- 后端：重构 oauth2 模块，方便后续 User 接入。

admin-web/src/models/login.js

@@ -20,12 +20,14 @@ export default {
         type: 'changeLoginStatus',
         payload: response,
       });
+
       yield put(routerRedux.replace('/'));
 
       // Login successfully
       if (response.code === 0) {
+
         // 保存 token 到 localStorage，发送请求的时候，会自动取 token 放到 header
-        setLoginToken(response.data.accessToken, response.data.refreshToken);
+        setLoginToken(response.data.token.accessToken, response.data.token.refreshToken);
         // 此处直接设置为 admin、和 user 角色，因为暂时不做服务控制前段 角色
         setAuthority(['admin', 'user']);
 

common/common-framework/src/main/java/cn/iocoder/common/framework/constant/CommonStatusEnum.java

@@ -46,6 +46,7 @@ public enum CommonStatusEnum implements IntArrayValuable {
         return this;
     }
 
+    @Deprecated
     public static boolean isValid(Integer status) {
         if (status == null) {
             return false;

common/common-framework/src/main/java/cn/iocoder/common/framework/constant/MallConstants.java

@@ -19,10 +19,12 @@ public interface MallConstants {
     /**
      * 用户类型 - 用户
      */
+    @Deprecated
     Integer USER_TYPE_USER = 1;
     /**
      * 用户类型 - 管理员
      */
+    @Deprecated
     Integer USER_TYPE_ADMIN = 2;
 
     // HTTP Request Attr

common/common-framework/src/main/java/cn/iocoder/common/framework/constant/UserTypeEnum.java

+package cn.iocoder.common.framework.constant;
+
+import cn.iocoder.common.framework.core.IntArrayValuable;
+
+import java.util.Arrays;
+
+/**
+ * 全局用户类型枚举
+ */
+public enum UserTypeEnum implements IntArrayValuable {
+
+    USER(1, "用户"),
+    ADMIN(2, "管理员");
+
+    public static final int[] ARRAYS = Arrays.stream(values()).mapToInt(UserTypeEnum::getValue).toArray();
+
+    /**
+     * 类型
+     */
+    private Integer value;
+    /**
+     * 类型名
+     */
+    private String name;
+
+    UserTypeEnum(Integer value, String name) {
+        this.value = value;
+        this.name = name;
+    }
+
+    public Integer getValue() {
+        return value;
+    }
+
+    public UserTypeEnum setValue(Integer value) {
+        this.value = value;
+        return this;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public UserTypeEnum setName(String name) {
+        this.name = name;
+        return this;
+    }
+
+    @Override
+    public int[] array() {
+        return ARRAYS;
+    }
+
+}

common/common-framework/src/main/java/cn/iocoder/common/framework/mybatis/QueryWrapperX.java

@@ -19,4 +19,11 @@ public class QueryWrapperX<T> extends QueryWrapper<T> {
         return this;
     }
 
+    public QueryWrapperX<T> eqIfPresent(String column, Object val) {
+        if (val != null) {
+            return (QueryWrapperX<T>) super.eq(column, val);
+        }
+        return this;
+    }
+
 }

common/common-framework/src/main/java/cn/iocoder/common/framework/util/CollectionUtil.java

 package cn.iocoder.common.framework.util;
 
+import org.springframework.util.CollectionUtils;
+
 import java.util.*;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -30,4 +32,8 @@ public class CollectionUtil {
         return from.stream().collect(Collectors.toMap(keyFunc, item -> item));
     }
 
+    public static boolean containsAny(Collection<?> source, Collection<?> candidates) {
+        return CollectionUtils.containsAny(source, candidates);
+    }
+
 }

system/system-application/src/main/java/cn/iocoder/mall/admin/application/controller/admins/AdminController.java

@@ -17,6 +17,7 @@ import cn.iocoder.mall.admin.application.convert.ResourceConvert;
 import cn.iocoder.mall.admin.application.vo.admin.AdminMenuTreeNodeVO;
 import cn.iocoder.mall.admin.application.vo.admin.AdminRoleVO;
 import cn.iocoder.mall.admin.application.vo.admin.AdminVO;
+import cn.iocoder.mall.admin.sdk.annotation.RequiresPermissions;
 import cn.iocoder.mall.admin.sdk.context.AdminSecurityContextHolder;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -86,6 +87,7 @@ public class AdminController {
     // =========== 管理员管理 API ===========
 
     @GetMapping("/page")
+    @RequiresPermissions("system.admin.page")
     @ApiOperation(value = "管理员分页")
     public CommonResult<PageResult<AdminVO>> page(AdminPageDTO adminPageDTO) {
         PageResult<AdminBO> page = adminService.getAdminPage(adminPageDTO);
@@ -128,9 +130,10 @@ public class AdminController {
     @ApiOperation(value = "指定管理员拥有的角色列表")
     @ApiImplicitParam(name = "id", value = "管理员编号", required = true, example = "1")
     public CommonResult<List<AdminRoleVO>> roleList(@RequestParam("id") Integer id) {
-        // 获得所有角色数组
-        List<RoleBO> allRoleList = adminService.getRoleList(id);
-        Set<Integer> adminRoleIdSet = CollectionUtil.convertSet(allRoleList, RoleBO::getId);
+        // 获得所有角色列表
+        List<RoleBO> allRoleList = roleService.getRoleList();
+        // 获得管理员的角色数组
+        Set<Integer> adminRoleIdSet = CollectionUtil.convertSet(adminService.getRoleList(id), RoleBO::getId);
         // 转换出返回结果
         List<AdminRoleVO> result = AdminConvert.INSTANCE.convert(allRoleList);
         // 设置每个角色是否赋予给改管理员

system/system-application/src/main/java/cn/iocoder/mall/admin/application/controller/admins/DataDictController.java

@@ -8,6 +8,7 @@ import cn.iocoder.mall.admin.api.dto.datadict.DataDictUpdateDTO;
 import cn.iocoder.mall.admin.application.convert.DataDictConvert;
 import cn.iocoder.mall.admin.application.vo.datadict.DataDictEnumVO;
 import cn.iocoder.mall.admin.application.vo.datadict.DataDictVO;
+import cn.iocoder.mall.admin.sdk.annotation.RequiresPermissions;
 import cn.iocoder.mall.admin.sdk.context.AdminSecurityContextHolder;
 import com.google.common.collect.ImmutableListMultimap;
 import com.google.common.collect.Multimaps;
@@ -31,12 +32,14 @@ public class DataDictController {
 
     @GetMapping("/list")
     @ApiOperation(value = "数据字典全列表")
+    @RequiresPermissions("system.dataDict.list")
     public CommonResult<List<DataDictVO>> list() {
         CommonResult<List<DataDictBO>> result = dataDictService.selectDataDictList();
         return DataDictConvert.INSTANCE.convert(result);
     }
 
     @GetMapping("/tree")
+    @RequiresPermissions({}) // 因为是通用的接口，所以无需权限标识
     @ApiOperation(value = "数据字典树结构", notes = "该接口返回的信息更为精简。一般用于前端缓存数据字典到本地。")
     public CommonResult<List<DataDictEnumVO>> tree() {
         // 查询数据字典全列表
@@ -57,6 +60,7 @@ public class DataDictController {
     }
 
     @PostMapping("/add")
+    @RequiresPermissions("system.dataDict.add")
     @ApiOperation(value = "创建数据字典")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "enumValue", value = "大类枚举值", required = true, example = "gender"),
@@ -80,6 +84,7 @@ public class DataDictController {
     }
 
     @PostMapping("/update")
+    @RequiresPermissions("system.dataDict.update")
     @ApiOperation(value = "更新数据字典")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "id", value = "编号", required = true, example = "100"),
@@ -101,6 +106,7 @@ public class DataDictController {
     }
 
     @PostMapping("/delete")
+    @RequiresPermissions("system.dataDict.delete")
     @ApiOperation(value = "删除数据字典")
     @ApiImplicitParam(name = "id", value = "编号", required = true, example = "100")
     public CommonResult<Boolean> delete(@RequestParam("id") Integer id) {

system/system-application/src/main/java/cn/iocoder/mall/admin/application/controller/admins/PassportController.java

 package cn.iocoder.mall.admin.application.controller.admins;
 
 import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.admin.api.AdminService;
 import cn.iocoder.mall.admin.api.OAuth2Service;
-import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
-import cn.iocoder.mall.admin.application.convert.PassportConvert;
-import cn.iocoder.mall.admin.application.vo.PassportLoginVO;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthenticationBO;
+import cn.iocoder.mall.admin.api.dto.admin.AdminAuthenticationDTO;
 import io.swagger.annotations.Api;
-import io.swagger.annotations.ApiImplicitParam;
-import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.apache.dubbo.config.annotation.Reference;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
+import static cn.iocoder.common.framework.vo.CommonResult.success;
+
 @RestController
 @RequestMapping("admins/passport")
 @Api("Admin Passport 模块")
@@ -23,16 +22,13 @@ public class PassportController {
     @Reference(validation = "true", version = "${dubbo.provider.OAuth2Service.version}")
     private OAuth2Service oauth2Service;
 
+    @Reference(validation = "true", version = "${dubbo.provider.AdminService.version}")
+    private AdminService adminService;
+
     @PostMapping("/login")
     @ApiOperation(value = "手机号 + 密码登陆")
-    @ApiImplicitParams({
-            @ApiImplicitParam(name = "username", value = "账号", required = true, example = "15601691300"),
-            @ApiImplicitParam(name = "password", value = "密码", required = true, example = "future")
-    })
-    public CommonResult<PassportLoginVO> login(@RequestParam("username") String username,
-                                               @RequestParam("password") String password) {
-        CommonResult<OAuth2AccessTokenBO> result = oauth2Service.getAccessToken(username, password);
-        return PassportConvert.INSTANCE.convert(result);
+    public CommonResult<AdminAuthenticationBO> login(AdminAuthenticationDTO adminAuthenticationDTO) {
+        return success(adminService.authentication(adminAuthenticationDTO));
     }
 
