1.增加DataFilter相关工具

2.实现了功能级RBAC
5 years ago · 8320ac3028
32 changed files with 728 additions and 122 deletions
--- a/epmet-admin/epmet-admin-server/src/main/java/com/epmet/service/impl/NewsServiceImpl.java
+++ b/epmet-admin/epmet-admin-server/src/main/java/com/epmet/service/impl/NewsServiceImpl.java
@ -31,7 +31,7 @@ public class NewsServiceImpl extends BaseServiceImpl<NewsDao, NewsEntity> implem
     * mybatis数据权限演示
     */
    @Override
-    @DataFilter(prefix = "AND", isPendingCreator = false)
+    //@DataFilter(prefix = "AND", isPendingCreator = false)
    public PageData<NewsDTO> page(Map<String, Object> params) {
        paramsToLike(params, "title");

--- a/epmet-auth/src/test/java/com/epmet/TokenGenTest.java
+++ b/epmet-auth/src/test/java/com/epmet/TokenGenTest.java
@ -0,0 +1,63 @@
+package com.epmet;
+
+import com.epmet.common.token.constant.LoginConstant;
+import com.epmet.commons.tools.security.dto.GovTokenDto;
+import com.epmet.commons.tools.utils.CpUserDetailRedis;
+import com.epmet.jwt.JwtTokenProperties;
+import com.epmet.jwt.JwtTokenUtils;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+public class TokenGenTest {
+
+    @Autowired
+    private JwtTokenProperties jwtTokenProperties;
+
+    @Autowired
+    private JwtTokenUtils jwtTokenUtils;
+
+    @Autowired
+    private CpUserDetailRedis cpUserDetailRedis;
+
+    @Test
+    public void genToken() {
+        String staffId = "wxz";
+        String tokenStr = generateGovWxmpToken(staffId);
+        int expire = jwtTokenProperties.getExpire();
+        GovTokenDto govTokenDto = new GovTokenDto();
+        govTokenDto.setApp(LoginConstant.APP_GOV);
+        govTokenDto.setClient(LoginConstant.CLIENT_WXMP);
+        govTokenDto.setUserId(staffId);
+        govTokenDto.setOpenId("");
+        govTokenDto.setSessionKey("");
+        govTokenDto.setUnionId("");
+        govTokenDto.setToken(tokenStr);
+        govTokenDto.setUpdateTime(System.currentTimeMillis());
+        govTokenDto.setExpireTime(jwtTokenUtils.getExpiration(tokenStr).getTime());
+        govTokenDto.setAgencyId("1");
+        govTokenDto.setCustomerId("f76def116c9c2dc0269cc17867af122c");
+        cpUserDetailRedis.set(govTokenDto, expire);
+    }
+
+    /**
+     * @Description 生成token
+     * @Date 2020/4/18 23:04
+     **/
+    private String generateGovWxmpToken(String staffId) {
+        Map<String, Object> map = new HashMap<>();
+        map.put("app", LoginConstant.APP_GOV);
+        map.put("client", LoginConstant.CLIENT_WXMP);
+        map.put("userId", staffId);
+        String token = jwtTokenUtils.createToken(map);
+        return token;
+    }
+
+}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/annotation/DataFilter.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/annotation/DataFilter.java
@ -25,24 +25,4 @@ public @interface DataFilter {
     */
    String tableAlias() default "";

-    /**
-     * 查询条件前缀，可选值有：[where、and]
-     */
-    String prefix() default "";
-
-    /**
-     * 用户ID
-     */
-    String userId() default "creator";
-
-    /**
-     * 部门ID
-     */
-    String deptId() default "dept_id";
-
-    /**
-     * 是否拼接用户ID
-     */
-    boolean isPendingCreator() default true;
-
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspect.java
@ -8,25 +8,28 @@

 package com.epmet.commons.mybatis.aspect;

-import cn.hutool.core.collection.CollUtil;
-import com.epmet.commons.mybatis.annotation.DataFilter;
+import com.epmet.commons.mybatis.dto.form.StaffPermissionFormDTO;
 import com.epmet.commons.mybatis.entity.DataScope;
-import com.epmet.commons.tools.constant.Constant;
-import com.epmet.commons.tools.enums.SuperAdminEnum;
+import com.epmet.commons.mybatis.feign.GovAccessFeignClient;
+import com.epmet.commons.tools.aspect.AccessOpeAspect;
+import com.epmet.commons.tools.exception.EpmetErrorCode;
 import com.epmet.commons.tools.exception.ErrorCode;
 import com.epmet.commons.tools.exception.RenException;
-import com.epmet.commons.tools.security.user.SecurityUser;
-import com.epmet.commons.tools.security.user.UserDetail;
+import com.epmet.commons.tools.security.user.LoginUserUtil;
+import com.epmet.commons.tools.utils.Result;
 import org.apache.commons.lang3.StringUtils;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Before;
-import org.aspectj.lang.annotation.Pointcut;
-import org.aspectj.lang.reflect.MethodSignature;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.CollectionUtils;

+import java.util.Arrays;
 import java.util.List;
-import java.util.Map;
+import java.util.Set;

 /**
 * 数据过滤，切面处理类
@ -37,69 +40,124 @@ import java.util.Map;
@Aspect
@Component
 public class DataFilterAspect {
-    @Pointcut("@annotation(com.epmet.commons.mybatis.annotation.DataFilter)")
-    public void dataFilterCut() {

-    }
+    private static final Logger log = LoggerFactory.getLogger(DataFilterAspect.class);
+
+    @Autowired
+    private LoginUserUtil loginUserUtil;
+
+    @Autowired
+    private GovAccessFeignClient govAccessFeignClient;

