权限基本完成

5 years ago · e917105566
38 changed files with 809 additions and 98 deletions
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
@ -9,7 +9,7 @@
 package com.epmet.commons.mybatis.aspect;

 import com.epmet.commons.mybatis.annotation.DataFilter;
-import com.epmet.commons.mybatis.constant.AccessSettingConstant;
+import com.epmet.commons.tools.constant.AccessSettingConstant;
 import com.epmet.commons.tools.constant.OpeScopeConstant;
 import com.epmet.commons.mybatis.dto.form.*;
 import com.epmet.commons.mybatis.feign.GovAccessFeignClient;
@ -138,7 +138,8 @@ public class DataFilterAspect {

        // 生成过滤sql
        String sqlFilterSegment = getSqlFilterSegment(userId, userDetail.getRoleIdList(), requirePermission,
-                userDetail.getOrgIdPath(), userDetail.getGridIdList(), tableAlias, userDetail.getDeptIdList(), gridId, deptId);
+                userDetail.getOrgIdPath(), userDetail.getGridIdList(), tableAlias, userDetail.getDeptIdList(),
+                gridId, deptId, requirePermission);

        // 方式1.填充到Service方法列表中的DataScope对象中。如果dao入参是用DTO的话，那么再加一个DataScope入参，sql中会报错提示#{}参数找不到，因此改用方法2
        //Object[] methodArgs = point.getArgs();
@ -188,11 +189,12 @@ public class DataFilterAspect {
     * @return
     */
    private String getSqlFilterSegment(String userId, Set<String> roleIds, String reqiurePermission, String orgIdPath,
-                                       Set<String> gridIdList, String tableAlias, Set<String> deptIds, String gridId, String deptId) {
+                                       Set<String> gridIdList, String tableAlias, Set<String> deptIds, String gridId, String deptId,
+                                       String operationKey) {

        StringBuilder sb = new StringBuilder();

-        Map<String, String> accessSettings = listRoleAccessSettings(roleIds);
+        Map<String, String> accessSettings = listRoleAccessSettings(roleIds, operationKey);

        // 1.生成sql:组织范围过滤
        if (!genOrgScopeSql(sb, orgIdPath, roleIds, reqiurePermission, tableAlias)) {
@ -235,16 +237,19 @@ public class DataFilterAspect {
     * @param roleIds
     * @return
     */
-    private Map<String, String> listRoleAccessSettings(Set<String> roleIds) {
+    private Map<String, String> listRoleAccessSettings(Set<String> roleIds, String operationKey) {
        Map<String, String> settings = new HashMap<>();
        roleIds.forEach(roleId -> {
-            settings.putAll(listRoleAccessSettings(roleId));
+            settings.putAll(listRoleAccessSettings(roleId, operationKey));
        });
        return settings;
    }

-    private Map<String, String> listRoleAccessSettings(String roleId) {
-        Result<Map<String, String>> result = govAccessFeignClient.listAccessSettings(roleId);
+    private Map<String, String> listRoleAccessSettings(String roleId, String operationKey) {
+        AccessSettingFormDTO accessSettingFormDTO = new AccessSettingFormDTO();
+        accessSettingFormDTO.setRoleId(roleId);
+        accessSettingFormDTO.setOperationKey(operationKey);
+        Result<Map<String, String>> result = govAccessFeignClient.listAccessSettings(accessSettingFormDTO);
        if (result.success()) {
            return result.getData();
        } else {
@ -382,10 +387,8 @@ public class DataFilterAspect {
            return false;
        }

-        // 取出父组织ID path 和当前组织ID
-        String pOrgPath = orgIdPath.substring(0, orgIdPath.lastIndexOf(orgIdPathSpliter));
-        String currOrgPath = orgIdPath.substring(orgIdPath.lastIndexOf(orgIdPathSpliter) + 1);
-        genOrgScopeSql(sb, scopes, currOrgPath, pOrgPath, tableAlias);
+        // 生成sql语句
+        genOrgScopeSql(sb, scopes, orgIdPath, tableAlias);
        sb.replace(sb.lastIndexOf("OR"), sb.lastIndexOf("OR") + 3, "");
        hasConditions.set(true);
        return true;
@ -395,48 +398,55 @@ public class DataFilterAspect {
     * 计算组织范围过滤sql
     * PS:这个方法需要优化，当前阶段因为逻辑不稳定，暂时不做过度封装
     * @param scopes
-     * @param currOrg
-     * @param pOrgPath
     * @return
     */
-    private void genOrgScopeSql(StringBuilder sb, HashSet<String> scopes, String currOrg, String pOrgPath, String tableAlias) {
+    private void genOrgScopeSql(StringBuilder sb, HashSet<String> scopes, String orgIdPath, String tableAlias) {
+        // 取出父组织ID path 和当前组织ID
+        //String parentOrgIDPath = orgIdPath.substring(0, orgIdPath.lastIndexOf(orgIdPathSpliter));
+        //String currOrgID = orgIdPath.substring(orgIdPath.lastIndexOf(orgIdPathSpliter) + 1);
+
        for (String scope : scopes) {
            switch (scope) {
+                // 当前单位(可以用ORG_ID_PATH，也可以用ORG_ID判断)
                case OpeScopeConstant.ORG_CURR:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" ORG_ID = '").append(currOrg).append("' OR ");
+                        sb.append(" ORG_ID_PATH = '").append(orgIdPath).append("' OR ");
+                        //sb.append(" ORG_ID = '").append(currOrgID).append("' OR ");
                    } else {
-                        sb.append(" ").append(tableAlias).append(".ORG_ID = '").append(currOrg).append("' OR ");
+                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH = '").append(orgIdPath).append("' OR ");
+                        //sb.append(" ").append(tableAlias).append(".ORG_ID = '").append(currOrgID).append("' OR ");
                    }
                    break;
+                //    本单位及其子级单位
                case OpeScopeConstant.ORG_CURR_AND_SUB:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append("%' OR ");
+                        sb.append(" ORG_ID_PATH like '").append(orgIdPath).append("%' OR ");
                    } else {
-                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append("%' OR ");
+                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(orgIdPath).append("%' OR ");
                    }
                    break;
+                //    本单位的子级单位
                case OpeScopeConstant.ORG_CURR_SUB:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' OR ");
+                        sb.append(" ORG_ID_PATH like '").append(orgIdPath).append(":%' OR ");
                    } else {
-                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("%' OR ");
+                        sb.append(" ").append(tableAlias).append(".ORG_ID_PATH like '").append(orgIdPath).append(":%' OR ");
                    }
                    break;
                 //当前单位的父级单位
                case OpeScopeConstant.ORG_CURR_SUP:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" '").append(pOrgPath).append("' like CONCAT(").append("ORG_ID_PATH,'%') OR ");
+                        sb.append(" '").append(orgIdPath).append("' like CONCAT(").append("ORG_ID_PATH,':%') OR ");
                    } else {
-                        sb.append(" '").append(pOrgPath).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,'%') OR ");
+                        sb.append(" '").append(orgIdPath).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,':%') OR ");
                    }
                    break;
                //    当前单位及其父级单位
                case OpeScopeConstant.ORG_CURR_AND_SUP:
                    if (StringUtils.isBlank(tableAlias)) {
-                        sb.append(" '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("' like CONCAT(").append("ORG_ID_PATH,'%') OR ");
+                        sb.append(" '").append(orgIdPath).append("' like CONCAT(").append("ORG_ID_PATH,'%') OR ");
                    } else {
-                        sb.append(" '").append(pOrgPath).append(orgIdPathSpliter).append(currOrg).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,'%' ) OR ");
+                        sb.append(" '").append(orgIdPath).append("' like CONCAT(").append(tableAlias).append(".ORG_ID_PATH,'%' ) OR ");
                    }
                    break;
                case OpeScopeConstant.ORG_EQUAL:
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/AccessSettingFormDTO.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/AccessSettingFormDTO.java
@ -0,0 +1,9 @@
+package com.epmet.commons.mybatis.dto.form;
+
+import lombok.Data;
+
+@Data
+public class AccessSettingFormDTO {
+    private String roleId;
+    private String operationKey;
+}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
@ -38,11 +38,10 @@ public interface GovAccessFeignClient {

