
# feat:接口基于角色鉴权

yang yi hace 3 horas
padre
commit
2221dfc6e5

+ 2 - 0
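--- a/src/main/java/space/anyi/serve/config/SecurityConfig.java
+++ b/src/main/java/space/anyi/serve/config/SecurityConfig.java
@@ -6,6 +6,7 @@ import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -18,6 +19,7 @@ import space.anyi.serve.handler.security.JwtAccessDeniedHandler;
 import space.anyi.serve.handler.security.JwtAuthenticationEntryPoint;
 
 @EnableWebSecurity
+@EnableMethodSecurity(prePostEnabled = true)
 @Configuration
 public class SecurityConfig {
 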
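Review bot: `prePostEnabled = true` on the added `@EnableMethodSecurity` is redundant, since that is the annotation's default, so `@EnableMethodSecurity` alone expresses the same thing. The more important consequence is that method security is opt-in per method: any handler without a `@PreAuthorize` stays governed only by whatever `HttpSecurity` rules this class presumably builds elsewhere (the `HttpSecurity` import is visible, the rules are not), so those rules remain the deny-by-default backstop and should be reviewed together with this change. A short comment above the annotation would make that split explicit, e.g. `// Enables @PreAuthorize on methods; endpoints without an annotation fall back to the HttpSecurity rules in this class`. SecurityConfig's body continues outside the hunk.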

+ 9 - 0
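--- a/src/main/java/space/anyi/serve/controller/UserController.java
+++ b/src/main/java/space/anyi/serve/controller/UserController.java
@@ -7,6 +7,7 @@ import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 import org.springframework.beans.BeanUtils;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import space.anyi.serve.entity.PageVo;
 import space.anyi.serve.entity.Response;
@@ -42,6 +43,7 @@ public class UserController {
      * @param pageSize
      * @return
      */
+    @PreAuthorize("hasRole('ROLE_admin')")
     @GetMapping
     public Response<PageVo<List<UserVo>>> queryByPage(
             @NotNull @RequestParam(defaultValue = "") String account,
@@ -65,6 +67,7 @@ public class UserController {
      * @param id 主键
      * @return 单条数据
      */
+    @PreAuthorize("hasAnyRole('ROLE_admin', 'ROLE_user')")
     @GetMapping("{id}")
     public Response<UserVo> queryById(@NotBlank(message = "用户ID不能为空") @PathVariable String id) {
         User user = this.userService.queryById(Long.valueOf(id));
@@ -77,6 +80,7 @@ public class UserController {
      * @param userDto 实体
      * @return 新增结果
      */
+    @PreAuthorize("hasRole('ROLE_admin')")
     @PostMapping
     public Response<Boolean> add(@Valid@RequestBody UserDto userDto) {
         User user = new User();
@@ -90,6 +94,7 @@ public class UserController {
      * @param userDto 实体
      * @return 编辑结果
      */
+    @PreAuthorize("hasRole('ROLE_admin')")
     @PutMapping
     public Response<Boolean> edit(@Valid@RequestBody UserDto userDto) {
         User user = new User();
@@ -104,6 +109,7 @@ public class UserController {
      * @param ids 主键
      * @return 删除是否成功
      */
+    @PreAuthorize("hasRole('ROLE_admin')")
     @DeleteMapping
     public Response<Boolean> deleteById(@NotEmpty(message = "ID列表不能为空") @RequestParam List<String> ids) {
         List<Long> list = ids.stream().map(Long::valueOf).toList();
@@ -115,6 +121,7 @@ public class UserController {
      * @param dto
      * @return
      */
+    @PreAuthorize("hasRole('ROLE_admin')")
     @PutMapping("/updateStatus")
     public Response updateUserStatus(@Valid@RequestBody UpdateUserStatusDto dto){
         User user = new User();
@@ -128,6 +135,7 @@ public class UserController {
      * @param dto
      * @return
      */
+    @PreAuthorize("hasAnyRole('ROLE_admin', 'ROLE_user')")
     @PutMapping("/updateAvatar")
     public Response updateUserAvatar(@Valid@RequestBody UpdateUserAvatarDto dto){
         User user = new User();
@@ -141,6 +149,7 @@ public class UserController {
      * @param dto
      * @return
      */
+    @PreAuthorize("hasAnyRole('ROLE_admin', 'ROLE_user')")
     @PutMapping("/updatePassword")
     public Response updatePassword(@Valid @RequestBody UpdateUserPasswordDto dto){
         User user = new User();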
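Review bot: The role checks added to `queryById`, `updateUserAvatar` and `updatePassword` admit any `ROLE_user`, yet the target record is chosen by the caller (the `{id}` path variable, and presumably an id inside the request DTO), so unless `userService` enforces ownership — not visible here — an ordinary user can read or modify another user's record by supplying a different id. For the self-service endpoints, take the subject from the authenticated principal instead of the body, or add an ownership predicate such as `@PreAuthorize("hasRole('admin') or #id == authentication.name")` on `queryById` (adjust the right-hand side to whatever the JWT principal actually exposes), and have `updatePassword` verify the current password before accepting a new one. Style: the SpEL `hasRole`/`hasAnyRole` functions add the `ROLE_` prefix themselves, so `hasRole('admin')` is the conventional spelling; `ROLE_admin` works only because an existing prefix is left untouched, and it must match the stored authority string exactly, case included, which is established outside this hunk. The method bodies continue outside the hunk.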