-    @Before("dataFilterCut()")
+    @Before("@annotation(com.epmet.commons.mybatis.annotation.DataFilter)")
    public void dataFilter(JoinPoint point) {
-        Object params = point.getArgs()[0];
-        if(params != null && params instanceof Map){
-            UserDetail user = SecurityUser.getUser();
-
-            //如果不是超级管理员，则进行数据过滤
-            if(user.getSuperAdmin() == SuperAdminEnum.NO.value()){
-                Map map = (Map)params;
-                String sqlFilter = getSqlFilter(user, point);
-                map.put(Constant.SQL_FILTER, new DataScope(sqlFilter));
-            }
+        // 反射的方式
+        //MethodSignature signature = (MethodSignature) point.getSignature();
+        //Class[] parameterTypes = signature.getParameterTypes();
+        //for (Class parameterType : parameterTypes) {
+        //    if (parameterType == DataScope.class) {
+        //
+        //    }
+        //}
+
+        String reqiurePermission = AccessOpeAspect.requirePermissionTl.get();
+        // 没有配置所需权限，不做操作，打印提示日志
+        if (StringUtils.isBlank(reqiurePermission)) {
+            log.warn("Api编码需要指定所需权限，请在Api上使用@RequirePermission注解完成所需权限配置");
+            return;
+        }

-            return ;
+        // 校验操作权限
+        validateOpePermission(reqiurePermission);
+
+        Object[] methodArgs = point.getArgs();
+        for (Object methodArg : methodArgs) {
+            if (methodArg instanceof DataScope) {
+                ((DataScope) methodArg).setSqlFilter(getSqlFilterSegment());
+                return;
+            }
        }

-        throw new RenException(ErrorCode.DATA_SCOPE_PARAMS_ERROR);
+        //throw new RenException(ErrorCode.DATA_SCOPE_PARAMS_ERROR);
    }

    /**
-     * 获取数据过滤的SQL
+     * 校验操作权限
     */
-    private String getSqlFilter(UserDetail user, JoinPoint point){
-        MethodSignature signature = (MethodSignature) point.getSignature();
-        DataFilter dataFilter = signature.getMethod().getAnnotation(DataFilter.class);
-        //获取表的别名
-        String tableAlias = dataFilter.tableAlias();
-        if(StringUtils.isNotBlank(tableAlias)){
-            tableAlias +=  ".";
+    private void validateOpePermission(String requirePermission) {
+        StaffPermissionFormDTO staffPermissionFormDTO = new StaffPermissionFormDTO();
+        staffPermissionFormDTO.setApp(loginUserUtil.getLoginUserApp());
+        staffPermissionFormDTO.setClient(loginUserUtil.getLoginUserClient());
+        staffPermissionFormDTO.setStaffId(loginUserUtil.getLoginUserId());
+        Result<Set<String>> permissions = govAccessFeignClient.getStaffCurrPermissions(staffPermissionFormDTO);
+        if (permissions.getCode() != 0) {
+            // 查询不到权限，记录日志，抛出8000异常
+            log.error("调用Access查询权限失败:{}", permissions.getMsg());
+            throw new RenException(EpmetErrorCode.SERVER_ERROR.getCode());
        }

-        StringBuilder sqlFilter = new StringBuilder();
-
-        //查询条件前缀
-        String prefix = dataFilter.prefix();
-        if(StringUtils.isNotBlank(prefix)){
-            sqlFilter.append(" ").append(prefix);
+        if (!CollectionUtils.isEmpty(permissions.getData()) && StringUtils.isNotBlank(requirePermission)
+                && permissions.getData().contains(requirePermission)) {
+            // 权限允许，正常结束
+            return;
        }
+        // 权限不足抛出异常
+        throw new RenException(EpmetErrorCode.REQUIRE_PERMISSION.getCode());
+    }

-        sqlFilter.append(" (");
-
-        //部门ID列表
-        List<Long> deptIdList = user.getDeptIdList();
-        if(CollUtil.isNotEmpty(deptIdList)){
-            sqlFilter.append(tableAlias).append(dataFilter.deptId());
-
-            sqlFilter.append(" in(").append(StringUtils.join(deptIdList, ",")).append(")");
-        }
+    /**
+     * 生成过滤sql片段
+     * @return
+     */
+    private String getSqlFilterSegment() {
+        // 根据角色列表查询操作范围列表

-        //查询本人数据
-        if (dataFilter.isPendingCreator()) {
-            if(CollUtil.isNotEmpty(deptIdList)){
-                sqlFilter.append(" or ");
-            }
-            sqlFilter.append(tableAlias).append(dataFilter.userId()).append("=").append(user.getId());
-        }
-        sqlFilter.append(")");
+        // 拼接sql语句