    /**
     * 查询角色的权限相关配置
-     * @param roleId
     * @return
     */
-    @PostMapping("/gov/access/access/accesssettings/{roleId}")
-    Result<Map<String, String>> listAccessSettings(@PathVariable("roleId") String roleId);
+    @PostMapping("/gov/access/access/accesssettings")
+    Result<Map<String, String>> listAccessSettings(AccessSettingFormDTO accessSettingFormDTO);

    /**
     * 查询角色所有operation及其范围(缓存)
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
@ -32,8 +32,8 @@ public class GovAccessFeignClientFallback implements GovAccessFeignClient {
    }

    @Override
-    public Result<Map<String, String>> listAccessSettings(String roleId) {
-        return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "listAccessSettings", roleId);
+    public Result<Map<String, String>> listAccessSettings(AccessSettingFormDTO accessSettingFormDTO) {
+        return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "listAccessSettings", accessSettingFormDTO);
    }

    @Override
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/constant/AccessSettingConstant.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/constant/AccessSettingConstant.java
@ -1,6 +1,9 @@
-package com.epmet.commons.mybatis.constant;
+package com.epmet.commons.tools.constant;

 public class AccessSettingConstant {
+
+    public static final String ON = "ON";
+
    public static final String I_CREATED_KEY = "I_CREATED";
    public static final String I_CREATED_ON = "ON";

--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/enums/RequirePermissionEnum.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/enums/RequirePermissionEnum.java
@ -2,36 +2,36 @@ package com.epmet.commons.tools.enums;

 public enum RequirePermissionEnum {

-    WORK_GRASSROOTS_GROUP_AUDITINGLIST("work_grassroots_group_auditinglist", "基层治理-群组管理-待审核列表", "基层治理-群组管理-待审核列表"),
-    WORK_GRASSROOTS_GROUP_AUDIT("work_grassroots_group_audit", "基层治理-群组管理-审核建组", "基层治理-群组管理-审核建组"),
-    WORK_GRASSROOTS_GROUP_GROUPSINTHEGRID("work_grassroots_group_groupsinthegrid", "基层治理-群组管理-本网格小组列表", "基层治理-群组管理-本网格小组列表"),
-    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDITINGLIST("work_grassroots_resi_warmhearted_auditinglist", "基层治理-居民管理-热心居民待审核列表", "基层治理-居民管理-热心居民待审核列表"),
-    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDITHISTORYLIST("work_grassroots_resi_warmhearted_audithistorylist", "基层治理-居民管理-热心审核历史", "基层治理-居民管理-热心审核历史"),
-    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDIT("work_grassroots_resi_warmhearted_audit", "基层治理-居民管理-热心居民审核", "基层治理-居民管理-热心居民审核"),
-    ORG_AGENCY_TRACE("org_agency_trace", "组织-查看上级机关", "组织-查看上级机关"),
-    ORG_AGENCY_UPDATE("org_agency_update", "组织-机关单位-编辑", "组织-机关单位-编辑"),
-    ORG_SUBAGENCY_LIST("org_subagency_list", "组织-下级机关-列表", "组织-下级机关-列表"),
-    ORG_SUBAGENCY_CREATE("org_subagency_create", "组织-下级机关-新增", "组织-下级机关-新增"),
-    ORG_SUBAGENCY_DELETE("org_subagency_delete", "组织-下级机关-删除", "组织-下级机关-删除"),
-    ORG_STAFF_DETAIL("org_staff_detail", "组织-工作人员-详情", "组织-工作人员-详情"),
-    ORG_STAFF_LIST("org_staff_list", "组织-工作人员-列表", "组织-工作人员-列表"),
-    ORG_STAFF_CREATE("org_staff_create", "组织-工作人员-新增", "组织-工作人员-新增"),
-    ORG_STAFF_UPDATE("org_staff_update", "组织-工作人员-编辑", "组织-工作人员-编辑"),
-    ORG_STAFF_FORBIDDEN("org_staff_forbidden", "组织-工作人员-禁用", "组织-工作人员-禁用"),
-    ORG_DEPARTMENT_LIST("org_department_list", "组织-直属部门-部门列表", "组织-直属部门-部门列表"),
-    ORG_DEPARTMENT_CREATE("org_department_create", "组织-直属部门-新增部门", "组织-直属部门-新增部门"),
-    ORG_DEPARTMENT_UPDATE("org_department_update", "组织-直属部门-编辑部门", "组织-直属部门-编辑部门"),
-    ORG_DEPARTMENT_DELETE("org_department_delete", "组织-直属部门-删除", "组织-直属部门-删除"),
-    ORG_DEPARTMENT_STAFF_ADD("org_department_staff_add", "组织-直属部门-添加人员", "组织-直属部门-添加人员"),
-    ORG_DEPARTMENT_STAFF_REMOVE("org_department_staff_remove", "组织-直属部门-移除人员", "组织-直属部门-移除人员"),
-    ORG_DEPARTMENT_STAFF_LIST("org_department_staff_list", "组织-直属部门-人员列表", "组织-直属部门-人员列表"),
-    ORG_GRID_LIST("org_grid_list", "组织-治理网格-网格列表", "组织-治理网格-网格列表"),
-    ORG_GRID_CREATE("org_grid_create", "组织-治理网格-新增网格", "组织-治理网格-新增网格"),
-    ORG_GRID_UPDATE("org_grid_update", "组织-治理网格-编辑网格", "组织-治理网格-编辑网格"),
-    ORG_GRID_DELETE("org_grid_delete", "组织-治理网格-删除", "组织-治理网格-删除"),
-    ORG_GRID_STAFF_ADD("org_grid_staff_add", "组织-治理网格-新增网格工作人员", "组织-治理网格-新增网格工作人员"),
-    ORG_GRID_STAFF_REMOVE("org_grid_staff_remove", "组织-治理网格-移除网格工作人员", "组织-治理网格-移除网格工作人员"),
-    ORG_PARTYMEMBER_SUMMARY("org_partymember_summary", "组织-党员-汇总信息", "组织-党员-汇总信息");
+    WORK_GRASSROOTS_GROUP_AUDITINGLIST("work_grassroots_group_auditinglist", "基层治理:群组管理:待审核列表", "基层治理:群组管理:待审核列表"),
+    WORK_GRASSROOTS_GROUP_AUDIT("work_grassroots_group_audit", "基层治理:群组管理:审核建组", "基层治理:群组管理:审核建组"),
+    WORK_GRASSROOTS_GROUP_GROUPSINTHEGRID("work_grassroots_group_groupsinthegrid", "基层治理:群组管理:本网格小组列表", "基层治理:群组管理:本网格小组列表"),
+    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDITINGLIST("work_grassroots_resi_warmhearted_auditinglist", "基层治理:居民管理:热心居民待审核列表", "基层治理:居民管理:热心居民待审核列表"),
+    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDITHISTORYLIST("work_grassroots_resi_warmhearted_audithistorylist", "基层治理:居民管理:热心审核历史", "基层治理:居民管理:热心审核历史"),
+    WORK_GRASSROOTS_RESI_WARMHEARTED_AUDIT("work_grassroots_resi_warmhearted_audit", "基层治理:居民管理:热心居民审核", "基层治理:居民管理:热心居民审核"),
+    ORG_AGENCY_TRACE("org_agency_trace", "组织:查看上级机关", "组织:查看上级机关"),
+    ORG_AGENCY_UPDATE("org_agency_update", "组织:机关单位:编辑", "组织:机关单位:编辑"),
+    ORG_SUBAGENCY_LIST("org_subagency_list", "组织:下级机关:列表", "组织:下级机关:列表"),
+    ORG_SUBAGENCY_CREATE("org_subagency_create", "组织:下级机关:新增", "组织:下级机关:新增"),
+    ORG_SUBAGENCY_DELETE("org_subagency_delete", "组织:下级机关:删除", "组织:下级机关:删除"),
+    ORG_STAFF_DETAIL("org_staff_detail", "组织:工作人员:详情", "组织:工作人员:详情"),
+    ORG_STAFF_LIST("org_staff_list", "组织:工作人员:列表", "组织:工作人员:列表"),
+    ORG_STAFF_CREATE("org_staff_create", "组织:工作人员:新增", "组织:工作人员:新增"),
+    ORG_STAFF_UPDATE("org_staff_update", "组织:工作人员:编辑", "组织:工作人员:编辑"),
+    ORG_STAFF_FORBIDDEN("org_staff_forbidden", "组织:工作人员:禁用", "组织:工作人员:禁用"),
+    ORG_DEPARTMENT_LIST("org_department_list", "组织:直属部门:部门列表", "组织:直属部门:部门列表"),
+    ORG_DEPARTMENT_CREATE("org_department_create", "组织:直属部门:新增部门", "组织:直属部门:新增部门"),
+    ORG_DEPARTMENT_UPDATE("org_department_update", "组织:直属部门:编辑部门", "组织:直属部门:编辑部门"),
+    ORG_DEPARTMENT_DELETE("org_department_delete", "组织:直属部门:删除", "组织:直属部门:删除"),
+    ORG_DEPARTMENT_STAFF_ADD("org_department_staff_add", "组织:直属部门:添加人员", "组织:直属部门:添加人员"),
+    ORG_DEPARTMENT_STAFF_REMOVE("org_department_staff_remove", "组织:直属部门:移除人员", "组织:直属部门:移除人员"),
+    ORG_DEPARTMENT_STAFF_LIST("org_department_staff_list", "组织:直属部门:人员列表", "组织:直属部门:人员列表"),
+    ORG_GRID_LIST("org_grid_list", "组织:治理网格:网格列表", "组织:治理网格:网格列表"),
+    ORG_GRID_CREATE("org_grid_create", "组织:治理网格:新增网格", "组织:治理网格:新增网格"),
+    ORG_GRID_UPDATE("org_grid_update", "组织:治理网格:编辑网格", "组织:治理网格:编辑网格"),
+    ORG_GRID_DELETE("org_grid_delete", "组织:治理网格:删除", "组织:治理网格:删除"),
+    ORG_GRID_STAFF_ADD("org_grid_staff_add", "组织:治理网格:新增网格工作人员", "组织:治理网格:新增网格工作人员"),
+    ORG_GRID_STAFF_REMOVE("org_grid_staff_remove", "组织:治理网格:移除网格工作人员", "组织:治理网格:移除网格工作人员"),
+    ORG_PARTYMEMBER_SUMMARY("org_partymember_summary", "组织:党员:汇总信息", "组织:党员:汇总信息");

