From 9136037865dc9fd6c30c37ab50678e4e1988e5e6 Mon Sep 17 00:00:00 2001 From: zhansihu Date: Wed, 25 Oct 2023 17:51:18 +0800 Subject: [PATCH 01/12] =?UTF-8?q?fix(permission-point):=20=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=E5=89=8D=E7=AB=AF=E8=BF=94=E5=9B=9E=E7=A9=BA=E5=88=97?= =?UTF-8?q?=E8=A1=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tyr/server/service/impl/PermissionPointServiceImpl.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index 41ea2971..b81d52b9 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -319,6 +319,8 @@ public class PermissionPointServiceImpl implements PermissionPointService { vo.setParentName(parent.getFeatureName()); vo.setParentFeatureType(parent.getFeatureType()); vo.setParentFeatureTypeDes(FeatureType.apply(parent.getFeatureType()).getDesc()); + vo.setFitOuNodeTypeList(Collections.emptyList()); + vo.setFitOuNodeTypeList(Collections.emptyList()); return vo; } From 636f706bf9227e9fefa63c76cd2a2eeb2add2602 Mon Sep 17 00:00:00 2001 From: zhansihu Date: Thu, 26 Oct 2023 15:22:10 +0800 Subject: [PATCH 02/12] =?UTF-8?q?refactor(permission-check):=20=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=E6=A3=80=E6=9F=A5=E6=9D=83=E9=99=90=E4=B8=BA=E8=8F=9C?= =?UTF-8?q?=E5=8D=95=E6=88=96=E9=A1=B5=E9=9D=A2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/PermissionPointService.java | 6 ++---- .../impl/PermissionPointServiceImpl.java | 20 +++++++++++++++++-- .../service/impl/TyrSaasAuthServiceImpl.java | 2 +- 3 files changed, 21 insertions(+), 7 deletions(-) 
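Review bot: The two added lines are identical, so the second `vo.setFitOuNodeTypeList(Collections.emptyList());` has no effect; if a second list field was meant to be defaulted as well, the call should name that setter, otherwise one of the lines should be dropped. `Collections.emptyList()` is immutable, so any code that later appends to this list on the returned VO will throw `UnsupportedOperationException`; `new ArrayList<>()` avoids that if the VO is ever mutated after this point. The enclosing method starts outside the hunk.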
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/PermissionPointService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/PermissionPointService.java index 5bac675d..e138cf87 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/PermissionPointService.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/PermissionPointService.java @@ -9,8 +9,6 @@ import cn.axzo.tyr.client.model.permission.PermissionPointVO; import cn.axzo.tyr.server.repository.entity.SaasFeature; import java.util.List; -import java.util.Map; -import java.util.Set; /** * 权限点服务 @@ -55,6 +53,6 @@ public interface PermissionPointService { */ List listTreeNodesFlatChild(PermissionPointTreeQueryReq request); - /** 根据code查询权限点, terminal可为空- 直查 **/ - List listNodeByCode(String featureCode, String terminal); + /** 根据code查询权限点, terminal可为空 **/ + List listNodeWithChildrenByCode(String featureCode, String terminal); } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index b81d52b9..0782622c 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -9,6 +9,7 @@ import java.util.function.Function; import java.util.stream.Collectors; import cn.axzo.tyr.client.model.enums.FeatureDataType; +import cn.hutool.core.lang.Opt; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; 
@@ -562,9 +563,24 @@ public class PermissionPointServiceImpl implements PermissionPointService { } @Override - public List listNodeByCode(String featureCode, String terminal) { - return saasFeatureDao.list(new LambdaQueryWrapper() + public List listNodeWithChildrenByCode(String featureCode, String terminal) { + List currentFeatrureList = saasFeatureDao.list(new LambdaQueryWrapper() .eq(SaasFeature::getFeatureCode, featureCode) .eq(StrUtil.isNotBlank(terminal), SaasFeature::getTerminal, terminal)); + //button过滤减少查询 + Set idsWithoutButton = currentFeatrureList.stream() + .filter(f -> !BUTTON.sameCode(f.getFeatureType())) + .map(SaasFeature::getId) + .collect(Collectors.toSet()); + if (CollectionUtil.isEmpty(idsWithoutButton)) { + return currentFeatrureList; + } + String querySql = StrUtil.join(" OR ", idsWithoutButton.stream().map(id -> "FIND_IN_SET('" + id + "', path)")); + + List children = saasFeatureDao.list(new LambdaQueryWrapper() + .eq(StrUtil.isNotBlank(terminal), SaasFeature::getTerminal, terminal) + .apply(querySql)); + currentFeatrureList.addAll(children); + return currentFeatrureList; } } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index 97c98dec..466c05eb 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java 
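Review bot: `querySql` is assembled by string concatenation and passed to `.apply(...)` as raw SQL, and its `OR` chain is not parenthesised, so unless the wrapper brackets the fragment itself the WHERE clause reads `terminal = ? AND FIND_IN_SET(a, path) OR FIND_IN_SET(b, path)` and the terminal filter binds only to the first term. Because the returned list feeds the permission match in TyrSaasAuthServiceImpl, children that belong to another terminal could then be matched. Wrap the fragment in parentheses or build it with `.and(w -> ...)`, and bind the ids through `apply`'s `{0}`-style placeholders instead of concatenating them, even though they are database ids today. `StrUtil.join` is also handed a `Stream` rather than a collection; PATCH 05/12 collects it but keeps the concatenated, unparenthesised fragment.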
@@ -533,7 +533,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { result.setWorkspaceId(req.getWorkspaceId()); //code查询权限点信息 - List features = permissionPointService.listNodeByCode(req.getFeatureCode(), req.getTerminal()); + List features = permissionPointService.listNodeWithChildrenByCode(req.getFeatureCode(), req.getTerminal()); //权限匹配 - 工作台是否有指定权限 List matchedFeature = matchWorkspaceFeature(req.getWorkspaceId(), req.getWorkspaceJoinType(), features); if (CollectionUtil.isEmpty(matchedFeature)) { From 3647cc89b0cb77f0627812987a7fa97bff56e5ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=87=91=E6=B5=B7=E6=B4=8B?= Date: Tue, 24 Oct 2023 19:49:04 +0800 Subject: [PATCH 03/12] fix getUsersFromRole newArrayList --- .../cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index 466c05eb..ea22ef0d 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -590,7 +590,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { //查询角色及权限 List rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()), - null, Lists.newArrayList(workspaceId), Collections.singletonList(ouId), true); + null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true); //计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色 Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); From 71a32c4e7421eadab6df05f6f3b88b6aaa524a1d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E9=87=91=E6=B5=B7=E6=B4=8B?= Date: Thu, 26 Oct 2023 16:29:52 +0800 Subject: [PATCH 04/12] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=97=A5=E5=BF=97?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/test/resources/rest-client.env.json | 3 ++ .../src/test/resources/role-user.http | 33 +++++++++++++++++++ .../service/impl/TyrSaasAuthServiceImpl.java | 8 +++-- 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/integration-test/src/test/resources/rest-client.env.json b/integration-test/src/test/resources/rest-client.env.json index 252aa85a..5c43f470 100644 --- a/integration-test/src/test/resources/rest-client.env.json +++ b/integration-test/src/test/resources/rest-client.env.json @@ -4,5 +4,8 @@ }, "dev": { "host": "https://dev-app.axzo.cn/msg-center/webApi/message/" + }, + "test": { + "host": "https://test-api.axzo.cn/" } } \ No newline at end of file diff --git a/integration-test/src/test/resources/role-user.http b/integration-test/src/test/resources/role-user.http index 6effae63..0440c15a 100644 --- a/integration-test/src/test/resources/role-user.http +++ b/integration-test/src/test/resources/role-user.http @@ -33,4 +33,37 @@ Content-Type: application/json > reponse-check.js +### +POST {{host}}/tyr/api/v2/auth/batchListIdentityFromPermission +Accept: application/json +Content-Type: application/json + +{ + "featureCode": "CMS_WEB_PROJ_0528", + "ouId": 5836, + "workspaceId":326, + "workspaceJoinType": 1 +} + +> reponse-check.js + +### +POST {{host}}/tyr/api/v2/auth/listIdentityFromPermission +Accept: application/json +Content-Type: application/json + +{ + "featureCode": "CMP_APP_PROJ_0056", + "ouId": 5812, + "workspaceId":311, + "workspaceJoinType": 1 +} + +> reponse-check.js + + + + + + 
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index ea22ef0d..cb5dd543 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -587,19 +587,23 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { //查询OU-工作台下的角色 List roleList = roleService.listForOUWorkspace(ouId, workspaceId, req.getWorkspaceJoinType()); + log.info("====查询OU-工作台下的角色:{}===",roleList); //查询角色及权限 List rolePermissions = roleService.getByIds(roleList.stream().map(SaasRole::getId).collect(Collectors.toList()), null, Lists.newArrayList(workspaceId), Lists.newArrayList(ouId), true); - + log.info("====查询角色及权限:{}===",rolePermissions); //计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色 Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); List matchedRoleList = rolePermissions.stream() .filter(rp -> rp.getMatchFeature(workspaceId, ouId).stream() .anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) .collect(Collectors.toList()); + + log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds); //查询角色下用户 List matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList()); + log.info("====查询角色下用户:{}===",matchedRoleIds); //追加工作台超管 Set superAdmins = roleList .stream() @@ -608,7 +612,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .collect(Collectors.toSet()); matchedRoleIds.addAll(superAdmins); List relationList = roleUserService.listByRoleIds(matchedRoleIds); - + log.info("====追加工作台超管:{}===",superAdmins); //构建用户-去重(identityId-identityType) List users = new ArrayList<>(); Set filterSet = new HashSet<>(); From 2bbf879f22b8eaa73ed60226d6428d35e41e2aae Mon Sep 17 00:00:00 2001 
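Review bot: The added `log.info` calls write the whole `roleList` and `rolePermissions` collections to the application log at INFO on every call, which copies authorization data into log storage and can be very large; log ids or sizes instead, e.g. `log.debug("roles for ou={} workspace={}: {}", ouId, workspaceId, roleList.size());`. The labels also do not match what is printed: the line labelled 实际拥有权限的角色 prints `featureIds` rather than `matchedRoleList`, and in the second hunk (@@ -608,7 +612,7 @@) the 追加工作台超管 line sits after `listByRoleIds` instead of after `addAll`. The same concern applies to the logging added to this method and to `SaasRoleVO` in PATCH 07/12 and 08/12. The enclosing method starts and ends outside both hunks.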
From: zhansihu Date: Thu, 26 Oct 2023 15:31:46 +0800 Subject: [PATCH 05/12] fix(permission-check): stream collect --- .../tyr/server/service/impl/PermissionPointServiceImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index 0782622c..2c51ff33 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -575,7 +575,7 @@ public class PermissionPointServiceImpl implements PermissionPointService { if (CollectionUtil.isEmpty(idsWithoutButton)) { return currentFeatrureList; } - String querySql = StrUtil.join(" OR ", idsWithoutButton.stream().map(id -> "FIND_IN_SET('" + id + "', path)")); + String querySql = StrUtil.join(" OR ", idsWithoutButton.stream().map(id -> "FIND_IN_SET('" + id + "', path)").collect(Collectors.toList())); List children = saasFeatureDao.list(new LambdaQueryWrapper() .eq(StrUtil.isNotBlank(terminal), SaasFeature::getTerminal, terminal) From bde1848a0f8fef5d59f4e4c5b08e6b676bff5bab Mon Sep 17 00:00:00 2001 From: zhansihu Date: Thu, 26 Oct 2023 16:32:57 +0800 Subject: [PATCH 06/12] =?UTF-8?q?fix(permission-check):=20path=E5=8C=B9?= =?UTF-8?q?=E9=85=8D=E6=96=B9=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/impl/PermissionPointServiceImpl.java | 14 ++++++++------ .../tyr/server/permission/PermissionPointTest.java | 9 +++++++++ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java index 2c51ff33..c891cabb 100644 
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/PermissionPointServiceImpl.java @@ -568,18 +568,20 @@ public class PermissionPointServiceImpl implements PermissionPointService { .eq(SaasFeature::getFeatureCode, featureCode) .eq(StrUtil.isNotBlank(terminal), SaasFeature::getTerminal, terminal)); //button过滤减少查询 - Set idsWithoutButton = currentFeatrureList.stream() + Set pathsWithoutButton = currentFeatrureList.stream() .filter(f -> !BUTTON.sameCode(f.getFeatureType())) - .map(SaasFeature::getId) + .map(SaasFeature::getPath) .collect(Collectors.toSet()); - if (CollectionUtil.isEmpty(idsWithoutButton)) { + if (CollectionUtil.isEmpty(pathsWithoutButton)) { return currentFeatrureList; } - String querySql = StrUtil.join(" OR ", idsWithoutButton.stream().map(id -> "FIND_IN_SET('" + id + "', path)").collect(Collectors.toList())); - List children = saasFeatureDao.list(new LambdaQueryWrapper() + Wrapper wrapper = new LambdaQueryWrapper() .eq(StrUtil.isNotBlank(terminal), SaasFeature::getTerminal, terminal) - .apply(querySql)); + .and(w -> { + pathsWithoutButton.forEach(p -> w.or().likeRight(SaasFeature::getPath, p)); + }); + List children = saasFeatureDao.list(wrapper); currentFeatrureList.addAll(children); return currentFeatrureList; } diff --git a/tyr-server/src/test/java/cn/axzo/tyr/server/permission/PermissionPointTest.java b/tyr-server/src/test/java/cn/axzo/tyr/server/permission/PermissionPointTest.java index b6b4e1af..ca39f750 100644 --- a/tyr-server/src/test/java/cn/axzo/tyr/server/permission/PermissionPointTest.java +++ b/tyr-server/src/test/java/cn/axzo/tyr/server/permission/PermissionPointTest.java 
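Review bot: `likeRight(SaasFeature::getPath, p)` is a plain prefix match, so unless every stored path ends with a delimiter it also matches unrelated nodes whose path merely begins with the same characters (presumably paths are comma-separated ids, given the earlier `FIND_IN_SET`, in which case `1,2` also matches `1,20,…`). Since the result feeds the permission match, that over-match can widen what a check accepts. Anchor the prefix on the delimiter, e.g. `w.or().likeRight(SaasFeature::getPath, p + ",")`, after confirming the stored path format. With the plain prefix the nodes already in `currentFeatrureList` also satisfy the condition and are appended a second time by `addAll`, and a null or blank `getPath()` should be filtered out before the wrapper is built.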
@@ -11,6 +11,7 @@ import cn.axzo.tyr.client.model.permission.PermissionPointVO; import cn.axzo.tyr.server.controller.permission.PermissionPointController; import cn.axzo.tyr.server.repository.entity.SaasFeature; import cn.axzo.tyr.server.repository.dao.SaasFeatureDao; +import cn.axzo.tyr.server.service.PermissionPointService; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.serializer.SerializerFeature; import org.junit.jupiter.api.Test; @@ -33,6 +34,8 @@ public class PermissionPointTest { private PermissionPointController controller; @Autowired private SaasFeatureDao saasFeatureDao; + @Autowired + private PermissionPointService permissionPointService; @Test public void testList() { @@ -133,4 +136,10 @@ public class PermissionPointTest { System.out.println(JSON.toJSONString(result)); } + @Test + public void test() { + List saasFeatures = permissionPointService.listNodeWithChildrenByCode("CMS_WEB_PROJ_0546", "NT_CMS_WEB_PROJ"); + System.out.println(JSON.toJSONString(saasFeatures)); + } + } From 4b27dcf42bc64e28fabf02b14740f5a0b500811f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=87=91=E6=B5=B7=E6=B4=8B?= Date: Thu, 26 Oct 2023 16:41:57 +0800 Subject: [PATCH 07/12] =?UTF-8?q?listByRoleIds=20=E5=A2=9E=E5=8A=A0workspa?= =?UTF-8?q?ce=20id?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/cn/axzo/tyr/server/service/SaasRoleUserService.java | 2 +- .../java/cn/axzo/tyr/server/service/impl/RoleUserService.java | 3 ++- .../axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/SaasRoleUserService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/SaasRoleUserService.java index 8d7a9a87..2b0c4771 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/SaasRoleUserService.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/SaasRoleUserService.java 
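Review bot: The new `test()` in the last hunk only prints the result, so it passes whatever `listNodeWithChildrenByCode` returns and does not protect the permission lookup against regressions. It should assert on the outcome: that the node itself and its descendants are returned, and that a node under a different terminal or with a merely similar path prefix is not. It also relies on the code `CMS_WEB_PROJ_0546` existing in whichever database the test profile points at; a fixture inserted by the test would make it repeatable.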
@@ -63,7 +63,7 @@ public interface SaasRoleUserService { */ List batchSuperAdminList(List param); - List listByRoleIds(List roleIds); + List listByRoleIds(List roleIds, Long workspaceId); /** * 删除单位参与的工作台的所有的人员与角色。 目前主要是用于移除参与单位的地方 diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java index 563fc907..ea95ca6c 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java @@ -227,11 +227,12 @@ public class RoleUserService implements SaasRoleUserService { } @Override - public List listByRoleIds(List roleIds) { + public List listByRoleIds(List roleIds, Long workspaceId) { if (CollectionUtil.isEmpty(roleIds)) { return new ArrayList<>(); } return roleUserRelationDao.list(new LambdaQueryWrapper() + .eq(SaasRoleUserRelation::getWorkspaceId, workspaceId) .in(SaasRoleUserRelation::getRoleId, roleIds)); } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index cb5dd543..8ed97f33 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -611,8 +611,9 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .map(SaasRole::getId) .collect(Collectors.toSet()); matchedRoleIds.addAll(superAdmins); - List relationList = roleUserService.listByRoleIds(matchedRoleIds); log.info("====追加工作台超管:{}===",superAdmins); + List relationList = roleUserService.listByRoleIds(matchedRoleIds, workspaceId); + log.info("====追加工作台超管:{}===",relationList); //构建用户-去重(identityId-identityType) List users = new ArrayList<>(); Set filterSet = new HashSet<>(); 
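Review bot: In `RoleUserService.listByRoleIds` the new `.eq(SaasRoleUserRelation::getWorkspaceId, workspaceId)` is unconditional, so a null `workspaceId` produces an equality test against NULL and an empty result with no error. Reject it explicitly, e.g. `if (workspaceId == null) { throw new IllegalArgumentException("workspaceId is required"); }`, rather than making the filter conditional, which would silently return relations from every workspace. The caller in TyrSaasAuthServiceImpl also has `ouId` in scope and the relation query is not narrowed by it; if the relation table carries an OU column, users of other units in the same workspace are still returned, which is worth confirming. The interface method in SaasRoleUserService gained the parameter without any Javadoc stating that the result is scoped to one workspace.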
From 010d16c495459c84525c6de4878aaef89a47eab2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=87=91=E6=B5=B7=E6=B4=8B?= Date: Thu, 26 Oct 2023 18:06:32 +0800 Subject: [PATCH 08/12] =?UTF-8?q?listByRoleIds=20=E5=A2=9E=E5=8A=A0workspa?= =?UTF-8?q?ce=20id?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java | 4 +++- .../axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java index ac4a41f9..87ec7290 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/vo/SaasRoleVO.java @@ -1,12 +1,12 @@ package cn.axzo.tyr.client.model.vo; -import cn.axzo.trade.datasecurity.core.annotation.control.DisableCrypt; import cn.axzo.tyr.client.model.permission.PermissionPointTreeNode; import cn.hutool.core.collection.CollectionUtil; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; import lombok.NoArgsConstructor; +import lombok.extern.slf4j.Slf4j; import java.util.ArrayList; import java.util.Collection; @@ -21,6 +21,7 @@ import java.util.stream.Collectors; @AllArgsConstructor @NoArgsConstructor @Builder +@Slf4j public class SaasRoleVO { private Long id; @@ -125,6 +126,7 @@ public class SaasRoleVO { } } + log.info("+======permissionPoint: {}", permissionPoint); return new ArrayList<>((Collection) permissionPoint); } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index 8ed97f33..5d756db2 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java 
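Review bot: `SaasRoleVO` is a data class in the tyr-api client module, and the added `@Slf4j` with `log.info("+======permissionPoint: {}", permissionPoint);` makes every consumer of the API jar write the full matched permission set to its own log at INFO each time the method runs. A value object should not log; remove the annotation and the call, and if the value is needed for diagnosis log it at the server-side call site at debug level. The hunk also removes the `DisableCrypt` import, which is fine only if nothing else in the class still refers to it; that part of the file is not visible here.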
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -600,6 +600,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) .collect(Collectors.toList()); + log.info("-======matchedRoleList: {}", matchedRoleList); log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds); //查询角色下用户 List matchedRoleIds = matchedRoleList.stream().map(SaasRoleVO::getId).collect(Collectors.toList()); From 13dc89cff82d0b1ff3a5f768e549dd24c7c305b2 Mon Sep 17 00:00:00 2001 From: zhansihu Date: Thu, 26 Oct 2023 18:10:40 +0800 Subject: [PATCH 09/12] debug(permission-check): log --- .../service/impl/TyrSaasAuthServiceImpl.java | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index cb5dd543..884735d7 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -48,6 +48,7 @@ import cn.hutool.core.date.StopWatch; import cn.hutool.core.util.ArrayUtil; import cn.hutool.core.util.StrUtil; import cn.hutool.json.JSONUtil; +import com.alibaba.fastjson.JSON; import com.google.common.collect.Lists; import lombok.Data; import lombok.RequiredArgsConstructor; 
@@ -595,10 +596,17 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { log.info("====查询角色及权限:{}===",rolePermissions); //计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色 Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet()); - List matchedRoleList = rolePermissions.stream() - .filter(rp -> rp.getMatchFeature(workspaceId, ouId).stream() - .anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) - .collect(Collectors.toList()); + + List matchedRoleList = new ArrayList<>(); + for (SaasRoleVO rolePermission : rolePermissions) { + List filterFeature = rolePermission.getMatchFeature(workspaceId, ouId); + if (filterFeature.stream().anyMatch(f -> featureIds.contains(f.getPermissionPointId()))) { + log.info("=====match role:{}", rolePermission.getId()); + matchedRoleList.add(rolePermission); + } else { + log.warn("=========not match role:{}", JSON.toJSONString(rolePermission)); + } + } log.info("====计算角色实际的权限 - 匹配请求的权限 --> 实际拥有权限的角色:{}===",featureIds); //查询角色下用户 From 65478bfd363cd628b36bc9bba93c61f963f10f36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=87=91=E6=B5=B7=E6=B4=8B?= Date: Thu, 26 Oct 2023 18:19:26 +0800 Subject: [PATCH 10/12] add log --- .../axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index 490ed11d..7c8238bc 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java 
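Review bot: A role that does not hold the requested feature is the normal case, yet the `else` branch logs it at WARN with `JSON.toJSONString(rolePermission)`, which eagerly serialises the whole role and its permissions for every non-matching role on every call. That floods the warning channel and copies authorization data into the logs. Suggest `log.debug("role {} does not hold the requested feature", rolePermission.getId());` and dropping the fastjson import added for this line. PATCH 10/12 adds an id-only line but keeps the WARN with the full JSON.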
@@ -604,7 +604,8 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { log.info("=====match role:{}", rolePermission.getId()); matchedRoleList.add(rolePermission); } else { - log.warn("=========not match role:{}", JSON.toJSONString(rolePermission)); + log.info("=====not_match-role-id:{}", rolePermission.getId()); + log.warn("=========not match role: {}",JSON.toJSONString(rolePermission)); } } From 74545ff496ee5b1d9b21df1ded2c9fe4c3c5990e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=99=88=E7=BB=B4=E4=BC=9F?= Date: Fri, 27 Oct 2023 19:29:18 +0800 Subject: [PATCH 11/12] =?UTF-8?q?CMS=E8=A7=92=E8=89=B2=E6=B8=85=E6=B4=97jo?= =?UTF-8?q?b-=E5=B0=86=E5=9B=9E=E6=BA=AF=E4=B8=8D=E4=BA=86=E7=9A=84?= =?UTF-8?q?=E8=A7=92=E8=89=B2=E6=B4=97=E6=88=90=E5=85=B6=E4=BB=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../server/job/CMSOtherRoleJobHandler.java | 142 ++++++++++++++++++ .../server/repository/entity/SaasRole.java | 7 + tyr-server/src/main/resources/bootstrap.yml | 4 +- 3 files changed, 151 insertions(+), 2 deletions(-) create mode 100644 tyr-server/src/main/java/cn/axzo/tyr/server/job/CMSOtherRoleJobHandler.java diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/job/CMSOtherRoleJobHandler.java b/tyr-server/src/main/java/cn/axzo/tyr/server/job/CMSOtherRoleJobHandler.java new file mode 100644 index 00000000..7f61d3c8 --- /dev/null +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/job/CMSOtherRoleJobHandler.java 
@@ -0,0 +1,142 @@ +package cn.axzo.tyr.server.job; + +import cn.axzo.basics.common.constant.enums.OrganizationalUnitTypeEnum; +import cn.axzo.pokonyan.config.mybatisplus.BaseEntity; +import cn.axzo.tyr.server.repository.dao.*; +import cn.axzo.tyr.server.repository.entity.SaasRole; +import cn.axzo.tyr.server.repository.entity.SaasRoleGroup; +import cn.axzo.tyr.server.repository.entity.SaasRoleGroupRelation; +import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation; +import com.xxl.job.core.biz.model.ReturnT; +import com.xxl.job.core.handler.IJobHandler; +import com.xxl.job.core.handler.annotation.XxlJob; +import lombok.AllArgsConstructor; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.collections4.CollectionUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.cloud.context.config.annotation.RefreshScope; +import org.springframework.stereotype.Component; +import org.springframework.transaction.annotation.Transactional; + +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.stream.Collectors; + +/** + * CMS角色清洗job-将回溯不了的角色洗成其他 + * @description + * @date 2021/9/13 11:31 + */ +@Component +@AllArgsConstructor +@Slf4j +@RefreshScope +@RequiredArgsConstructor +public class CMSOtherRoleJobHandler extends IJobHandler { + + @Autowired + SaasRoleGroupDao roleGroupDao; + @Autowired + SaasRoleDao roleDao; + @Autowired + SaasPermissionGroupDao saasPermissionGroupDao; + @Autowired + SaasFeatureDao featureDao; + @Autowired + SaasRoleGroupRelationDao roleGroupRelationDao; + @Autowired + SaasRoleUserRelationDao roleUserRelationDao; + @Autowired + SaasPgroupRoleRelationDao pgroupRoleRelationDao; + @Autowired + SaasPgroupPermissionRelationDao pgroupPermissionRelationDao; + @Autowired + SaasPreRoleDao saasPreRoleDao; + @Autowired + SaasPreTemplateDao saasPreTemplateDao; + @Autowired + SaasPreGroupRoleRelationDao 
saasPreGroupRoleRelationDao; + + /** + * CMS角色清洗job-将回溯不了的角色洗成其他 + * + * @param s + * @return + * @throws Exception + */ + @Transactional // 在一个事务里面做,一起提交 + @Override + @XxlJob("CMSOtherRoleJobHandler") + public ReturnT execute(String s) throws Exception { + log.info("CMSOtherRoleJobHandler start"); + // 查询无法回溯的角色 + List oldRole = roleDao.lambdaQuery() + .ne(SaasRole::getWorkspaceId, -1l) + .eq(SaasRole::getRoleType, "init") + .in(SaasRole::getFitOuTypeBit, Arrays.asList(1, 2, 4, 8, 16)) + .eq(SaasRole::getFromPreRoleId, 0l) + .eq(BaseEntity::getIsDelete, 0) + .list(); + if (CollectionUtils.isEmpty(oldRole)) { + log.info("未找到回溯不了的角色"); + } + // 根据单位类型分组 + Map> ouTypeMap = oldRole.stream().collect(Collectors.groupingBy(e -> e.getFitOuTypeBit())); + Set ouType = ouTypeMap.keySet(); + ouType.forEach(e -> { + // 获取"其他"角色id + Long newRoleId = getNewRoleId(e); + // 更用户角色关联关系 + roleUserRelationDao.lambdaUpdate() + .in(SaasRoleUserRelation::getRoleId,ouTypeMap.get(e).stream().map(BaseEntity::getId).collect(Collectors.toList())) + .set(SaasRoleUserRelation::getRoleId,newRoleId) + .update(); + }); + log.info("CMSOtherRoleJobHandler end"); + return ReturnT.SUCCESS; + } + + /** + * 查询新角色"其他" id + * @return + */ + private Long getNewRoleId(Long ouType) { + // 根据单位类型查询权限分组 + SaasRoleGroup roleGroup = roleGroupDao.lambdaQuery().eq(SaasRoleGroup::getOuTypeCode, String.valueOf(tranceOuTypeBit(ouType))).one(); + // 查询权限分组下的角色 + List roleGroupRelation = roleGroupRelationDao.lambdaQuery() + .eq(SaasRoleGroupRelation::getSaasRoleGroupId, roleGroup.getId()) + .eq(BaseEntity::getIsDelete, 0) + .list(); + // 查询权限分组下的"其他"角色 + SaasRole otherRole = roleDao.lambdaQuery() + .in(BaseEntity::getId, roleGroupRelation.stream().map(SaasRoleGroupRelation::getRoleId).collect(Collectors.toList())) + .eq(SaasRole::getName, "其他") + .eq(BaseEntity::getIsDelete, 0) + .one(); + return otherRole.getId(); + } + + private Integer tranceOuTypeBit(Long ouTypeBit) { + Integer ouType; + if (ouTypeBit == 1) { + 
ouType = OrganizationalUnitTypeEnum.PRIMARY_CONTRACTING_UNIT.getValue(); + } else if (ouTypeBit == 2) { + ouType = OrganizationalUnitTypeEnum.CONSTRUCTION_UNIT.getValue(); + } else if (ouTypeBit == 4) { + ouType = OrganizationalUnitTypeEnum.SUPERVISION_UNIT.getValue(); + } else if (ouTypeBit == 8) { + ouType = OrganizationalUnitTypeEnum.LABOR_SUBCONTRACTING.getValue(); + } else if (ouTypeBit == 16) { + ouType = OrganizationalUnitTypeEnum.PROFESSIONAL_SUBCONTRACTING.getValue(); + } else { + throw new IllegalStateException("ouTypeBit 错误: " + ouTypeBit); + } + return ouType; + } + + +} diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/SaasRole.java b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/SaasRole.java index e42a2b68..a23854aa 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/SaasRole.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/repository/entity/SaasRole.java @@ -64,6 +64,13 @@ public class SaasRole extends BaseEntity { @Deprecated private Long fromPreRoleId; + /** + * 适用单位类型 1:总包 2:建设单位 4:监理单位 8:劳务分包 16:专业分包 0都可以用 只会挂在最末级 + * (1052上线后可删除) + */ + @Deprecated + private Long fitOuTypeBit; + /** * 获取主键值 * diff --git a/tyr-server/src/main/resources/bootstrap.yml b/tyr-server/src/main/resources/bootstrap.yml index 08d64163..9bf74eb2 100644 --- a/tyr-server/src/main/resources/bootstrap.yml +++ b/tyr-server/src/main/resources/bootstrap.yml @@ -47,7 +47,7 @@ spring: cloud: nacos: config: - server-addr: ${NACOS_HOST:dev-nacos.axzo.cn}:${NACOS_PORT:80} + server-addr: ${NACOS_HOST:https://dev-nacos.axzo.cn}:${NACOS_PORT:443} file-extension: yaml namespace: ${NACOS_NAMESPACE_ID:f82179f1-81a9-41a1-a489-4f9ab5660a6e} logging: 
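Review bot: `getNewRoleId` dereferences the results of two `.one()` lookups (`roleGroup.getId()`, `otherRole.getId()`) and passes a possibly empty id list to `.in(...)`, so a unit type without a role group, or a group without a role named 其他, aborts the job with a NullPointerException or a malformed query instead of a message naming the misconfigured unit type. In `execute` the empty check only logs and then falls through; add `return ReturnT.SUCCESS;` inside it. The bulk update moves every user of the old roles to another role and records nothing about it: log the old role ids, the target role id and the result of `update()` per unit type so the reassignment can be audited. Guards for `getNewRoleId` are sketched below.

```java
private Long getNewRoleId(Long ouType) {
    // … unchanged: roleGroup query …
    if (roleGroup == null) {
        throw new IllegalStateException("no role group for ouTypeBit " + ouType);
    }
    // … unchanged: roleGroupRelation query …
    if (CollectionUtils.isEmpty(roleGroupRelation)) {
        throw new IllegalStateException("role group " + roleGroup.getId() + " has no roles");
    }
    // … unchanged: otherRole query …
    if (otherRole == null) {
        throw new IllegalStateException("no fallback role in role group " + roleGroup.getId());
    }
    return otherRole.getId();
}
```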
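Review bot: The scheme now lives inside the default of `NACOS_HOST` (`${NACOS_HOST:https://dev-nacos.axzo.cn}`), so an environment that sets `NACOS_HOST` to a bare host name and leaves `NACOS_PORT` unset ends up with `host:443` and no `https://` prefix, presumably a plain-HTTP client pointed at the TLS port. If existing deployments pass a bare host, keep the scheme outside the placeholder, `server-addr: https://${NACOS_HOST:dev-nacos.axzo.cn}:${NACOS_PORT:443}`; otherwise add a comment that `NACOS_HOST` must now include the scheme. The same line is changed in the second hunk of this file (@@ -62,7 +62,7 @@).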
@@ -62,7 +62,7 @@ spring: cloud: nacos: config: - server-addr: ${NACOS_HOST:dev-nacos.axzo.cn}:${NACOS_PORT:80} + server-addr: ${NACOS_HOST:https://dev-nacos.axzo.cn}:${NACOS_PORT:443} file-extension: yaml namespace: ${NACOS_NAMESPACE_ID:35eada10-9574-4db8-9fea-bc6a4960b6c7} --- From aaf42d769416d82f5b06c8496a70f7b7d29836b9 Mon Sep 17 00:00:00 2001 From: wangjibo Date: Mon, 30 Oct 2023 16:16:51 +0800 Subject: [PATCH 12/12] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E8=A7=92=E8=89=B2?= =?UTF-8?q?=E9=97=AE=E9=A2=98=E4=BF=AE=E5=A4=8D=201.=E5=8F=AA=E6=9C=89?= =?UTF-8?q?=E8=B6=85=E7=AE=A1=E7=9A=84=E6=83=85=E5=86=B5=E4=B8=8B=EF=BC=8C?= =?UTF-8?q?=E4=BC=9A=E5=AF=BC=E8=87=B4=E5=B0=86=E8=B6=85=E7=AE=A1=E8=A7=92?= =?UTF-8?q?=E8=89=B2=E6=9B=BF=E6=8D=A2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/cn/axzo/tyr/server/service/impl/RoleUserService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java index ea95ca6c..4048d97c 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java @@ -77,7 +77,7 @@ public class RoleUserService implements SaasRoleUserService { .build(); // 删除现有非管理员的角色 - if (CollectionUtils.isNotEmpty(existsRoleUser)) { + if (CollectionUtils.isNotEmpty(notAdminRole)) { roleUserRelationDao.deleteByUser(workspaceModel, notAdminRole); } // 清空所有角色
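Review bot: The guard in RoleUserService now tests the right collection, but the fix implies that `deleteByUser(workspaceModel, notAdminRole)` removes more than intended when `notAdminRole` is empty (the commit title describes the super-admin role being replaced). `deleteByUser` is not visible here; if it treats an empty role list as "no role filter", it should itself return early on an empty list so that no other caller can delete role assignments unfiltered. A regression test for a user who holds only the super-admin role would pin the behaviour. The enclosing method starts and ends outside the hunk.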