     // TODO 功能 logout

system/system-application/src/main/java/cn/iocoder/mall/admin/application/controller/admins/RoleController.java

@@ -17,7 +17,6 @@ import cn.iocoder.mall.admin.application.vo.role.RoleResourceTreeNodeVO;
 import cn.iocoder.mall.admin.sdk.context.AdminSecurityContextHolder;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
-import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.apache.dubbo.config.annotation.Reference;
 import org.springframework.web.bind.annotation.*;
@@ -101,10 +100,6 @@ public class RoleController {
 
     @PostMapping("/assign_resource")
     @ApiOperation(value = "分配角色资源")
-    @ApiImplicitParams({
-            @ApiImplicitParam(name = "id", value = "角色编号", required = true, example = "1"),
-            @ApiImplicitParam(name = "resourceIds", value = "资源数组", required = true, example = "1,2,3"),
-    })
     public CommonResult<Boolean> assignResource(RoleAssignResourceDTO roleAssignResourceDTO) {
         return success(roleService.assignRoleResource(AdminSecurityContextHolder.getContext().getAdminId(), roleAssignResourceDTO));
     }

system/system-application/src/main/java/cn/iocoder/mall/admin/application/vo/role/RoleResourceTreeNodeVO.java

@@ -26,6 +26,7 @@ public class RoleResourceTreeNodeVO {
     private String displayName;
     @ApiModelProperty(value = "子节点数组")
     private List<RoleResourceTreeNodeVO> children;
+
     @ApiModelProperty(value = "是否授权", required = true, example = "true")
     private Boolean assigned;
 

system/system-sdk/src/main/java/cn/iocoder/mall/admin/sdk/annotation/RequiresPermissions.java

+package cn.iocoder.mall.admin.sdk.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 参考 Shiro @RequiresPermissions 设计 http://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html
+ *
+ * 通过将该注解添加到 Controller 的方法上，进行授权鉴定
+ */
+@Documented
+@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
+@Retention(RetentionPolicy.RUNTIME)
+public @interface RequiresPermissions {
+
+    /**
+     * 当有多个标识时，必须全部拥有权限，才可以操作
+     *
+     * @return 权限标识数组
+     */
+    String[] value();
+
+}

system/system-sdk/src/main/java/cn/iocoder/mall/admin/sdk/constant/LogicalEnum.java

+package cn.iocoder.mall.admin.sdk.constant;
+
+/**
+ * 逻辑类型枚举
+ */
+public enum LogicalEnum {
+
+    /**
+     * 并且
+     */
+    AND,
+    /**
+     * 或者
+     */
+    OR,
+
+}

system/system-sdk/src/main/java/cn/iocoder/mall/admin/sdk/context/AdminSecurityContext.java

 package cn.iocoder.mall.admin.sdk.context;
 
+import lombok.Data;
+import lombok.experimental.Accessors;
+
 import java.util.Set;
 
 /**
  * Security 上下文
  */
+@Data
+@Accessors(chain = true)
 public class AdminSecurityContext {
 
-    private final Integer adminId;
-    private final Set<Integer> roleIds;
-
-    public AdminSecurityContext(Integer adminId, Set<Integer> roleIds) {
-        this.adminId = adminId;
-        this.roleIds = roleIds;
-    }
-
-    public Integer getAdminId() {
-        return adminId;
-    }
-
-    public Set<Integer> getRoleIds() {
-        return roleIds;
-    }
+    private Integer adminId;
+    private Set<Integer> roleIds;
 
-}
+}
\ No newline at end of file

system/system-sdk/src/main/java/cn/iocoder/mall/admin/sdk/context/AdminSecurityContextHolder.java

@@ -17,7 +17,7 @@ public class AdminSecurityContextHolder {
         AdminSecurityContext ctx = SECURITY_CONTEXT.get();
         // 为空时，设置一个空的进去
         if (ctx == null) {
-            ctx = new AdminSecurityContext(null, null);
+            ctx = new AdminSecurityContext();
             SECURITY_CONTEXT.set(ctx);
         }
         return ctx;

system/system-sdk/src/main/java/cn/iocoder/mall/admin/sdk/interceptor/AdminSecurityInterceptor.java

 package cn.iocoder.mall.admin.sdk.interceptor;
 
-import cn.iocoder.common.framework.constant.MallConstants;
+import cn.iocoder.common.framework.constant.UserTypeEnum;
 import cn.iocoder.common.framework.exception.ServiceException;
 import cn.iocoder.common.framework.util.HttpUtil;
 import cn.iocoder.common.framework.util.MallUtil;
-import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.common.framework.util.StringUtil;
+import cn.iocoder.mall.admin.api.AdminService;
 import cn.iocoder.mall.admin.api.OAuth2Service;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthorizationBO;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AuthenticationBO;
 import cn.iocoder.mall.admin.api.constant.AdminErrorCodeEnum;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2GetTokenDTO;
+import cn.iocoder.mall.admin.sdk.annotation.RequiresPermissions;
 import cn.iocoder.mall.admin.sdk.context.AdminSecurityContext;
 import cn.iocoder.mall.admin.sdk.context.AdminSecurityContextHolder;
 import org.apache.dubbo.config.annotation.Reference;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 import java.util.Set;
 
 /**
- * 安全拦截器
+ * Admin 安全拦截器
  */
 @Component
 public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
 
     @Reference(validation = "true", version = "${dubbo.consumer.OAuth2Service.version:1.0.0}")
     private OAuth2Service oauth2Service;
+    @Reference(validation = "true", version = "${dubbo.consumer.AdminService.version:1.0.0}")
+    private AdminService adminService;
 
     /**
      * 忽略的 URL 集合，即无需经过认证
+     *
+     * 对于 Admin 的系统，默认所有接口都需要进行认证
      */
-    @Value("${admins.security.ignore_url:#{null}}")
+    @Value("${admins.security.ignore_urls:#{null}}")
     private Set<String> ignoreUrls;
 
     public AdminSecurityInterceptor setIgnoreUrls(Set<String> ignoreUrls) {
@@ -42,39 +53,46 @@ public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         // 设置当前访问的用户类型。注意，即使未登陆，我们也认为是管理员
-        MallUtil.setUserType(request, MallConstants.USER_TYPE_ADMIN);
-        // 校验访问令牌是否正确。若正确，返回授权信息
+        MallUtil.setUserType(request, UserTypeEnum.ADMIN.getValue());
+
+        // 根据 accessToken 获得认证信息，判断是谁
         String accessToken = HttpUtil.obtainAuthorization(request);
         OAuth2AuthenticationBO authentication = null;
-        if (accessToken != null) {
-            CommonResult<OAuth2AuthenticationBO> result = oauth2Service.checkToken(accessToken);
-            // TODO sin 先临时跳过 认证
-//            CommonResult<OAuth2AuthenticationBO> result = CommonResult.success(new OAuth2AuthenticationBO()
-//                    .setAdminId(1)
-//                    .setRoleIds(Sets.newHashSet(1, 2, 3, 4)));
-            if (result.isError()) { // TODO 芋艿，如果访问的地址无需登录，这里也不用抛异常
-                throw new ServiceException(result.getCode(), result.getMessage());
+        ServiceException serviceException = null;
+        if (StringUtil.hasText(accessToken)) {
+            try {
+                authentication = oauth2Service.getAuthentication(new OAuth2GetTokenDTO().setAccessToken(accessToken)
+                        .setUserType(UserTypeEnum.ADMIN.getValue()));
+            } catch (ServiceException e) {
+                serviceException = e;
             }
-            authentication = result.getData();
-            // 添加到 AdminSecurityContext
-            AdminSecurityContext context = new AdminSecurityContext(authentication.getAdminId(), authentication.getRoleIds());
-            AdminSecurityContextHolder.setContext(context);
-            // 同时也记录管理员编号到 AdminAccessLogInterceptor 中。因为：
-            // AdminAccessLogInterceptor 需要在 AdminSecurityInterceptor 之前执行，这样记录的访问日志才健全
-            // AdminSecurityInterceptor 执行后，会移除 AdminSecurityContext 信息，这就导致 AdminAccessLogInterceptor 无法获得管理员编号
-            // 因此，这里需要进行记录
-            if (authentication.getAdminId() != null) {
-                MallUtil.setUserId(request, authentication.getAdminId());
+        }
+
+        // 进行鉴权
+        String url = request.getRequestURI();
+        boolean needAuthentication = ignoreUrls == null || !ignoreUrls.contains(url);
+        AdminAuthorizationBO authorization = null;
+        if (needAuthentication) {
+            if (serviceException != null) { // 认证失败，抛出上面认证失败的 ServiceException 异常
+                throw serviceException;
             }
-        } else {
-            String url = request.getRequestURI();
-            if (ignoreUrls != null && !ignoreUrls.contains(url)) { // TODO 临时写死。非登陆接口，必须已经认证身份，不允许匿名访问
-                throw new ServiceException(AdminErrorCodeEnum.OAUTH_NOT_LOGIN.getCode(), AdminErrorCodeEnum.OAUTH_NOT_LOGIN.getMessage());
+            if (authentication == null) { // 无认证信息，抛出未登陆 ServiceException 异常
+                throw new ServiceException(AdminErrorCodeEnum.OAUTH2_NOT_LOGIN.getCode(), AdminErrorCodeEnum.OAUTH2_NOT_LOGIN.getMessage());
+            }
+            authorization = checkPermission(handler, authentication);
+        }
+
+        // 鉴权完成，初始化 AdminSecurityContext 上下文
+        AdminSecurityContext context = new AdminSecurityContext();
+        AdminSecurityContextHolder.setContext(context);
+        if (authentication != null) {
+            context.setAdminId(authentication.getUserId());
+            MallUtil.setUserId(request, authentication.getUserId()); // 记录到 request 中，避免 AdminSecurityContext 后续清理掉后，其它地方需要用到 userId
+            if (authorization != null) {
+                context.setRoleIds(authorization.getRoleIds());
             }
         }
-        // 校验是否需要已授权
-        // TODO sin 暂时不校验
-        // checkPermission(request, authentication);
+
         // 返回成功
         return super.preHandle(request, response, handler);
     }
@@ -85,14 +103,18 @@ public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
         AdminSecurityContextHolder.clear();
     }
 
