Merge remote-tracking branch 'origin/dev_govorg' into dev

6 years ago · 93a33f371c
32 changed files with 494 additions and 223 deletions
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/annotation/DataFilter.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/annotation/DataFilter.java
@ -25,4 +25,19 @@ public @interface DataFilter {
     */
    String[] tableAliases() default "";

+    /**
+     * 网格ID参数名
+     * 如果权限管理中配置开启了"网格内"权限过滤，那此处必须指定，并且在方法列表中使用该方法名传参，供过滤器使用
+     *  例如： @DataFilter(gridIdArgName="gridId")
+     *        public void test(String a, String b, String gridId) {...}
+     * @return
+     */
+    String gridIdArgName() default "";
+
+    /**
+     * 部门ID参数名
+     * @return
+     */
+    String deptIdArgName() default "";
+
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
@ -19,6 +19,7 @@ import com.epmet.commons.tools.exception.EpmetErrorCode;
 import com.epmet.commons.tools.exception.RenException;
 import com.epmet.commons.tools.security.user.LoginUserUtil;
 import com.epmet.commons.tools.utils.Result;
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.annotation.Aspect;
@ -52,6 +53,9 @@ public class DataFilterAspect {

    public static final ThreadLocal<String> sqlFilter = new ThreadLocal();

+    //public static final ThreadLocal<String> gridIdTL = new ThreadLocal();
+    //public static final ThreadLocal<String> deptIdTL = new ThreadLocal();
+
    @Autowired
    private LoginUserUtil loginUserUtil;

@ -69,10 +73,30 @@ public class DataFilterAspect {
        //清空
        sqlFilter.set(null);

-        // 通过反射，取到注解属性
-        DataFilter dataFilterAnno = ((MethodSignature) point.getSignature()).getMethod().getAnnotation(DataFilter.class);
-        String[] tableAliases = dataFilterAnno.tableAliases();
-        String tableAlias = tableAliases[0];
+        // 取到注解属性
+        MethodSignature methodSignature = (MethodSignature) point.getSignature();
+        DataFilter dataFilterAnno = methodSignature.getMethod().getAnnotation(DataFilter.class);
+        String tableAlias = dataFilterAnno.tableAliases()[0];
+        String gridIdArgName = dataFilterAnno.gridIdArgName();
+        String deptIdArgName = dataFilterAnno.deptIdArgName();
+
+        String[] parameterNames = methodSignature.getParameterNames();
+
+        // 取出注解参数中指定的gridId和deptId的入参的值
+        String gridId = null;
+        String deptId = null;
+        if (StringUtils.isNotBlank(gridIdArgName)) {
+            int gridIdArgIndex = ArrayUtils.indexOf(parameterNames, gridIdArgName);
+            if (gridIdArgIndex >-1){
+                gridId = (String) point.getArgs()[gridIdArgIndex];
+            }
+        }
+        if (StringUtils.isNotBlank(deptIdArgName)) {
+            int deptArgIndex = ArrayUtils.indexOf(parameterNames, deptIdArgName);
+            if (deptArgIndex > -1) {
+                deptId = (String) point.getArgs()[deptArgIndex];
+            }
+        }

        // 从ThreadLocal中取所需权限
        String requirePermission = AccessOpeAspect.requirePermissionTl.get();
@ -114,7 +138,7 @@ public class DataFilterAspect {

        // 生成过滤sql
        String sqlFilterSegment = getSqlFilterSegment(userId, userDetail.getRoleIdList(), requirePermission,
-                userDetail.getOrgIdPath(), userDetail.getDeptIdList(), tableAlias, userDetail.getDeptIdList());
+                userDetail.getOrgIdPath(), userDetail.getGridIdList(), tableAlias, userDetail.getDeptIdList(), gridId, deptId);

        // 方式1.填充到Service方法列表中的DataScope对象中。如果dao入参是用DTO的话，那么再加一个DataScope入参，sql中会报错提示#{}参数找不到，因此改用方法2
        //Object[] methodArgs = point.getArgs();
@ -135,13 +159,13 @@ public class DataFilterAspect {
        Set<String> permissions = new HashSet<>();
        roleIdList.forEach(role -> {
            // 找出该角色的所有功能操作列表
-            Result<Set<RoleOpeScopeResultDTO>> result = govAccessFeignClient.listRoleAllOperationScopesByRoleId(role);
+            Result<List<RoleOpeScopeResultDTO>> result = govAccessFeignClient.listRoleAllOperationScopesByRoleId(role);
            if (!result.success()) {
                // 获取operation异常
                log.error("调用GovAccess，根据RoleId查询Operation列表失败:{}", result.getMsg());
                throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
            }
-            Set<RoleOpeScopeResultDTO> roleOperations = result.getData();
+            List<RoleOpeScopeResultDTO> roleOperations = result.getData();
            permissions.addAll(roleOperations.stream().map(ope -> ope.getOperationKey()).collect(Collectors.toSet()));
        });
        return permissions;
@ -164,31 +188,42 @@ public class DataFilterAspect {
     * @return
     */
    private String getSqlFilterSegment(String userId, Set<String> roleIds, String reqiurePermission, String orgIdPath,
-                                       Set<String> gridIdList, String tableAlias, Set<String> deptIds) {
+                                       Set<String> gridIdList, String tableAlias, Set<String> deptIds, String gridId, String deptId) {

        StringBuilder sb = new StringBuilder();

        Map<String, String> accessSettings = listRoleAccessSettings(roleIds);

        // 1.生成sql:组织范围过滤
-        genOrgScopeSql(sb, orgIdPath, roleIds, reqiurePermission, tableAlias);
+        if (!genOrgScopeSql(sb, orgIdPath, roleIds, reqiurePermission, tableAlias)) {
+            // 返回false，说明已经开启了all所有范围，后续条件不在拼接入sql，结束执行
+            return sb.toString();
+        }

        // 2.生成sql:我发起的
        String iCreated = accessSettings.get(AccessSettingConstant.I_CREATED_KEY);
-        if (StringUtils.isNotBlank(iCreated) && AccessSettingConstant.I_CREATED_YES.equals(iCreated)) {
+        if (StringUtils.isNotBlank(iCreated) && AccessSettingConstant.I_CREATED_ON.equals(iCreated)) {
            genICreatedSql(sb, userId, tableAlias);
        }

