lablesys_backend/src/main/java/com/labelsys/backend/service/DataPermissionService.java

package com.labelsys.backend.service;

import com.labelsys.backend.context.LoginUser;
import com.labelsys.backend.enums.UserRole;
import java.util.List;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.springframework.stereotype.Service;

@Service
public class DataPermissionService {

    public boolean canAccessCreator(LoginUser currentUser, Long creatorId, UserRole creatorRole) {
        return switch (currentUser.role()) {
            case EMPLOYEE -> currentUser.userId().equals(creatorId);
            case MANAGER -> creatorRole == UserRole.EMPLOYEE || creatorRole == UserRole.MANAGER;
            case ENGINEER -> true;
        };
    }

    /**
     * Generic in-memory role-based data filter for records already loaded in memory.
     */
    public <T> List<T> filterByRole(
            LoginUser currentUser,
            List<T> allRecords,
            Function<T, UserRole> roleExtractor,
            Function<T, Long> ownerIdExtractor) {

        if (allRecords == null || allRecords.isEmpty()) {
            return List.of();
        }

        UserRole currentRole = currentUser.role();
        Long currentUserId = currentUser.userId();

        return allRecords.stream()
                .filter(record -> {
                    UserRole recordRole = roleExtractor.apply(record);
                    Long recordOwnerId = ownerIdExtractor.apply(record);

                    return switch (currentRole) {
                        case EMPLOYEE -> currentUserId.equals(recordOwnerId);
                        case MANAGER -> recordRole == UserRole.EMPLOYEE || recordRole == UserRole.MANAGER;
                        case ENGINEER -> true;
                    };
                })
                .collect(Collectors.toList());
    }

    /**
     * Returns the creator roles visible to the current user for SQL-side filtering.
     */
    public List<String> getAllowedRoles(LoginUser currentUser) {
        return switch (currentUser.role()) {
            case EMPLOYEE -> List.of();
            case MANAGER -> List.of("EMPLOYEE", "MANAGER");
            case ENGINEER -> List.of("EMPLOYEE", "MANAGER", "ENGINEER");
        };
    }

    /**
     * Whether SQL queries should additionally restrict by creator/user id.
     */
    public boolean shouldFilterByUserId(LoginUser currentUser) {
        return currentUser.role() == UserRole.EMPLOYEE;
    }
}
main主干首次提交，包含用户认证模块 2026-04-23 11:59:31 +08:00			`package com.labelsys.backend.service;`

			`import com.labelsys.backend.context.LoginUser;`
			`import com.labelsys.backend.enums.UserRole;`
			`import java.util.List;`
			`import java.util.function.Function;`
			`import java.util.stream.Collectors;`
			`import org.springframework.stereotype.Service;`

			`@Service`
			`public class DataPermissionService {`

			`public boolean canAccessCreator(LoginUser currentUser, Long creatorId, UserRole creatorRole) {`
			`return switch (currentUser.role()) {`
			`case EMPLOYEE -> currentUser.userId().equals(creatorId);`
			`case MANAGER -> creatorRole == UserRole.EMPLOYEE \|\| creatorRole == UserRole.MANAGER;`
			`case ENGINEER -> true;`
			`};`
			`}`

datapermissve优化 2026-04-23 17:38:39 +08:00			`/**`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`* Generic in-memory role-based data filter for records already loaded in memory.`
main主干首次提交，包含用户认证模块 2026-04-23 11:59:31 +08:00			`*/`
			`public <T> List<T> filterByRole(`
			`LoginUser currentUser,`
			`List<T> allRecords,`
			`Function<T, UserRole> roleExtractor,`
			`Function<T, Long> ownerIdExtractor) {`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00
main主干首次提交，包含用户认证模块 2026-04-23 11:59:31 +08:00			`if (allRecords == null \|\| allRecords.isEmpty()) {`
			`return List.of();`
			`}`

			`UserRole currentRole = currentUser.role();`
			`Long currentUserId = currentUser.userId();`

			`return allRecords.stream()`
			`.filter(record -> {`
			`UserRole recordRole = roleExtractor.apply(record);`
			`Long recordOwnerId = ownerIdExtractor.apply(record);`

			`return switch (currentRole) {`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`case EMPLOYEE -> currentUserId.equals(recordOwnerId);`
			`case MANAGER -> recordRole == UserRole.EMPLOYEE \|\| recordRole == UserRole.MANAGER;`
			`case ENGINEER -> true;`
main主干首次提交，包含用户认证模块 2026-04-23 11:59:31 +08:00			`};`
			`})`
			`.collect(Collectors.toList());`
			`}`

			`/**`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`* Returns the creator roles visible to the current user for SQL-side filtering.`
datapermissve优化 2026-04-23 17:38:39 +08:00			`*/`
			`public List<String> getAllowedRoles(LoginUser currentUser) {`
			`return switch (currentUser.role()) {`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`case EMPLOYEE -> List.of();`
datapermissve优化 2026-04-23 17:38:39 +08:00			`case MANAGER -> List.of("EMPLOYEE", "MANAGER");`
			`case ENGINEER -> List.of("EMPLOYEE", "MANAGER", "ENGINEER");`
			`};`
			`}`

			`/**`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`* Whether SQL queries should additionally restrict by creator/user id.`
datapermissve优化 2026-04-23 17:38:39 +08:00			`*/`
			`public boolean shouldFilterByUserId(LoginUser currentUser) {`
			`return currentUser.role() == UserRole.EMPLOYEE;`
			`}`
去掉演示数据bizdata 2026-04-27 00:05:59 +08:00			`}`