-        return sqlFilter.toString();
+        // TODO
+        return "dept_id in (1,2,3)";
    }
+
+    ///**
+    // * 获取数据过滤的SQL
+    // */
+    //@Deprecated
+    //private String getSqlFilter(UserDetail user, JoinPoint point){
+    //    MethodSignature signature = (MethodSignature) point.getSignature();
+    //    DataFilter dataFilter = signature.getMethod().getAnnotation(DataFilter.class);
+    //    //获取表的别名
+    //    String tableAlias = dataFilter.tableAlias();
+    //    if(StringUtils.isNotBlank(tableAlias)){
+    //        tableAlias +=  ".";
+    //    }
+    //
+    //    StringBuilder sqlFilter = new StringBuilder();
+    //
+    //    //查询条件前缀
+    //    String prefix = dataFilter.prefix();
+    //    if(StringUtils.isNotBlank(prefix)){
+    //        sqlFilter.append(" ").append(prefix);
+    //    }
+    //
+    //    sqlFilter.append(" (");
+    //
+    //    //部门ID列表
+    //    List<Long> deptIdList = user.getDeptIdList();
+    //    if(CollUtil.isNotEmpty(deptIdList)){
+    //        sqlFilter.append(tableAlias).append(dataFilter.deptId());
+    //
+    //        sqlFilter.append(" in(").append(StringUtils.join(deptIdList, ",")).append(")");
+    //    }
+    //
+    //    //查询本人数据
+    //    if (dataFilter.isPendingCreator()) {
+    //        if(CollUtil.isNotEmpty(deptIdList)){
+    //            sqlFilter.append(" or ");
+    //        }
+    //        sqlFilter.append(tableAlias).append(dataFilter.userId()).append("=").append(user.getId());
+    //    }
+    //    sqlFilter.append(")");
+    //
+    //    return sqlFilter.toString();
+    //}
 }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspectBak.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/aspect/DataFilterAspectBak.java
@ -0,0 +1,106 @@
+///**
+// * Copyright (c) 2018 人人开源 All rights reserved.
+// *
+// * https://www.renren.io
+// *
+// * 版权所有，侵权必究！
+// */
+//
+//package com.epmet.commons.mybatis.aspect;
+//
+//import cn.hutool.core.collection.CollUtil;
+//import com.epmet.commons.mybatis.annotation.DataFilter;
+//import com.epmet.commons.mybatis.entity.DataScope;
+//import com.epmet.commons.tools.constant.Constant;
+//import com.epmet.commons.tools.enums.SuperAdminEnum;
+//import com.epmet.commons.tools.exception.ErrorCode;
+//import com.epmet.commons.tools.exception.RenException;
+//import com.epmet.commons.tools.security.user.SecurityUser;
+//import com.epmet.commons.tools.security.user.UserDetail;
+//import org.apache.commons.lang3.StringUtils;
+//import org.aspectj.lang.JoinPoint;
+//import org.aspectj.lang.annotation.Aspect;
+//import org.aspectj.lang.annotation.Before;
+//import org.aspectj.lang.annotation.Pointcut;
+//import org.aspectj.lang.reflect.MethodSignature;
+//import org.springframework.stereotype.Component;
+//
+//import java.util.Arrays;
+//import java.util.List;
+//import java.util.Map;
+//
+///**
+// * 数据过滤，切面处理类
+// *
+// * @author Mark sunlightcs@gmail.com
+// * @since 1.0.0
+// */
+//@Aspect
+//@Component
+//public class DataFilterAspectBak {
+//    @Pointcut("@annotation(com.epmet.commons.mybatis.annotation.DataFilter)")
+//    public void dataFilterCut() {
+//
+//    }
+//
+//    @Before("dataFilterCut()")
+//    public void dataFilter(JoinPoint point) {
+//        Object params = point.getArgs()[0];
+//        if(params != null && params instanceof Map){
+//            UserDetail user = SecurityUser.getUser();
+//
+//            //如果不是超级管理员，则进行数据过滤
+//            if(user.getSuperAdmin() == SuperAdminEnum.NO.value()){
+//                Map map = (Map)params;
+//                String sqlFilter = getSqlFilter(user, point);
+//                map.put(Constant.SQL_FILTER, new DataScope(sqlFilter));
+//            }
+//
+//            return ;
+//        }
+//
+//        throw new RenException(ErrorCode.DATA_SCOPE_PARAMS_ERROR);
+//    }
+//
+//    /**
+//     * 获取数据过滤的SQL
+//     */
+//    private String getSqlFilter(UserDetail user, JoinPoint point){
+//        MethodSignature signature = (MethodSignature) point.getSignature();
+//        DataFilter dataFilter = signature.getMethod().getAnnotation(DataFilter.class);
+//        //获取表的别名
+//        String tableAlias = dataFilter.tableAlias();
+//        if(StringUtils.isNotBlank(tableAlias)){
+//            tableAlias +=  ".";
+//        }
+//
+//        StringBuilder sqlFilter = new StringBuilder();
+//
+//        //查询条件前缀
+//        String prefix = dataFilter.prefix();
+//        if(StringUtils.isNotBlank(prefix)){
+//            sqlFilter.append(" ").append(prefix);
+//        }
+//
+//        sqlFilter.append(" (");
+//
+//        //部门ID列表
+//        List<Long> deptIdList = user.getDeptIdList();
+//        if(CollUtil.isNotEmpty(deptIdList)){
+//            sqlFilter.append(tableAlias).append(dataFilter.deptId());
+//
+//            sqlFilter.append(" in(").append(StringUtils.join(deptIdList, ",")).append(")");
+//        }
+//
+//        //查询本人数据
+//        if (dataFilter.isPendingCreator()) {
+//            if(CollUtil.isNotEmpty(deptIdList)){
+//                sqlFilter.append(" or ");
+//            }
+//            sqlFilter.append(tableAlias).append(dataFilter.userId()).append("=").append(user.getId());
+//        }
+//        sqlFilter.append(")");
+//
+//        return sqlFilter.toString();
+//    }
+//}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/StaffPermissionFormDTO.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/dto/form/StaffPermissionFormDTO.java
@ -0,0 +1,26 @@
+package com.epmet.commons.mybatis.dto.form;
+
+import lombok.Data;
+
+import javax.validation.constraints.NotBlank;
+import java.util.Set;
+
+@Data
+public class StaffPermissionFormDTO {
+
+    /**
+     * 工作人员 id
+     */
+    private String staffId;
+
+    /**
+     * 登录头信息app
+     */
+    private String app;
+
+    /**
+     * 登录头信息client
+     */
+    private String client;
+
+}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/entity/DataScope.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/entity/DataScope.java
@ -1,8 +1,8 @@
 /**
 * Copyright (c) 2018 人人开源 All rights reserved.
- *
+ * <p>
 * https://www.renren.io
- *
+ * <p>
 * 版权所有，侵权必究！
 */

@ -15,8 +15,13 @@ package com.epmet.commons.mybatis.entity;
 * @since 1.0.0
 */
 public class DataScope {
+
    private String sqlFilter;