        // 3.生成sql:本网格的
        String inGrid = accessSettings.get(AccessSettingConstant.IN_GRID_KEY);
-        if (StringUtils.isNotBlank(inGrid) && AccessSettingConstant.IN_GRID_YES.equals(inGrid)) {
-            genInGrid(sb, gridIdList, tableAlias);
+        if (StringUtils.isNotBlank(inGrid) && AccessSettingConstant.IN_GRID_ON.equals(inGrid)) {
+            if (StringUtils.isBlank(gridId)) {
+                log.error("DataFilter:拼接SQL语句出错:需要in grid权限，但是代码中没有获取到:{}", gridId);
+                throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
+            }
+            genInGrid(sb, gridId, tableAlias);
        }

        // 4.生成sql:根据部门列表
        String inDept = accessSettings.get(AccessSettingConstant.IN_DEPARTMENT_KEY);
-        if (StringUtils.isNotBlank(inDept) && AccessSettingConstant.IN_DEPARTMENT_YES.equals(inDept)) {
-            genDepartmentFilterSql(sb, deptIds);
+        if (StringUtils.isNotBlank(inDept) && AccessSettingConstant.IN_DEPARTMENT_ON.equals(inDept)) {
+            if (StringUtils.isBlank(deptId)) {
+                log.error("DataFilter:拼接SQL语句出错:需要in department权限，但是代码中没有获取到:{}", deptId);
+                throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
+            }
+            genDepartmentFilterSql(sb, deptId, tableAlias);
        }

        return sb.toString();
@ -196,6 +231,7 @@ public class DataFilterAspect {

    /**
     * 列出角色对应的权限设置项
+     *
     * @param roleIds
     * @return
     */
@ -216,51 +252,81 @@ public class DataFilterAspect {
        }
        return new HashMap<>();
    }
+
    /**
     * 生成部门过滤sql
     *
     * @param sb
     */
-    private void genDepartmentFilterSql(StringBuilder sb, Set<String> deptIdList) {
+    private void genDepartmentFilterSql(StringBuilder sb, String deptId, String tableAlias) {
        //Result<List<DepartmentListResultDTO>> deptListResult = govOrgFeignClient.getDepartmentListByStaffId(staffId);
-        if (CollectionUtils.isEmpty(deptIdList)) {
-            return;
+        if (hasConditions.get()) {
+            // 之前没有条件
+            sb.append(" OR ");
+        }
+        if (StringUtils.isBlank(tableAlias)) {
+            sb.append(" DEPARTMENT_ID = '").append(deptId).append("' ");
+        } else {
+            sb.append(" ").append(tableAlias).append(".DEPARTMENT_ID ='").append(deptId).append("' ");
        }
-        deptIdList.forEach(deptId -> {
-            sb.append(hasConditions.get() ? " OR " : "").append(" DEPARTMENT_ID = '").append(deptId).append("' ");
-        });
        hasConditions.set(true);
    }

+    //private void genDepartmentFilterSql(StringBuilder sb, Set<String> deptIdList) {
+    //    //Result<List<DepartmentListResultDTO>> deptListResult = govOrgFeignClient.getDepartmentListByStaffId(staffId);
+    //    if (CollectionUtils.isEmpty(deptIdList)) {
+    //        return;
+    //    }
+    //    deptIdList.forEach(deptId -> {
+    //        sb.append(hasConditions.get() ? " OR " : "").append(" DEPARTMENT_ID = '").append(deptId).append("' ");
+    //    });
+    //    hasConditions.set(true);
+    //}
+
    /**
     * 网格sql
     *
     * @param sb
     * @param tableAlias
     */
-    private void genInGrid(StringBuilder sb, Set<String> gridIdList, String tableAlias) {
-        //if (StringUtils.isBlank(tableAlias)) {
-        //    sb.append(hasConditions.get() ? " OR " : "").append(" GRID_ID ='").append(gridId).append("' ");
-        //} else {
-        //    sb.append(hasConditions.get() ? " OR " : "").append(tableAlias).append(".GRID_ID ='").append(gridId).append("' ");
-        //}
-
+    private void genInGrid(StringBuilder sb, String gridId, String tableAlias) {
        if (hasConditions.get()) {
            // 之前没有条件
            sb.append(" OR ");
        }
+
        // OR     GRID_ID = 'XXX' OR GRID_ID = 'QQQ'
-        for (String gridId : gridIdList) {
-            if (StringUtils.isBlank(tableAlias)) {
-                sb.append(" GRID_ID = '").append(gridId).append("' OR");
-            } else {
-                sb.append(" ").append(tableAlias).append(".GRID_ID ='").append(gridId).append("' OR ");
-            }
+        if (StringUtils.isBlank(tableAlias)) {
+            sb.append(" GRID_ID = '").append(gridId).append("' ");
+        } else {
+            sb.append(" ").append(tableAlias).append(".GRID_ID ='").append(gridId).append("' ");
        }
-        sb.replace(sb.lastIndexOf("OR"), sb.lastIndexOf("OR") + 3, "");
        hasConditions.set(true);
    }

+    //private void genInGrid(StringBuilder sb, Set<String> gridIdList, String tableAlias) {
+    //    //if (StringUtils.isBlank(tableAlias)) {
+    //    //    sb.append(hasConditions.get() ? " OR " : "").append(" GRID_ID ='").append(gridId).append("' ");
+    //    //} else {
+    //    //    sb.append(hasConditions.get() ? " OR " : "").append(tableAlias).append(".GRID_ID ='").append(gridId).append("' ");
+    //    //}
+    //
+    //    if (hasConditions.get()) {
+    //        // 之前没有条件
+    //        sb.append(" OR ");
+    //    }
+    //    // OR     GRID_ID = 'XXX' OR GRID_ID = 'QQQ'
+    //    for (String gridId : gridIdList) {
+    //        if (StringUtils.isBlank(tableAlias)) {
+    //            sb.append(" GRID_ID = '").append(gridId).append("' OR");
+    //        } else {
+    //            sb.append(" ").append(tableAlias).append(".GRID_ID ='").append(gridId).append("' OR ");
+    //        }
+    //    }
+    //    sb.replace(sb.lastIndexOf("OR"), sb.lastIndexOf("OR") + 3, "");
+    //    hasConditions.set(true);
+    //}
+
    /**
     * sql：我发起的
     *
@ -277,41 +343,43 @@ public class DataFilterAspect {