    private String key;
    private String name;
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/redis/RedisKeys.java
@ -232,7 +232,7 @@ public class RedisKeys {
 	 * @param roleId
 	 * @return
 	 */
-	public static String getRoleAccessSettingKey(String roleId) {
-		return rootPrefix.concat("gov:access:role:accesssettings:").concat(roleId);
+	public static String getRoleAccessSettingKey(String roleId, String operationKey) {
+		return rootPrefix.concat(String.format("gov:access:role:accesssettings:%s:%s", roleId, operationKey));
 	}
 }
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigOpesFormDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigOpesFormDTO.java
@ -0,0 +1,16 @@
+package com.epmet.dto.form;
+
+import com.epmet.dto.result.AccessConfigOpesResultDTO;
+import lombok.Data;
+
+import javax.validation.constraints.NotBlank;
+import java.util.List;
+
+@Data
+public class AccessConfigOpesFormDTO {
+
+    @NotBlank(message = "角色ID不能为空")
+    private String roleId;
+    private List<AccessConfigOpesResultDTO> opes;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigSaveSettingDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigSaveSettingDTO.java
@ -0,0 +1,18 @@
+package com.epmet.dto.form;
+
+import lombok.Data;
+
+import javax.validation.constraints.NotBlank;
+import java.util.Set;
+
+@Data
+public class AccessConfigSaveSettingDTO {
+
+    @NotBlank(message = "角色ID不能为空")
+    private String roleId;
+    @NotBlank(message = "操作Key不能为空")
+    private String operationKey;
+    private Set<String> scopeKeys;
+    private Set<String> settingKeys;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigSettingFormDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessConfigSettingFormDTO.java
@ -0,0 +1,16 @@
+package com.epmet.dto.form;
+
+import lombok.Data;
+
+import javax.validation.constraints.NotBlank;
+
+@Data
+public class AccessConfigSettingFormDTO {
+
+    @NotBlank(message = "角色ID不能为空")
+    private String roleId;
+
+    @NotBlank(message = "操作的Key不能为空")
+    private String operationKey;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessSettingFormDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/AccessSettingFormDTO.java
@ -2,7 +2,11 @@ package com.epmet.dto.form;

 import lombok.Data;

