From 2cdf6a3b6d7de7bf52ca7fc790724eb799a8b613 Mon Sep 17 00:00:00 2001
From: jack ning <github@bytedesk.com>
Date: Fri, 1 Aug 2025 23:19:44 +0800
Subject: [PATCH] update modules/core: mod        8 files

---
 .../com/bytedesk/core/base/BaseRequest.java   |  4 +-
 .../bytedesk/core/base/BaseSpecification.java | 69 +++++++++++++++++--
 .../core/message/MessageRestService.java      | 14 +---
 .../core/message/MessageSpecification.java    |  9 ++-
 .../core/thread/ThreadRestService.java        | 14 +---
 .../core/thread/ThreadSpecification.java      |  9 ++-
 6 files changed, 77 insertions(+), 42 deletions(-)

diff --git a/modules/core/src/main/java/com/bytedesk/core/base/BaseRequest.java b/modules/core/src/main/java/com/bytedesk/core/base/BaseRequest.java
index 199d6036d3..da17dc0dc0 100644
--- a/modules/core/src/main/java/com/bytedesk/core/base/BaseRequest.java
+++ b/modules/core/src/main/java/com/bytedesk/core/base/BaseRequest.java
@@ -2,7 +2,7 @@
  * @Author: jackning 270580156@qq.com
  * @Date: 2024-01-29 16:21:24
  * @LastEditors: jackning 270580156@qq.com
- * @LastEditTime: 2025-07-12 11:31:35
+ * @LastEditTime: 2025-08-01 23:01:41
  * @Description: bytedesk.com https://github.com/Bytedesk/bytedesk
  *   Please be aware of the BSL license restrictions before installing Bytedesk IM – 
  *  selling, reselling, or hosting Bytedesk IM as a service is a breach of the terms and automatically terminates your rights under the license.
@@ -100,7 +100,7 @@ public abstract class BaseRequest implements Serializable {
     private String platform = PlatformEnum.BYTEDESK.name();
 
     @Builder.Default
-    private Boolean isSuperUser = false;
+    private Boolean superUser = false;
 
     // 导出全部数据，默认false
     @Builder.Default
diff --git a/modules/core/src/main/java/com/bytedesk/core/base/BaseSpecification.java b/modules/core/src/main/java/com/bytedesk/core/base/BaseSpecification.java
index ac85f53a9b..c3866c46c1 100644
--- a/modules/core/src/main/java/com/bytedesk/core/base/BaseSpecification.java
+++ b/modules/core/src/main/java/com/bytedesk/core/base/BaseSpecification.java
@@ -1,8 +1,8 @@
 /*
  * @Author: jackning 270580156@qq.com
- * @Date: 2024-05-30 15:59:30
+ * @Date: 2024-06-05 22:46:54
  * @LastEditors: jackning 270580156@qq.com
- * @LastEditTime: 2025-07-24 21:25:30
+ * @LastEditTime: 2025-08-01 23:19:15
  * @Description: bytedesk.com https://github.com/Bytedesk/bytedesk
  *   Please be aware of the BSL license restrictions before installing Bytedesk IM – 
  *  selling, reselling, or hosting Bytedesk IM as a service is a breach of the terms and automatically terminates your rights under the license.
@@ -16,17 +16,78 @@ package com.bytedesk.core.base;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.springframework.util.StringUtils;
+
+import com.bytedesk.core.exception.NotLoginException;
+import com.bytedesk.core.rbac.auth.AuthService;
+import com.bytedesk.core.rbac.user.UserEntity;
+
 import jakarta.persistence.criteria.CriteriaBuilder;
 import jakarta.persistence.criteria.Predicate;
 import jakarta.persistence.criteria.Root;
 
+/**
+ * 基础Specification类
+ * 提供通用的查询条件构建方法
+ */
 public abstract class BaseSpecification {
 
-    public static List<Predicate> getBasicPredicates(Root<?> root, CriteriaBuilder criteriaBuilder, String orgUid) {
+    /**
+     * 获取基础查询条件
+     * 
+     * @param root 查询根对象
+     * @param criteriaBuilder 条件构建器
+     * @param orgUid 组织ID
+     * @return 基础查询条件列表
+     */
+    protected static List<Predicate> getBasicPredicates(Root<?> root, CriteriaBuilder criteriaBuilder, String orgUid) {
         List<Predicate> predicates = new ArrayList<>();
-        predicates.add(criteriaBuilder.equal(root.get("orgUid"), orgUid));
         predicates.add(criteriaBuilder.equal(root.get("deleted"), false));
+        if (StringUtils.hasText(orgUid)) {
+            predicates.add(criteriaBuilder.equal(root.get("orgUid"), orgUid));
+        }
         return predicates;
     }
 