    /**
     * 计算组织范围过滤sql，整体入口
-     *
     * @param sb
     * @param orgIdPath
+     * @param roleIds
+     * @param reqiurePermission
+     * @param tableAlias
+     * @return Boolean 是否继续往下执行。true:继续执行，false:不继续执行
     */
-    public void genOrgScopeSql(StringBuilder sb, String orgIdPath, Set<String> roleIds, String reqiurePermission, String tableAlias) {
+    public boolean genOrgScopeSql(StringBuilder sb, String orgIdPath, Set<String> roleIds, String reqiurePermission, String tableAlias) {

        // 根据角色列表查询操作范围列表
        Set<RoleOpeScopeResultDTO> opeAndScopes = new HashSet<>();
-        //roleIds.forEach(roleId -> {
-        //    OperationScopeFormDTO osformDto = new OperationScopeFormDTO();
-        //    osformDto.setRoleId(roleId);
-        //    osformDto.setOperationKey(reqiurePermission);
-        //    Result<Set<OperationScopeDTO>> result = govAccessFeignClient.getOperationScopesByRoleId(osformDto);
-        //    if (result.success()) {
-        //        scopeDTOS.addAll(result.getData());
-        //    }
-        //});

        roleIds.forEach(roleId -> {
-            Result<Set<RoleOpeScopeResultDTO>> opeResult = govAccessFeignClient.listRoleAllOperationScopesByRoleId(roleId);
+            Result<List<RoleOpeScopeResultDTO>> opeResult = govAccessFeignClient.listRoleAllOperationScopesByRoleId(roleId);
            if (!opeResult.success()) {
                log.error("DataFilter：根据角色查询角色所有的操作列表出错:{}", opeResult.getMsg());
            } else {
-                Set<RoleOpeScopeResultDTO> opes = opeResult.getData();
+                List<RoleOpeScopeResultDTO> opes = opeResult.getData();
                if (!CollectionUtils.isEmpty(opes)) {
-                    opeAndScopes.addAll(opes);
+                    opes.forEach(ope -> {
+                        if (reqiurePermission.equals(ope.getOperationKey())) {
+                            // 拿到当前操作对应的 RoleOpeScopeResultDTO
+                            opeAndScopes.add(ope);
+                        }
+                    });
                }
            }
        });

-        // 过滤范围
+        // 过滤出最大的范围
        HashSet<String> scopes = filteScopes(opeAndScopes);
        if (CollectionUtils.isEmpty(scopes)) {
            // 没有范围限制
-            return;
+            return true;
+        }
+        if (scopes.contains(OpeScopeConstant.ORG_ALL)) {
+            return false;
        }

        // 取出父组织ID path 和当前组织ID
@ -320,11 +388,12 @@ public class DataFilterAspect {
        genOrgScopeSql(sb, scopes, currOrgPath, pOrgPath, tableAlias);
        sb.replace(sb.lastIndexOf("OR"), sb.lastIndexOf("OR") + 3, "");
        hasConditions.set(true);
+        return true;
    }

    /**
     * 计算组织范围过滤sql
-     *
+     * PS:这个方法需要优化，当前阶段因为逻辑不稳定，暂时不做过度封装
     * @param scopes
     * @param currOrg
     * @param pOrgPath
@ -342,16 +411,32 @@ public class DataFilterAspect {
                    break;
                case OpeScopeConstant.ORG_CURR_AND_SUB:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append("%' ").append(" OR ");
+                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append("%' OR ");
                    } else {
-                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append("%' ").append(" OR ");
+                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append("%' OR ");
                    }
                    break;
                case OpeScopeConstant.ORG_CURR_SUB:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' ").append(" OR ");
+                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' OR ");
+                    } else {
+                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' OR ");
+                    }
+                    break;
+                 //当前单位的父级单位
+                case OpeScopeConstant.ORG_CURR_SUP:
+                    if (StringUtils.isBlank(tableAlias)) {
+                        sb.append(" '").append(pOrgPath).append("' like CONCAT(").append("ORG_ID_PATH,'%') OR ");
                    } else {
-                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' ").append(" OR ");
+                        sb.append(" '").append(pOrgPath).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,'%') OR ");
+                    }
+                    break;
+                //    当前单位及其父级单位
+                case OpeScopeConstant.ORG_CURR_AND_SUP:
+                    if (StringUtils.isBlank(tableAlias)) {
+                        sb.append(" '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("' like CONCAT(").append("ORG_ID_PATH,'%') OR ");
+                    } else {
+                        sb.append(" '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,'%' ) OR ");
                    }
                    break;
                case OpeScopeConstant.ORG_EQUAL:
@ -366,6 +451,14 @@ public class DataFilterAspect {
                    // todo 同级的子级
                    //sb.append(" OR ");
                    break;
+                case OpeScopeConstant.ORG_EQUAL_AND_SUP:
+                    // todo 同级及其上级
+                    //sb.append(" OR ");
+                    break;
+                case OpeScopeConstant.ORG_EQUAL_SUP:
+                    // todo 同级的上级
+                    //sb.append(" OR ");
+                    break;
            }
        }
    }
@ -378,12 +471,16 @@ public class DataFilterAspect {
     */
    private HashSet<String> filteScopes(Set<RoleOpeScopeResultDTO> scopeDTOS) {
        HashMap<String, RoleOpeScopeResultDTO> filtedScopes = new HashMap<>();
-
        for (RoleOpeScopeResultDTO scope : scopeDTOS) {
            String scopeIndex = scope.getScopeIndex();
            if (StringUtils.isBlank(scopeIndex)) {
                continue;
            }
+            if (OpeScopeConstant.ORG_ALL.equals(scope.getScopeKey())) {
+                // 该操作具有all的权限，直接放入
+                filtedScopes.put(scopeIndex, scope);
+                break;
+            }
            String[] currArr = scopeIndex.split("_");
            if ("0".equals(currArr[1])) {
                // 为0，说明没有包含关系，直接放入
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/constant/AccessSettingConstant.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/constant/AccessSettingConstant.java
@ -2,14 +2,14 @@ package com.epmet.commons.mybatis.constant;

 public class AccessSettingConstant {
    public static final String I_CREATED_KEY = "I_CREATED";
-    public static final String I_CREATED_YES = "YES";
+    public static final String I_CREATED_ON = "ON";

    public static final String I_PART_KEY = "I_PART";
-    public static final String I_PART_YES = "YES";
+    public static final String I_PART_ON = "ON";

    public static final String IN_GRID_KEY = "IN_GRID";
-    public static final String IN_GRID_YES = "YES";
+    public static final String IN_GRID_ON = "ON";

    public static final String IN_DEPARTMENT_KEY = "IN_DEPARTMENT";
-    public static final String IN_DEPARTMENT_YES = "YES";
+    public static final String IN_DEPARTMENT_ON = "ON";
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/RoleAccessSettingResultDTO.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/RoleAccessSettingResultDTO.java
@ -1,13 +0,0 @@
-package com.epmet.commons.mybatis.dto.form;
-
-import lombok.Data;
-
-@Data
-public class RoleAccessSettingResultDTO {
-
-    private String settingKey;
-    private String id;
-    private String settingName;
-    private String roleId;
-
-}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
@ -41,7 +41,7 @@ public interface GovAccessFeignClient {
     * @param roleId
     * @return
     */
-    @PostMapping("/gov/access/access/role/{roleId}/accesssettings")
+    @PostMapping("/gov/access/access/accesssettings/{roleId}")
    Result<Map<String, String>> listAccessSettings(@PathVariable("roleId") String roleId);