+/**
+ * 查询拥有的权限的DTO，非后台配置用
+ */
@Data
 public class AccessSettingFormDTO {
    private String roleId;
+    private String operationKey;
 }
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigOpesResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigOpesResultDTO.java
@ -0,0 +1,13 @@
+package com.epmet.dto.result;
+
+import lombok.Data;
+
+@Data
+public class AccessConfigOpesResultDTO {
+
+    private String operationKey;
+    private String operationName;
+    private String brief;
+    private Boolean assigned;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigOptionsResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigOptionsResultDTO.java
@ -0,0 +1,11 @@
+package com.epmet.dto.result;
+
+import lombok.Data;
+
+import java.util.List;
+
+@Data
+public class AccessConfigOptionsResultDTO {
+    private List<AccessConfigScopeResultDTO> scopeOptions;
+    private List<AccessConfigSettingResultDTO> settingOptions;
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigScopeResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigScopeResultDTO.java
@ -0,0 +1,15 @@
+package com.epmet.dto.result;
+
+import lombok.Data;
+
+@Data
+public class AccessConfigScopeResultDTO {
+
+    private String scopeKey;
+    private String scopeName;
+    private String scopeIndex;
+    private String operationKey;
+    private String roleId;
+    private Boolean assigned;
+
+}
--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigSettingResultDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/result/AccessConfigSettingResultDTO.java
@ -0,0 +1,14 @@
+package com.epmet.dto.result;
+
+import lombok.Data;
+
+@Data
+public class AccessConfigSettingResultDTO {
+
+    private String settingKey;
+    private String settingName;
+    private String roleId;
+    private Boolean assigned;
+    private String operationKey;
+
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessConfigController.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessConfigController.java
@ -0,0 +1,73 @@
+package com.epmet.controller;
+
+import com.epmet.commons.tools.utils.Result;
+import com.epmet.commons.tools.validator.ValidatorUtils;
+import com.epmet.dto.form.AccessConfigOpesFormDTO;
+import com.epmet.dto.form.AccessConfigSaveSettingDTO;
+import com.epmet.dto.form.AccessConfigSettingFormDTO;
+import com.epmet.dto.result.AccessConfigOpesResultDTO;
+import com.epmet.dto.result.AccessConfigOptionsResultDTO;
+import com.epmet.service.AccessConfigService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+import javax.validation.constraints.NotBlank;
+import java.util.List;
+import java.util.Set;
+
+@RestController
+@RequestMapping("config")
+public class AccessConfigController {
+
+    @Autowired
+    private AccessConfigService accessConfigService;
+
+    /**
+     * 列出角色的操作列表(及该操作的scope范围)
+     * @param roleId
+     * @return
+     */
+    @PostMapping("roleopes/{roleId}")
+    public Result listRoleOperations(@PathVariable("roleId") String roleId) {
+        List<AccessConfigOpesResultDTO> opes = accessConfigService.listOpesByRole(roleId);
+        return new Result().ok(opes);
+    }
+
+    /**
+     * 保存角色的操作功能列表
+     * @return
+     */
+    @PostMapping("saveroleopes")
+    public Result saveRoleOpes(@RequestBody AccessConfigOpesFormDTO formDTO) {
+        accessConfigService.saveRoleOpes(formDTO.getRoleId(), formDTO.getOpes());
+        return new Result();
+    }
+
+    /**
+     * 查询可配置项列表
+     * @return
+     */
+    @PostMapping("settingoptions")
+    public Result listSettingoptions(@RequestBody AccessConfigSettingFormDTO settingFormDTO) {
+        ValidatorUtils.validateEntity(settingFormDTO);
+        AccessConfigOptionsResultDTO options = accessConfigService.listScopeItemsForAccessConfig(settingFormDTO.getRoleId(), settingFormDTO.getOperationKey());
+        return new Result().ok(options);
+    }
+
+    /**
+     * 保存设置
+     * @param settings
+     * @return
+     */
+    @PostMapping("savesettings")
+    public Result saveSettings(@RequestBody AccessConfigSaveSettingDTO settings) {
+        ValidatorUtils.validateEntity(settings);
+        String roleId = settings.getRoleId();
+        String operationKey = settings.getOperationKey();
+        Set<String> scopeKeys = settings.getScopeKeys();
+        Set<String> settingKeys = settings.getSettingKeys();
+        accessConfigService.saveSettings(roleId, operationKey, scopeKeys, settingKeys);
+        return new Result();
+    }
+
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
@ -90,12 +90,12 @@ public class AccessController {
    }

    /**
-     * 查询角色的权限相关配置
+     * 查询角色的权限相关配置(缓存)
     * @return
     */
-    @PostMapping("/accesssettings/{roleId}")
-    public Result<Map<String, String>> listAccessSettings(@PathVariable("roleId") String roleId) {
-        Map<String, String> settings = accessService.listAccessSettings(roleId);
+    @PostMapping("/accesssettings")
+    public Result<Map<String, String>> listAccessSettings(@RequestBody AccessSettingFormDTO accessSettingFormDTO) {
+        Map<String, String> settings = accessService.listAccessSettings(accessSettingFormDTO.getRoleId(), accessSettingFormDTO.getOperationKey());
        return new Result<Map<String, String>>().ok(settings);
    }
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/AccessSettingDao.java
@ -18,11 +18,14 @@
 package com.epmet.dao;

 import com.epmet.commons.mybatis.dao.BaseDao;
+import com.epmet.dto.result.AccessConfigSettingResultDTO;
 import com.epmet.dto.result.AccessSettingResultDTO;
 import com.epmet.entity.AccessSettingEntity;
 import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;

 import java.util.List;
+import java.util.Set;

 /**
 * 权限配置
@ -38,6 +41,35 @@ public interface AccessSettingDao extends BaseDao<AccessSettingEntity> {
     * @param roleId
     * @return
     */
-    List<AccessSettingResultDTO> listAccessSettingsByRoleId(String roleId);
+    List<AccessSettingResultDTO> listAccessSettingsByRoleId(@Param("roleId") String roleId,
+                                                            @Param("operationKey") String operationKey);

+    List<AccessConfigSettingResultDTO> listSettingOptionsForAccessConfig(@Param("roleId") String roleId,
+                                                                         @Param("operationKey") String operationKey);
+
+    /**
+     * 删除
+     * @param roleId
+     * @param operationKey
+     * @param settingKeys2Delete
+     * @return
+     */
+    int delete(@Param("roleId") String roleId,
+                @Param("operationKey") String operationKey,
+                @Param("settingKeys2Delete") Set<String> settingKeys2Delete);
+
+    AccessSettingEntity get(@Param("roleId") String roleId,
+                            @Param("operationKey") String operationKey,
+                            @Param("settingKey") String settingKey);
+
+    /**
+     * 启用
+     * @param roleId
+     * @param operationKey
+     * @param settingKey
+     * @return
+     */
+    int enable(@Param("roleId") String roleId,
+               @Param("operationKey") String operationKey,
+               @Param("settingKey") String settingKey);
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/OperationDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/OperationDao.java
@ -33,4 +33,6 @@ import java.util.List;
 public interface OperationDao extends BaseDao<OperationEntity> {

    List<OperationEntity> listAllOperationEntities();
+
+    List<OperationEntity> listAllValidOperationEntities();
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/RoleOperationDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/RoleOperationDao.java
@ -18,6 +18,7 @@
 package com.epmet.dao;

 import com.epmet.commons.mybatis.dao.BaseDao;
+import com.epmet.dto.result.AccessConfigOpesResultDTO;
 import com.epmet.dto.result.RoleOperationResultDTO;
 import com.epmet.entity.RoleOperationEntity;
 import org.apache.ibatis.annotations.Mapper;
@ -35,4 +36,12 @@ import java.util.List;
 public interface RoleOperationDao extends BaseDao<RoleOperationEntity> {

    List<RoleOperationResultDTO> listOperationsByRoleId(@Param("roleId") String roleId);
+
+    List<AccessConfigOpesResultDTO> listOpesForAccessConfig(@Param("roleId") String roleId);
+
+    void deleteRoleOpe(@Param("roleId") String roleId, @Param("opeKey") String opeKey);
+
+    RoleOperationEntity getRoleOpe(@Param("roleId") String roleId, @Param("opeKey") String opeKey);
+
+    int enableRoleOpe(@Param("roleId") String roleId, @Param("opeKey") String opeKey);
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/RoleScopeDao.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/dao/RoleScopeDao.java
@ -18,8 +18,14 @@
 package com.epmet.dao;

 import com.epmet.commons.mybatis.dao.BaseDao;
+import com.epmet.dto.result.AccessConfigScopeResultDTO;
+import com.epmet.dto.result.AccessConfigSettingResultDTO;
 import com.epmet.entity.RoleScopeEntity;
 import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;
+
+import java.util.List;
+import java.util.Set;

