendUserGradeController extends BaseController {
     @ApiOperation(value = "会员等级列表查询")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('userGrade:index')")
     public ResponseObject list(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         String name = request.getParameter("name");
@@ -123,6 +125,7 @@ public class BackendUserGradeController extends BaseController {
     @ApiOperation(value = "更新会员等级状态")
     @RequestMapping(value = "/updateStatus", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('userGrade:index')")
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -152,6 +155,7 @@ public class BackendUserGradeController extends BaseController {
     @ApiOperation(value = "删除会员等级")
     @RequestMapping(value = "/delete/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('userGrade:index')")
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -174,6 +178,7 @@ public class BackendUserGradeController extends BaseController {
     @ApiOperation(value = "保存会员等级")
     @RequestMapping(value = "/save", method = RequestMethod.POST)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('userGrade:add')")
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
@@ -255,6 +260,7 @@ public class BackendUserGradeController extends BaseController {
     @ApiOperation(value = "获取会员等级信息")
     @RequestMapping(value = "/info/{id}", method = RequestMethod.GET)
     @CrossOrigin
+    @PreAuthorize("@pms.hasPermission('userGrade:index')")
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);

+ 0 - 3
fuint-repository/src/main/java/com/fuint/repository/model/TSource.java

@@ -10,9 +10,7 @@ import lombok.Getter;
 import lombok.Setter;
 
 /**
- * <p>
  * 菜单表
- * </p>
  *
  * Created by FSQ
  * CopyRight https://www.fuint.cn
@@ -70,5 +68,4 @@ public class TSource implements Serializable {
     @ApiModelProperty("菜单图标")
     private String icon;
 
-
 }