    /**
@ -49,5 +49,5 @@ public interface GovAccessFeignClient {
     * @return
     */
    @PostMapping("/gov/access/access/roleallopesandscopes/{roleId}")
-    Result<Set<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId);
+    Result<List<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId);
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
@ -8,6 +8,7 @@ import com.epmet.commons.tools.utils.Result;
 import org.springframework.stereotype.Component;
 import org.springframework.web.bind.annotation.PathVariable;

+import java.util.List;
 import java.util.Map;
 import java.util.Set;

@ -36,7 +37,7 @@ public class GovAccessFeignClientFallback implements GovAccessFeignClient {
    }

    @Override
-    public Result<Set<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId){
+    public Result<List<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId){
        return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "listRoleAllOperationScopesByRoleId", roleId);
    }
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptor.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptor.java
@ -8,11 +8,9 @@

 package com.epmet.commons.mybatis.interceptor;

-import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.toolkit.PluginUtils;
 import com.baomidou.mybatisplus.extension.handlers.AbstractSqlParserHandler;
 import com.epmet.commons.mybatis.aspect.DataFilterAspect;
-import com.epmet.commons.mybatis.entity.DataScope;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.ibatis.executor.statement.StatementHandler;
 import org.apache.ibatis.mapping.BoundSql;
@ -23,7 +21,6 @@ import org.apache.ibatis.reflection.MetaObject;
 import org.apache.ibatis.reflection.SystemMetaObject;

 import java.sql.Connection;
-import java.util.Map;
 import java.util.Properties;

 /**
@ -43,16 +40,17 @@ public class DataFilterInterceptor extends AbstractSqlParserHandler implements I
        // SQL解析
        this.sqlParser(metaObject);

-        // 先判断是不是SELECT操作
-        //MappedStatement mappedStatement = (MappedStatement) metaObject.getValue("delegate.mappedStatement");
-        //if (!SqlCommandType.SELECT.equals(mappedStatement.getSqlCommandType())) {
-        //    return invocation.proceed();
-        //}
+        // 先判断是不是INSERT操作,insert不过滤
+        MappedStatement mappedStatement = (MappedStatement) metaObject.getValue("delegate.mappedStatement");
+        if (SqlCommandType.INSERT.equals(mappedStatement.getSqlCommandType())) {
+            return invocation.proceed();
+        }

        // 针对定义了rowBounds，做为mapper接口方法的参数
        BoundSql boundSql = (BoundSql) metaObject.getValue("delegate.boundSql");
        String originalSql = boundSql.getSql();
-        Object paramObj = boundSql.getParameterObject();
+
+        //Object paramObj = boundSql.getParameterObject();

        // 方式1.判断参数里是否有DataScope对象
        /*DataScope scope = null;
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/constant/OpeScopeConstant.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/constant/OpeScopeConstant.java
@ -1,5 +1,8 @@
 package com.epmet.commons.tools.constant;

+/**
+ * 操作范围常量
+ */
 public class OpeScopeConstant {

    // 权限覆盖所有范围
@ -9,6 +12,10 @@ public class OpeScopeConstant {
    public static final String ORG_EQUAL_SUB = "org_equal_sub";
    //"同级组织及下级"
    public static final String ORG_EQUAL_AND_SUB = "org_equal_and_sub";
+    // 同级组织的上级
+    public static final String ORG_EQUAL_SUP = "org_equal_sup";
+    // 同级组织及上级
+    public static final String ORG_EQUAL_AND_SUP = "org_equal_and_sup";
    //"同级组织"
    public static final String ORG_EQUAL = "org_equal";

--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessSettingFormDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessSettingFormDTO.java
@ -0,0 +1,8 @@
+package com.epmet.dto.form;
+
+import lombok.Data;
+
+@Data
+public class AccessSettingFormDTO {
+    private String roleId;
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessSettingResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessSettingResultDTO.java
@ -0,0 +1,58 @@
+/**
+ * Copyright 2018 人人开源 https://www.renren.io
+ * <p>
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package com.epmet.dto.result;
+
+import lombok.Data;
+
+/**
+ * 权限配置
+ *
+ * @author generator generator@elink-cn.com
+ * @since v1.0.0 2020-04-29
+ */
+@Data
+public class AccessSettingResultDTO {
+
+	private static final long serialVersionUID = 1L;
+
+    /**
+     * 角色ID
+     */
+	private String roleId;
+
+    /**
+     * 操作key
+     */
+	private String operationKey;
+
+    /**
+     * 配置KEY
+     */
+	private String settingKey;
+
+    /**
+     * 配置值
+     */
+	private String settingValue;
+
+	/**
+	 * 配置名称
+	 */
+	private String settingName;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/RoleAccessSettingResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/RoleAccessSettingResultDTO.java
@ -1,14 +0,0 @@
-package com.epmet.dto.result;
-
-import lombok.Data;
-
-@Data
-public class RoleAccessSettingResultDTO {
-
-    private String settingKey;
-    private String id;
-    private String settingName;
-    private String settingValue;
-    private String roleId;
-
-}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
@ -3,19 +3,15 @@ package com.epmet.controller;
 import com.epmet.commons.tools.security.dto.GovTokenDto;
 import com.epmet.commons.tools.utils.Result;
 import com.epmet.commons.tools.validator.ValidatorUtils;
-import com.epmet.dto.OperationScopeDTO;
+import com.epmet.dto.form.AccessSettingFormDTO;
 import com.epmet.dto.form.OperationScopeFormDTO;
 import com.epmet.dto.form.StaffPermCacheFormDTO;
 import com.epmet.dto.result.LoginUserInfoResultDTO;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
 import com.epmet.dto.result.RoleOpeScopeResultDTO;
-import com.epmet.entity.OperationScopeEntity;
 import com.epmet.service.AccessService;
-import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;