 /**
 * 角色能操作哪些范围
@ -29,5 +35,52 @@ import org.apache.ibatis.annotations.Mapper;
 */
@Mapper
 public interface RoleScopeDao extends BaseDao<RoleScopeEntity> {
-	
+
+    /**
+     * 权限配置：列出可选项
+     * @param roleId
+     * @param operationKey
+     * @return
+     */
+    List<AccessConfigScopeResultDTO> listScopeOptionsForAccessConfig(@Param("roleId") String roleId, @Param("operationKey") String operationKey);
+
+    /**
+     *
+     * @param roleId
+     * @param operationKey
+     * @return
+     */
+    List<RoleScopeEntity> listScopeEntities(@Param("roleId") String roleId, @Param("operationKey") String operationKey);
+
+    /**
+     * 使用roleId+OperationKey+ScopeKey删除
+     * @param roleId
+     * @param operationKey
+     * @param scopeKeys2Remove
+     * @return
+     */
+    int deleteByRoleIdAndOpeKey(@Param("roleId") String roleId,
+                                @Param("operationKey") String operationKey,
+                                @Param("scopeKeys2Remove") Set<String> scopeKeys2Remove);
+
+    /**
+     * 启用
+     * @param roleId
+     * @param operationKey
+     * @param scopeKey
+     * @return
+     */
+    int enableByRoleIdAndOpeKey(@Param("roleId") String roleId,
+                                @Param("operationKey") String operationKey,
+                                @Param("scopeKey") String scopeKey);
+
+    /**
+     * 使用RoleId + operationKey + scopeKey
+     * @param roleId
+     * @param operationKey
+     * @param scopeKey
+     */
+    RoleScopeEntity getByRoleIdAndOpeKey(@Param("roleId") String roleId,
+                              @Param("operationKey") String operationKey,
+                              @Param("scopeKey") String scopeKey);
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleAccessSettingRedis.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleAccessSettingRedis.java
@ -4,9 +4,11 @@ import com.epmet.commons.tools.redis.RedisKeys;
 import com.epmet.commons.tools.redis.RedisUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.CollectionUtils;

 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;

@Component
 public class RoleAccessSettingRedis {
@ -14,21 +16,37 @@ public class RoleAccessSettingRedis {
    @Autowired
    private RedisUtils redisUtils;

-    public void set(Map<String, Object> settings, String roleId) {
-        String roleAccessSettingKey = RedisKeys.getRoleAccessSettingKey(roleId);
-        redisUtils.hMSet(roleAccessSettingKey, settings);
+    public void set(Map<String, String> settings, String roleId, String operationKey) {
+        // 转化Map
+        HashMap<String, Object> newSettings = new HashMap<>();
+        Set<Map.Entry<String, String>> entries = settings.entrySet();
+        entries.forEach(entry -> {
+            newSettings.put(entry.getKey(), entry.getValue());
+        });
+
+        String roleAccessSettingKey = RedisKeys.getRoleAccessSettingKey(roleId, operationKey);
+        redisUtils.hMSet(roleAccessSettingKey, newSettings);
    }

-    public Map<String, String> get(String roleId) {
-        String roleAccessSettingKey = RedisKeys.getRoleAccessSettingKey(roleId);
+    public Map<String, String> get(String roleId, String operationKey) {
+        String roleAccessSettingKey = RedisKeys.getRoleAccessSettingKey(roleId, operationKey);
        Map<String, Object> s = redisUtils.hGetAll(roleAccessSettingKey);
-        Map<String, String> settings = new HashMap<>();
-        s.forEach((s1, o) -> {
-            if (o != null) {
-                settings.put(s1, String.valueOf(o));
-            }
-        });
-        return settings;
+        // 转化Map
+        if (!CollectionUtils.isEmpty(s)) {
+            Map<String, String> settings = new HashMap<>();
+            s.forEach((s1, o) -> {
+                if (o != null) {
+                    settings.put(s1, String.valueOf(o));
+                }
+            });
+            return settings;
+        }
+
+        return null;
+    }
+
+    public void delete(String roleId, String operationKey) {
+        redisUtils.delete(RedisKeys.getRoleAccessSettingKey(roleId, operationKey));
    }

 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleOpeScopeRedis.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/redis/RoleOpeScopeRedis.java
@ -63,4 +63,12 @@ public class RoleOpeScopeRedis {
        return JSON.parseObject(stringValue, new TypeReference<List<RoleOpeScopeResultDTO>>(){});
    }

+    /**
+     * 删除缓存
+     * @param roleId
+     */
+    public void delRoleAllOpeScopes(String roleId) {
+        redisUtils.delete(RedisKeys.getRoleAllOpeScopesKey(roleId));
+    }
+
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessConfigService.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessConfigService.java
@ -0,0 +1,17 @@
+package com.epmet.service;
+
+import com.epmet.dto.result.AccessConfigOpesResultDTO;
+import com.epmet.dto.result.AccessConfigOptionsResultDTO;
+
+import java.util.List;
+import java.util.Set;
+
+public interface AccessConfigService {
+    List<AccessConfigOpesResultDTO> listOpesByRole(String roleId);
+
+    void saveRoleOpes(String roleId, List<AccessConfigOpesResultDTO> opes);
+
+    AccessConfigOptionsResultDTO listScopeItemsForAccessConfig(String roleId, String operationKey);
+
+    void saveSettings(String roleId, String operationKey, Set<String> scopeKeys, Set<String> settingKeys);
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
@ -34,7 +34,7 @@ public interface AccessService {
     * @param roleId
     * @return
     */
-    Map<String, String> listAccessSettings(String roleId);
+    Map<String, String> listAccessSettings(String roleId, String operationKey);