+    /**
+     * 检查并验证超级管理员权限
+     * 如果前端设置了superUser标志，则需要判断当前用户是否是超级管理员
+     * 如果不是超级管理员，则将superUser设置为false
+     * 
+     * @param request 请求对象，必须继承自BaseRequest
+     * @param authService 认证服务
+     * @throws NotLoginException 如果用户未登录
+     */
+    protected static void validateSuperUserPermission(BaseRequest request, AuthService authService) {
+        if (Boolean.TRUE.equals(request.getSuperUser())) {
+            UserEntity user = authService.getUser();
+            if (user == null) {
+                throw new NotLoginException("login first");
+            }
+            if (!user.isSuperUser()) {
+                // 如果不是超级管理员，则设置为false
+                request.setSuperUser(false);
+            }
+        }
+    }
+
+    /**
+     * 根据超级管理员权限和orgUid添加组织过滤条件
+     * 
+     * @param root 查询根对象
+     * @param criteriaBuilder 条件构建器
+     * @param predicates 条件列表
+     * @param request 请求对象
+     * @param authService 认证服务
+     */
+    protected static void addOrgFilterIfNotSuperUser(Root<?> root, CriteriaBuilder criteriaBuilder, 
+                                                   List<Predicate> predicates, BaseRequest request, AuthService authService) {
+        // 先验证超级管理员权限
+        validateSuperUserPermission(request, authService);
+        
+        // 如果不是超级管理员且有orgUid，则添加组织过滤条件
+        if (!Boolean.TRUE.equals(request.getSuperUser()) && StringUtils.hasText(request.getOrgUid())) {
+            predicates.add(criteriaBuilder.equal(root.get("orgUid"), request.getOrgUid()));
+        }
+    }
 }
diff --git a/modules/core/src/main/java/com/bytedesk/core/message/MessageRestService.java b/modules/core/src/main/java/com/bytedesk/core/message/MessageRestService.java
index d790377f36..e41a4235b2 100644
--- a/modules/core/src/main/java/com/bytedesk/core/message/MessageRestService.java
+++ b/modules/core/src/main/java/com/bytedesk/core/message/MessageRestService.java
@@ -53,20 +53,8 @@ public class MessageRestService extends BaseRestServiceWithExcel<MessageEntity,
 
     @Override
     public Page<MessageEntity> queryByOrgEntity(MessageRequest request) {
-        // 如果前端设置了isSuperUser标志，则需要判断一下，当前用户是否是超级管理员
-        if (Boolean.TRUE.equals(request.getIsSuperUser())) {
-            UserEntity user = authService.getUser();
-            if (user == null) {
-                throw new NotLoginException("login first");
-            }
-            if (!user.isSuperUser()) {
-                // 如果是不是超级管理员，则设置为false
-                request.setIsSuperUser(false);
-            }
-        }
-        // 
         Pageable pageable = request.getPageable();
-        Specification<MessageEntity> specs = MessageSpecification.search(request);
+        Specification<MessageEntity> specs = MessageSpecification.search(request, authService);
         return messageRepository.findAll(specs, pageable);
     }
 
diff --git a/modules/core/src/main/java/com/bytedesk/core/message/MessageSpecification.java b/modules/core/src/main/java/com/bytedesk/core/message/MessageSpecification.java
index 83c4295457..043382584b 100644
--- a/modules/core/src/main/java/com/bytedesk/core/message/MessageSpecification.java
+++ b/modules/core/src/main/java/com/bytedesk/core/message/MessageSpecification.java
@@ -21,6 +21,7 @@ import org.springframework.util.StringUtils;
 
 import com.bytedesk.core.base.BaseSpecification;
 import com.bytedesk.core.constant.TypeConsts;
+import com.bytedesk.core.rbac.auth.AuthService;
 import com.bytedesk.core.topic.TopicUtils;
 
 import jakarta.persistence.criteria.Join;
@@ -29,7 +30,7 @@ import jakarta.persistence.criteria.Predicate;
 