-import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@ -88,17 +84,16 @@ public class AccessController {
     * @return
     */
    @PostMapping("roleallopesandscopes/{roleId}")
-    public Result<Set<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId) {
-        Set<RoleOpeScopeResultDTO> scopes = accessService.listAllRoleOperationScopesByRoleId(roleId);
-        return new Result<Set<RoleOpeScopeResultDTO>>().ok(scopes);
+    public Result<List<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId) {
+        List<RoleOpeScopeResultDTO> scopes = accessService.listAllRoleOperationScopesByRoleId(roleId);
+        return new Result<List<RoleOpeScopeResultDTO>>().ok(scopes);
    }

    /**
     * 查询角色的权限相关配置
-     * @param roleId
     * @return
     */
-    @PostMapping("/role/{roleId}/accesssettings")
+    @PostMapping("/accesssettings/{roleId}")
    public Result<Map<String, String>> listAccessSettings(@PathVariable("roleId") String roleId) {
        Map<String, String> settings = accessService.listAccessSettings(roleId);
        return new Result<Map<String, String>>().ok(settings);
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingDao.java
@ -0,0 +1,43 @@
+/**
+ * Copyright 2018 人人开源 https://www.renren.io
+ * <p>
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package com.epmet.dao;
+
+import com.epmet.commons.mybatis.dao.BaseDao;
+import com.epmet.dto.result.AccessSettingResultDTO;
+import com.epmet.entity.AccessSettingEntity;
+import org.apache.ibatis.annotations.Mapper;
+
+import java.util.List;
+
+/**
+ * 权限配置
+ *
+ * @author generator generator@elink-cn.com
+ * @since v1.0.0 2020-04-29
+ */
+@Mapper
+public interface AccessSettingDao extends BaseDao<AccessSettingEntity> {
+
+    /**
+     * 根据角色查询配置列表
+     * @param roleId
+     * @return
+     */
+    List<AccessSettingResultDTO> listAccessSettingsByRoleId(String roleId);
+
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingOptionsDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingOptionsDao.java
@ -18,20 +18,16 @@
 package com.epmet.dao;

 import com.epmet.commons.mybatis.dao.BaseDao;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
-import com.epmet.entity.RoleAccessSettingEntity;
+import com.epmet.entity.AccessSettingOptionsEntity;
 import org.apache.ibatis.annotations.Mapper;

-import java.util.List;
-
 /**
- * 权限配置
+ * 权限配置选项
 *
 * @author generator generator@elink-cn.com
- * @since v1.0.0 2020-04-26
+ * @since v1.0.0 2020-04-29
 */
@Mapper
-public interface RoleAccessSettingDao extends BaseDao<RoleAccessSettingEntity> {
-
-    List<RoleAccessSettingResultDTO> listRoleAccessSettingsByRoleId(String roleId);
+public interface AccessSettingOptionsDao extends BaseDao<AccessSettingOptionsEntity> {
+	
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/OperationScopeDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/OperationScopeDao.java
@ -49,7 +49,7 @@ public interface OperationScopeDao extends BaseDao<OperationScopeEntity> {
     * 查询角色所有operation及其范围
     * @param roleId
     */
-    Set<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId);
+    List<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId);

    String getDefaultScopeKeyForOperation(@Param("operationKey") String operationKey);

--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/entity/RoleAccessSettingEntity.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/entity/RoleAccessSettingEntity.java
@ -29,37 +29,33 @@ import java.util.Date;
 * 权限配置
 *
 * @author generator generator@elink-cn.com
- * @since v1.0.0 2020-04-26
+ * @since v1.0.0 2020-04-29
 */
@Data
@EqualsAndHashCode(callSuper=false)
-@TableName("role_access_setting")
-public class RoleAccessSettingEntity extends BaseEpmetEntity {
+@TableName("access_setting")
+public class AccessSettingEntity extends BaseEpmetEntity {

 	private static final long serialVersionUID = 1L;

    /**
-     * 配置KEY
+     * 角色ID
     */
-	private String settingKey;
+	private String roleId;

    /**
-     * 配置name
+     * 操作key
     */
-	private String settingName;
-	/**
-	 * 配置值
-	 */
-	private String settingValue;
+	private String operationKey;

    /**
-     * 角色ID
+     * 配置KEY
     */
-	private String roleId;
+	private String settingKey;

    /**
-     * 操作简介
+     * 配置值
     */
-	private String brief;
+	private String settingValue;

 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/entity/AccessSettingOptionsEntity.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/entity/AccessSettingOptionsEntity.java
@ -0,0 +1,56 @@
+/**
+ * Copyright 2018 人人开源 https://www.renren.io
+ * <p>
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package com.epmet.entity;
+
+import com.baomidou.mybatisplus.annotation.TableName;
+
+import com.epmet.commons.mybatis.entity.BaseEpmetEntity;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+
+import java.util.Date;
+
+/**
+ * 权限配置选项
+ *
+ * @author generator generator@elink-cn.com
+ * @since v1.0.0 2020-04-29
+ */
+@Data
+@EqualsAndHashCode(callSuper=false)
+@TableName("access_setting_options")
+public class AccessSettingOptionsEntity extends BaseEpmetEntity {
+
+	private static final long serialVersionUID = 1L;
+
+    /**
+     * 配置KEY
+     */
+	private String settingKey;
+
+    /**
+     * 配置name
+     */
+	private String settingName;
+
+    /**
+     * 简介
+     */
+	private String brief;
+
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleAccessSettingRedis.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleAccessSettingRedis.java
@ -2,14 +2,11 @@ package com.epmet.redis;

 import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;

 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
-import java.util.function.BiConsumer;

@Component
 public class RoleAccessSettingRedis {
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleOpeScopeRedis.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleOpeScopeRedis.java
@ -1,12 +1,12 @@
 package com.epmet.redis;

-import cn.hutool.core.bean.BeanUtil;
 import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
 import com.epmet.dto.result.RoleOpeScopeResultDTO;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;

+import java.util.List;
 import java.util.Set;