-    private void checkPermission(HttpServletRequest request, OAuth2AuthenticationBO authentication) {
-        Integer adminId = authentication != null ? authentication.getAdminId() : null;
-        Set<Integer> roleIds = authentication != null ? authentication.getRoleIds() : null;
-        String url = request.getRequestURI();
-        CommonResult<Boolean> result = oauth2Service.checkPermission(adminId, roleIds, url);
-        if (result.isError()) {
-            throw new ServiceException(result.getCode(), result.getMessage());
-        }
+    private AdminAuthorizationBO checkPermission(Object handler, OAuth2AuthenticationBO authentication) {
+        // 获得 @RequiresPermissions 注解
+        Assert.isTrue(handler instanceof HandlerMethod, "handler 必须是 HandlerMethod 类型");
+        HandlerMethod handlerMethod = (HandlerMethod) handler;
+        RequiresPermissions requiresPermissions = handlerMethod.getMethodAnnotation(RequiresPermissions.class);
+        // 执行校验
+        return adminService.checkPermissions(authentication.getUserId(),
+                requiresPermissions != null ? Arrays.asList(requiresPermissions.value()) : null);
+    }
+
+    private void checkPermission() {
+
     }
 
 }

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/AdminService.java

 package cn.iocoder.mall.admin.api;
 
 import cn.iocoder.common.framework.vo.PageResult;
-import cn.iocoder.mall.admin.api.bo.role.RoleBO;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthenticationBO;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthorizationBO;
 import cn.iocoder.mall.admin.api.bo.admin.AdminBO;
+import cn.iocoder.mall.admin.api.bo.role.RoleBO;
 import cn.iocoder.mall.admin.api.dto.admin.*;
 
 import java.util.Collection;
@@ -14,6 +16,16 @@ import java.util.Map;
  */
 public interface AdminService {
 
+    /**
+     * 用户认证。认证成功后，返回认证信息
+     *
+     * 实际上，就是用户名 + 密码登陆
+     *
+     * @param adminAuthenticationDTO 用户认证信息
+     * @return 认证信息
+     */
+    AdminAuthenticationBO authentication(AdminAuthenticationDTO adminAuthenticationDTO);
+
     PageResult<AdminBO> getAdminPage(AdminPageDTO adminPageDTO);
 
     AdminBO addAdmin(Integer adminId, AdminAddDTO adminAddDTO);
@@ -49,4 +61,13 @@ public interface AdminService {
      */
     Boolean assignAdminRole(Integer adminId, AdminAssignRoleDTO adminAssignRoleDTO);
 
+    /**
+     * 判断管理员是否有指定权限
+     *
+     * @param adminId 管理员
+     * @param permissions 权限数组
+     * @return 管理员授权信息
+     */
+    AdminAuthorizationBO checkPermissions(Integer adminId, List<String> permissions);
+
 }

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/OAuth2Service.java

 package cn.iocoder.mall.admin.api;
 
-import cn.iocoder.common.framework.vo.CommonResult;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AuthenticationBO;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2CreateTokenDTO;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2GetTokenDTO;
 
-import java.util.Set;
-
+/**
+ * Oauth2 服务接口
+ */
 public interface OAuth2Service {
 
-    CommonResult<OAuth2AccessTokenBO> getAccessToken(String username, String password);
-
     /**
-     * 校验访问令牌，获取身份信息( 不包括 accessToken 等等 )
+     * 根据身份信息，创建 accessToken 信息
      *
-     * @param accessToken 访问令牌
-     * @return 授权信息
+     * @param oauth2CreateTokenDTO 身份信息 DTO
+     * @return accessToken 信息
      */
-    CommonResult<OAuth2AuthenticationBO> checkToken(String accessToken);
+    OAuth2AccessTokenBO createToken(OAuth2CreateTokenDTO oauth2CreateTokenDTO);
+
+    // TODO @see 刷新 token
 
     /**
-     * 校验权限（鉴权）
+     * 通过 accessToken 获得身份信息
      *
-     * @param adminId 管理员编号
-     * @param roleIds 管理员拥有的角色编号的集合
-     * @param url 指定 URL
-     * @return 是否有权限
+     * @param oauth2GetTokenDTO accessToken 信息
+     * @return 身份信息
      */
-    CommonResult<Boolean> checkPermission(Integer adminId, Set<Integer> roleIds, String url);
-
-    // TODO @see 刷新 token
+    OAuth2AuthenticationBO getAuthentication(OAuth2GetTokenDTO oauth2GetTokenDTO);
 
 }

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/bo/admin/AdminAuthenticationBO.java

+package cn.iocoder.mall.admin.api.bo.admin;
+
+import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+@ApiModel("管理员认证 BO")
+@Data
+@Accessors(chain = true)
+public class AdminAuthenticationBO {
+
+    @ApiModelProperty(value = "管理员编号", required = true, example = "1")
+    private Integer id;
+
+    @ApiModelProperty(value = "昵称", required = true, example = "小王")
+    private String nickname;
+
+    private OAuth2AccessTokenBO token;
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/bo/admin/AdminAuthorizationBO.java

+package cn.iocoder.mall.admin.api.bo.admin;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import java.util.Set;
+
+@ApiModel("管理员授权 BO")
+@Data
+@Accessors(chain = true)
+public class AdminAuthorizationBO {
+
+    @ApiModelProperty(value = "管理员编号", required = true, example = "1")
+    private Integer id;
+
+    @ApiModelProperty(value = "角色编号数组", required = true, example = "1")
+    private Set<Integer> roleIds;
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/bo/oauth2/OAuth2AccessTokenBO.java

 package cn.iocoder.mall.admin.api.bo.oauth2;
 
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.experimental.Accessors;
 
 import java.io.Serializable;
 
-/**
- * OAUTH2 AccessToken BO
- */
+@ApiModel("OAuth2 Token 信息 BO")
 @Data
 @Accessors(chain = true)
 public class OAuth2AccessTokenBO implements Serializable {
 
-    /**
-     * 访问令牌
-     */
+    @ApiModelProperty(value = "accessToken", required = true, example = "001e8f49b20e47f7b3a2de774497cd50")
     private String accessToken;
-    /**
-     * 刷新令牌
-     */
+
+    @ApiModelProperty(value = "refreshToken", required = true, example = "001e8f49b20e47f7b3a2de774497cd50")
     private String refreshToken;
-    /**
-     * 过期时间，单位：秒。
-     */
+
+    @ApiModelProperty(value = "过期时间，单位：秒", required = true, example = "1024")
     private Integer expiresIn;
 
 }

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/bo/oauth2/OAuth2AuthenticationBO.java

 package cn.iocoder.mall.admin.api.bo.oauth2;
 
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.experimental.Accessors;
 
-import java.io.Serializable;
-import java.util.Set;
-
-/**
- * OAUTH2 认证 BO
- */
+@ApiModel("OAUTH2 认证 BO")
 @Data
 @Accessors(chain = true)
-public class OAuth2AuthenticationBO implements Serializable {
+public class OAuth2AuthenticationBO {
+
+    @ApiModelProperty(value = "用户编号", required = true, example = "1")
+    private Integer userId;
 
-    /**
-     * 管理员编号
-     */
-    private Integer adminId;
-    /**
-     * 角色编号数组
-     */
-    private Set<Integer> roleIds;
+    @ApiModelProperty(value = "用户类型", required = true, example = "1", notes = "参考 UserTypeEnum 枚举")
+    private Integer userType;
 
 }

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/bo/oauth2/OAuth2AuthenticationOldBO.java

+package cn.iocoder.mall.admin.api.bo.oauth2;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import java.io.Serializable;
+import java.util.Set;
+
+/**
+ * OAUTH2 认证 BO
+ */
+@Data
+@Accessors(chain = true)
+public class OAuth2AuthenticationOldBO implements Serializable {
+
+    /**
+     * 管理员编号
+     */
+    private Integer adminId;
+    /**
+     * 角色编号数组
+     */
+    private Set<Integer> roleIds;
+
+
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/constant/AdminErrorCodeEnum.java

@@ -12,11 +12,11 @@ public enum AdminErrorCodeEnum {
 //    OAUTH2_INVALID_GRANT_BAD_CREDENTIALS(1001001001, "密码不正确"), // 暂时没用到
 //    OAUTH2_INVALID_GRANT_USERNAME_NOT_FOUND(1001001002, "账号不存在"), // 暂时没用到
 //    OAUTH2_INVALID_GRANT(1001001010, ""), // 预留
-    OAUTH_INVALID_TOKEN_NOT_FOUND(1002001011, "访问令牌不存在"),
-    OAUTH_INVALID_TOKEN_EXPIRED(1002001012, "访问令牌已过期"),
-    OAUTH_INVALID_TOKEN_INVALID(1002001013, "访问令牌已失效"),
-    OAUTH_INVALID_PERMISSION(1002001014, "没有该操作权限"), // TODO 芋艿，临时放在 OAUTH2 模块，理论来说，OAUTH2 只做认证，不做鉴权。
-    OAUTH_NOT_LOGIN(1002001015, "账号未登陆"),
+    OAUTH2_INVALID_TOKEN_NOT_FOUND(1002001011, "访问令牌不存在"),
+    OAUTH2_INVALID_TOKEN_EXPIRED(1002001012, "访问令牌已过期"),
+    OAUTH2_INVALID_TOKEN_INVALID(1002001013, "访问令牌已失效"),
+    OAUTH2_NOT_LOGIN(1002001015, "账号未登陆"),
+    OAUTH2_INVALID_TOKEN_ERROR_USER_TYPE(1002001016, "访问令牌用户类型不正确"),
 