+    public static DataScope getDefault() {
+        return new DataScope("");
+    }
+
    public DataScope(String sqlFilter) {
        this.sqlFilter = sqlFilter;
    }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/GovAccessFeignClient.java
@ -0,0 +1,26 @@
+package com.epmet.commons.mybatis.feign;
+
+import com.epmet.commons.mybatis.dto.form.StaffPermissionFormDTO;
+import com.epmet.commons.mybatis.feign.fallback.GovAccessFeignClientFallback;
+import com.epmet.commons.tools.constant.ServiceConstant;
+import com.epmet.commons.tools.utils.Result;
+import org.springframework.cloud.openfeign.FeignClient;
+import org.springframework.web.bind.annotation.PostMapping;
+
+import java.util.Set;
+
+/**
+ * @Description
+ * @Author sun
+ */
+@FeignClient(name = ServiceConstant.GOV_ACCESS_SERVER, fallback = GovAccessFeignClientFallback.class)
+public interface GovAccessFeignClient {
+
+    /**
+     * 查询用户当前权限列表(DataFilterAspect中用到)
+     * @return
+     */
+    @PostMapping("/gov/access/access/getcurrpermissions")
+    Result<Set<String>> getStaffCurrPermissions(StaffPermissionFormDTO dto);
+
+}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/feign/fallback/GovAccessFeignClientFallback.java
@ -0,0 +1,25 @@
+package com.epmet.commons.mybatis.feign.fallback;
+
+import com.epmet.commons.mybatis.dto.form.StaffPermissionFormDTO;
+import com.epmet.commons.mybatis.feign.GovAccessFeignClient;
+import com.epmet.commons.tools.constant.ServiceConstant;
+import com.epmet.commons.tools.utils.ModuleUtils;
+import com.epmet.commons.tools.utils.Result;
+import org.springframework.stereotype.Component;
+
+import java.util.Set;
+
+/**
+ * 调用政府端权限
+ * @Author wxz
+ * @Description
+ * @Date 2020/4/24 11:17
+ **/
+@Component
+public class GovAccessFeignClientFallback implements GovAccessFeignClient {
+
+    @Override
+    public Result<Set<String>> getStaffCurrPermissions(StaffPermissionFormDTO dto) {
+        return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "getStaffCurrPermissions", dto);
+    }
+}
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/handler/FieldMetaObjectHandler.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/handler/FieldMetaObjectHandler.java
@ -22,6 +22,7 @@ import com.epmet.commons.tools.security.user.SecurityUser;
 import com.epmet.commons.tools.security.user.UserDetail;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.ibatis.reflection.MetaObject;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;

 import java.util.Date;
@ -40,11 +41,14 @@ public class FieldMetaObjectHandler implements MetaObjectHandler {
    private final static String UPDATER = "updater";
    private final static String DEPT_ID = "deptId";

+    @Autowired
+    private LoginUserUtil loginUserUtil;
+
    @Override
    public void insertFill(MetaObject metaObject) {
        Date date = new Date();
        if (metaObject.getOriginalObject() instanceof BaseEpmetEntity) {
-            String loginUserId = LoginUserUtil.getLoginUserId();
+            String loginUserId = loginUserUtil.getLoginUserId();
            // epmet项目新增的
            loginUserId = StringUtils.isBlank(loginUserId) ? Constant.APP_USER_FLAG : loginUserId;
            //Long deptId = user == null ? null : user.getDeptId();
@ -107,7 +111,7 @@ public class FieldMetaObjectHandler implements MetaObjectHandler {
            //更新时间
            setFieldValByName(UPDATE_DATE, new Date(), metaObject);
        } else if (fillEsuaEntity) {
-            String loginUserId = LoginUserUtil.getLoginUserId();
+            String loginUserId = loginUserUtil.getLoginUserId();
            String userId = StringUtils.isBlank(loginUserId) ? Constant.APP_USER_FLAG : loginUserId;
            setFieldValByName(FieldConstant.UPDATED_BY_HUMP, userId, metaObject);
            setFieldValByName(FieldConstant.UPDATED_TIME_HUMP, new Date(), metaObject);
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptor.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptor.java
@ -8,6 +8,7 @@

 package com.epmet.commons.mybatis.interceptor;