 /**
@ -34,7 +34,7 @@ public class RoleOpeScopeRedis {
     * @param roleId
     * @param scopes
     */
-    public void setRoleAllOpeScopes(String roleId, Set<RoleOpeScopeResultDTO> scopes) {
+    public void setRoleAllOpeScopes(String roleId, List<RoleOpeScopeResultDTO> scopes) {
        String roleAllOpeScopesKey = RedisKeys.getRoleAllOpeScopesKey(roleId);
        redisUtils.set(roleAllOpeScopesKey, scopes);
    }
@ -55,9 +55,10 @@ public class RoleOpeScopeRedis {
     * @param roleId
     * @return
     */
-    public Set<RoleOpeScopeResultDTO> getRoleAllOpeScopes(String roleId) {
+    public List<RoleOpeScopeResultDTO> getRoleAllOpeScopes(String roleId) {
        String roleOpeScopesKey = RedisKeys.getRoleAllOpeScopesKey(roleId);
-        return (Set<RoleOpeScopeResultDTO>)redisUtils.get(roleOpeScopesKey);
+        Object o = redisUtils.get(roleOpeScopesKey);
+        return (List<RoleOpeScopeResultDTO>)o;
    }

 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
@ -1,9 +1,7 @@
 package com.epmet.service;

 import com.epmet.commons.tools.security.dto.GovTokenDto;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
 import com.epmet.dto.result.RoleOpeScopeResultDTO;
-import com.epmet.entity.OperationScopeEntity;

 import java.util.List;
 import java.util.Map;
@ -43,5 +41,5 @@ public interface AccessService {
     * @param roleId
     * @return
     */
-    Set<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId);
+    List<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId);
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
@ -4,18 +4,14 @@ import com.epmet.commons.tools.exception.ExceptionUtils;
 import com.epmet.commons.tools.security.dto.GovTokenDto;
 import com.epmet.commons.tools.utils.CpUserDetailRedis;
 import com.epmet.dao.OperationScopeDao;
-import com.epmet.dao.RoleAccessSettingDao;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
 import com.epmet.dto.result.RoleOpeScopeResultDTO;
 import com.epmet.redis.RoleAccessSettingRedis;
 import com.epmet.redis.RoleOpeScopeRedis;
 import com.epmet.service.AccessService;
-import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
-import org.springframework.util.CollectionUtils;

 import java.util.*;

@ -30,9 +26,6 @@ public class AccessServiceImpl implements AccessService {
    @Autowired
    private OperationScopeDao operationScopeDao;

-    @Autowired
-    private RoleAccessSettingDao roleAccessSettingDao;
-
    @Autowired
    private RoleOpeScopeRedis roleOpeScopeRedis;

@ -114,26 +107,11 @@ public class AccessServiceImpl implements AccessService {
    }

    @Override
-    public Set<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId) {
-        Set<RoleOpeScopeResultDTO> roleAllOpeScopes = roleOpeScopeRedis.getRoleAllOpeScopes(roleId);
+    public List<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId) {
+        List<RoleOpeScopeResultDTO> roleAllOpeScopes = roleOpeScopeRedis.getRoleAllOpeScopes(roleId);
+        // 防止缓存穿透
        if (roleAllOpeScopes == null) {
-            roleAllOpeScopes = new HashSet<>();
-            Set<RoleOpeScopeResultDTO> roleAllOpeScopesResult = operationScopeDao.listAllRoleOperationScopesByRoleId(roleId);
-            for (RoleOpeScopeResultDTO opeAndScope : roleAllOpeScopesResult) {
-                if (StringUtils.isBlank(opeAndScope.getScopeKey())) {
-                    // 没有人为配置scope，则使用角色默认配置
-                    String scopeKey = operationScopeDao.getDefaultScopeKeyForOperation(opeAndScope.getOperationKey());
-                    if (StringUtils.isNotBlank(scopeKey)) {
-                        String scopeIndex = operationScopeDao.getScopeIndexByScopeKey(scopeKey);
-                        opeAndScope.setScopeKey(scopeKey);
-                        opeAndScope.setScopeIndex(scopeIndex);
-                        roleAllOpeScopes.add(opeAndScope);
-                        // 有默认scope配置的才返回
-                    }
-                } else {
-                    roleAllOpeScopes.add(opeAndScope);
-                }
-            }
+            roleAllOpeScopes = operationScopeDao.listAllRoleOperationScopesByRoleId(roleId);
            roleOpeScopeRedis.setRoleAllOpeScopes(roleId, roleAllOpeScopes);
        }
        return roleAllOpeScopes;
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/db.migration/epmet_gov_access.sql
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/db.migration/epmet_gov_access.sql
@ -75,22 +75,45 @@ CREATE TABLE `role_scope`  (
  PRIMARY KEY (`ID`) USING BTREE
 ) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '角色能操作哪些范围' ROW_FORMAT = Dynamic;

-- 2020.04.26 wxz --
+-- SET FOREIGN_KEY_CHECKS = 1;

-CREATE TABLE `role_access_setting` (
-  `ID` varchar(64) NOT NULL COMMENT '主键',
-  `SETTING_KEY` varchar(30) NOT NULL COMMENT '配置KEY',
-  `SETTING_NAME` varchar(30) NOT NULL COMMENT '配置name',
-  `SETTING_VALUE` varchar(30) NOT NULL COMMENT '配置值',
-  `ROLE_ID` varchar(64) DEFAULT NULL COMMENT '角色ID',
-  `BRIEF` varchar(255) DEFAULT NULL COMMENT '操作简介',
-  `DEL_FLAG` tinyint(1) DEFAULT NULL,
-  `REVISION` int(10) DEFAULT NULL,
-  `CREATED_BY` varchar(64) DEFAULT NULL,
-  `CREATED_TIME` datetime DEFAULT NULL,
-  `UPDATED_BY` varchar(64) DEFAULT NULL,
-  `UPDATED_TIME` datetime DEFAULT NULL,
-  PRIMARY KEY (`ID`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='权限配置'
+-- 2020.04.29 wxz
+CREATE TABLE `access_setting`  (
+  `ID` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '主键',
+  `ROLE_ID` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '角色ID',
+  `OPERATION_KEY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '操作key',
+  `SETTING_KEY` varchar(30) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '配置KEY',
+  `SETTING_VALUE` varchar(30) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '配置值',
+  `DEL_FLAG` tinyint(1) NULL DEFAULT NULL,
+  `REVISION` int(10) NULL DEFAULT NULL,
+  `CREATED_BY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,
+  `CREATED_TIME` datetime(0) NULL DEFAULT NULL,
+  `UPDATED_BY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,
+  `UPDATED_TIME` datetime(0) NULL DEFAULT NULL,
+  PRIMARY KEY (`ID`) USING BTREE,
+  UNIQUE INDEX `uni_access_setting_role_key_opt`(`ROLE_ID`, `OPERATION_KEY`, `SETTING_KEY`) USING BTREE
+) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '权限配置' ROW_FORMAT = Dynamic;