    /**
     * 查询角色所有operation及其范围(缓存)
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessConfigServiceImpl.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessConfigServiceImpl.java
@ -0,0 +1,182 @@
+package com.epmet.service.impl;
+
+import com.epmet.commons.tools.constant.AccessSettingConstant;
+import com.epmet.commons.tools.exception.EpmetErrorCode;
+import com.epmet.commons.tools.exception.RenException;
+import com.epmet.dao.*;
+import com.epmet.dto.result.*;
+import com.epmet.entity.AccessSettingEntity;
+import com.epmet.entity.RoleOperationEntity;
+import com.epmet.entity.RoleScopeEntity;
+import com.epmet.redis.RoleAccessSettingRedis;
+import com.epmet.redis.RoleOpeScopeRedis;
+import com.epmet.service.AccessConfigService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.util.CollectionUtils;
+
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+@Service
+public class AccessConfigServiceImpl implements AccessConfigService {
+
+    protected static final Logger logger = LoggerFactory.getLogger(AccessConfigServiceImpl.class);
+
+    @Autowired
+    private RoleOpeScopeRedis roleOpeScopeRedis;
+
+    @Autowired
+    private RoleOperationDao roleOperationDao;
+
+    @Autowired
+    private RoleScopeDao roleScopeDao;
+
+    @Autowired
+    private AccessSettingDao accessSettingDao;
+
+    @Autowired
+    private RoleAccessSettingRedis roleAccessSettingRedis;
+
+    @Override
+    public List<AccessConfigOpesResultDTO> listOpesByRole(String roleId) {
+        return roleOperationDao.listOpesForAccessConfig(roleId);
+    }
+
+    @Override
+    @Transactional(rollbackFor = Exception.class)
+    public void saveRoleOpes(String roleId, List<AccessConfigOpesResultDTO> opes) {
+        List<RoleOperationResultDTO> operationsDB = roleOperationDao.listOperationsByRoleId(roleId);
+        Set<String> opeKeysDB = operationsDB.stream().map(opeDB -> opeDB.getOperationKey()).collect(Collectors.toSet());
+        Set<String> opeKeysForm = opes.stream().map(opeForm -> opeForm.getOperationKey()).collect(Collectors.toSet());
+
+        for (String s : opeKeysDB) {
+            if (!opeKeysForm.contains(s)) {
+                // 说明这个已经被取消
+                roleOperationDao.deleteRoleOpe(roleId, s);
+            }
+        }
+
+        for (String s : opeKeysForm) {
+            if (!opeKeysDB.contains(s)) {
+                // 说明这个是新勾选的
+                if (roleOperationDao.getRoleOpe(roleId, s) != null) {
+                    if (roleOperationDao.enableRoleOpe(roleId, s) == 0) {
+                        logger.error("权限配置:启用权限失败，roleId:{}", roleId);
+                        throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
+                    }
+                    continue;
+                }
+
+                RoleOperationEntity newRoleOpe = new RoleOperationEntity();
+                newRoleOpe.setRoleId(roleId);
+                newRoleOpe.setOperationKey(s);
+                roleOperationDao.insert(newRoleOpe);
+            }
+        }
+
+        // 失效Redis缓存
+        roleOpeScopeRedis.delRoleAllOpeScopes(roleId);
+    }
+
+    @Override
+    public AccessConfigOptionsResultDTO listScopeItemsForAccessConfig(String roleId, String operationKey) {
+        List<AccessConfigScopeResultDTO> scopeOptions = roleScopeDao.listScopeOptionsForAccessConfig(roleId, operationKey);
+        List<AccessConfigSettingResultDTO > settingOptions = accessSettingDao.listSettingOptionsForAccessConfig(roleId, operationKey);
+        AccessConfigOptionsResultDTO options = new AccessConfigOptionsResultDTO();
+        options.setScopeOptions(scopeOptions);
+        options.setSettingOptions(settingOptions);
+        return options;
+    }
+
+    @Override
+    @Transactional
+    public void saveSettings(String roleId, String operationKey, Set<String> scopeKeys, Set<String> settingKeys) {
+        saveScopeSettings(roleId, operationKey, scopeKeys);
+        saveAccessSettingSettings(roleId, operationKey, settingKeys);
+    }
+
+    /**
+     * 保存设置
+     * 可以优化为：遍历时候直接删除或者新增，而不用新建settingKeys2Delete, settingKeys2Add变量
+     * @param roleId
+     * @param operationKey
+     */
+    private void saveAccessSettingSettings(String roleId, String operationKey, Set<String> newSettingKeys) {
+        Set<String> settingKeysDB = accessSettingDao.listAccessSettingsByRoleId(roleId, operationKey)
+                .stream()
+                .map(setting -> setting.getSettingKey())
+                .collect(Collectors.toSet());
+
+        Set<String> settingKeys2Delete = settingKeysDB.stream().filter(settingKeyDB -> !newSettingKeys.contains(settingKeyDB)).collect(Collectors.toSet());
+        Set<String> settingKeys2Add = newSettingKeys.stream().filter(newSetting -> !settingKeysDB.contains(newSetting)).collect(Collectors.toSet());
+
+        // 删除
+        if (!CollectionUtils.isEmpty(settingKeys2Delete)) {
+            accessSettingDao.delete(roleId, operationKey, settingKeys2Delete);
+        }
+
+        // 新增
+        if (!CollectionUtils.isEmpty(settingKeys2Add)) {
+            settingKeys2Add.forEach(settingKey -> {
+                if (accessSettingDao.get(roleId, operationKey, settingKey) != null) {
+                    // 数据库中已有
+                    accessSettingDao.enable(roleId, operationKey, settingKey);
+                } else {
+                    AccessSettingEntity newSetting = new AccessSettingEntity();
+                    newSetting.setRoleId(roleId);
+                    newSetting.setOperationKey(operationKey);
+                    newSetting.setSettingKey(settingKey);
+                    newSetting.setSettingValue(AccessSettingConstant.ON);
+                    accessSettingDao.insert(newSetting);
+                }
+            });
+        }
+
+        // 清空redis缓存
+        roleAccessSettingRedis.delete(roleId, operationKey);
+    }
+
+    /**
+     * 保存Scope设置
+     * @param roleId
+     * @param operationKey
+     * @param scopeKeys
+     */
+    private void saveScopeSettings(String roleId, String operationKey, Set<String> scopeKeys) {
+        List<RoleScopeEntity> scopesDB = roleScopeDao.listScopeEntities(roleId, operationKey);
+        // 数据库中已有的scopeKey列表
+        Set<String> scopeKeysDB = scopesDB.stream().map(scope -> scope.getScopeKey()).collect(Collectors.toSet());
+
+        Set<String> scopeKeys2Add = scopeKeys.stream().filter(scopeKey -> !scopeKeysDB.contains(scopeKey)).collect(Collectors.toSet());
+        Set<String> scopeKeys2Remove = scopeKeysDB.stream().filter(scopeKeyDB -> !scopeKeys.contains(scopeKeyDB)).collect(Collectors.toSet());
+
+        // 添加/重新启用
+        if (!CollectionUtils.isEmpty(scopeKeys2Add)) {
+            scopeKeys2Add.forEach(scopeKey -> {
+                RoleScopeEntity rsDB = roleScopeDao.getByRoleIdAndOpeKey(roleId, operationKey, scopeKey);
+                if (rsDB != null) {
+                    roleScopeDao.enableByRoleIdAndOpeKey(roleId, operationKey, scopeKey);
+                } else {
+                    RoleScopeEntity rs2Add = new RoleScopeEntity();
+                    rs2Add.setRoleId(roleId);
+                    rs2Add.setOperationKey(operationKey);
+                    rs2Add.setScopeKey(scopeKey);
+                    roleScopeDao.insert(rs2Add);
+                }
+            });
+        }
+
+        // 删除
+        if (!CollectionUtils.isEmpty(scopeKeys2Remove)) {
+            roleScopeDao.deleteByRoleIdAndOpeKey(roleId, operationKey, scopeKeys2Remove);
+        }
+
+        // 清空redis缓存
+        roleOpeScopeRedis.delRoleAllOpeScopes(roleId);
+    }
+}
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
@ -3,7 +3,9 @@ package com.epmet.service.impl;
 import com.epmet.commons.tools.exception.ExceptionUtils;
 import com.epmet.commons.tools.security.dto.GovTokenDto;
 import com.epmet.commons.tools.utils.CpUserDetailRedis;
+import com.epmet.dao.AccessSettingDao;
 import com.epmet.dao.OperationScopeDao;
+import com.epmet.dto.result.AccessSettingResultDTO;
 import com.epmet.dto.result.RoleOpeScopeResultDTO;
 import com.epmet.redis.RoleAccessSettingRedis;
 import com.epmet.redis.RoleOpeScopeRedis;
@ -12,6 +14,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;

 import java.util.*;