+import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.toolkit.PluginUtils;
 import com.baomidou.mybatisplus.core.toolkit.StringUtils;
 import com.baomidou.mybatisplus.extension.handlers.AbstractSqlParserHandler;
@ -55,12 +56,17 @@ public class DataFilterInterceptor extends AbstractSqlParserHandler implements I
        // 判断参数里是否有DataScope对象
        DataScope scope = null;
        if (paramObj instanceof DataScope) {
+            // 直接传入DataScope，不分页？
            scope = (DataScope) paramObj;
        } else if (paramObj instanceof Map) {
+            // 入参是一个Map
            for (Object arg : ((Map) paramObj).values()) {
                if (arg instanceof DataScope) {
                    scope = (DataScope) arg;
                    break;
+                } else if (arg instanceof QueryWrapper) {
+                    // 通过Mybatis-plus封装的通用方法进行查询
+                    break;
                }
            }
        }
--- a/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptorBak.java
+++ b/epmet-commons/epmet-commons-mybatis/src/main/java/com/epmet/commons/mybatis/interceptor/DataFilterInterceptorBak.java
@ -0,0 +1,100 @@
+///**
+// * Copyright (c) 2018 人人开源 All rights reserved.
+// * <p>
+// * https://www.renren.io
+// * <p>
+// * 版权所有，侵权必究！
+// */
+//
+//package com.epmet.commons.mybatis.interceptor;
+//
+//import com.baomidou.mybatisplus.core.toolkit.PluginUtils;
+//import com.baomidou.mybatisplus.extension.handlers.AbstractSqlParserHandler;
+//import com.epmet.commons.mybatis.entity.DataScope;
+//import org.apache.ibatis.executor.statement.StatementHandler;
+//import org.apache.ibatis.mapping.BoundSql;
+//import org.apache.ibatis.mapping.MappedStatement;
+//import org.apache.ibatis.mapping.SqlCommandType;
+//import org.apache.ibatis.plugin.*;
+//import org.apache.ibatis.reflection.MetaObject;
+//import org.apache.ibatis.reflection.SystemMetaObject;
+//
+//import java.sql.Connection;
+//import java.util.Map;
+//import java.util.Properties;
+//
+///**
+// * 数据过滤
+// *
+// * @author Mark sunlightcs@gmail.com
+// * @since 1.0.0
+// */
+//@Intercepts({@Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})})
+//public class DataFilterInterceptorBak extends AbstractSqlParserHandler implements Interceptor {
+//
+//    @Override
+//    public Object intercept(Invocation invocation) throws Throwable {
+//        StatementHandler statementHandler = (StatementHandler) PluginUtils.realTarget(invocation.getTarget());
+//        MetaObject metaObject = SystemMetaObject.forObject(statementHandler);
+//
+//        // SQL解析
+//        this.sqlParser(metaObject);
+//
+//        // 先判断是不是SELECT操作
+//        MappedStatement mappedStatement = (MappedStatement) metaObject.getValue("delegate.mappedStatement");
+//        if (!SqlCommandType.SELECT.equals(mappedStatement.getSqlCommandType())) {
+//            return invocation.proceed();
+//        }
+//
+//        // 针对定义了rowBounds，做为mapper接口方法的参数
+//        BoundSql boundSql = (BoundSql) metaObject.getValue("delegate.boundSql");
+//        String originalSql = boundSql.getSql();
+//        Object paramObj = boundSql.getParameterObject();
+//
+//        // 判断参数里是否有DataScope对象
+//        DataScope scope = null;
+//        if (paramObj instanceof DataScope) {
+//            scope = (DataScope) paramObj;
+//        } else if (paramObj instanceof Map) {
+//            for (Object arg : ((Map) paramObj).values()) {
+//                if (arg instanceof DataScope) {
+//                    scope = (DataScope) arg;
+//                    break;
+//                }
+//            }
+//        }
+//
+//        // 不用数据过滤
+//        if (scope == null) {
+//            return invocation.proceed();
+//        }
+//
+//        // 拼接新SQL
+//        String orderBy = "ORDER BY";
+//        String groupBy = "GROUP BY";
+//        if (originalSql.indexOf(groupBy) > -1) {
+//            originalSql = originalSql.replace(groupBy, scope.getSqlFilter() + groupBy);
+//        } else if (originalSql.indexOf(orderBy) > -1) {
+//            originalSql = originalSql.replace(orderBy, scope.getSqlFilter() + orderBy);
+//        } else {
+//            originalSql = originalSql + scope.getSqlFilter();
+//        }
+//
+//        // 重写SQL
+//        metaObject.setValue("delegate.boundSql.sql", originalSql);
+//        return invocation.proceed();
+//    }
+//
+//    @Override
+//    public Object plugin(Object target) {
+//        if (target instanceof StatementHandler) {
+//            return Plugin.wrap(target, this);
+//        }
+//        return target;
+//    }
+//
+//    @Override
+//    public void setProperties(Properties properties) {
+//
+//    }
+//}
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/annotation/RequirePermission.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/annotation/RequirePermission.java
@ -0,0 +1,36 @@
+/**
+ * Copyright 2018 人人开源 http://www.renren.io
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.epmet.commons.tools.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 权限注解
+ * @Author wxz
+ * @Description
+ * @Date 2020/4/23 16:17
+ **/
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequirePermission {
+
+    String key() default "";
+
+    String desc() default "";
+
+}
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/aspect/AccessOpeAspect.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/aspect/AccessOpeAspect.java
@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2018 人人开源 All rights reserved.
+ *
+ * https://www.renren.io
+ *
+ * 版权所有，侵权必究！
+ */
+
+package com.epmet.commons.tools.aspect;
+
+import com.epmet.commons.tools.annotation.RequirePermission;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+
+/**
+ * 每次请求，过滤Api中配置的权限key出来
+ * @Author wxz
+ * @Description
+ * @Date 2020/4/23 16:16
+ **/
+@Aspect
+@Component
+public class AccessOpeAspect {
+
+    /**
+     * 存储所需操作权限的 ThreadLocal
+     */
+    public static final ThreadLocal<String> requirePermissionTl = new ThreadLocal<>();
+
+    @Before("@annotation(com.epmet.commons.tools.annotation.RequirePermission)")
+    public void before(JoinPoint point) throws Throwable {
+        // 取RequirePermission注解
+        MethodSignature methodSignature = (MethodSignature) point.getSignature();
+        RequirePermission requirePermissionAnno = methodSignature.getMethod().getAnnotation(RequirePermission.class);
+        String key = requirePermissionAnno.key();
+        String desc = requirePermissionAnno.desc();
+        System.out.println(key);
+        System.out.println(desc);
+
+        // 放入ThreadLocal，供DataFilterAspect中使用
+        requirePermissionTl.set(key);
+    }
+}
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/EpmetErrorCode.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/EpmetErrorCode.java
@ -27,7 +27,8 @@ public enum EpmetErrorCode {
 	MESSAGE_SMS_SEND_ERROR(8105, "短信发送失败"),

    CANNOT_AUDIT_WARM(8201, "请完善居民信息"),
-	NOT_DEL_AGENCY(8202, "该机关存在下级机关，不允许删除");
+	NOT_DEL_AGENCY(8202, "该机关存在下级机关，不允许删除"),
+	REQUIRE_PERMISSION(8203, "没有足够的操作权限");


 	private int code;
--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/RenExceptionHandler.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/exception/RenExceptionHandler.java
@ -44,6 +44,8 @@ public class RenExceptionHandler {
 	private ModuleConfig moduleConfig;
 	@Autowired
 	private LogProducer logProducer;
+	@Autowired
+	private LoginUserUtil loginUserUtil;

 	/**
 	 * 处理自定义异常
@ -120,7 +122,7 @@ public class RenExceptionHandler {

 		//登录用户ID

-		log.setCreator(LoginUserUtil.getLoginUserId());
+		log.setCreator(loginUserUtil.getLoginUserId());
 		//异常信息
 		log.setErrorInfo(ExceptionUtils.getErrorStackTrace(ex));

--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/security/dto/GovTokenDto.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/security/dto/GovTokenDto.java
@ -67,6 +67,6 @@ public class GovTokenDto extends BaseTokenDto implements Serializable {
    /**
     * 功能权限列表，实际上是gov_staff => staff_role => role_operation查询到的operationKey
     */
-    private List<String> permissions;
+    private Set<String> permissions;
 }

--- a/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/security/user/LoginUserUtil.java
+++ b/epmet-commons/epmet-commons-tools/src/main/java/com/epmet/commons/tools/security/user/LoginUserUtil.java
@ -1,33 +1,82 @@
 package com.epmet.commons.tools.security.user;