-- SET FOREIGN_KEY_CHECKS = 1;
+
+CREATE TABLE `access_setting_options`  (
+  `ID` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '主键',
+  `SETTING_KEY` varchar(30) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '配置KEY',
+  `SETTING_NAME` varchar(30) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '配置name',
+  `BRIEF` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '简介',
+  `DEL_FLAG` tinyint(1) NULL DEFAULT NULL,
+  `REVISION` int(10) NULL DEFAULT NULL,
+  `CREATED_BY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,
+  `CREATED_TIME` datetime(0) NULL DEFAULT NULL,
+  `UPDATED_BY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,
+  `UPDATED_TIME` datetime(0) NULL DEFAULT NULL,
+  PRIMARY KEY (`ID`) USING BTREE,
+  UNIQUE INDEX `uni_access_setting_opts`(`SETTING_KEY`) USING BTREE COMMENT '配置KEY不能重复'
+) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci COMMENT = '权限配置选项' ROW_FORMAT = Dynamic;
+
+-- ----------------------------
+-- Records of access_setting_options
+-- ----------------------------
+INSERT INTO `access_setting_options` VALUES ('1', 'I_CREATED', '我发起的', '我发起的条件过滤。ON为开启，OFF为关闭', 0, 0, NULL, NULL, NULL, NULL);
+INSERT INTO `access_setting_options` VALUES ('2', 'I_PART', '我参与的', '我参与的条件过滤', 0, 0, NULL, NULL, NULL, NULL);
+INSERT INTO `access_setting_options` VALUES ('3', 'IN_GRID', '网格内', '网格内', 0, 0, NULL, NULL, NULL, NULL);
+INSERT INTO `access_setting_options` VALUES ('4', 'IN_DEPARTMENT', '部门内', '部门内', 0, 0, NULL, NULL, NULL, NULL);
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingDao.xml
@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+
+<mapper namespace="com.epmet.dao.AccessSettingDao">
+
+    <resultMap type="com.epmet.entity.AccessSettingEntity" id="accessSettingMap">
+        <result property="id" column="ID"/>
+        <result property="roleId" column="ROLE_ID"/>
+        <result property="operationKey" column="OPERATION_KEY"/>
+        <result property="settingKey" column="SETTING_KEY"/>
+        <result property="settingValue" column="SETTING_VALUE"/>
+        <result property="delFlag" column="DEL_FLAG"/>
+        <result property="revision" column="REVISION"/>
+        <result property="createdBy" column="CREATED_BY"/>
+        <result property="createdTime" column="CREATED_TIME"/>
+        <result property="updatedBy" column="UPDATED_BY"/>
+        <result property="updatedTime" column="UPDATED_TIME"/>
+    </resultMap>
+
+    <!--根据角色查询配置列表-->
+    <select id="listAccessSettingsByRoleId" resultType="com.epmet.dto.result.AccessSettingResultDTO">
+        SELECT
+            s.*,
+            opt.SETTING_NAME
+        FROM
+            access_setting s
+            INNER JOIN access_setting_options opt ON ( s.SETTING_KEY = opt.SETTING_KEY AND opt.DEL_FLAG = 0)
+        WHERE
+            s.ROLE_ID = #{roleId}
+            AND s.DEL_FLAG = 0
+    </select>
+
+
+</mapper>
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingOptionsDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingOptionsDao.xml
@ -1,14 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">

-<mapper namespace="com.epmet.dao.RoleAccessSettingDao">
+<mapper namespace="com.epmet.dao.AccessSettingOptionsDao">

-    <resultMap type="com.epmet.entity.RoleAccessSettingEntity" id="roleAccessSettingMap">
+    <resultMap type="com.epmet.entity.AccessSettingOptionsEntity" id="accessSettingOptionsMap">
        <result property="id" column="ID"/>
        <result property="settingKey" column="SETTING_KEY"/>
        <result property="settingName" column="SETTING_NAME"/>
-        <result property="settingValue" column="SETTING_VALUE"/>
-        <result property="roleId" column="ROLE_ID"/>
        <result property="brief" column="BRIEF"/>
        <result property="delFlag" column="DEL_FLAG"/>
        <result property="revision" column="REVISION"/>
@ -18,13 +16,5 @@
        <result property="updatedTime" column="UPDATED_TIME"/>
    </resultMap>

-    <!--查询角色的权限相关配置-->
-    <select id="listRoleAccessSettingsByRoleId" resultType="com.epmet.dto.result.RoleAccessSettingResultDTO">
-        select settings.*
-        from role_access_setting settings
-        where ROLE_ID = #{roleId}
-            AND DEL_FLAG = '0'
-    </select>
-

 </mapper>
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/OperationScopeDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/OperationScopeDao.xml
@ -29,17 +29,22 @@

    <!--查询角色所有operation及其范围-->
    <select id="listAllRoleOperationScopesByRoleId" resultType="com.epmet.dto.result.RoleOpeScopeResultDTO">
-        SELECT ope.ROLE_ID,
-               ope.OPERATION_KEY,
-               ro.SCOPE_KEY,
-               os.SCOPE_INDEX
-        FROM role_operation ope
-                 LEFT JOIN role_scope ro
-                           ON (ope.ROLE_ID = ro.ROLE_ID AND ope.OPERATION_KEY = ro.OPERATION_KEY AND ro.DEL_FLAG = 0)
-                 LEFT JOIN operation_scope os
-                           ON (ro.SCOPE_KEY = os.SCOPE_KEY)
-        WHERE ope.ROLE_ID = #{roleId}
-          AND ope.DEL_FLAG = 0
+        SELECT t.*, os.SCOPE_INDEX
+        FROM (
+                 SELECT ope.ROLE_ID,
+                        ope.OPERATION_KEY,
+                        CASE
+                            WHEN ro.SCOPE_KEY IS NULL THEN d.SCOPE_KEY
+                            ELSE ro.SCOPE_KEY END AS SCOPE_KEY
+                 FROM role_operation ope
+                          LEFT JOIN role_scope ro
+                                    ON (ope.ROLE_ID = ro.ROLE_ID AND ope.OPERATION_KEY = ro.OPERATION_KEY AND ro.DEL_FLAG = 0)
+                          LEFT JOIN operation_scope_default d ON (ope.OPERATION_KEY = d.OPERATION_KEY AND d.DEL_FLAG = 0)
+                 WHERE ope.ROLE_ID = #{roleId}
+                   AND ope.DEL_FLAG = 0
+                 ORDER BY OPERATION_KEY ASC
+             ) t
+                 INNER JOIN operation_scope os ON (t.SCOPE_KEY = os.SCOPE_KEY)
    </select>