@ -26,6 +29,9 @@ public class AccessServiceImpl implements AccessService {
    @Autowired
    private OperationScopeDao operationScopeDao;

+    @Autowired
+    private AccessSettingDao accessSettingDao;
+
    @Autowired
    private RoleOpeScopeRedis roleOpeScopeRedis;

@ -90,18 +96,21 @@ public class AccessServiceImpl implements AccessService {
     * @return
     */
    @Override
-    public Map<String, String> listAccessSettings(String roleId) {
-        Map<String, String> settings = roleAccessSettingRedis.get(roleId);
-        //if (CollectionUtils.isEmpty(settings)) {
-        //    // 数据库查出来，放入redis一份。此处为权限过滤器用到，存在缓存穿透，所以不采用这种方式。
-        //    // 改用为：变动setting的时候手动更新缓存的方式
-        //    List<RoleAccessSettingResultDTO> settingsDB = roleAccessSettingDao.listRoleAccessSettingsByRoleId(roleId);
-        //    if (!CollectionUtils.isEmpty(settingsDB)) {
-        //        roleAccessSettingRedis.set(settingsDB, roleId);
-        //    }
-        //}
+    public Map<String, String> listAccessSettings(String roleId, String operationKey) {
+        Map<String, String> settings = roleAccessSettingRedis.get(roleId, operationKey);
        if (settings == null) {
            settings = new HashMap<>();
+            // 数据库查出来，放入redis一份。此处为权限过滤器用到
+            List<AccessSettingResultDTO> accessSettingDtos = accessSettingDao.listAccessSettingsByRoleId(roleId, operationKey);
+            if (!CollectionUtils.isEmpty(accessSettingDtos)) {
+                for (AccessSettingResultDTO setting : accessSettingDtos) {
+                    settings.put(setting.getSettingKey(), setting.getSettingValue());
+                }
+            } else {
+                // 占位，否则空map存不到redis中
+                settings.put("-", "-");
+            }
+            roleAccessSettingRedis.set(settings, roleId, operationKey);
        }
        return settings;
    }
@ -109,7 +118,6 @@ public class AccessServiceImpl implements AccessService {
    @Override
    public List<RoleOpeScopeResultDTO> listAllRoleOperationScopesByRoleId(String roleId) {
        List<RoleOpeScopeResultDTO> roleAllOpeScopes = roleOpeScopeRedis.getRoleAllOpeScopes(roleId);
-        // 防止缓存穿透
        if (roleAllOpeScopes == null) {
            roleAllOpeScopes = operationScopeDao.listAllRoleOperationScopesByRoleId(roleId);
            roleOpeScopeRedis.setRoleAllOpeScopes(roleId, roleAllOpeScopes);
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/AccessSettingDao.xml
@ -28,7 +28,53 @@
        WHERE
            s.ROLE_ID = #{roleId}
            AND s.DEL_FLAG = 0
+            AND s.OPERATION_KEY = #{operationKey}
+            AND s.DEL_FLAG = 0
+    </select>
+
+    <!--权限配置：列出配置项-->
+    <select id="listSettingOptionsForAccessConfig"
+            resultType="com.epmet.dto.result.AccessConfigSettingResultDTO">
+        SELECT opt.SETTING_KEY,
+               opt.SETTING_NAME,
+               s.ROLE_ID,
+               CASE
+                   WHEN s.ROLE_ID IS NULL THEN FALSE
+                   ELSE TRUE END AS assigned,
+               s.OPERATION_KEY
+        FROM access_setting_options opt
+                 LEFT JOIN access_setting s ON (s.DEL_FLAG = 0 AND opt.SETTING_KEY = s.SETTING_KEY AND s.ROLE_ID = #{roleId}
+            AND s.OPERATION_KEY = #{operationKey})
+        WHERE opt.DEL_FLAG = 0
+        ORDER BY opt.SETTING_KEY ASC
    </select>

+    <!--删除-->
+    <delete id="delete">
+        DELETE
+        FROM access_setting
+        WHERE ROLE_ID = #{roleId}
+          AND OPERATION_KEY = #{operationKey}
+          AND SETTING_KEY IN
+          <foreach collection="settingKeys2Delete" item="settingKey" open="(" separator="," close=")">
+              #{settingKey}
+          </foreach>
+    </delete>
+
+    <select id="get" resultType="com.epmet.entity.AccessSettingEntity">
+        SELECT s.*
+        FROM access_setting s
+        WHERE s.ROLE_ID = #{roleId}
+          AND s.OPERATION_KEY = #{operationKey}
+          AND s.SETTING_KEY = #{settingKey}
+    </select>

+    <!--启用-->
+    <update id="enable">
+        UPDATE access_setting s
+        SET DEL_FLAG = 0
+        WHERE s.ROLE_ID = #{roleId}
+          AND s.OPERATION_KEY = #{operationKey}
+          AND s.SETTING_KEY = #{settingKey}
+    </update>
 </mapper>
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/OperationDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/OperationDao.xml
@ -21,5 +21,12 @@
        FROM operation o
    </select>

+    <select id="listAllValidOperationEntities" resultType="com.epmet.entity.OperationEntity">
+        SELECT o.*
+        FROM operation o
+        WHERE
+            o.DEL_FLAG=0
+    </select>
+

 </mapper>
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/RoleOperationDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/RoleOperationDao.xml
@ -31,5 +31,39 @@
            and o.DEL_FLAG = '0'
    </select>

+    <select id="listOpesForAccessConfig" resultType="com.epmet.dto.result.AccessConfigOpesResultDTO">
+        SELECT ope.OPERATION_KEY,
+               ope.OPERATION_NAME,
+               ope.BRIEF,
+               CASE
+                   WHEN ro.ROLE_ID IS NULL THEN FALSE
+                   ELSE TRUE END AS assigned
+        FROM operation ope
+                 LEFT JOIN role_operation ro ON (ope.OPERATION_KEY = ro.OPERATION_KEY AND ro.ROLE_ID = #{roleId} AND ro.DEL_FLAG = 0)
+        WHERE ope.DEL_FLAG = 0
+        ORDER BY ope.OPERATION_NAME ASC
+    </select>
+
+    <delete id="deleteRoleOpe">
+        UPDATE role_operation
+        SET DEL_FLAG = 1
+        WHERE ROLE_ID = #{roleId}
+          AND OPERATION_KEY = #{opeKey}
+    </delete>
+
+<!--    此处不加DEL_FLAG=0，在修改权限的时候用到，不管是否为0都查出来-->
+    <select id="getRoleOpe" resultType="com.epmet.entity.RoleOperationEntity">
+        SELECT *
+        FROM role_operation
+        WHERE
+          ROLE_ID = #{roleId}
+          AND OPERATION_KEY = #{opeKey}
+    </select>

+    <update id="enableRoleOpe">
+        UPDATE role_operation
+        SET DEL_FLAG = 0
+        WHERE ROLE_ID = #{roleId}
+          AND OPERATION_KEY = #{opeKey}
+    </update>
 </mapper>
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/RoleScopeDao.xml
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/mapper/RoleScopeDao.xml
@ -16,5 +16,60 @@
        <result property="updatedTime" column="UPDATED_TIME"/>
    </resultMap>