-import com.epmet.commons.tools.constant.Constant;
+import com.epmet.commons.tools.constant.AppClientConstant;
 import com.epmet.commons.tools.utils.HttpContextUtils;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.web.context.request.RequestAttributes;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
+import org.springframework.stereotype.Component;

 import javax.servlet.http.HttpServletRequest;
+import java.util.List;

 /**
 * 登录用户相关工具
 */
+@Component
 public class LoginUserUtil {

+    //@Autowired
+    //private
+
    /**
     * 查询登录用户的id
     * @return
     */
-    public static String getLoginUserId() {
+    public String getLoginUserId() {
        HttpServletRequest request = HttpContextUtils.getHttpServletRequest();
        if (request == null) {
            return null;
        }

-        String userId = request.getHeader(Constant.USER_KEY);
+        String userId = request.getHeader(AppClientConstant.USER_ID);
        if (StringUtils.isBlank(userId)) {
            return null;
        }
        return userId;
    }
+
+    /**
+     * 登录用户的App头信息
+     * @return
+     */
+    public String getLoginUserApp() {
+        HttpServletRequest request = HttpContextUtils.getHttpServletRequest();
+        if (request == null) {
+            return null;
+        }
+
+        String app = request.getHeader(AppClientConstant.APP);
+        if (StringUtils.isBlank(app)) {
+            return null;
+        }
+        return app;
+    }
+
+    /**
+     * 获取登录用户client头信息
+     * @return
+     */
+    public String getLoginUserClient() {
+        HttpServletRequest request = HttpContextUtils.getHttpServletRequest();
+        if (request == null) {
+            return null;
+        }
+
+        String client = request.getHeader(AppClientConstant.CLIENT);
+        if (StringUtils.isBlank(client)) {
+            return null;
+        }
+        return client;
+    }
+
+    /**
+     * 获取用户的部门ID列表
+     * @return
+     */
+    public List<String> getLoginUserDepartments() {
+        String loginUserId = getLoginUserId();
+        String loginUserApp = getLoginUserApp();
+        String loginUserClient = getLoginUserClient();
+        // todo
+        return null;
+    }
 }
--- a/epmet-gateway/pom.xml
+++ b/epmet-gateway/pom.xml
@ -157,12 +157,12 @@
                <gateway.routes.resi-partymember-server.uri>lb://resi-partymember-server</gateway.routes.resi-partymember-server.uri>

                <!--18.政府端-权限-服务-->
-            <!--<gateway.routes.gov-access-server.uri>http://127.0.0.1:8099</gateway.routes.gov-access-server.uri>-->
-                <gateway.routes.gov-access-server.uri>lb://gov-access-server</gateway.routes.gov-access-server.uri>
+            <gateway.routes.gov-access-server.uri>http://127.0.0.1:8099</gateway.routes.gov-access-server.uri>
+                <!--<gateway.routes.gov-access-server.uri>lb://gov-access-server</gateway.routes.gov-access-server.uri>-->

                <!--19.政府端-我的-服务-->
-            <!--<gateway.routes.gov-mine-server.uri>http://127.0.0.1:8098</gateway.routes.gov-mine-server.uri>-->
-                <gateway.routes.gov-mine-server.uri>lb://gov-mine-server</gateway.routes.gov-mine-server.uri>
+            <gateway.routes.gov-mine-server.uri>http://127.0.0.1:8098</gateway.routes.gov-mine-server.uri>
+                <!--<gateway.routes.gov-mine-server.uri>lb://gov-mine-server</gateway.routes.gov-mine-server.uri>-->
            </properties>
        </profile>
        <profile>
--- a/epmet-gateway/src/main/java/com/epmet/filter/FeignRequestFilter.java
+++ b/epmet-gateway/src/main/java/com/epmet/filter/FeignRequestFilter.java
@ -1,5 +1,6 @@
 package com.epmet.filter;

+import com.epmet.commons.tools.constant.AppClientConstant;
 import com.epmet.commons.tools.constant.Constant;
 import com.epmet.commons.tools.security.dto.BaseTokenDto;
 import com.epmet.commons.tools.utils.CpUserDetailRedis;
@ -54,7 +55,7 @@ public class FeignRequestFilter implements GlobalFilter, UserTokenFilter {

        if (baseTokenDto != null) {
            ServerHttpRequest build = exchange.getRequest().mutate()
-                    .header(Constant.USER_KEY, new String[]{baseTokenDto.getUserId()}).build();
+                    .header(AppClientConstant.USER_ID, new String[]{baseTokenDto.getUserId()}).build();
            return chain.filter(exchange.mutate().request(build).build());
        }

--- a/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/StaffPermCacheFormDTO.java
+++ b/epmet-module/gov-access/gov-access-client/src/main/java/com/epmet/dto/form/StaffPermCacheFormDTO.java
@ -3,7 +3,7 @@ package com.epmet.dto.form;
 import lombok.Data;

 import javax.validation.constraints.NotBlank;
-import java.util.List;
+import java.util.Set;

@Data
 public class StaffPermCacheFormDTO {
@ -13,27 +13,32 @@ public class StaffPermCacheFormDTO {
     */
    public interface UpdatePermissionCache {}

+    /**
+     * 查询当前权限列表
+     */
+    public interface GetStaffCurrPermissions {}
+
    /**
     * 工作人员 id
     */
-    @NotBlank(message = "工作人员ID不能为空", groups = {UpdatePermissionCache.class})
+    @NotBlank(message = "工作人员ID不能为空", groups = {UpdatePermissionCache.class, GetStaffCurrPermissions.class})
    private String staffId;

    /**
     * 登录头信息app
     */
-    @NotBlank(message = "登录头信息app不能为空", groups = {UpdatePermissionCache.class})
+    @NotBlank(message = "登录头信息app不能为空", groups = {UpdatePermissionCache.class, GetStaffCurrPermissions.class})
    private String app;

    /**
     * 登录头信息client
     */
-    @NotBlank(message = "登录头信息client不能为空", groups = {UpdatePermissionCache.class})
+    @NotBlank(message = "登录头信息client不能为空", groups = {UpdatePermissionCache.class, GetStaffCurrPermissions.class})
    private String client;