    <select id="getDefaultScopeKeyForOperation" resultType="java.lang.String">
--- a/epmet-module/gov-access/gov-access-server/src/test/java/com/epmet/test/govaccess/AccessSettingTest.java
+++ b/epmet-module/gov-access/gov-access-server/src/test/java/com/epmet/test/govaccess/AccessSettingTest.java
@ -1,7 +1,7 @@
 package com.epmet.test.govaccess;

-import com.epmet.dao.RoleAccessSettingDao;
-import com.epmet.dto.result.RoleAccessSettingResultDTO;
+import com.epmet.dao.AccessSettingDao;
+import com.epmet.dto.result.AccessSettingResultDTO;
 import com.epmet.redis.RoleAccessSettingRedis;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@ -18,17 +18,17 @@ import java.util.Map;
 public class AccessSettingTest {

    @Autowired
-    private RoleAccessSettingDao roleAccessSettingDao;
+    private AccessSettingDao roleAccessSettingDao;

    @Autowired
    private RoleAccessSettingRedis roleAccessSettingRedis;

    @Test
-    public void  addAccessSettings2Redis() {
-        List<RoleAccessSettingResultDTO> settings = roleAccessSettingDao.listRoleAccessSettingsByRoleId("1");
+    public void addAccessSettings2Redis() {
+        List<AccessSettingResultDTO> settings = roleAccessSettingDao.listAccessSettingsByRoleId("1");
        HashMap<String, Object> objectObjectHashMap = new HashMap<>();
-        settings.forEach(s -> {
-            objectObjectHashMap.put(s.getSettingKey(), s.getSettingValue());
+        settings.forEach(setting -> {
+            objectObjectHashMap.put(setting.getSettingKey(), setting.getSettingValue());
        });
        roleAccessSettingRedis.set(objectObjectHashMap, "1");
        Map<String, String> map = roleAccessSettingRedis.get("1");
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/GovAccessFeignClient.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/GovAccessFeignClient.java
@ -53,6 +53,6 @@ public interface GovAccessFeignClient {
     * @return
     */
    @PostMapping("/gov/access/access/roleallopesandscopes/{roleId}")
-    Result<Set<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId);
+    Result<List<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(@PathVariable("roleId") String roleId);

 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/fallback/GovAccessFeignClientFallback.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/fallback/GovAccessFeignClientFallback.java
@ -43,7 +43,7 @@ public class GovAccessFeignClientFallback implements GovAccessFeignClient {
 	}

 	@Override
-	public Result<Set<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(String roleId) {
+	public Result<List<RoleOpeScopeResultDTO>> listRoleAllOperationScopesByRoleId(String roleId) {
 		return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "listRoleAllOperationScopesByRoleId", roleId);
 	}
 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
@ -94,13 +94,13 @@ public class AccessServiceImpl implements AccessService {
        roleDTOS.forEach(roleDto -> {
            String roleId = roleDto.getId();
            // 找出该角色的所有功能操作列表
-            Result<Set<RoleOpeScopeResultDTO>> result = govAccessFeignClient.listRoleAllOperationScopesByRoleId(roleId);
+            Result<List<RoleOpeScopeResultDTO>> result = govAccessFeignClient.listRoleAllOperationScopesByRoleId(roleId);
            if (!result.success()) {
                // 获取operation异常
                logger.error("调用GovAccess，根据RoleId查询Operation列表失败:{}", result.getMsg());
                throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
            }
-            Set<RoleOpeScopeResultDTO> roleOperations = result.getData();
+            List<RoleOpeScopeResultDTO> roleOperations = result.getData();
            filtedOps.addAll(filterOpesByScope(currOrgRelation, roleOperations));
        });
        return filtedOps;
@ -113,7 +113,7 @@ public class AccessServiceImpl implements AccessService {
     * @param roleOperations
     * @return
     */
-    private HashSet<String> filterOpesByScope(String currOrgRelation, Set<RoleOpeScopeResultDTO> roleOperations) {
+    private HashSet<String> filterOpesByScope(String currOrgRelation, List<RoleOpeScopeResultDTO> roleOperations) {
        HashSet<String> opeKeys = new HashSet<>();
        for (RoleOpeScopeResultDTO opeScope : roleOperations) {
            String scopeKey = opeScope.getScopeKey();
--- a/epmet-module/gov-org/gov-org-server/src/main/java/com/epmet/feign/EpmetUserFeignClient.java
+++ b/epmet-module/gov-org/gov-org-server/src/main/java/com/epmet/feign/EpmetUserFeignClient.java
@ -32,6 +32,7 @@ import java.util.List;
 * @dscription
 * @date 2020/3/19 9:32
 */
+//url = "8087"
@FeignClient(name = ServiceConstant.EPMET_USER_SERVER, fallback = EpmetUserFeignClientFallBack.class)
 public interface EpmetUserFeignClient {
 	/**
--- a/epmet-module/oper-access/oper-access-server/src/main/java/com/epmet/feign/EpmetUserFeignClient.java
+++ b/epmet-module/oper-access/oper-access-server/src/main/java/com/epmet/feign/EpmetUserFeignClient.java
@ -12,6 +12,7 @@ import org.springframework.web.bind.annotation.*;
 * @dscription
 * @date 2020/3/19 9:32
 */
+//, url = "localhost:8087"
@FeignClient(name = ServiceConstant.EPMET_USER_SERVER, path="/epmetuser", fallback = EpmetUserFeignClientFallback.class)
 public interface EpmetUserFeignClient {

--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/dao/StaffRoleDao.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/dao/StaffRoleDao.java
@ -45,7 +45,7 @@ public interface StaffRoleDao extends BaseDao<StaffRoleEntity> {
     * @param orgId
     * @return
     */
-    @DataFilter(tableAliases = { "sr" })
+    //@DataFilter(tableAliases = { "sr" }, gridIdArgName = "gridId", deptIdArgName = "deptId")
    List<GovStaffRoleResultDTO> listStaffIdsByRoleKeyAndOrgId(@Param("roleKey") String roleKey, @Param("orgId") String orgId,
                                                              @Param("dataScope") DataScope dataScope);