     OAUTH_INVALID_TOKEN(1002001020, ""), // 预留
 
@@ -29,6 +29,7 @@ public enum AdminErrorCodeEnum {
     ADMIN_DELETE_ONLY_DISABLE(1002002004, "只有关闭的账号才可以删除"),
     ADMIN_ADMIN_STATUS_CAN_NOT_UPDATE(1002002005, "管理员的账号状态不允许变更"),
     ADMIN_ASSIGN_ROLE_NOT_EXISTS(1002002006, "分配员工角色时，有角色不存在"),
+    ADMIN_INVALID_PERMISSION(1002002007, "没有该操作权限"),
 
     // ========== 资源模块 1002003000 ==========
     RESOURCE_NAME_DUPLICATE(1002003000, "已经存在该名字的资源"),

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/constant/ResourceTypeEnum.java

+package cn.iocoder.mall.admin.api.constant;
+
+import cn.iocoder.common.framework.core.IntArrayValuable;
+
+import java.util.Arrays;
+
+/**
+ * 资源类型枚举
+ */
+public enum ResourceTypeEnum implements IntArrayValuable {
+
+    MENU(1, "菜单"),
+    BUTTON(2, "按钮");
+
+    public static final int[] ARRAYS = Arrays.stream(values()).mapToInt(ResourceTypeEnum::getValue).toArray();
+
+    /**
+     * 资源类型
+     */
+    private Integer value;
+    /**
+     * 资源类型名
+     */
+    private String name;
+
+    ResourceTypeEnum(Integer value, String name) {
+        this.value = value;
+        this.name = name;
+    }
+
+    public Integer getValue() {
+        return value;
+    }
+
+    public ResourceTypeEnum setValue(Integer value) {
+        this.value = value;
+        return this;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public ResourceTypeEnum setName(String name) {
+        this.name = name;
+        return this;
+    }
+
+    @Override
+    public int[] array() {
+        return ARRAYS;
+    }
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/admin/AdminAddDTO.java

@@ -17,7 +17,7 @@ public class AdminAddDTO implements Serializable {
 
     @ApiModelProperty(value = "登陆账号", required = true, example = "15601691300")
     @NotEmpty(message = "登陆账号不能为空")
-    @Length(min = 6, max = 16, message = "账号长度为 6-16 位")
+    @Length(min = 5, max = 16, message = "账号长度为 5-16 位")
     @Pattern(regexp = "^[A-Za-z0-9]+$", message = "账号格式为数字以及字母")
     private String username;
 

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/admin/AdminAuthenticationDTO.java

+package cn.iocoder.mall.admin.api.dto.admin;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import lombok.Data;
+import lombok.experimental.Accessors;
+import org.hibernate.validator.constraints.Length;
+
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Pattern;
+
+@ApiModel("管理员认证 DTO")
+@Data
+@Accessors(chain = true)
+public class AdminAuthenticationDTO {
+
+    @ApiModelProperty(value = "登陆账号", required = true, example = "15601691300")
+    @NotEmpty(message = "登陆账号不能为空")
+    @Length(min = 5, max = 16, message = "账号长度为 5-16 位")
+    @Pattern(regexp = "^[A-Za-z0-9]+$", message = "账号格式为数字以及字母")
+    private String username;
+
+    @ApiModelProperty(value = "密码", required = true, example = "buzhidao")
+    @NotEmpty(message = "密码不能为空")
+    @Length(min = 6, max = 16, message = "密码长度为 6-16 位")
+    private String password;
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/admin/AdminUpdateDTO.java

@@ -22,7 +22,7 @@ public class AdminUpdateDTO implements Serializable {
 
     @ApiModelProperty(value = "登陆账号", required = true, example = "15601691300")
     @NotEmpty(message = "登陆账号不能为空")
-    @Length(min = 6, max = 16, message = "账号长度为 6-16 位")
+    @Length(min = 5, max = 16, message = "账号长度为 5-16 位")
     @Pattern(regexp = "^[A-Za-z0-9]+$", message = "账号格式为数字以及字母")
     private String username;
 

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/oauth2/OAuth2CreateTokenDTO.java

+package cn.iocoder.mall.admin.api.dto.oauth2;
+
+import cn.iocoder.common.framework.validator.InEnum;
+import cn.iocoder.mall.admin.api.constant.ResourceTypeEnum;
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import javax.validation.constraints.NotNull;
+
+@ApiModel("OAuth2 创建 Token DTO")
+@Data
+@Accessors(chain = true)
+public class OAuth2CreateTokenDTO {
+
+    @ApiModelProperty(value = "用户编号", required = true, example = "1")
+    @NotNull(message = "用户编号不能为空")
+    private Integer userId;
+
+    @ApiModelProperty(value = "用户类型", required = true, example = "1", notes = "参见 ResourceTypeEnum 枚举")
+    @NotNull(message = "用户类型不能为空")
+    @InEnum(value = ResourceTypeEnum.class, message = "用户类型必须是 {value}")
+    private Integer userType;
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/oauth2/OAuth2GetTokenDTO.java

+package cn.iocoder.mall.admin.api.dto.oauth2;
+
+import cn.iocoder.common.framework.validator.InEnum;
+import cn.iocoder.mall.admin.api.constant.ResourceTypeEnum;
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+@ApiModel("OAuth2 身份验证 DTO")
+@Data
+@Accessors(chain = true)
+public class OAuth2GetTokenDTO {
+
+    @ApiModelProperty(value = "accessToken", required = true, example = "001e8f49b20e47f7b3a2de774497cd50")
+    @NotEmpty(message = "accessToken 不能为空")
+    private String accessToken;
+
+    @ApiModelProperty(value = "用户类型", required = true, example = "1", notes = "参见 ResourceTypeEnum 枚举")
+    @NotNull(message = "用户类型不能为空")
+    @InEnum(value = ResourceTypeEnum.class, message = "用户类型必须是 {value}")
+    private Integer userType;
+
+}

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/resource/ResourceAddDTO.java

 package cn.iocoder.mall.admin.api.dto.resource;
 
+import cn.iocoder.common.framework.validator.InEnum;
+import cn.iocoder.mall.admin.api.constant.ResourceTypeEnum;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -17,6 +19,7 @@ public class ResourceAddDTO implements Serializable {
 
     @ApiModelProperty(value = "资源类型。1 代表【菜单】；2 代表【按钮】", required = true, example = "1")
     @NotNull(message = "类型不能为空")
+    @InEnum(value = ResourceTypeEnum.class, message = "资源类型必须是 {value}")
     private Integer type;
 
     @ApiModelProperty(value = "排序", required = true, example = "1")

system/system-service-api/src/main/java/cn/iocoder/mall/admin/api/dto/resource/ResourceUpdateDTO.java

 package cn.iocoder.mall.admin.api.dto.resource;
 
+import cn.iocoder.common.framework.validator.InEnum;
+import cn.iocoder.mall.admin.api.constant.ResourceTypeEnum;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -21,6 +23,7 @@ public class ResourceUpdateDTO implements Serializable {
 
     @ApiModelProperty(value = "资源类型。1 代表【菜单】；2 代表【按钮】", required = true, example = "1")
     @NotNull(message = "类型不能为空")
+    @InEnum(value = ResourceTypeEnum.class, message = "资源类型必须是 {value}")
     private Integer type;
 
     @ApiModelProperty(value = "排序", required = true, example = "1")

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/convert/AdminConvert.java

 package cn.iocoder.mall.admin.convert;
 
 import cn.iocoder.common.framework.vo.PageResult;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthenticationBO;
 import cn.iocoder.mall.admin.api.bo.admin.AdminBO;
 import cn.iocoder.mall.admin.api.dto.admin.AdminAddDTO;
 import cn.iocoder.mall.admin.api.dto.admin.AdminUpdateDTO;
@@ -21,6 +22,9 @@ public interface AdminConvert {
     @Mappings({})
     AdminBO convert(AdminDO adminDO);
 
+    @Mappings({})
+    AdminAuthenticationBO convert2(AdminDO admin);
+
     @Mappings({})
     AdminDO convert(AdminAddDTO adminAddDTO);
 

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/convert/OAuth2Convert.java

@@ -2,6 +2,7 @@ package cn.iocoder.mall.admin.convert;
 
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AuthenticationBO;
+import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AuthenticationOldBO;
 import cn.iocoder.mall.admin.dataobject.AdminRoleDO;
 import cn.iocoder.mall.admin.dataobject.OAuth2AccessTokenDO;
 import org.mapstruct.Mapper;
@@ -27,11 +28,14 @@ public interface OAuth2Convert {
                 .setExpiresIn(Math.max((int) ((oauth2AccessTokenDO.getExpiresTime().getTime() - System.currentTimeMillis()) / 1000), 0));
     }
 
+    @Mappings({})
+    OAuth2AuthenticationOldBO convertToAuthenticationOld(OAuth2AccessTokenDO oauth2AccessTokenDO);
+
     @Mappings({})
     OAuth2AuthenticationBO convertToAuthentication(OAuth2AccessTokenDO oauth2AccessTokenDO);
 
-    default OAuth2AuthenticationBO convertToAuthentication(OAuth2AccessTokenDO oauth2AccessTokenDO, List<AdminRoleDO> adminRoleDOs) {
-        return convertToAuthentication(oauth2AccessTokenDO)
+    default OAuth2AuthenticationOldBO convertToAuthenticationOld(OAuth2AccessTokenDO oauth2AccessTokenDO, List<AdminRoleDO> adminRoleDOs) {
+        return convertToAuthenticationOld(oauth2AccessTokenDO)
                 .setRoleIds(adminRoleDOs.stream().map(AdminRoleDO::getRoleId).collect(Collectors.toSet()));
     }
 

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/AdminRoleMapper.java

@@ -12,16 +12,27 @@ import java.util.List;
 @Repository
 public interface AdminRoleMapper extends BaseMapper<AdminRoleDO> {
 
-    List<AdminRoleDO> selectByAdminId(@Param("adminId") Integer adminId);
+    default List<AdminRoleDO> selectByAdminId( Integer adminId) {
+        return selectList(new QueryWrapper<AdminRoleDO>().eq("admin_id", adminId));
+    }
 
     default List<AdminRoleDO> selectListByAdminIds(Collection<Integer> adminIds) {
         return selectList(new QueryWrapper<AdminRoleDO>().in("admin_id", adminIds));
     }
 