+    <!--权限配置：列出scope项-->
+    <select id="listScopeOptionsForAccessConfig" resultType="com.epmet.dto.result.AccessConfigScopeResultDTO">
+        SELECT os.SCOPE_KEY,
+               os.SCOPE_NAME,
+               os.SCOPE_INDEX,
+               rs.OPERATION_KEY,
+               rs.ROLE_ID,
+               CASE
+                   WHEN rs.ROLE_ID IS NULL
+                       THEN FALSE
+                   ELSE TRUE
+                   END AS assigned
+        FROM operation_scope os
+                 LEFT JOIN role_scope rs
+                 ON (os.SCOPE_KEY = rs.SCOPE_KEY AND rs.DEL_FLAG = 0 AND rs.ROLE_ID = #{roleId} AND
+                                             OPERATION_KEY = #{operationKey})
+        WHERE os.DEL_FLAG = 0
+        ORDER BY SCOPE_KEY ASC
+    </select>

+    <!--根据角色ID和操作key删除-->
+    <delete id="deleteByRoleIdAndOpeKey">
+        DELETE
+        FROM role_scope
+        WHERE ROLE_ID = #{roleId}
+          AND OPERATION_KEY = #{operationKey}
+          AND SCOPE_KEY IN
+          <foreach collection="scopeKeys2Remove" item="scopeKey" open="(" separator="," close=")">
+              #{scopeKey}
+          </foreach>
+    </delete>
+
+    <!--启用-->
+    <update id="enableByRoleIdAndOpeKey">
+        DELETE
+        FROM role_scope
+        WHERE ROLE_ID = #{roleId}
+        AND OPERATION_KEY = #{operationKey}
+        AND SCOPE_KEY = #{scopeKey}
+    </update>
+
+    <!--根据角色ID+操作key+范围Key查询。此处不要过滤DEL_FLAG-->
+    <select id="getByRoleIdAndOpeKey" resultType="com.epmet.entity.RoleScopeEntity">
+        SELECT ro.*
+        FROM role_scope ro
+        WHERE ro.ROLE_ID = #{roleId}
+          AND ro.OPERATION_KEY = #{operationKey}
+          AND ro.SCOPE_KEY = #{scopeKey}
+    </select>
+
+    <select id="listScopeEntities" resultType="com.epmet.entity.RoleScopeEntity">
+        SELECT rs.*
+        FROM role_scope rs
+        WHERE rs.ROLE_ID = #{roleId}
+          AND rs.OPERATION_KEY = #{operationKey}
+    </select>
 </mapper>
--- a/epmet-module/gov-access/gov-access-server/src/test/java/com/epmet/test/govaccess/AccessSettingTest.java
+++ b/epmet-module/gov-access/gov-access-server/src/test/java/com/epmet/test/govaccess/AccessSettingTest.java
@ -25,13 +25,13 @@ public class AccessSettingTest {

    @Test
    public void addAccessSettings2Redis() {
-        List<AccessSettingResultDTO> settings = roleAccessSettingDao.listAccessSettingsByRoleId("1");
-        HashMap<String, Object> objectObjectHashMap = new HashMap<>();
+        List<AccessSettingResultDTO> settings = roleAccessSettingDao.listAccessSettingsByRoleId("1", "org_staff_list");
+        HashMap<String, String> objectObjectHashMap = new HashMap<>();
        settings.forEach(setting -> {
            objectObjectHashMap.put(setting.getSettingKey(), setting.getSettingValue());
        });
-        roleAccessSettingRedis.set(objectObjectHashMap, "1");
-        Map<String, String> map = roleAccessSettingRedis.get("1");
+        roleAccessSettingRedis.set(objectObjectHashMap, "1", "org_staff_list");
+        Map<String, String> map = roleAccessSettingRedis.get("1", "org_staff_list");
        System.out.println(map);
    }

--- a/epmet-module/gov-org/gov-org-server/src/main/java/com/epmet/controller/AgencyController.java
+++ b/epmet-module/gov-org/gov-org-server/src/main/java/com/epmet/controller/AgencyController.java
@ -83,6 +83,7 @@ public class AgencyController {
     * @Description 组织名称编辑
     */
    @PostMapping("editagency")
+    //@RequirePermission(requirePermission = RequirePermissionEnum.ORG_AGENCY_UPDATE)
    public Result editAgency(@LoginUser TokenDto tokenDTO, @RequestBody EditAgencyFormDTO formDTO) {
        formDTO.setUserId(tokenDTO.getUserId());
        ValidatorUtils.validateEntity(formDTO);
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/controller/RoleController.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/controller/RoleController.java
@ -45,10 +45,23 @@ import java.util.Map;
@RestController
@RequestMapping("role")
 public class RoleController {
-    
+
    @Autowired
    private RoleService roleService;

+    /**
+     * 根据客户ID查询该客户的角色列表
+     * @param customerId
+     * @return
+     */
+    @PostMapping("rolesbycustomer/{customerId}")
+    public Result listRolesByCustomer(@PathVariable("customerId") String customerId) {
+        List<RoleDTO> roleEntities = roleService.listRolesByCustomer(customerId);
+        return new Result().ok(roleEntities);
+    }
+
+
+
    @GetMapping("page")
    public Result<PageData<RoleDTO>> page(@RequestParam Map<String, Object> params){
        PageData<RoleDTO> page = roleService.page(params);
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/dao/RoleDao.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/dao/RoleDao.java
@ -18,8 +18,12 @@
 package com.epmet.dao;

 import com.epmet.commons.mybatis.dao.BaseDao;
+import com.epmet.dto.RoleDTO;
 import com.epmet.entity.RoleEntity;
 import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;
+
+import java.util.List;

 /**
 * 角色表
@ -38,4 +42,10 @@ public interface RoleDao extends BaseDao<RoleEntity> {
 	 */
 	RoleEntity selectRoleByKey(RoleEntity param);

+	/**
+	 * 通过客户ID查询客户的角色列表
+	 * @param customerId
+	 * @return
+	 */
+    List<RoleDTO> listRolesByCustomer(@Param("customerId") String customerId);
 }
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/service/RoleService.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/service/RoleService.java
@ -99,4 +99,6 @@ public interface RoleService extends BaseService<RoleEntity> {
     * @return RoleDTO
     */
    RoleDTO getRoleByKey(RoleDTO role);
+
+    List<RoleDTO> listRolesByCustomer(String customerId);
 }
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/service/impl/RoleServiceImpl.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/service/impl/RoleServiceImpl.java
@ -107,4 +107,11 @@ public class RoleServiceImpl extends BaseServiceImpl<RoleDao, RoleEntity> implem
        return ConvertUtils.sourceToTarget(entity, RoleDTO.class);
    }

+
+
+    @Override
+    public List<RoleDTO> listRolesByCustomer(String customerId) {
+        return baseDao.listRolesByCustomer(customerId);
+    }
+
 }
--- a/epmet-user/epmet-user-server/src/main/resources/mapper/RoleDao.xml
+++ b/epmet-user/epmet-user-server/src/main/resources/mapper/RoleDao.xml
@ -28,4 +28,10 @@
            and DEL_FLAG = 0
    </select>

+    <select id="listRolesByCustomer" resultType="com.epmet.dto.RoleDTO">
+        SELECT r.*
+        FROM gov_staff_role r
+        WHERE r.CUSTOMER_ID = #{customerId}
+    </select>
+
 </mapper>