 public class MessageSpecification extends BaseSpecification {
 
-    public static Specification<MessageEntity> search(MessageRequest request) {
+    public static Specification<MessageEntity> search(MessageRequest request, AuthService authService) {
         return (root, query, criteriaBuilder) -> {
             List<Predicate> predicates = new ArrayList<>();
             // predicates.addAll(getBasicPredicates(root, criteriaBuilder, request.getOrgUid()));
@@ -74,10 +75,8 @@ public class MessageSpecification extends BaseSpecification {
                 }
             }
             predicates.add(criteriaBuilder.equal(root.get("deleted"), false));
-            // 如果前端设置了isSuperUser标志，则不需要过滤orgUid
-            if (!Boolean.TRUE.equals(request.getIsSuperUser()) && StringUtils.hasText(request.getOrgUid())) {
-                predicates.add(criteriaBuilder.equal(root.get("orgUid"), request.getOrgUid()));
-            }
+            // 使用基类方法处理超级管理员权限和组织过滤
+            addOrgFilterIfNotSuperUser(root, criteriaBuilder, predicates, request, authService);
             //
             if (StringUtils.hasText(request.getContent())) {
                 predicates.add(criteriaBuilder.like(root.get("content"), "%" + request.getContent() + "%"));
diff --git a/modules/core/src/main/java/com/bytedesk/core/thread/ThreadRestService.java b/modules/core/src/main/java/com/bytedesk/core/thread/ThreadRestService.java
index 2415be11aa..97422f08be 100644
--- a/modules/core/src/main/java/com/bytedesk/core/thread/ThreadRestService.java
+++ b/modules/core/src/main/java/com/bytedesk/core/thread/ThreadRestService.java
@@ -79,20 +79,8 @@ public class ThreadRestService
 
     @Override
     public Page<ThreadEntity> queryByOrgEntity(ThreadRequest request) {
-        // 如果前端设置了isSuperUser标志，则需要判断一下，当前用户是否是超级管理员
-        if (Boolean.TRUE.equals(request.getIsSuperUser())) {
-            UserEntity user = authService.getUser();
-            if (user == null) {
-                throw new NotLoginException("login first");
-            }
-            if (!user.isSuperUser()) {
-                // 如果是不是超级管理员，则设置为false
-                request.setIsSuperUser(false);
-            }
-        }
-        // 
         Pageable pageable = request.getPageable();
-        Specification<ThreadEntity> specs = ThreadSpecification.search(request);
+        Specification<ThreadEntity> specs = ThreadSpecification.search(request, authService);
         return threadRepository.findAll(specs, pageable);
     }
 
diff --git a/modules/core/src/main/java/com/bytedesk/core/thread/ThreadSpecification.java b/modules/core/src/main/java/com/bytedesk/core/thread/ThreadSpecification.java
index 3e91058426..c26f92ddc7 100644
--- a/modules/core/src/main/java/com/bytedesk/core/thread/ThreadSpecification.java
+++ b/modules/core/src/main/java/com/bytedesk/core/thread/ThreadSpecification.java
@@ -22,6 +22,7 @@ import org.springframework.util.StringUtils;
 
 import com.bytedesk.core.base.BaseSpecification;
 import com.bytedesk.core.constant.TypeConsts;
+import com.bytedesk.core.rbac.auth.AuthService;
 
 import jakarta.persistence.criteria.Expression;
 import jakarta.persistence.criteria.Path;
@@ -32,16 +33,14 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
 public class ThreadSpecification extends BaseSpecification {
 
-    public static Specification<ThreadEntity> search(ThreadRequest request) {
+    public static Specification<ThreadEntity> search(ThreadRequest request, AuthService authService) {
         log.info("request: {}", request);
         return (root, query, criteriaBuilder) -> {
             List<Predicate> predicates = new ArrayList<>();
             // predicates.addAll(getBasicPredicates(root, criteriaBuilder,request.getOrgUid()));
             predicates.add(criteriaBuilder.equal(root.get("deleted"), false));
-            // 如果前端设置了isSuperUser标志，则不需要过滤orgUid
-            if (!Boolean.TRUE.equals(request.getIsSuperUser()) && StringUtils.hasText(request.getOrgUid())) {
-                predicates.add(criteriaBuilder.equal(root.get("orgUid"), request.getOrgUid()));
-            }
+            // 使用基类方法处理超级管理员权限和组织过滤
+            addOrgFilterIfNotSuperUser(root, criteriaBuilder, predicates, request, authService);
             
             // 仅当mergeByTopic为true时才应用topic合并逻辑
             if (Boolean.TRUE.equals(request.getMergeByTopic())) {