-    int updateToDeletedByAdminId(@Param("adminId") Integer adminId);
+    default int deleteByAdminId(Integer adminId) {
+        return delete(new QueryWrapper<AdminRoleDO>().eq("admin_id", adminId));
+    }
 
-    int updateToDeletedByRoleId(@Param("roleId") Integer roleId);
+    default int deleteByRoleId(Integer roleId) {
+        return delete(new QueryWrapper<AdminRoleDO>().eq("role_id", roleId));
+    }
 
-    void insertList(@Param("adminRoleDOs") List<AdminRoleDO> adminRoleDOs);
+    /**
+     * 批量插入。因为 MyBaits Plus 的批量插入是基于 Service 实现，所以只好写 XML
+     *
+     * @param adminRoleDOs 数组
+     */
+    int insertList(@Param("adminRoleDOs") List<AdminRoleDO> adminRoleDOs);
 
 }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/OAuth2AccessTokenMapper.java

 package cn.iocoder.mall.admin.dao;
 
 import cn.iocoder.mall.admin.dataobject.OAuth2AccessTokenDO;
+import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import org.apache.ibatis.annotations.Param;
 import org.springframework.stereotype.Repository;
 
 @Repository
-public interface OAuth2AccessTokenMapper {
-
-    void insert(OAuth2AccessTokenDO entity);
-
-    OAuth2AccessTokenDO selectByTokenId(@Param("id") String id);
+public interface OAuth2AccessTokenMapper extends BaseMapper<OAuth2AccessTokenDO> {
 
     int updateToInvalidByAdminId(@Param("adminId") Integer adminId);
 
-}
+}
\ No newline at end of file

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/OAuth2RefreshTokenMapper.java

 package cn.iocoder.mall.admin.dao;
 
 import cn.iocoder.mall.admin.dataobject.OAuth2RefreshTokenDO;
+import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import org.apache.ibatis.annotations.Param;
 import org.springframework.stereotype.Repository;
 
 @Repository
-public interface OAuth2RefreshTokenMapper {
-
-    void insert(OAuth2RefreshTokenDO entity);
+public interface OAuth2RefreshTokenMapper extends BaseMapper<OAuth2RefreshTokenDO> {
 
     int updateToInvalidByAdminId(@Param("adminId") Integer adminId);
 
-}
+}
\ No newline at end of file

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/ResourceMapper.java

 package cn.iocoder.mall.admin.dao;
 
+import cn.iocoder.common.framework.mybatis.QueryWrapperX;
 import cn.iocoder.mall.admin.dataobject.ResourceDO;
+import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import org.apache.ibatis.annotations.Param;
 import org.springframework.stereotype.Repository;
@@ -11,16 +13,24 @@ import java.util.Set;
 @Repository
 public interface ResourceMapper extends BaseMapper<ResourceDO> {
 
-    ResourceDO selectByTypeAndHandler(@Param("type") Integer type,
-                                      @Param("handler") String handler);
-
+    @Deprecated
     List<ResourceDO> selectListByTypeAndRoleIds(@Param("type") Integer type,
                                                 @Param("roleIds") Set<Integer> roleIds);
 
-    List<ResourceDO> selectListByType(@Param("type") Integer type);
+    default List<ResourceDO> selectListByPermission(String permission) {
+        return selectList(new QueryWrapperX<ResourceDO>().like("permissions", permission));
+    }
+
+    default List<ResourceDO> selectListByType(Integer type) {
+        return selectList(new QueryWrapperX<ResourceDO>().eqIfPresent("type", type));
+    }
 
-    List<ResourceDO> selectListByIds(@Param("ids") Set<Integer> ids);
+    default List<ResourceDO> selectListByIds(Set<Integer> ids) {
+        return selectList(new QueryWrapper<ResourceDO>().in("id", ids));
+    }
 
-    int selectCountByPid(@Param("pid") Integer pid);
+    default int selectCountByPid(Integer pid) {
+        return selectCount(new QueryWrapper<ResourceDO>().eq("pid", pid));
+    }
 
 }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/RoleMapper.java

@@ -9,16 +9,11 @@ import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import org.springframework.stereotype.Repository;
 
-import java.util.Collection;
 import java.util.List;
 
 @Repository
 public interface RoleMapper extends BaseMapper<RoleDO> {
 
-    default List<RoleDO> selectListByIds(Collection<Integer> ids) {
-        return selectList(new QueryWrapper<RoleDO>().in("id", ids));
-    }
-
     default List<RoleDO> selectList() {
         return selectList(new QueryWrapper<>());
     }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dao/RoleResourceMapper.java

 package cn.iocoder.mall.admin.dao;
 
 import cn.iocoder.mall.admin.dataobject.RoleResourceDO;
+import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import com.baomidou.mybatisplus.core.mapper.BaseMapper;
 import org.apache.ibatis.annotations.Param;
 import org.springframework.stereotype.Repository;
 
+import java.util.Collection;
 import java.util.List;
 
 @Repository
-public interface RoleResourceMapper {
+public interface RoleResourceMapper extends BaseMapper<RoleResourceDO> {
 
-    int insertList(@Param("roleResources") List<RoleResourceDO> resourceDOs);
+    /**
+     * 批量插入。因为 MyBaits Plus 的批量插入是基于 Service 实现，所以只好写 XML
+     *
+     * @param roleResources 数组
+     */
+    int insertList(@Param("roleResources") List<RoleResourceDO> roleResources);
 
-    List<RoleResourceDO> selectByResourceHandler(@Param("resourceHandler") String resourceHandler);
+    default  List<RoleResourceDO> selectListByResourceId(Integer resourceId) {
+        return selectList(new QueryWrapper<RoleResourceDO>().eq("resource_id", resourceId));
+    }
 
-    List<RoleResourceDO> selectByResourceId(@Param("resourceId") Integer resourceId);
+    default  List<RoleResourceDO> selectListByResourceId(Collection<Integer> resourceIds) {
+        return selectList(new QueryWrapper<RoleResourceDO>().in("resource_id", resourceIds));
+    }
 
-    int updateToDeletedByResourceId(@Param("resourceId") Integer resourceId);
+    default int deleteByResourceId(Integer resourceId) {
+        return delete(new QueryWrapper<RoleResourceDO>().eq("resource_id", resourceId));
+    }
 
-    int updateToDeletedByRoleId(@Param("roleId") Integer roleId);
+    default int deleteByRoleId(Integer roleId) {
+        return delete(new QueryWrapper<RoleResourceDO>().eq("role_id", roleId));
+    }
 
-}
+}
\ No newline at end of file

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dataobject/OAuth2AccessTokenDO.java

 package cn.iocoder.mall.admin.dataobject;
 
+import cn.iocoder.common.framework.dataobject.BaseDO;
+import com.baomidou.mybatisplus.annotation.IdType;
+import com.baomidou.mybatisplus.annotation.TableId;
+import com.baomidou.mybatisplus.annotation.TableName;
 import lombok.Data;
 import lombok.experimental.Accessors;
 
@@ -8,22 +12,28 @@ import java.util.Date;
 /**
  * OAUTH2 AccessToken
  */
+@TableName("oauth2_access_token")
 @Data
 @Accessors(chain = true)
-public class OAuth2AccessTokenDO {
+public class OAuth2AccessTokenDO extends BaseDO {
 
     /**
      * 访问令牌
      */
+    @TableId(type = IdType.INPUT)
     private String id;
     /**
      * 刷新令牌
      */
     private String refreshToken;
     /**
-     * 管理员比那好
+     * 用户编号
      */
-    private Integer adminId;
+    private Integer userId;
+    /**
+     * 用户类型
+     */
+    private Integer userType;
     /**
      * 过期时间
      */
@@ -32,63 +42,5 @@ public class OAuth2AccessTokenDO {
      * 是否有效
      */
     private Boolean valid;
-    /**
-     * 创建时间
-     */
-    private Date createTime;
-
-    public String getId() {
-        return id;
-    }
-
-    public OAuth2AccessTokenDO setId(String id) {
-        this.id = id;
-        return this;
-    }
-
-    public String getRefreshToken() {
-        return refreshToken;
-    }
-
-    public OAuth2AccessTokenDO setRefreshToken(String refreshToken) {
-        this.refreshToken = refreshToken;
-        return this;
-    }
-
-    public Integer getAdminId() {
-        return adminId;
-    }
-
-    public OAuth2AccessTokenDO setAdminId(Integer adminId) {
-        this.adminId = adminId;
-        return this;
-    }
-
-    public Date getExpiresTime() {
-        return expiresTime;
-    }
-
-    public OAuth2AccessTokenDO setExpiresTime(Date expiresTime) {
-        this.expiresTime = expiresTime;
-        return this;
-    }
-
-    public Boolean getValid() {
-        return valid;
-    }
-
-    public OAuth2AccessTokenDO setValid(Boolean valid) {
-        this.valid = valid;
-        return this;
-    }
-
-    public Date getCreateTime() {
-        return createTime;
-    }
-
-    public OAuth2AccessTokenDO setCreateTime(Date createTime) {
-        this.createTime = createTime;
-        return this;
-    }
 
 }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dataobject/OAuth2RefreshTokenDO.java

 package cn.iocoder.mall.admin.dataobject;
 
+import cn.iocoder.common.framework.dataobject.BaseDO;
+import com.baomidou.mybatisplus.annotation.IdType;
+import com.baomidou.mybatisplus.annotation.TableId;
+import com.baomidou.mybatisplus.annotation.TableName;
 import lombok.Data;
 import lombok.experimental.Accessors;
 
@@ -10,18 +14,24 @@ import java.util.Date;
  *
  * idx_uid
  */
+@TableName("oauth2_refresh_token")
 @Data
 @Accessors(chain = true)
-public class OAuth2RefreshTokenDO {
+public class OAuth2RefreshTokenDO extends BaseDO {
 
