## Overview

When a target workflow request is viewed through ViewRequestForwardSPA.jsp, the system performs its permission check in RequestAuthenticationService.verifyRequest(). There are 14 check paths, evaluated in priority order; the first one that matches grants view permission.

## Core entry points

- JSP entry point: `workflow/request/ViewRequestForwardSPA.jsp`
- SPA route: `/spa/workflow/static4form/index.html?_rdm={timestamp}#/main/workflow/req?{params}`
- JSP route: `/workflow/request/ViewRequest.jsp?haveVerifyForward=true&{params}`
- Permission check class: `com.api.workflow.service.RequestAuthenticationService`
- Check method: `verifyRequest()`
## Route differences

| Route | Permission check mechanism | authStr parameter | desrequestid parameter |
|---|---|---|---|
| SPA (LoadParamCmd) | RequestAuthenticationService.verify() | Used | Not required |
| JSP (ViewRequest.jsp) | Session mechanism (resrequestid{N}) | Not used for the check | URL parameter is ignored; only the Session value is read |
## All check paths (ordered from simplest to most complex)

### 1. Share permission (unconditional check, 0 parameters)

```java
// RequestAuthenticationService
if (getRequestWfShareRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315`
- Condition: the user holds share permission on the target request
- Check logic: `WFShareAuthorization.getWorkflowShareJurisdiction(requestid, user)`
- Precondition: an administrator or another operator has shared the request with the current user
- Parameters: 0 extra parameters
### 2. Operator permission (unconditional check, 0 parameters)

```java
// RequestAuthenticationService
if (getRequestUserRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315`
- Condition: the user is a current operator of the target request
- Check logic: queries the `workflow_currentoperator` table
- Precondition: the user appears in the request's current-operator list
- Parameters: 0 extra parameters
### 3. Creator permission (extra check in the SPA layer, 0 parameters)

```java
// LoadParamCmd
if (creater == userid && creatertype == usertype) { canview = true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315`
- Condition: the user is the creator of the request
- Check logic: compares the `workflow_requestbase.creater` field
- Precondition: the user created the request
- Parameters: 0 extra parameters
### 4. Monitor permission (1 parameter)

```java
// RequestAuthenticationService
if (ismonitor == 1 && getRequestMonitorRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&ismonitor=1`
- Condition: the user is a monitor of the target request
- Check logic: `WFUrgerManager.getMonitorViewRight(requestid, userid)`
- Precondition: the workflow has monitors configured and the current user is in the monitor list
- Parameters: 1 (`ismonitor=1`)
### 5. Supervision (urger) permission (1 parameter)

```java
// RequestAuthenticationService
if (urger == 1 && getRequestUrgerRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&urger=1`
- Condition: the user is a supervisor (urger) of the target request
- Check logic: `SuperviseManagerBiz.hasWorkflowViewRight(user, requestid)`
- Precondition: the workflow has supervisors configured and the current user is in the supervisor list
- Parameters: 1 (`urger=1`)
### 6. Intervention permission (1 parameter)

```java
// RequestAuthenticationService
if ("1".equals(isintervenor) && getRequestInterventorRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&isintervenor=1`
- Condition: the user is an intervenor of the target request
- Check logic: `SysWFLMonitor.getWFInterventorRightBymonitor(userid, requestid)`
- Precondition: the workflow has intervenors configured and the current user is in the intervenor list
- Parameters: 1 (`isintervenor=1`)
### 7. Related communication permission (1 parameter)

```java
// RequestAuthenticationService
if (fromCommunication > 0 && getRequestCommunicationRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&fromCommunication=12345`
- Condition: the request has a related communication record
- Check logic: `WorkflowCommunicationBiz.hasWfResourceRight(requestId, fromCommunication)`
- Precondition: a related communication exists for the request and the communication ID matches
- Parameters: 1 (`fromCommunication={communication ID}`)
### 8. Main/sub workflow permission (1 parameter)

```java
// RequestAuthenticationService
if ((isrequest.equals("2") || isrequest.equals("3") || isrequest.equals("4"))
        && getRequestSubMainRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&isrequest=2`
- Condition: the target request is the main, sub or parallel request of the current request
- Check logic: queries the `workflow_subwfrequest` table
- isrequest values: 2 = main request, 3 = sub request, 4 = parallel request
- Precondition: a main/sub relationship exists between the two requests
- Parameters: 1 (`isrequest=2/3/4`)
### 9. Form-mode relation authorization (4 parameters)

```java
// RequestAuthenticationService
if (formmodeflag.equals("formmode_authorize") && getModeRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&formmode_authorize=formmode_authorize&authorizemodeId=5501&authorizefieldid=403885&authorizeformmodebillId=202514`
- Condition: a form-mode data field value contains the target requestid
- Check logic: `ModeRightInfo.isFormModeAuthorize()`, in these steps:
  - check whether the user has view permission on the form-mode module
  - query the `ModeFieldAuthorize` table to confirm the field is configured for relation authorization
  - query the form-mode data table to see whether the field's value contains the target requestid
- Precondition: relation authorization is configured in the form-mode module and the data field value is correct
- Parameters: 4
  - `formmode_authorize=formmode_authorize` (flag)
  - `authorizemodeId={form-mode module ID}`
  - `authorizefieldid={relation-authorization field ID}`
  - `authorizeformmodebillId={form-mode data record ID}`
### 10. Related request permission (2-3 parameters)

```java
// RequestAuthenticationService
if ((isrequest.equals("1") || "1".equals(isfromTd)) && getrelateRequestRight(info, requestid)) { return true; }
```

- URL (variant A): `ViewRequestForwardSPA.jsp?requestid=1908315&isrequest=1&desrequestid=1908325`
- URL (variant B): `ViewRequestForwardSPA.jsp?requestid=1908315&isrequest=1&desrequestid=1908325&fieldid=373385`
- Condition: requests A and B share a common operator, and a form field value matches
- Check logic: `getrelateRequestRight()`, in these steps:
  - anti-tampering check: intersect the operator sets of requests A and B; the intersection must be non-empty
  - field value check: query whether a form field value of request A contains request B's requestid
  - or signature-opinion check: query whether `workflow_requestlog.signworkflowids` of request A contains request B's requestid
- Precondition: the two requests share a common operator and the form data relation is correct
- Parameters: 2-3
  - `isrequest=1` (flag)
  - `desrequestid={source request requestid}`, or `authStr` + `authSignatureStr`
  - `fieldid={form field ID}` (optional; selects a specific field)
### 11. Workplan/meeting permission (2 parameters)

```java
// RequestAuthenticationService
if ((("workplan".equals(fromModul) || "meeting".equals(fromModul)) && modulResourceId > 0)
        && getPlanMeetingRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&fromModul=workplan&modulResourceId=12345`
- Condition: the request is linked to a workplan entry or meeting, and the user has share permission on it
- Check logic: `WorkPlanShareUtil.chkWFInWP()` or `MeetingShareUtil.chkWFInMT()`
- Precondition: the request is linked to a workplan entry or meeting, and the user has share permission on that workplan entry or meeting
- Parameters: 2
  - `fromModul=workplan` or `fromModul=meeting`
  - `modulResourceId={workplan/meeting ID}`
### 12. Chat-share permission (3 parameters)

```java
// RequestAuthenticationService
if (isfromchatshare == 1 && getRequestShareRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&isfromchatshare=1&sharer=2094&sharegroupid=xxx`
- Condition: the request link was shared through IM
- Check logic: `ChatResourceShareManager.authority()`
- Precondition: the request was shared with the current user through IM
- Parameters: 3
  - `isfromchatshare=1`
  - `sharer={sharer's user ID}`
  - `sharegroupid={share group ID}`
### 13. Cowork permission (2 parameters)

```java
// RequestAuthenticationService
if (iscowork == 1 && getRequestCoworkRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&iscowork=1&coworkid=12345`
- Condition: the request is linked to a cowork area
- Check logic: `CoworkCommonUtils.getWfRightByCowork()`
- Precondition: the request is linked to a cowork area and the user is a member of that area
- Parameters: 2
  - `iscowork=1`
  - `coworkid={cowork area ID}`
### 14. Report permission (2 parameters)

```java
// RequestAuthenticationService
if (("1".equals(isfromreport) || "2".equals(isfromreport) || "1".equals(isfromflowreport))
        && getReportRequestRight(info, requestid)) { return true; }
```

- URL: `ViewRequestForwardSPA.jsp?requestid=1908315&isfromreport=1&reportid=xxx`
- Condition: the request is viewed from a report entry point, and the user has permission on that report
- Check logic: `ReportAuthorization.checkReportPrivilegesByRequest()`
- Precondition: the user has view permission on the corresponding report
- Parameters: 2
  - `isfromreport=1` (or `2`, or `isfromflowreport=1`)
  - `reportid={report ID}`
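The behaviour the 14 paths above share is that a URL flag only selects which backing check runs; the grant comes from the backing data, and the chain stops at the first path that passes. The following added example (not Weaver's code) models that dispatch for the first four paths. The in-memory `Store`, the `User` type, the sample request 1908315 and its operators are all constructed here; the `isremark` set and the nodetype exception are the values the page gives for Path 2.

```python
"""Model of a priority-ordered view-permission chain in the shape of verifyRequest().

Added illustration; not Weaver's code. Each path is (name, guard, check): the guard
looks only at the URL parameters and decides whether the path is attempted at all,
the check consults backing data. Both must pass for a grant, so a flag such as
ismonitor=1 on its own selects a check but never grants anything.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    userid: int
    usertype: int  # 0 = internal, 1 = external, 2 = other (values from the page)


@dataclass
class Store:
    """Constructed stand-ins for the tables the page names."""
    # workflow_currentoperator: requestid -> list of (userid, usertype, isremark, nodetype)
    current_operators: dict = field(default_factory=dict)
    # Workflow_SharedScope resolved to plain user IDs: requestid -> set of userids
    shared_with: dict = field(default_factory=dict)
    # workflow_monitor_* resolved to users with isview = '1': requestid -> set of userids
    monitors: dict = field(default_factory=dict)
    # workflow_requestbase: requestid -> (creater, creatertype)
    creator: dict = field(default_factory=dict)


# isremark values the page lists as granting view rights for an operator row;
# isremark = 0 additionally requires nodetype != 3.
VIEW_ISREMARK = {0, 1, 5, 7, 8, 9, 11}


def share_right(store, params, user):
    return user.userid in store.shared_with.get(params["requestid"], set())


def operator_right(store, params, user):
    for uid, utype, isremark, nodetype in store.current_operators.get(params["requestid"], ()):
        if (uid, utype) != (user.userid, user.usertype):
            continue
        if isremark in VIEW_ISREMARK and not (isremark == 0 and nodetype == 3):
            return True
    return False


def creator_right(store, params, user):
    return store.creator.get(params["requestid"]) == (user.userid, user.usertype)


def monitor_right(store, params, user):
    return user.userid in store.monitors.get(params["requestid"], set())


# Evaluation order follows the page: the unconditional paths first, then the
# paths that are only attempted when their URL flag is present.
CHAIN = [
    ("share", lambda p: True, share_right),
    ("operator", lambda p: True, operator_right),
    ("creator", lambda p: True, creator_right),
    ("monitor", lambda p: p.get("ismonitor") == "1", monitor_right),
]


def verify_request(store, params, user):
    """Return the name of the first path that grants view permission, or None."""
    for name, guard, check in CHAIN:
        if guard(params) and check(store, params, user):
            return name
    return None


def demo_store():
    """Constructed sample data: request 1908315 with two operator rows, one share, one monitor."""
    return Store(
        current_operators={1908315: [(2094, 0, 0, 3), (3001, 0, 1, 2)]},
        shared_with={1908315: {4002}},
        monitors={1908315: {2094}},
        creator={1908315: (5003, 0)},
    )


if __name__ == "__main__":
    store = demo_store()
    alice = User(2094, 0)
    print(verify_request(store, {"requestid": 1908315}, alice))                   # None
    print(verify_request(store, {"requestid": 1908315, "ismonitor": "1"}, alice))  # monitor
    print(verify_request(store, {"requestid": 1908315}, User(3001, 0)))            # operator
```

User 2094 has an operator row, but with `isremark=0` on a `nodetype=3` node it does not count, so without `ismonitor=1` the chain ends with no grant; with the flag the monitor configuration is consulted and grants. Returning the path name rather than a bare boolean is useful on the defending side: logging which path granted access is what makes unexpected grants (a monitor path firing for a user who should not be a monitor) visible in review.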
## Shortest-path summary

| Rank | Method | URL parameter count | Precondition |
|---|---|---|---|
| 1 | Share permission | 0 | the request has been shared with the user |
| 2 | Operator permission | 0 | the user is an operator of the request |
| 3 | Creator permission | 0 | the user is the creator of the request |
| 4 | Monitor / supervision / intervention | 1 | the user is configured as a monitor / supervisor / intervenor |
| 5 | Related communication | 1 | the request has a related communication record |
| 6 | Main/sub workflow | 1 | a main/sub relationship exists between the requests |
| 7 | Form-mode relation authorization | 4 | a form-mode data field value contains the target requestid |
| 8 | Related request | 2-3 | requests A and B share a common operator and a form field value matches |
## E9 signed-token mechanism (authStr / authSignatureStr)

### Principle

E9 uses a signed token in place of a plaintext `desrequestid` to prevent tampering with the URL parameter.

- `authStr`: a Base64-encoded permission attribute string containing `viewChain` (the view chain), `mainid` (the entry request ID) and similar attributes
- `authSignatureStr`: a signature over `authStr`, generated from the user ID and the User-Agent

### Workflow

- The user clicks a link in request A that leads to request B
- The system generates `authStr` (containing viewChain = A's requestid) together with its signature
- On arrival at B, `RequestAuthenticationService.verify()` validates the signature
- Once validation passes, the user's permission on A is checked, then the A→B relation
- If everything passes, view permission on B is granted

### Code location

- Signature generation: `RequestAuthenticationService`
- Signature verification: `RequestAuthenticationService`
- View-chain mechanism: `RequestAuthenticationService`
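To make the token mechanism concrete, here is an added example (not Weaver's code) of a signed view-chain token in the shape the page describes: a Base64 attribute string bound to the user ID and User-Agent by a signature, verified before the chain's A→B relation is checked. The page gives neither the algorithm nor the key material, so HMAC-SHA256 under a server-side secret, JSON as the attribute encoding, `viewChain` as a list of request IDs, and the `has_right_on` / `is_related` callbacks that stand in for the SQL checks are all assumptions made here; the sample user, request IDs and User-Agent are constructed.

```python
"""Signed view-chain token of the kind the page describes (authStr / authSignatureStr).

Added illustration; not Weaver's code. The page says authStr is a Base64 attribute
string carrying viewChain and mainid, and authSignatureStr is a signature over it
derived from the user ID and User-Agent. The page does not give the algorithm or the
key; HMAC-SHA256 keyed with a server-side secret, JSON as the attribute encoding, and
viewChain as a list of request IDs are all assumptions made here.
"""
import base64
import hashlib
import hmac
import json

# Assumed server-side secret (constructed for the demo; never sent to the client).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_auth_str(view_chain, mainid):
    """Encode the permission attributes as Base64 JSON (encoding is assumed)."""
    attrs = {"viewChain": list(view_chain), "mainid": mainid}
    raw = json.dumps(attrs, separators=(",", ":"), sort_keys=True).encode()
    return base64.b64encode(raw).decode()


def sign_auth_str(auth_str, userid, user_agent):
    """Bind the token to the user and User-Agent, as the page states the signature is."""
    msg = f"{auth_str}|{userid}|{user_agent}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_auth_str(auth_str, auth_signature_str, userid, user_agent):
    """Return the decoded attributes if the signature matches, else None.

    Constant-time comparison; any change to auth_str, to the user, or to the
    User-Agent yields a different expected signature and fails here.
    """
    expected = sign_auth_str(auth_str, userid, user_agent)
    if not hmac.compare_digest(expected, auth_signature_str):
        return None
    return json.loads(base64.b64decode(auth_str))


def view_allowed(auth_str, auth_signature_str, userid, user_agent, target,
                 has_right_on, is_related):
    """The page's sequence: verify the signature, then the user's rights on the
    chain's last request A, then the A -> target relation. has_right_on(userid, A)
    and is_related(A, target) are injected callbacks standing in for the SQL paths."""
    attrs = verify_auth_str(auth_str, auth_signature_str, userid, user_agent)
    if attrs is None or not attrs.get("viewChain"):
        return False
    source = attrs["viewChain"][-1]
    return bool(has_right_on(userid, source)) and bool(is_related(source, target))


# Constructed sample: user 2094 on request 1908315 follows a link to 1908325.
SAMPLE_UA = "Mozilla/5.0 (constructed UA)"


def demo():
    auth_str = make_auth_str([1908315], mainid=1908315)
    sig = sign_auth_str(auth_str, 2094, SAMPLE_UA)
    rights = {(2094, 1908315)}          # who may view which request
    relations = {(1908315, 1908325)}    # which A -> B links are genuine
    ok = view_allowed(auth_str, sig, 2094, SAMPLE_UA, 1908325,
                      lambda u, r: (u, r) in rights,
                      lambda a, b: (a, b) in relations)
    # A chain edited to name another source request no longer matches the signature,
    # so it is rejected before any relation lookup runs.
    edited = make_auth_str([1908399], mainid=1908399)
    edited_ok = view_allowed(edited, sig, 2094, SAMPLE_UA, 1908325,
                             lambda u, r: True, lambda a, b: True)
    return ok, edited_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The order matters: the signature is checked before the rights and relation lookups, so an altered `authStr` never reaches the database, and because the user ID and User-Agent are part of the signed message the same token cannot be replayed by a different user or client.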
## Underlying SQL query details

### Path 1: Share permission → getRequestWfShareRight()

Call chain: getRequestWfShareRight() → WFShareAuthorization.getWorkflowShareJurisdiction()

SQL 1 (query the share-scope records):

```sql
SELECT permissiontype, departmentid, deptlevel, deptlevelMax, roleid, rolelevel,
       roleseclevel, roleseclevelMax, seclevel, seclevelMax, userid, subcompanyid,
       sublevel, sublevelMax, jobid, joblevel, jobobj, jobobjid
FROM Workflow_SharedScope
WHERE requestid = '{requestid}'
```

SQL 2 (check whether sharing is enabled for the workflow):

```sql
SELECT wb.isshared
FROM workflow_base wb, workflow_requestbase wr
WHERE wb.id = wr.workflowid AND wr.requestid = {requestid}
```

Decision: at least one Workflow_SharedScope record matches the current user's attributes (department / role / security level / subcompany / job / named user), and workflow_base.isshared = '1'.

Tables involved: Workflow_SharedScope, workflow_base, workflow_requestbase
### Path 2: Operator permission → getRequestUserRight()

Call chain: getRequestUserRight() → ServiceUtil.calculateCurrentNodeSql()

SQL:

```sql
SELECT isremark, isreminded, preisremark, id, groupdetailid, nodeid, takisremark,
       takid, workflowid, handleforwardid, agenttype, agentorbyagentid,
       (CASE
            WHEN isremark=9 THEN 0.99
            WHEN isremark=8 THEN 1.2
            WHEN isremark=11 THEN 0.98
            WHEN (isremark=1 AND takisremark=2) THEN 0.9
            WHEN (preisremark=1 AND isremark=2) THEN 1.9
            WHEN (isremark=0 AND takisremark=-2 AND isInMultiTak=1) THEN 2
            ELSE isremark
        END) AS orderisremark
FROM workflow_currentoperator
WHERE requestid = {requestid} AND userid = {userid} AND usertype = {usertype}
ORDER BY orderisremark, id
```

Parameters: requestid, userid, usertype (0 = internal, 1 = external, 2 = other)

Decision: iterate over the result set; if any row has isremark ∈ {0,1,5,7,8,9,11} (where isremark=0 additionally requires nodetype≠3), then canview=true.

Tables involved: workflow_currentoperator
### Path 3: Creator permission → LoadParamCmd

SQL (stored procedure):

```sql
{call workflow_Requestbase_SByID({requestid})}
```

Equivalent to:

```sql
SELECT * FROM workflow_requestbase WHERE requestid = {requestid}
```

Decision: creater == userid AND creatertype == usertype

Tables involved: workflow_requestbase
### Path 4: Monitor permission → getRequestMonitorRight()

Call chain: getRequestMonitorRight() → WFUrgerManager.getMonitorViewRight() → Monitor.getMonitorInfo()

SQL 1 (get the request creator and workflow ID):

```sql
SELECT creater, workflowid FROM workflow_requestbase WHERE requestid = {requestid}
```

SQL 2 (check whether the user is an administrator):

```sql
SELECT 1 FROM hrmresourcemanager WHERE id = {userid}
```

SQL 3 (get the creator's virtual organisation):

```sql
SELECT subcompanyid1, departmentid FROM HrmResourceVirtualView WHERE id = {createrId}
```

SQL 4 (main query: find the monitor configuration; SQL Server version):

```sql
SELECT * FROM workflow_monitor_info a
WHERE EXISTS (
    SELECT 1 FROM (
        SELECT 1 jktype, id FROM hrmresource WHERE id = {userid}
        UNION
        SELECT 2 jktype, id FROM hrmroles WHERE id IN ({roleids})
        UNION
        SELECT 3 jktype, id FROM hrmresourcemanager WHERE id = {userid}
    ) t
    WHERE a.jktype = t.jktype
      AND ',' + a.jkvalue + ',' LIKE '%,' + CAST(t.id AS VARCHAR) + ',%'
)
AND EXISTS (
    SELECT 1 FROM workflow_monitor_detail b
    WHERE a.id = b.infoid AND workflowid IN ({allVersionWfids})
)
```

Oracle: `INSTR(','||a.jkvalue||',' , ','||t.id||',') > 0`
MySQL: `CONCAT(',',a.jkvalue,',') LIKE CONCAT('%,',t.id,',%')`

SQL 5 (get the monitor permission details):

```sql
SELECT * FROM workflow_monitor_detail
WHERE infoid IN ({infoids}) AND workflowid IN ({allVersionWfids})
```

Parameters: userid, roleids (the user's role ID list), allVersionWfids (IDs of all versions of the workflow)

Decision: the user matches a monitor configuration (jktype: 1 = person, 2 = role, 3 = administrator), the fwtype scope check passes (1 = headquarters, 2 = same subcompany, 5 = same department, 10 = named users, and so on), and workflow_monitor_detail.isview = '1'.

Tables involved: workflow_requestbase, hrmresourcemanager, HrmResourceVirtualView, hrmresource, hrmroles, workflow_monitor_info, workflow_monitor_detail
### Path 5: Supervision permission → getRequestUrgerRight()

Call chain: getRequestUrgerRight() → SuperviseManagerBiz.hasWorkflowViewRight()

SQL:

```sql
SELECT 1 FROM WORKFLOW_SUPERVISEOPERATOR WHERE userid = {userid} AND requestid = {requestid}
```

Decision: the query returns at least one row.

Tables involved: WORKFLOW_SUPERVISEOPERATOR
### Path 6: Intervention permission → getRequestInterventorRight()

Call chain: getRequestInterventorRight() → SysWFLMonitor.getWFInterventorRightBymonitor() → Monitor.getMonitorInfo()

The SQL is essentially the same as Path 4, with one additional query.

SQL (get the intervention permission):

```sql
SELECT * FROM workflow_monitor_detail
WHERE infoid IN ({infoids}) AND workflowid IN ({allVersionWfids})
```

Decision: workflow_monitor_detail.isintervenor = '1' (unlike Path 4, which checks isview)

Tables involved: same as Path 4, with the additional workflow_monitor_detail.isintervenor column
### Path 7: Related communication permission → getRequestCommunicationRight()

Call chain: getRequestCommunicationRight() → WorkflowCommunicationBiz.hasWfResourceRight()

SQL 1 (requests linked from the communication content):

```sql
SELECT relatedwf FROM workflow_communicationcontent WHERE communicationid = {communicationId}
```

SQL 2 (requests linked from the communication replies):

```sql
SELECT relatedwf FROM workflow_communicationreply
WHERE contentid IN (
    SELECT id FROM workflow_communicationcontent WHERE communicationid = {communicationId}
)
```

Decision: collect all relatedwf values and check whether {requestid} is among them.

Tables involved: workflow_communicationcontent, workflow_communicationreply
### Path 8: Main/sub workflow permission → getRequestSubMainRight()

Scenario 1: isrequest=2 (verify the main request)

SQL 1:

```sql
SELECT sub.mainrequestid
FROM workflow_subwfrequest sub
LEFT OUTER JOIN workflow_requestbase req ON req.requestid = sub.mainrequestid
WHERE sub.subrequestid = '{requestid}'
```

SQL 2 (fallback):

```sql
SELECT mainrequestid FROM workflow_requestbase WHERE requestid = '{requestid}'
```

Scenario 2: isrequest=3 (verify the sub request)

SQL 3:

```sql
SELECT sub.mainrequestid requestid
FROM workflow_subwfrequest sub
LEFT OUTER JOIN workflow_requestbase req ON req.requestid = sub.subrequestid
WHERE sub.subrequestid = '{mainRequestid}'
```

Scenario 3: isrequest=4 (verify a parallel request)

SQL 4:

```sql
SELECT sub.subwfid, sub.isSame, sub.mainrequestid, req.requestname
FROM workflow_subwfrequest sub
LEFT JOIN workflow_requestbase req ON req.requestid = sub.mainrequestid
WHERE sub.subrequestid = {requestid}
```

SQL 5:

```sql
SELECT sub.subrequestid requestid, req.requestname
FROM workflow_subwfrequest sub
LEFT JOIN workflow_requestbase req ON req.requestid = sub.subrequestid
WHERE sub.mainrequestid = {mainrequestid}
  AND sub.subwfid = {subWfSetId}
  AND sub.subrequestid <> {requestid}
```

Decision: the requestid in the query result matches the target requestid.

Tables involved: workflow_subwfrequest, workflow_requestbase
### Path 9: Form-mode relation authorization → getModeRight()

Call chain: getModeRight() → ModeRightInfo.isFormModeAuthorize()

SQL 1 (query the form-mode permission rules):

```sql
SELECT righttype, orgrelation, sharetype, relatedid, rolelevel, showlevel,
       joblevel, jobleveltext, hrmCompanyVirtualType, layoutid, layoutid1, layoutorder
FROM moderightinfo
WHERE modeid = {modeId}
  AND ((sharetype IN (1,2,3,5,6) AND (conditionsql IS NULL OR conditionsql = ''))
       OR (sharetype = '4' AND isrolelimited <> '1' AND (conditionsql IS NULL OR conditionsql = '')))
  AND righttype IN (1,2,3)
  AND (showlevel <= {seclevel} AND {seclevel} <= ISNULL(showlevel2, 9999))
```

SQL 2 (query the share detail table; dynamic table name):

```sql
SELECT sourceid, MAX(sharelevel) sharelevel
FROM modeDataShare_{modeId}
WHERE sourceid = {formmodebillId}
  AND (
      (type=1 AND content={userid})
      OR (type=2 AND content={subcompanyid} AND seclevel<={seclevel} AND {seclevel}<=ISNULL(showlevel2,9999))
      OR (type=3 AND content={departmentid} AND seclevel<={seclevel} AND {seclevel}<=ISNULL(showlevel2,9999))
      OR (type=4 AND content IN ({roleIds}) AND seclevel<={seclevel})
      OR (type=5 AND content=1 AND seclevel<={seclevel})
      OR (type=6 AND content={jobtitle} AND seclevel<={seclevel})
      OR (type=7 AND content={userid})
  )
GROUP BY sourceid
```

SQL 3 (query the field authorization configuration):

```sql
SELECT a.*, b.fieldname, b.fielddbtype, b.fieldhtmltype, b.type, b.detailtable
FROM ModeFieldAuthorize a, workflow_billfield b
WHERE a.fieldid = b.id
  AND b.billid = {formId}
  AND a.modeid = {modeId}
  AND a.formid = {formId}
  AND a.fieldid = {fieldid}
```

SQL 4 (read the form-mode data field value; main table):

```sql
SELECT {fieldname} FROM {maintablename} WHERE id = {formmodebillId}
```

SQL 5 (read the form-mode data field value; detail table):

```sql
SELECT {fieldname} FROM {detailtable} WHERE mainid = {formmodebillId}
```

Decision:

- the user has view permission on the form-mode module (a match in moderightinfo or modeDataShare_{modeId})
- the ModeFieldAuthorize table holds a relation-authorization configuration for the field
- the form-mode data field value contains {requestid} (format: `fieldValue.indexOf("," + requestid + ",") > -1`)

Tables involved: moderightinfo, modeDataShare_{modeId} (dynamic), ModeFieldAuthorize, workflow_billfield, {maintablename} (dynamic), {detailtable} (dynamic)
### Path 10: Related request permission → getrelateRequestRight()

SQL 1 (get the main request's workflowid):

```sql
SELECT workflowid FROM workflow_requestbase WHERE requestid = {requestid}
```

SQL 2 (anti-tampering check: operator intersection):

```sql
SELECT userid, usertype FROM workflow_currentoperator WHERE requestid = {mainRequestid}
SELECT userid, usertype FROM workflow_currentoperator WHERE requestid = {requestid}
-- The intersection is taken in Java with retainAll(); an empty intersection means deny
```

SQL 3 (signature-opinion relation check, used when isfromresource=1 or fieldid=0):

```sql
-- Oracle/PostgreSQL:
SELECT 1 FROM workflow_requestlog WHERE requestid = {mainRequestid}
  AND ','||signworkflowids||',' LIKE '%,{requestid},%'
-- MySQL:
SELECT 1 FROM workflow_requestlog WHERE requestid = {mainRequestid}
  AND CONCAT(',',signworkflowids,',') LIKE '%,{requestid},%'
-- SQL Server:
SELECT 1 FROM workflow_requestlog WHERE requestid = {mainRequestid}
  AND ','+signworkflowids+',' LIKE '%,{requestid},%'
```

SQL 4 (get the field definition; isbill=1):

```sql
SELECT billid, fieldname, viewtype, detailtable FROM workflow_billfield WHERE id = {fieldid}
SELECT tablename FROM workflow_bill WHERE id = {billid}
```

SQL 5 (get the field value):

```sql
-- main table (viewtype=0):
SELECT {fieldname} FROM {tablename} WHERE requestid = {mainRequestid}
-- detail table (viewtype>0):
SELECT {fieldname} FROM {detailtable} WHERE mainid IN (SELECT id FROM {tablename} WHERE requestid = {mainRequestid})
```

Decision:

- the operator sets of requests A and B intersect (anti-tampering)
- the signature-opinion field `signworkflowids` contains the target requestid, or a form field value contains the target requestid

Tables involved: workflow_requestbase, workflow_currentoperator, workflow_requestlog, workflow_billfield, workflow_bill, {tablename} (dynamic), {detailtable} (dynamic)
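The two decision steps of Path 10, and the comma-list containment test that Path 9 spells out as `fieldValue.indexOf("," + requestid + ",") > -1` (the same test the SQL variants write as `','||col||',' LIKE '%,{id},%'`), are small enough to show end to end. The following added example (not Weaver's code) does so in Python: an element-wise membership test on a comma-separated ID list, placed beside the bare substring test it exists to avoid, and the operator-intersection gate in front of it. Operator rows and field values are constructed sample data; wrapping the stored value in commas before the comparison is an assumption made here, which makes the four SQL cases of Path 11 (exact, prefix, middle, suffix) collapse into one.

```python
"""Related-request check modelled on getrelateRequestRight() (Path 10), reusing the
comma-list containment test that Path 9 spells out as
fieldValue.indexOf("," + requestid + ",") > -1 and that the SQL variants express as
','||col||',' LIKE '%,{id},%'.

Added illustration; not Weaver's code. Operator rows and field values are constructed
sample data; wrapping the stored value in commas before the test is an assumption.
"""


def contains_request_id(field_value, requestid):
    """True if requestid is an element of the comma-separated list in field_value.

    A bare substring test would accept '1908315' as containing 908315; wrapping
    both sides in commas makes the comparison element-wise.
    """
    if field_value is None:
        return False
    wrapped = "," + str(field_value).strip() + ","
    return ("," + str(requestid) + ",") in wrapped


def naive_contains(field_value, requestid):
    """The unsafe comparison, kept only to show the difference."""
    return str(requestid) in str(field_value or "")


def common_operators(ops_a, ops_b):
    """Anti-tampering step: the (userid, usertype) pairs of both requests must
    overlap (the page's Java retainAll())."""
    return set(ops_a) & set(ops_b)


def related_request_right(ops_main, ops_target, field_values, sign_workflow_ids, requestid):
    """Deny unless a common operator exists; then accept if a form field value of
    request A or A's workflow_requestlog.signworkflowids lists the target requestid."""
    if not common_operators(ops_main, ops_target):
        return False
    if any(contains_request_id(v, requestid) for v in field_values):
        return True
    return any(contains_request_id(s, requestid) for s in sign_workflow_ids)


if __name__ == "__main__":
    # Constructed sample: A = 1908325 (main), B = 1908315 (target).
    ops_a = [(2094, 0), (3001, 0)]
    ops_b = [(3001, 0), (4002, 0)]
    print(related_request_right(ops_a, ops_b, ["1908315,1908320"], [], 1908315))  # True
    print(related_request_right(ops_a, [(9001, 0)], ["1908315"], [], 1908315))     # False
    print(contains_request_id("1908315,42", 908315), naive_contains("1908315,42", 908315))  # False True
```

The last line is the point of the wrapping: request 908315 is not in the list `1908315,42`, but a plain substring match says it is, which is exactly the kind of over-broad match an ID-list column can produce when the delimiters are left out of the comparison. The intersection gate runs first because, as the page notes, it is what stops a caller from naming an arbitrary `desrequestid` as the source request.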
### Path 11: Workplan/meeting permission → getPlanMeetingRight()

Sub-path A: WorkPlan

SQL 1 (check whether the workplan entry is linked to the request):

```sql
SELECT * FROM workplan WHERE id = {workId}
  AND (requestid = '{requestId}' OR requestid LIKE '{requestId},%'
       OR requestid LIKE '%,{requestId},%' OR requestid LIKE '%,{requestId}')
```

SQL 2 (check whether the workplan's exchange is linked to the request):

```sql
SELECT * FROM Exchange_Info WHERE type_n = 'WP' AND sortid = {workId}
  AND (requestids LIKE '%,{requestId},%' OR relatedwf LIKE '%,{requestId},%')
```

SQL 3 (get the workplan share level):

```sql
SELECT workId, MAX(shareLevel) AS shareLevel
FROM WorkPlanShareDetail
WHERE workid = {workplanId}
  AND (
      (objId={userId} AND shareType='1')
      OR (objId=0 AND shareType='5' AND securityLevel<={seclevel} AND securityLevelMax>={seclevel})
      OR (objId IN ({compid}) AND shareType='2' AND securityLevel<={seclevel})
      OR (objId IN ({deptid}) AND shareType='3' AND securityLevel<={seclevel})
      OR (objId={jobid} AND shareType='8')
      OR (objId={roleid} AND shareType='4' AND securityLevel<={seclevel} AND {roleLevel}>=rolelevel)
  )
GROUP BY workId
```

Sub-path B: Meeting

SQL 4 (check whether the meeting is linked to the request):

```sql
SELECT * FROM meeting WHERE id = {meetingId}
  AND ({fieldname} LIKE '%,{requestId},%' OR requestid = '{requestId}')
```

SQL 5 (check the meeting share):

```sql
SELECT * FROM Meeting_ShareDetail
WHERE meetingid = {meetingid} AND userid IN ({allUser}) AND sharelevel IN (1,2,4,5)
```

SQL 6 (check the meeting members):

```sql
SELECT * FROM Meeting_Member2 WHERE meetingid = {meetingid}
  AND (membermanager IN ({allUser}) OR ','||othermember||',' LIKE '%,{userId},%')
```

Decision: the request is linked to the workplan entry or meeting, and getShareLevel > -1.

Tables involved: workplan, Exchange_Info, WorkPlanShareDetail, meeting, Meeting_ShareDetail, Meeting_Member2, Meeting_Topic, Meeting_Decision
### Path 12: Chat-share permission → getRequestShareRight()

Call chain: getRequestShareRight() → ChatResourceShareManager.authority()

SQL 1 (verify that the sharer is an operator of the request):

```sql
SELECT userid, usertype FROM workflow_currentoperator
WHERE requestid = {resourceid} AND userid = {sharer} AND usertype = {sharertype}
```

SQL 2 (check whether the current user is within the share scope):

```sql
SELECT 1
FROM mobile_ChatResourceShareScope a
INNER JOIN mobile_chatresourceshare b ON a.shareid = b.id
WHERE b.resourcetype = 0 AND b.resourceid = {requestid} AND b.sharer = {sharer}
  AND a.resoueceid = {currentUserid} AND a.resouecetype = 0
```

Decision: the sharer is an operator of the request, and the current user is within the share scope.

Tables involved: workflow_currentoperator, mobile_chatresourceshare, mobile_ChatResourceShareScope
### Path 13: Cowork permission → getRequestCoworkRight()

Call chain: getRequestCoworkRight() → CoworkCommonUtils.getWfRightByCowork()

SQL 1 (check the cowork approval status):

```sql
SELECT approvalatatus FROM cowork_items WHERE id = {coworkId}
```

SQL 2 (get the cowork participants):

```sql
SELECT * FROM coworkshare WHERE sourceid = {coworkId} ORDER BY srcfrom DESC, type ASC
```

SQL 3 (get the users who left the cowork):

```sql
SELECT userid FROM cowork_quiter WHERE itemid = {coworkId}
```

SQL 4 (check whether the cowork item is linked to the request; Oracle version):

```sql
SELECT relatedwf FROM cowork_items WHERE id = {coworkId}
  AND relatedwf IS NOT NULL AND ','||relatedwf||',' LIKE '%,{requestid},%'
```

SQL 5 (check whether a cowork discussion is linked to the request):

```sql
SELECT relatedwf FROM cowork_discuss
WHERE coworkid = {coworkId} AND (isdel <> 1 OR isdel IS NULL)
  AND ','||relatedwf||',' LIKE '%,{requestid},%'
```

Decision: the user is a participant or manager of the cowork, and the cowork item or one of its discussions is linked to the target request.

Tables involved: cowork_items, coworkshare, cotype_sharemanager, cowork_deftypeshare, cowork_quiter, cowork_discuss
### Path 14: Report permission → getReportRequestRight()

Sub-path A: custom report (isfromreport=1)

SQL 1 (verify the report share permission):

```sql
SELECT shareType, userid, departmentid, subcompanyid, roleid, rolelevel,
       allowlook, sharelevel, mutidepartmentid, seclevel, seclevel2
FROM WorkflowReportShare WHERE reportid = {reportid}
```

SQL 2 (get the workflows linked to the report):

```sql
SELECT reportwfid FROM Workflow_Report WHERE id = {reportid}
```

SQL 3 (get the current request's workflow ID):

```sql
SELECT workflowid FROM workflow_requestbase WHERE requestid = '{requestid}'
```

Decision: the user has view permission on the report (allowlook='1'), and the current request's workflowid is in the report's reportwfid list.

Sub-path B: new-style report (isfromreport=2)

SQL 4 (get the form information):

```sql
SELECT formid, isbill
FROM workflow_base a LEFT JOIN workflow_requestbase b ON a.id = b.workflowid
WHERE b.requestid = {requestid}
```

SQL 5 (get the report data permission configuration):

```sql
SELECT type, objid, allowsub, minlevel, maxlevel, rolelevel, joblevel,
       joblevelobjid, competencelevel, competenceobjid, dimension, dimensionval, allowlook
FROM workflow_report_competence
WHERE formid = {formid} AND isbill = {isbill} AND allowlook = '1'
```

Decision: the user matches by type (1 = person, 2 = department, 3 = subcompany, 4 = role, 5 = everyone, 6 = job), and the security level is within range.

Tables involved: WorkflowReportShare, Workflow_Report, workflow_requestbase, workflow_base, workflow_report_competence, HrmresourceVirtual
## Summary of the core database tables involved

| Table | Purpose | Paths |
|---|---|---|
| workflow_requestbase | workflow request base table | 1,3,4,6,8,10,14 |
| workflow_currentoperator | workflow current-operator table | 2,10,12 |
| workflow_base | workflow definition table | 1,14 |
| Workflow_SharedScope | workflow share-scope table | 1 |
| workflow_monitor_info | workflow monitor configuration table | 4,6 |
| workflow_monitor_detail | workflow monitor permission detail table | 4,6 |
| WORKFLOW_SUPERVISEOPERATOR | supervision operator table | 5 |
| workflow_subwfrequest | main/sub workflow relation table | 8 |
| workflow_requestlog | workflow operation log table | 10 |
| workflow_billfield | form field definition table | 9,10 |
| workflow_bill | form definition table | 10 |
| moderightinfo | form-mode permission rule table | 9 |
| modeDataShare_{modeId} | form-mode data share table (dynamic) | 9 |
| ModeFieldAuthorize | field authorization configuration table | 9 |
| workflow_communicationcontent | workflow communication content table | 7 |
| workflow_communicationreply | workflow communication reply table | 7 |
| workplan | workplan table | 11 |
| WorkPlanShareDetail | workplan share detail table | 11 |
| meeting | meeting table | 11 |
| Meeting_ShareDetail | meeting share detail table | 11 |
| mobile_chatresourceshare | IM share record table | 12 |
| mobile_ChatResourceShareScope | IM share scope table | 12 |
| cowork_items | cowork item table | 13 |
| coworkshare | cowork share table | 13 |
| cowork_discuss | cowork discussion table | 13 |
| WorkflowReportShare | report share permission table | 14 |
| Workflow_Report | report definition table | 14 |
| workflow_report_competence | report data permission table | 14 |
| hrmresource | HR resource table | 4,6 |
| hrmroles | role table | 4,6 |
| hrmresourcemanager | system administrator table | 4,6 |
| HrmResourceVirtualView | virtual organisation view | 4,6 |
## Notes

- SPA vs JSP route difference: `authStr` is used for the permission check only on the SPA route; the JSP route relies on the Session mechanism
- Anti-tampering check: the related-request permission verifies that requests A and B share a common operator and denies access when the intersection is empty
- Field value check: both form-mode relation authorization and the related-request permission verify that the form field value contains the target requestid
- Unconditional checks: share permission and operator permission are checked unconditionally and require no URL parameters
- Dynamic table names: the form-mode share table `modeDataShare_{modeId}` and the business table `{tablename}` are generated dynamically
- Database differences: some SQL differs by database type (Oracle / MySQL / SQL Server / PostgreSQL), mainly in the string concatenation syntax
[Weaver EC9] Workflow view permission check path analysis, by https://oneszhang.com/archives/204.html