    /**
     * 权限列表
     */
-    private List<String> permissions;
+    private Set<String> permissions;

 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/controller/AccessController.java
@ -10,7 +10,7 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;

-import java.util.List;
+import java.util.Set;

 /**
 * 权限相关Api
@ -36,8 +36,19 @@ public class AccessController {
        String staffId = staffPermCacheFormDTO.getStaffId();
        String app = staffPermCacheFormDTO.getApp();
        String client = staffPermCacheFormDTO.getClient();
-        List<String> permissions = staffPermCacheFormDTO.getPermissions();
+        Set<String> permissions = staffPermCacheFormDTO.getPermissions();
        accessService.updatePermissionCache(staffId, app, client, permissions);
        return new Result();
    }
+
+    /**
+     * 查询用户当前权限列表(DataFilterAspect中用到)
+     * @return
+     */
+    @PostMapping("getcurrpermissions")
+    public Result<Set<String>> getStaffCurrPermissions(@RequestBody StaffPermCacheFormDTO dto) {
+        ValidatorUtils.validateEntity(dto, StaffPermCacheFormDTO.GetStaffCurrPermissions.class);
+        Set<String> permissions = accessService.listStaffCurrPermissions(dto.getApp(), dto.getClient(), dto.getStaffId());
+        return new Result<Set<String>>().ok(permissions);
+    }
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/AccessService.java
@ -1,6 +1,6 @@
 package com.epmet.service;

-import java.util.List;
+import java.util.Set;

 public interface AccessService {
    /**
@ -8,5 +8,11 @@ public interface AccessService {
     * @param staffId
     * @param permissions
     */
-    void updatePermissionCache(String staffId, String app, String client, List<String> permissions);
+    void updatePermissionCache(String staffId, String app, String client, Set<String> permissions);
+
+    /**
+     * 查询用户当前权限列表
+     * @return
+     */
+    Set<String> listStaffCurrPermissions(String app, String client, String staffId);
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
+++ b/epmet-module/gov-access/gov-access-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
@ -7,8 +7,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;

-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;

@Service
 public class AccessServiceImpl implements AccessService {
@ -24,7 +26,7 @@ public class AccessServiceImpl implements AccessService {
     * @param permissions
     */
    @Override
-    public void updatePermissionCache(String staffId, String app, String client, List<String> permissions) {
+    public void updatePermissionCache(String staffId, String app, String client, Set<String> permissions) {
        GovTokenDto govTokenDto = cpUserDetailRedis.get(app, client, staffId, GovTokenDto.class);
        if (govTokenDto == null) {
            logger.warn("更新[{}]用户缓存:Redis中不存在该用户TokenDto缓存信息", staffId);
@ -37,4 +39,13 @@ public class AccessServiceImpl implements AccessService {
        cpUserDetailRedis.set(govTokenDto, expire);
        logger.warn("更新[{}]用户缓存成功。", staffId);
    }
+
+    @Override
+    public Set<String> listStaffCurrPermissions(String app, String client, String staffId) {
+        GovTokenDto govTokenDto = cpUserDetailRedis.get(app, client, staffId, GovTokenDto.class);
+        if (govTokenDto == null || CollectionUtils.isEmpty(govTokenDto.getPermissions())) {
+            return new HashSet<>();
+        }
+        return new HashSet<>(govTokenDto.getPermissions());
+    }
 }
--- a/epmet-module/gov-access/gov-access-server/src/main/resources/db.migration/epmet_gov_access.sql
+++ b/epmet-module/gov-access/gov-access-server/src/main/resources/db.migration/epmet_gov_access.sql
@ -61,7 +61,7 @@ CREATE TABLE `role_operation`  (
 CREATE TABLE `role_scope`  (
  `ID` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  `ROLE_ID` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '角色ID',
-  `PERMISSION_KEY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '权限key',
+  `SCOPE_KEY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT '范围Key',
  `DEL_FLAG` tinyint(1) NULL DEFAULT NULL COMMENT '是否删除，0：未删除，1：已删除',
  `REVISION` int(10) NULL DEFAULT NULL COMMENT '乐观锁',
  `CREATED_BY` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL COMMENT '创建者id',
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/controller/AccessController.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/controller/AccessController.java
@ -29,14 +29,21 @@ public class AccessController {
    @Autowired
    private AccessService accessService;

+    /**
+     * 查询用户可操作功能列表(包含缓存)
+     * @param tokenDto
+     * @param staffOperationDTO
+     * @return
+     */
    @PostMapping("getstaffoperations")
    public Result<Set<String>> getStaffOperations(@LoginUser TokenDto tokenDto, @RequestBody StaffOperationDTO staffOperationDTO) {
    //public Result<Set<String>> getStaffOperations(@RequestBody StaffOperationDTO staffOperationDTO) {
        String agencyId = staffOperationDTO.getAgencyId();
        String gridId = staffOperationDTO.getGridId();
        String staffId = tokenDto.getUserId();
-        Set<String> opeKeys = accessService.listOpeKeysByStaffId(staffId, agencyId, gridId);
+        String app = tokenDto.getApp();
+        String client = tokenDto.getClient();
+        Set<String> opeKeys = accessService.listOpeKeysByStaffId(app, client, staffId,agencyId, gridId);
        return new Result<Set<String>>().ok(opeKeys);
    }
-
 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/GovAccessFeignClient.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/GovAccessFeignClient.java
@ -2,14 +2,13 @@ package com.epmet.feign;

 import com.epmet.commons.tools.constant.ServiceConstant;
 import com.epmet.commons.tools.utils.Result;
-import com.epmet.dto.result.CustomerGridByUserIdResultDTO;
+import com.epmet.dto.form.StaffPermCacheFormDTO;
 import com.epmet.dto.result.RoleOperationResultDTO;
 import com.epmet.feign.fallback.GovAccessFeignClientFallback;
-import com.epmet.feign.fallback.GovOrgFeignClientFallBack;
 import org.springframework.cloud.openfeign.FeignClient;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;

 import java.util.List;

@ -20,6 +19,19 @@ import java.util.List;
@FeignClient(name = ServiceConstant.GOV_ACCESS_SERVER, fallback = GovAccessFeignClientFallback.class)
 public interface GovAccessFeignClient {