     /**
      * 刷新令牌
      */
+    @TableId(type = IdType.INPUT)
     private String id;
     /**
      * 用户编号
      */
-    private Integer adminId;
+    private Integer userId;
+    /**
+     * 用户类型
+     */
+    private Integer userType;
     /**
      * 是否有效
      */
@@ -30,9 +40,5 @@ public class OAuth2RefreshTokenDO {
      * 过期时间
      */
     private Date expiresTime;
-    /**
-     * 创建时间
-     */
-    private Date createTime;
 
 }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/dataobject/RoleResourceDO.java

 package cn.iocoder.mall.admin.dataobject;
 
 import cn.iocoder.common.framework.dataobject.DeletableDO;
+import com.baomidou.mybatisplus.annotation.TableName;
 import lombok.Data;
 import lombok.experimental.Accessors;
 
 /**
  * {@link RoleDO} 和 {@link ResourceDO} 的关联表
  */
+@TableName("role_resource")
 @Data
 @Accessors(chain = true)
 public class RoleResourceDO extends DeletableDO {

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/service/AdminServiceImpl.java

@@ -2,16 +2,20 @@ package cn.iocoder.mall.admin.service;
 
 import cn.iocoder.common.framework.constant.CommonStatusEnum;
 import cn.iocoder.common.framework.constant.DeletedStatusEnum;
+import cn.iocoder.common.framework.constant.UserTypeEnum;
 import cn.iocoder.common.framework.util.CollectionUtil;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
-import cn.iocoder.common.framework.vo.CommonResult;
 import cn.iocoder.common.framework.vo.PageResult;
 import cn.iocoder.mall.admin.api.AdminService;
-import cn.iocoder.mall.admin.api.bo.role.RoleBO;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthenticationBO;
+import cn.iocoder.mall.admin.api.bo.admin.AdminAuthorizationBO;
 import cn.iocoder.mall.admin.api.bo.admin.AdminBO;
+import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
+import cn.iocoder.mall.admin.api.bo.role.RoleBO;
 import cn.iocoder.mall.admin.api.constant.AdminConstants;
 import cn.iocoder.mall.admin.api.constant.AdminErrorCodeEnum;
 import cn.iocoder.mall.admin.api.dto.admin.*;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2CreateTokenDTO;
 import cn.iocoder.mall.admin.convert.AdminConvert;
 import cn.iocoder.mall.admin.dao.AdminMapper;
 import cn.iocoder.mall.admin.dao.AdminRoleMapper;
@@ -39,32 +43,30 @@ public class AdminServiceImpl implements AdminService {
     private AdminRoleMapper adminRoleMapper;
 
     @Autowired
-    private OAuth2ServiceImpl oAuth2Service;
+    private OAuth2ServiceImpl oauth2Service;
     @Autowired
     private RoleServiceImpl roleService;
 
-    public CommonResult<AdminDO> validAdmin(String username, String password) {
-        AdminDO admin = adminMapper.selectByUsername(username);
+    @Override
+    public AdminAuthenticationBO authentication(AdminAuthenticationDTO adminAuthenticationDTO) {
+        AdminDO admin = adminMapper.selectByUsername(adminAuthenticationDTO.getUsername());
         // 账号不存在
         if (admin == null) {
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.ADMIN_USERNAME_NOT_REGISTERED.getCode());
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.ADMIN_USERNAME_NOT_REGISTERED.getCode());
         }
         // 密码不正确
-        if (encodePassword(password).equals(admin.getPassword())) {
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.ADMIN_PASSWORD_ERROR.getCode());
+        if (encodePassword(adminAuthenticationDTO.getPassword()).equals(admin.getPassword())) {
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.ADMIN_PASSWORD_ERROR.getCode());
         }
         // 账号被禁用
         if (CommonStatusEnum.DISABLE.getValue().equals(admin.getStatus())) {
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.ADMIN_IS_DISABLE.getCode());
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.ADMIN_IS_DISABLE.getCode());
         }
-        // 校验成功，返回管理员。并且，去掉一些非关键字段，考虑安全性。
-        admin.setPassword(null);
-        admin.setStatus(null);
-        return CommonResult.success(admin);
-    }
-
-    public List<AdminRoleDO> getAdminRoles(Integer adminId) {
-        return adminRoleMapper.selectByAdminId(adminId);
+        // 创建 accessToken
+        OAuth2AccessTokenBO accessTokenBO = oauth2Service.createToken(new OAuth2CreateTokenDTO().setUserId(admin.getId())
+            .setUserType(UserTypeEnum.ADMIN.getValue()));
+        // 转换返回
+        return AdminConvert.INSTANCE.convert2(admin).setToken(accessTokenBO);
     }
 
     @Override
@@ -130,7 +132,7 @@ public class AdminServiceImpl implements AdminService {
         adminMapper.updateById(updateAdmin);
         // 如果是关闭管理员，则标记 token 失效。否则，管理员还可以继续蹦跶
         if (CommonStatusEnum.DISABLE.getValue().equals(adminUpdateStatusDTO.getStatus())) {
-            oAuth2Service.removeToken(adminUpdateStatusDTO.getId());
+            oauth2Service.removeToken(adminUpdateStatusDTO.getId());
         }
         // TODO 插入操作日志
         // 返回成功
@@ -152,7 +154,7 @@ public class AdminServiceImpl implements AdminService {
         // 标记删除 AdminDO
         adminMapper.deleteById(updateAdminId); // 标记删除
         // 标记删除 AdminRole
-        adminRoleMapper.updateToDeletedByAdminId(updateAdminId);
+        adminRoleMapper.deleteByAdminId(updateAdminId);
         // TODO 插入操作日志
         // 返回成功
         return true;
@@ -202,7 +204,7 @@ public class AdminServiceImpl implements AdminService {
         }
         // TODO 芋艿，这里先简单实现。即方式是，删除老的分配的角色关系，然后添加新的分配的角色关系
         // 标记管理员角色源关系都为删除
-        adminRoleMapper.updateToDeletedByAdminId(adminAssignRoleDTO.getId());
+        adminRoleMapper.deleteByAdminId(adminAssignRoleDTO.getId());
         // 创建 RoleResourceDO 数组，并插入到数据库
         if (!CollectionUtil.isEmpty(adminAssignRoleDTO.getRoleIds())) {
             List<AdminRoleDO> adminRoleDOs = adminAssignRoleDTO.getRoleIds().stream().map(roleId -> {
@@ -218,6 +220,24 @@ public class AdminServiceImpl implements AdminService {
         return true;
     }
 
+    @Override
+    public AdminAuthorizationBO checkPermissions(Integer adminId, List<String> permissions) {
+        // 查询管理员拥有的角色关联数据
+        List<AdminRoleDO> adminRoleList = adminRoleMapper.selectByAdminId(adminId);
+        Set<Integer> adminRoleIds = CollectionUtil.convertSet(adminRoleList, AdminRoleDO::getRoleId);
+        // 授权校验
+        if (!CollectionUtil.isEmpty(permissions)) {
+            Map<String, List<Integer>> permissionRoleMap = roleService.getPermissionRoleMap(permissions);
+            for (Map.Entry<String, List<Integer>> entry : permissionRoleMap.entrySet()) {
+                if (!CollectionUtil.containsAny(entry.getValue(), adminRoleIds)) { // 所以有任一不满足，就验证失败，抛出异常
+                    throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.ADMIN_INVALID_PERMISSION.getCode());
+                }
+            }
+        }
+        // 返回成功
+        return new AdminAuthorizationBO().setId(adminId).setRoleIds(adminRoleIds);
+    }
+
     private String encodePassword(String password) {
         return DigestUtils.md5DigestAsHex(password.getBytes());
     }

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/service/OAuth2ServiceImpl.java

 package cn.iocoder.mall.admin.service;
 
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
-import cn.iocoder.common.framework.vo.CommonResult;
 import cn.iocoder.mall.admin.api.OAuth2Service;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AccessTokenBO;
 import cn.iocoder.mall.admin.api.bo.oauth2.OAuth2AuthenticationBO;
 import cn.iocoder.mall.admin.api.constant.AdminErrorCodeEnum;
-import cn.iocoder.mall.admin.api.constant.ResourceConstants;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2CreateTokenDTO;
+import cn.iocoder.mall.admin.api.dto.oauth2.OAuth2GetTokenDTO;
 import cn.iocoder.mall.admin.convert.OAuth2Convert;
 import cn.iocoder.mall.admin.dao.OAuth2AccessTokenMapper;
 import cn.iocoder.mall.admin.dao.OAuth2RefreshTokenMapper;
-import cn.iocoder.mall.admin.dataobject.*;
+import cn.iocoder.mall.admin.dataobject.OAuth2AccessTokenDO;
+import cn.iocoder.mall.admin.dataobject.OAuth2RefreshTokenDO;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
 import java.util.Date;
-import java.util.List;
-import java.util.Set;
 import java.util.UUID;
 
 @Service
@@ -49,36 +48,15 @@ public class OAuth2ServiceImpl implements OAuth2Service {
 
