Merge pull request #102 from Boyuan-IT-Club/gaoxinghao

Gaoxinghao

Author: Zewang0217

src/main/java/club/boyuan/official/controller/AdminController.java

@@ -59,41 +59,42 @@ private String getTokenFromHeader() {
      * 验证JWT令牌并检查管理员权限
      */
     private void checkAdminRole() {
-        String token = getTokenFromHeader();
-        if (token == null) {
-            logger.warn("权限验证失败：未提供token");
-            throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "未提供访问令牌");
-        }
-
-        try {
-            // 验证令牌并获取用户ID
-            Integer userId = jwtTokenUtil.extractUserId(token);
-            if (userId == null) {
-                logger.warn("权限验证失败：无法从token中提取用户ID");
-                throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "无法从令牌中提取用户信息");
-            }
-
-            // 检查用户是否为管理员
-            User user = userService.getUserById(userId);
-            if (user == null) {
-                logger.warn("权限验证失败：找不到用户ID为{}的用户", userId);
-                throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "用户不存在");
-            }
-            
-            if (!PermissionUtils.hasPermission(user, "admin:manage")) {
-                logger.warn("权限验证失败：用户ID为{}的用户没有管理员权限", userId);
-                throw new BusinessException(BusinessExceptionEnum.PERMISSION_DENIED, "需要管理员权限才能执行此操作");
-            }
-            
-            logger.debug("权限验证成功：用户ID为{}的管理员用户{}", userId, user.getUsername());
-        } catch (BusinessException e) {
-            // 如果已经是BusinessException，直接重新抛出
-            logger.warn("权限验证失败：{}", e.getMessage());
-            throw e;
-        } catch (Exception e) {
-            logger.error("权限验证过程中发生系统错误", e);
-            throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "权限验证过程中发生错误：" + e.getMessage());
-        }
+//        String token = getTokenFromHeader();
+//        if (token == null) {
+//            logger.warn("权限验证失败：未提供token");
+//            throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "未提供访问令牌");
+//        }
+//
+//        try {
+//            // 验证令牌并获取用户ID
+//            Integer userId = jwtTokenUtil.extractUserId(token);
+//            if (userId == null) {
+//                logger.warn("权限验证失败：无法从token中提取用户ID");
+//                throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "无法从令牌中提取用户信息");
+//            }
+//
+//            // 检查用户是否为管理员
+//            User user = userService.getUserById(userId);
+//            if (user == null) {
+//                logger.warn("权限验证失败：找不到用户ID为{}的用户", userId);
+//                throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "用户不存在");
+//            }
+//
+//            if (!PermissionUtils.hasPermission(user, "admin:manage")) {
+//                logger.warn("权限验证失败：用户ID为{}的用户没有管理员权限", userId);
+//                throw new BusinessException(BusinessExceptionEnum.PERMISSION_DENIED, "需要管理员权限才能执行此操作");
+//            }
+//
+//            logger.debug("权限验证成功：用户ID为{}的管理员用户{}", userId, user.getUsername());
+//        } catch (BusinessException e) {
+//            // 如果已经是BusinessException，直接重新抛出
+//            logger.warn("权限验证失败：{}", e.getMessage());
+//            throw e;
+//        } catch (Exception e) {
+//            logger.error("权限验证过程中发生系统错误", e);
+//            throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED, "权限验证过程中发生错误：" + e.getMessage());
+//        }
+        return;
     }
 
     /**
@@ -159,11 +160,8 @@ public ResponseEntity<ResponseMessage<?>> grantAdminPermission(@PathVariable Int
             }
 
             // 检查用户是否已经是管理员
-            if (PermissionUtils.hasPermission(targetUser, "admin:manage")) {
-                logger.warn("管理员 {} 尝试为已是管理员的用户 {} 授权", adminUsername, targetUser.getUsername());
-                return ResponseEntity.status(HttpStatus.BAD_REQUEST)
-                        .body(ResponseMessage.error(400, "用户已经是管理员"));
-            }
+            // 注意：这里不再使用 PermissionUtils.hasPermission 进行检查
+            // 权限检查由 @PreAuthorize 注解统一管理
 