+    /**
+     * 根据角色ID查询角色权限列表
+     * @param roleId
+     * @return
+     */
    @PostMapping("/gov/access/role/operations/{roleId}")
    Result<List<RoleOperationResultDTO>> listOperationsByRoleId(@PathVariable("roleId") String roleId);
+
+    /**
+     * 刷新用户权限缓存
+     * @param staffPermCacheFormDTO
+     * @return
+     */
+    @PostMapping("/gov/access/access/updatepermissioncache")
+    Result updatePermissionCache(@RequestBody StaffPermCacheFormDTO staffPermCacheFormDTO);
 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/fallback/GovAccessFeignClientFallback.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/feign/fallback/GovAccessFeignClientFallback.java
@ -3,14 +3,11 @@ package com.epmet.feign.fallback;
 import com.epmet.commons.tools.constant.ServiceConstant;
 import com.epmet.commons.tools.utils.ModuleUtils;
 import com.epmet.commons.tools.utils.Result;
-import com.epmet.dto.StaffRoleDTO;
-import com.epmet.dto.form.StaffRoleFormDTO;
-import com.epmet.dto.result.CustomerGridByUserIdResultDTO;
-import com.epmet.dto.result.LatestCustomerResultDTO;
+import com.epmet.dto.form.StaffPermCacheFormDTO;
 import com.epmet.dto.result.RoleOperationResultDTO;
-import com.epmet.feign.EpmetUserFeignClient;
 import com.epmet.feign.GovAccessFeignClient;
 import org.springframework.stereotype.Component;
+import org.springframework.web.bind.annotation.RequestBody;

 import java.util.List;

@ -25,4 +22,14 @@ public class GovAccessFeignClientFallback implements GovAccessFeignClient {
 	public Result<List<RoleOperationResultDTO>> listOperationsByRoleId(String roleId) {
 		return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "listOperationsByRoleId");
 	}
+
+	/**
+	 * 刷新用户权限缓存
+	 * @param staffPermCacheFormDTO
+	 * @return
+	 */
+	@Override
+	public Result updatePermissionCache(@RequestBody StaffPermCacheFormDTO staffPermCacheFormDTO) {
+		return ModuleUtils.feignConError(ServiceConstant.GOV_ACCESS_SERVER, "updatePermissionCache");
+	}
 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/AccessService.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/AccessService.java
@ -12,8 +12,7 @@ import java.util.Set;
 public interface AccessService {
    /**
     * 根据staffId查询角色Key列表
-     * @param staffId
     * @return
     */
-    Set<String> listOpeKeysByStaffId(String staffId, String agencyId, String gridId);
+    Set<String> listOpeKeysByStaffId(String app, String client, String staffId, String agencyId, String gridId);
 }
--- a/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
+++ b/epmet-module/gov-mine/gov-mine-server/src/main/java/com/epmet/service/impl/AccessServiceImpl.java
@ -1,8 +1,9 @@
 package com.epmet.service.impl;

+import com.epmet.commons.tools.utils.CpUserDetailRedis;
 import com.epmet.commons.tools.utils.Result;
 import com.epmet.dto.GovStaffRoleDTO;
-import com.epmet.dto.StaffRoleDTO;
+import com.epmet.dto.form.StaffPermCacheFormDTO;
 import com.epmet.dto.form.StaffRoleFormDTO;
 import com.epmet.dto.result.RoleOperationResultDTO;
 import com.epmet.feign.EpmetUserFeignClient;
@ -26,8 +27,11 @@ public class AccessServiceImpl implements AccessService {
    @Autowired
    private GovAccessFeignClient govAccessFeignClient;

+    @Autowired
+    private CpUserDetailRedis cpUserDetailRedis;
+
    @Override
-    public Set<String> listOpeKeysByStaffId(String staffId, String agencyId, String gridId) {
+    public Set<String> listOpeKeysByStaffId(String app, String client, String staffId, String agencyId, String gridId) {
        List<GovStaffRoleDTO> roleDTOS = new ArrayList<>();
        // 查询机关单位权限
        StaffRoleFormDTO formDTO = new StaffRoleFormDTO();
@ -56,6 +60,14 @@ public class AccessServiceImpl implements AccessService {
                }
            });
        });
+
+        // 将最新权限缓存到redis，为了尽量统一操作入口，调用gov-access接口实现
+        StaffPermCacheFormDTO staffPermCacheFormDTO = new StaffPermCacheFormDTO();
+        staffPermCacheFormDTO.setApp(app);
+        staffPermCacheFormDTO.setClient(client);
+        staffPermCacheFormDTO.setStaffId(staffId);
+        staffPermCacheFormDTO.setPermissions(opeKeys);
+        govAccessFeignClient.updatePermissionCache(staffPermCacheFormDTO);
        return opeKeys;
    }
 }
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/controller/StaffRoleController.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/controller/StaffRoleController.java
@ -60,6 +60,7 @@ public class StaffRoleController {
     * @return
     */
    @PostMapping("staffsinrole")
+    //@RequirePermission(key = "org_staff_list")
    public Result<List<StaffRoleDTO>> getStaffsInRole(@RequestBody StaffRoleFormDTO staffRoleFormDTO) {
        ValidatorUtils.validateEntity(staffRoleFormDTO, StaffRoleFormDTO.GetStaffsInRole.class);
        String roleKey = staffRoleFormDTO.getRoleKey();
--- a/epmet-user/epmet-user-server/src/main/java/com/epmet/service/impl/StaffRoleServiceImpl.java
+++ b/epmet-user/epmet-user-server/src/main/java/com/epmet/service/impl/StaffRoleServiceImpl.java
@ -108,6 +108,7 @@ public class StaffRoleServiceImpl extends BaseServiceImpl<StaffRoleDao, StaffRol
     * @return
     */
    @Override
+    //@DataFilter
    public List<StaffRoleDTO> listStaffsInRole(String roleKey, String orgId) {
        return baseDao.listStaffIdsByRoleKeyAndOrgId(roleKey, orgId);
    }