     @Override
     @Transactional
-    public CommonResult<OAuth2AccessTokenBO> getAccessToken(String username, String password) {
-        CommonResult<AdminDO> adminResult = adminService.validAdmin(username, password);
-        // 校验失败，返回错误结果
-        if (adminResult.isError()) {
-            return CommonResult.error(adminResult);
-        }
-        AdminDO admin = adminResult.getData();
+    public OAuth2AccessTokenBO createToken(OAuth2CreateTokenDTO oauth2CreateTokenDTO) {
+        Integer userId = oauth2CreateTokenDTO.getUserId();
+        Integer userType = oauth2CreateTokenDTO.getUserType();
         // 创建刷新令牌
-        OAuth2RefreshTokenDO oauth2RefreshTokenDO = createOAuth2RefreshToken(admin.getId());
+        OAuth2RefreshTokenDO oauth2RefreshTokenDO = createOAuth2RefreshToken(userId, userType);
         // 创建访问令牌
-        OAuth2AccessTokenDO oauth2AccessTokenDO = createOAuth2AccessToken(admin.getId(), oauth2RefreshTokenDO.getId());
+        OAuth2AccessTokenDO oauth2AccessTokenDO = createOAuth2AccessToken(userId, userType, oauth2RefreshTokenDO.getId());
         // 转换返回
-        return CommonResult.success(OAuth2Convert.INSTANCE.convertToAccessTokenWithExpiresIn(oauth2AccessTokenDO));
-    }
-
-    @Override
-    public CommonResult<OAuth2AuthenticationBO> checkToken(String accessToken) {
-        OAuth2AccessTokenDO accessTokenDO = oauth2AccessTokenMapper.selectByTokenId(accessToken);
-        if (accessTokenDO == null) { // 不存在
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.OAUTH_INVALID_TOKEN_NOT_FOUND.getCode());
-        }
-        if (accessTokenDO.getExpiresTime().getTime() < System.currentTimeMillis()) { // 已过期
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.OAUTH_INVALID_TOKEN_EXPIRED.getCode());
-        }
-        if (!accessTokenDO.getValid()) { // 无效
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.OAUTH_INVALID_TOKEN_INVALID.getCode());
-        }
-        // 获得管理员拥有的角色
-        List<AdminRoleDO> adminRoleDOs = adminService.getAdminRoles(accessTokenDO.getAdminId());
-        return CommonResult.success(OAuth2Convert.INSTANCE.convertToAuthentication(accessTokenDO, adminRoleDOs));
+        return OAuth2Convert.INSTANCE.convertToAccessTokenWithExpiresIn(oauth2AccessTokenDO);
     }
 
     /**
@@ -95,40 +73,37 @@ public class OAuth2ServiceImpl implements OAuth2Service {
     }
 
     @Override
-    public CommonResult<Boolean> checkPermission(Integer adminId, Set<Integer> roleIds, String url) {
-        // 如果未配置该资源，说明无需权限控制。
-        ResourceDO resource = resourceService.getResourceByTypeAndHandler(ResourceConstants.TYPE_BUTTON, url);
-        if (resource == null) {
-            return CommonResult.success(true);
+    public OAuth2AuthenticationBO getAuthentication(OAuth2GetTokenDTO oauth2GetTokenDTO) {
+        OAuth2AccessTokenDO accessTokenDO = oauth2AccessTokenMapper.selectById(oauth2GetTokenDTO.getAccessToken());
+        if (accessTokenDO == null) { // 不存在
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.OAUTH2_INVALID_TOKEN_NOT_FOUND.getCode());
         }
-        // 资源存在，结果无角色，说明没有权限。
-        if (roleIds == null || roleIds.isEmpty()) {
-            return ServiceExceptionUtil.error(AdminErrorCodeEnum.OAUTH_INVALID_PERMISSION.getCode());
+        if (accessTokenDO.getExpiresTime().getTime() < System.currentTimeMillis()) { // 已过期
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.OAUTH2_INVALID_TOKEN_EXPIRED.getCode());
         }
-        // 校验是否有资源对应的角色，即 RBAC 。
-        List<RoleResourceDO> roleResourceDOs = roleService.getRoleByResourceId(resource.getId());
-        for (RoleResourceDO roleResourceDO : roleResourceDOs) {
-            if (roleIds.contains(roleResourceDO.getRoleId())) {
-                return CommonResult.success(true);
-            }
+        if (!accessTokenDO.getValid()) { // 无效
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.OAUTH2_INVALID_TOKEN_INVALID.getCode());
+        }
+        if (!oauth2GetTokenDTO.getUserType().equals(accessTokenDO.getUserType())) {
+            throw ServiceExceptionUtil.exception(AdminErrorCodeEnum.OAUTH2_INVALID_TOKEN_INVALID.getCode());
         }
-        // 没有权限，返回错误
-        return ServiceExceptionUtil.error(AdminErrorCodeEnum.OAUTH_INVALID_PERMISSION.getCode());
+        // 转换返回
+        return OAuth2Convert.INSTANCE.convertToAuthentication(accessTokenDO);
     }
 
-    private OAuth2AccessTokenDO createOAuth2AccessToken(Integer adminId, String refreshToken) {
+    private OAuth2AccessTokenDO createOAuth2AccessToken(Integer userId, Integer userType, String refreshToken) {
         OAuth2AccessTokenDO accessToken = new OAuth2AccessTokenDO().setId(generateAccessToken())
                 .setRefreshToken(refreshToken)
-                .setAdminId(adminId)
+                .setUserId(userId).setUserType(userType)
                 .setExpiresTime(new Date(System.currentTimeMillis() + accessTokenExpireTimeMillis))
                 .setValid(true);
         oauth2AccessTokenMapper.insert(accessToken);
         return accessToken;
     }
 
-    private OAuth2RefreshTokenDO createOAuth2RefreshToken(Integer adminId) {
+    private OAuth2RefreshTokenDO createOAuth2RefreshToken(Integer userId, Integer userType) {
         OAuth2RefreshTokenDO refreshToken = new OAuth2RefreshTokenDO().setId(generateRefreshToken())
-                .setAdminId(adminId)
+                .setUserId(userId).setUserType(userType)
                 .setExpiresTime(new Date(System.currentTimeMillis() + refreshTokenExpireTimeMillis))
                 .setValid(true);
         oauth2RefreshTokenMapper.insert(refreshToken);

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/service/ResourceServiceImpl.java

 package cn.iocoder.mall.admin.service;
 
 import cn.iocoder.common.framework.constant.DeletedStatusEnum;
-import cn.iocoder.common.framework.constant.SysErrorCodeEnum;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.common.framework.util.StringUtil;
 import cn.iocoder.mall.admin.api.ResourceService;
 import cn.iocoder.mall.admin.api.bo.resource.ResourceBO;
 import cn.iocoder.mall.admin.api.constant.AdminErrorCodeEnum;
@@ -31,8 +31,14 @@ public class ResourceServiceImpl implements ResourceService {
     @Autowired
     private RoleResourceMapper roleResourceMapper;
 
-    public ResourceDO getResourceByTypeAndHandler(Integer type, String handler) {
-        return resourceMapper.selectByTypeAndHandler(type, handler);
+    public List<ResourceDO> getResourceListByPermission(String permission) {
+        List<ResourceDO> resources = resourceMapper.selectListByPermission(permission);
+        if (resources.isEmpty()) {
+            return Collections.emptyList();
+        }
+        // 因为 ResourceDO 存储的 permissions 是字符串，使用逗号分隔，需要进一步判断
+        resources.removeIf(resourceDO -> !StringUtil.split(resourceDO.getPermissions(), ",").contains(permission));
+        return resources;
     }
 
     @Override
@@ -49,12 +55,7 @@ public class ResourceServiceImpl implements ResourceService {
     }
 
     @Override
-    @SuppressWarnings("Duplicates")
     public ResourceBO addResource(Integer adminId, ResourceAddDTO resourceAddDTO) {
-        // 补充未在 Validation 中校验的参数校验
-        if (!isValidResourceType(resourceAddDTO.getType())) {
-            throw ServiceExceptionUtil.exception(SysErrorCodeEnum.VALIDATION_REQUEST_PARAM_ERROR.getCode(), "资源类型必须是菜单或 Url"); // TODO 有点搓
-        }
         // 校验父资源存在
         checkParentResource(resourceAddDTO.getPid(), null);
         // 存储到数据库
@@ -69,7 +70,6 @@ public class ResourceServiceImpl implements ResourceService {
     }
 
     @Override
-    @SuppressWarnings("Duplicates")
     public Boolean updateResource(Integer adminId, ResourceUpdateDTO resourceUpdateDTO) {
         // 校验更新的资源是否存在
         if (resourceMapper.selectById(resourceUpdateDTO.getId()) == null) {
@@ -100,7 +100,7 @@ public class ResourceServiceImpl implements ResourceService {
         // 更新到数据库
         resourceMapper.deleteById(resourceId);
         // 删除资源关联表
-        roleResourceMapper.updateToDeletedByResourceId(resourceId);
+        roleResourceMapper.deleteByResourceId(resourceId);
         // 返回成功
         return true;
     }
@@ -112,18 +112,6 @@ public class ResourceServiceImpl implements ResourceService {
         return resourceMapper.selectListByIds(resourceIds);
     }
 
-    private boolean isValidResourceType(Integer type) {
-        return ResourceConstants.TYPE_MENU.equals(type)
-                || ResourceConstants.TYPE_BUTTON.equals(type);
-    }
-
-    private boolean checkParentExists(Integer pid) {
-        if (!ResourceConstants.PID_ROOT.equals(pid)) {
-            return resourceMapper.selectById(pid) == null;
-        }
-        return false;
-    }
-
     private void checkParentResource(Integer pid, Integer childId) {
         if (pid == null || ResourceConstants.PID_ROOT.equals(pid)) {
             return;

system/system-service-impl/src/main/java/cn/iocoder/mall/admin/service/RoleServiceImpl.java

@@ -19,6 +19,7 @@ import cn.iocoder.mall.admin.dataobject.ResourceDO;
 import cn.iocoder.mall.admin.dataobject.RoleDO;
 import cn.iocoder.mall.admin.dataobject.RoleResourceDO;
 import com.baomidou.mybatisplus.core.metadata.IPage;
+import com.google.common.collect.Maps;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -40,12 +41,8 @@ public class RoleServiceImpl implements RoleService {
     @Autowired
     private ResourceServiceImpl resourceService;
 
-    public List<RoleResourceDO> getRoleByResourceHandler(String resourceHandler) {
-        return roleResourceMapper.selectByResourceHandler(resourceHandler);
-    }
-
     public List<RoleResourceDO> getRoleByResourceId(Integer resourceId) {
-        return roleResourceMapper.selectByResourceId(resourceId);
+        return roleResourceMapper.selectListByResourceId(resourceId);
     }
 
     @Override
@@ -62,7 +59,7 @@ public class RoleServiceImpl implements RoleService {
 
     @Override
     public List<RoleBO> getRoleList(Collection<Integer> ids) {
-        List<RoleDO> roles = roleMapper.selectListByIds(ids);
+        List<RoleDO> roles = roleMapper.selectBatchIds(ids);
         return RoleConvert.INSTANCE.convert(roles);
     }
 