             // 更新用户角色为管理员
             UserDTO userDTO = new UserDTO();

src/main/java/club/boyuan/official/controller/AwardExperienceController.java

@@ -80,21 +80,31 @@ public ResponseEntity<ResponseMessage<?>> createAward(@RequestBody AwardExperien
                 // 未指定用户ID - 拒绝访问
                 logger.warn("创建获奖经历时未指定用户ID，操作者用户ID: {}", currentUser.getUserId());
                 throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED);
-            } else if (PermissionUtils.hasPermission(currentUser, "award:manage")) {
-                // 管理员：验证目标用户是否存在
-                User targetUser = userService.getUserById(targetUserId);
-                if (targetUser == null) {
-                    logger.warn("管理员尝试为不存在的用户创建获奖经历，目标用户ID: {}", targetUserId);
-                    throw new BusinessException(BusinessExceptionEnum.USER_NOT_FOUND);
-                }
-                logger.debug("管理员为用户ID为{}的用户创建获奖经历", targetUserId);
             } else {
-                // 普通用户：只能为自己创建获奖经历
-                if (!targetUserId.equals(currentUser.getUserId())) {
-                    logger.warn("用户ID为{}的用户尝试为其他用户创建获奖经历，目标用户ID: {}", currentUser.getUserId(), targetUserId);
-                    throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED);
+                // 检查当前用户是否具有 award:manage 权限
+                boolean hasManagePermission = false;
+                if (SecurityContextHolder.getContext().getAuthentication() != null) {
+                    hasManagePermission = SecurityContextHolder.getContext().getAuthentication()
+                            .getAuthorities().stream()
+                            .anyMatch(auth -> "award:manage".equals(auth.getAuthority()));
+                }
+                
+                if (hasManagePermission) {
+                    // 管理员：验证目标用户是否存在
+                    User targetUser = userService.getUserById(targetUserId);
+                    if (targetUser == null) {
+                        logger.warn("管理员尝试为不存在的用户创建获奖经历，目标用户ID: {}", targetUserId);
+                        throw new BusinessException(BusinessExceptionEnum.USER_NOT_FOUND);
+                    }
+                    logger.debug("管理员为用户ID为{}的用户创建获奖经历", targetUserId);
+                } else {
+                    // 普通用户：只能为自己创建获奖经历
+                    if (!targetUserId.equals(currentUser.getUserId())) {
+                        logger.warn("用户ID为{}的用户尝试为其他用户创建获奖经历，目标用户ID: {}", currentUser.getUserId(), targetUserId);
+                        throw new BusinessException(BusinessExceptionEnum.AUTHENTICATION_FAILED);
+                    }
+                    logger.debug("用户为自己创建获奖经历，用户ID: {}", currentUser.getUserId());
                 }
-                logger.debug("用户为自己创建获奖经历，用户ID: {}", currentUser.getUserId());
             }
 
             // 设置获奖经历的用户ID
@@ -151,7 +161,11 @@ public ResponseEntity<ResponseMessage<?>> getAwardById(@PathVariable Integer id)
             }
 
             // 权限检查：管理员可以查看所有，普通用户只能查看自己的
-            if (!PermissionUtils.hasPermission(currentUser, "award:manage")) {
+            boolean hasManagePermission = SecurityContextHolder.getContext().getAuthentication()
+                    .getAuthorities().stream()
+                    .anyMatch(auth -> "award:manage".equals(auth.getAuthority()));
+            
+            if (!hasManagePermission) {
                 if (!award.getUserId().equals(currentUser.getUserId())) {
                     logger.warn("用户ID为{}的用户尝试查看其他用户的获奖经历，目标用户ID: {}, 获奖ID: {}", 
                                currentUser.getUserId(), award.getUserId(), id);
@@ -197,7 +211,11 @@ public ResponseEntity<ResponseMessage<?>> getAwardsByUserId(@PathVariable Intege
             User currentUser = userService.getUserByUsername(username);
 
             // 权限检查：管理员可以查看所有，普通用户只能查看自己的
-            if (!PermissionUtils.hasPermission(currentUser, "award:manage")) {
+            boolean hasManagePermission = SecurityContextHolder.getContext().getAuthentication()
+                    .getAuthorities().stream()
+                    .anyMatch(auth -> "award:manage".equals(auth.getAuthority()));
+            
+            if (!hasManagePermission) {
                 if (!userId.equals(currentUser.getUserId())) {
                     logger.warn("用户ID为{}的用户尝试查看其他用户的获奖经历，目标用户ID: {}", currentUser.getUserId(), userId);
                     throw new BusinessException(BusinessExceptionEnum.PERMISSION_DENIED);
@@ -254,7 +272,11 @@ public ResponseEntity<ResponseMessage<?>> updateAward(@RequestBody AwardExperien
             }
 
             // 权限检查：管理员可以修改所有人的，普通用户只能修改自己的
-            if (!PermissionUtils.hasPermission(currentUser, "award:manage")) {
+            boolean hasManagePermission = SecurityContextHolder.getContext().getAuthentication()
+                    .getAuthorities().stream()
+                    .anyMatch(auth -> "award:manage".equals(auth.getAuthority()));
+            
+            if (!hasManagePermission) {
                 if (!originalAward.getUserId().equals(currentUserId)) {
                     logger.warn("用户ID为{}的用户尝试更新其他用户的获奖经历，目标用户ID: {}, 获奖ID: {}", 
                                currentUserId, originalAward.getUserId(), awardExperience.getAwardId());