@@ -104,9 +101,9 @@ public class RoleServiceImpl implements RoleService {
         // 更新到数据库，标记删除
         roleMapper.deleteById(roleId);
         // 标记删除 RoleResource
-        roleResourceMapper.updateToDeletedByRoleId(roleId);
+        roleResourceMapper.deleteByRoleId(roleId);
         // 标记删除 AdminRole
-        adminRoleMapper.updateToDeletedByRoleId(roleId);
+        adminRoleMapper.deleteByRoleId(roleId);
         // TODO 插入操作日志
         // 返回成功
         return true;
@@ -130,7 +127,7 @@ public class RoleServiceImpl implements RoleService {
         }
         // TODO 芋艿，这里先简单实现。即方式是，删除老的分配的资源关系，然后添加新的分配的资源关系
         // 标记角色原资源关系都为删除
-        roleResourceMapper.updateToDeletedByRoleId(roleId);
+        roleResourceMapper.deleteByRoleId(roleId);
         // 创建 RoleResourceDO 数组，并插入到数据库
         if (!CollectionUtil.isEmpty(resourceIds)) {
             List<RoleResourceDO> roleResources = resourceIds.stream().map(resourceId -> {
@@ -150,7 +147,37 @@ public class RoleServiceImpl implements RoleService {
         if (CollectionUtil.isEmpty(roleIds)) {
             return Collections.emptyList();
         }
-        return roleMapper.selectListByIds(roleIds);
+        return roleMapper.selectBatchIds(roleIds);
+    }
+
+    /**
+     * 获得权限与角色的映射关系。
+     *
+     * TODO 芋艿，等以后有 redis ，优化成从缓存读取。每个 permission ，哪些角色可以访问
+     *
+     * @param permissions 权限标识数组
+     * @return 映射关系。KEY：权限标识；VALUE：角色编号数组
+     */
+    public Map<String, List<Integer>> getPermissionRoleMap(List<String> permissions) {
+        if (CollectionUtil.isEmpty(permissions)) {
+            return Collections.emptyMap();
+        }
+        Map<String, List<Integer>> result = Maps.newHashMapWithExpectedSize(permissions.size());
+        for (String permission : permissions) {
+            List<ResourceDO> resources = resourceService.getResourceListByPermission(permission);
+            if (resources.isEmpty()) { // 无需授权
+                result.put(permission, Collections.emptyList());
+            } else {
+                List<RoleResourceDO> roleResources = roleResourceMapper.selectListByResourceId(
+                        CollectionUtil.convertSet(resources, ResourceDO::getId));
+                if (roleResources.isEmpty()) {
+                    result.put(permission, Collections.emptyList());
+                } else {
+                    result.put(permission, CollectionUtil.convertList(roleResources, RoleResourceDO::getRoleId));
+                }
+            }
+        }
+        return result;
     }
 
 }

system/system-service-impl/src/main/resources/mapper/AdminRoleMapper.xml

@@ -2,37 +2,6 @@
 <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
 <mapper namespace="cn.iocoder.mall.admin.dao.AdminRoleMapper">
 
-    <!--<insert id="insert" parameterType="UserDO" useGeneratedKeys="true" keyProperty="id">-->
-        <!--INSERT INTO users (-->
-          <!--id, mobile, create_time-->
-        <!--) VALUES (-->
-          <!--#{id}, #{mobile}, #{createTime}-->
-        <!--)-->
-    <!--</insert>-->
-
-    <select id="selectByAdminId" parameterType="Integer" resultType="AdminRoleDO">
-      SELECT
-        ar.id, ar.admin_id, ar.role_id
-      FROM admin a, admin_role ar
-      WHERE a.id = #{adminId}
-      AND a.id = ar.admin_id
-      AND ar.deleted = 0
-    </select>
-
-    <update id="updateToDeletedByAdminId" parameterType="Integer">
-      UPDATE admin_role
-      SET deleted = 1
-      WHERE admin_id = #{adminId}
-      AND deleted = 0
-    </update>
-
-    <update id="updateToDeletedByRoleId" parameterType="Integer">
-      UPDATE admin_role
-      SET deleted = 1
-      WHERE role_id = #{roleId}
-      AND deleted = 0
-    </update>
-
     <insert id="insertList">
         INSERT INTO admin_role (
           admin_id, role_id, create_time, deleted
@@ -42,4 +11,4 @@
         </foreach>
     </insert>
 
-</mapper>
+</mapper>
\ No newline at end of file

system/system-service-impl/src/main/resources/mapper/OAuth2AccessTokenMapper.xml

@@ -2,23 +2,6 @@
 <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
 <mapper namespace="cn.iocoder.mall.admin.dao.OAuth2AccessTokenMapper">
 
-    <insert id="insert" parameterType="OAuth2AccessTokenDO">
-        INSERT INTO oauth2_access_token (
-          id, refresh_token, admin_id, valid, expires_time,
-          create_time
-        ) VALUES (
-          #{id}, #{refreshToken}, #{adminId}, #{valid}, #{expiresTime},
-           #{createTime}
-        )
-    </insert>
-
-    <select id="selectByTokenId" parameterType="String" resultType="OAuth2AccessTokenDO">
-        SELECT
-          id, admin_id, valid, expires_time
-        FROM oauth2_access_token
-        WHERE id = #{id}
-    </select>
-
     <update id="updateToInvalidByAdminId" parameterType="Integer">
         UPDATE oauth2_access_token
         SET valid = 0
@@ -26,4 +9,4 @@
         AND valid = 1
     </update>
 
-</mapper>
+</mapper>
\ No newline at end of file

system/system-service-impl/src/main/resources/mapper/OAuth2RefreshTokenMapper.xml

@@ -2,14 +2,6 @@
 <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
 <mapper namespace="cn.iocoder.mall.admin.dao.OAuth2RefreshTokenMapper">
 
-    <insert id="insert" parameterType="OAuth2RefreshTokenDO">
-        INSERT INTO oauth2_refresh_token (
-          id, admin_id, valid, expires_time, create_time
-        ) VALUES (
-          #{id}, #{adminId}, #{valid}, #{expiresTime}, #{createTime}
-        )
-    </insert>
-
     <update id="updateToInvalidByAdminId" parameterType="Integer">
         UPDATE oauth2_refresh_token
         SET valid = 0
@@ -17,4 +9,4 @@
         AND valid = 1
     </update>
 
-</mapper>
+</mapper>
\ No newline at end of file

system/system-service-impl/src/main/resources/mapper/ResourceMapper.xml

@@ -7,31 +7,9 @@
         create_time, pid, handler
     </sql>
 
-    <select id="selectByTypeAndHandler" resultType="ResourceDO">
-        SELECT
-          <include refid="FIELDS"/>
-        FROM resource
-        WHERE type = #{type}
-        AND handler = #{handler}
-        AND deleted = 0
-        LIMIT 1
-    </select>
-
-    <select id="selectListByType" parameterType="Integer" resultType="ResourceDO">
-        SELECT
-          <include refid="FIELDS"/>
-        FROM resource
-        <where>
-            <if test="type != null">
-               type = #{type}
-            </if>
-            AND deleted = 0
-        </where>
-    </select>
-
     <select id="selectListByTypeAndRoleIds" resultType="ResourceDO">
         SELECT
-            r.id, r.name, r.type, r.sort, r.display_name,
+            r.id, r.type, r.sort, r.display_name,
             r.create_time, r.pid, r.handler
         FROM resource r, role_resource rr
         WHERE r.deleted = 0
@@ -46,23 +24,4 @@
         AND r.id = rr.resource_id
     </select>
 
-    <select id="selectListByIds" resultType="ResourceDO">
-        SELECT
-          <include refid="FIELDS"/>
-        FROM resource
-        WHERE id IN
-            <foreach item="id" collection="ids" separator="," open="(" close=")" index="">
-                #{id}
-            </foreach>
-        AND deleted = 0
-    </select>
-
-    <select id="selectCountByPid" resultType="int">
-        SELECT
-          COUNT(1)
-        FROM resource
-        WHERE pid = #{pid}
-        AND deleted = 0
-    </select>
-
 </mapper>

system/system-service-impl/src/main/resources/mapper/RoleResourceMapper.xml

@@ -2,45 +2,6 @@
 <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
 <mapper namespace="cn.iocoder.mall.admin.dao.RoleResourceMapper">
 
-    <!--<insert id="insert" parameterType="UserDO" useGeneratedKeys="true" keyProperty="id">-->
-        <!--INSERT INTO users (-->
-          <!--id, mobile, create_time-->
-        <!--) VALUES (-->
-          <!--#{id}, #{mobile}, #{createTime}-->
-        <!--)-->
-    <!--</insert>-->
-
-    <select id="selectByResourceHandler" parameterType="String" resultType="RoleResourceDO">
-        SELECT
-          rr.id, rr.role_id, rr.resource_id
-        FROM resource r, role_resource rr
-        WHERE r.handler = #{resourceHandler}
-        AND r.id = rr.resource_id
-        AND rr.deleted = 0;
-    </select>
-
-    <select id="selectByResourceId" parameterType="Integer" resultType="RoleResourceDO">
-      SELECT
-        id, role_id, resource_id
-      FROM role_resource
-      WHERE resource_id = #{resourceId}
-      AND deleted = 0
-    </select>
-
-    <update id="updateToDeletedByResourceId" parameterType="Integer">
-      UPDATE role_resource
-      SET deleted = 1
-      WHERE resource_id = #{resourceId}
-      AND deleted = 0
-    </update>
-
-    <update id="updateToDeletedByRoleId" parameterType="Integer">
-      UPDATE role_resource
-      SET deleted = 1
-      WHERE role_id = #{roleId}
-      AND deleted = 0
-    </update>
-
     <insert id="insertList">
         INSERT INTO role_resource (
           resource_id, role_id, create_time, deleted
@@ -50,4 +11,4 @@
         </foreach>
     </insert>
 
-</mapper>
+</mapper>
\ No newline at end of file