
Merge branch 'hotfix/接口服务invoke脚本引擎未授权远程代码执行漏洞' into 'master'

[服务管理]修复接口服务invoke匿名创建修改权限的问题-hostfix

See merge request o2oa/o2oa!2568

(cherry picked from commit b8adbcb56f80c40114630389a410fef7f4408469)

d6a4f5a4 1、增加服务管理员角色;2、限制接口和代理管理权限
胡起 hai 5 anos
pai
achega
e0356cb86b
Modificáronse 19 ficheiros con 149 adicións e 18 borrados
  1. 5 2
      o2server/x_base_core_project/src/main/java/com/x/base/core/project/organization/OrganizationDefinition.java
  2. 21 0
      o2server/x_program_center/src/main/java/com/x/program/center/Business.java
  3. 5 3
      o2server/x_program_center/src/main/java/com/x/program/center/Context.java
  4. 2 2
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/AgentJaxrsFilter.java
  5. 7 0
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionCreate.java
  6. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionDelete.java
  7. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionDisable.java
  8. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionEdit.java
  9. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionEnable.java
  10. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionExecute.java
  11. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionGet.java
  12. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionList.java
  13. 7 0
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionUpdate.java
  14. 7 0
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionCreate.java
  15. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionDelete.java
  16. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionEdit.java
  17. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionGet.java
  18. 8 1
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionList.java
  19. 7 0
      o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionUpdate.java

+ 5 - 2
o2server/x_base_core_project/src/main/java/com/x/base/core/project/organization/OrganizationDefinition.java

@@ -58,7 +58,7 @@ public class OrganizationDefinition {
 
 	public final static String CRMManager = "CRMManager";
 	public final static String CRMManager_description = "CRM管理员(系统角色),可以进行CRM系统相关配置,对客户信息,商机等信息进行管理操作。";
-	
+
 	public final static String TeamWorkManager = "TeamWorkManager";
 	public final static String TeamWorkManager_description = "TeamWork管理员(系统角色),可以进行TeamWork系统相关配置,对项目,任务等信息进行管理操作。";
 
@@ -77,6 +77,9 @@ public class OrganizationDefinition {
 	public final static String FileManager = "FileManager";
 	public final static String FileManager_description = "云文件管理员(系统角色),可以进行云文件系统相关配置。";
 
+	public final static String ServiceManager = "ServiceManager";
+	public final static String ServiceManager_description = "服务管理员(系统角色),可以进行服务管理的接口和代理配置。";
+
 	public final static String RoleDefinitionSuffix = "SystemRole";
 
 	public final static Pattern person_distinguishedName_pattern = Pattern.compile("^(.+)\\@(\\S+)\\@P$");
@@ -100,7 +103,7 @@ public class OrganizationDefinition {
 	public final static List<String> DEFAULTROLES = new UnmodifiableList<String>(ListTools.toList(Manager,
 			AttendanceManager, OrganizationManager, PersonManager, GroupManager, UnitManager, RoleManager,
 			ProcessPlatformManager, ProcessPlatformCreator, MeetingManager, MeetingViewer, PortalManager, BBSManager,
-			CMSManager, OKRManager, CRMManager,TeamWorkManager, QueryManager, MessageManager, HotPictureManager, SearchPrivilege, FileManager));
+			CMSManager, OKRManager, CRMManager,TeamWorkManager, QueryManager, MessageManager, HotPictureManager, SearchPrivilege, FileManager, ServiceManager));
 
 	public static String name(String distinguishedName) {
 		if (StringUtils.contains(distinguishedName, "@")) {

+ 21 - 0
o2server/x_program_center/src/main/java/com/x/program/center/Business.java

@@ -3,10 +3,13 @@ package com.x.program.center;
 import com.x.base.core.project.config.Collect;
 import com.x.base.core.project.config.Nodes;
 import com.x.base.core.project.gson.XGsonBuilder;
+import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.http.TokenType;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
+import com.x.base.core.project.organization.OrganizationDefinition;
 import com.x.base.core.project.tools.Crypto;
+import com.x.organization.core.express.Organization;
 import org.apache.commons.lang3.StringUtils;
 
 import com.x.base.core.container.EntityManagerContainer;
@@ -41,6 +44,24 @@ public class Business {
 		return this.emc;
 	}
 
+	private Organization organization;
+
+	public Organization organization() throws Exception {
+		if (null == this.organization) {
+			this.organization = new Organization(ThisApplication.context());
+		}
+		return organization;
+	}
+
+	public boolean serviceControlAble(EffectivePerson effectivePerson) throws Exception {
+		boolean result = false;
+		if (effectivePerson.isManager()
+				|| (this.organization().person().hasRole(effectivePerson, OrganizationDefinition.ServiceManager))) {
+			result = true;
+		}
+		return result;
+	}
+
 	public Boolean collectAccountNotEmpty() throws Exception {
 		if (StringUtils.isEmpty(Config.collect().getName()) || StringUtils.isEmpty(Config.collect().getPassword())) {
 			return false;
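Review bot: `serviceControlAble` becomes the authorization gate for every agent and invoke management action in this commit, yet it has no Javadoc and its behaviour for non-user callers cannot be read from the hunk. The comment should say which callers pass (a manager token or the `ServiceManager` role) and that everyone else, anonymous callers included, is denied; whether `hasRole` returns false or throws for an anonymous `EffectivePerson` is not visible here and is worth a test. If internal server-to-server (cipher) calls to these actions are expected, confirm that `isManager()` covers them, since the filter name suggests they are still admitted. The body can also be reduced to `return effectivePerson.isManager() || this.organization().person().hasRole(effectivePerson, OrganizationDefinition.ServiceManager);`.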

+ 5 - 3
o2server/x_program_center/src/main/java/com/x/program/center/Context.java

@@ -237,7 +237,7 @@ public class Context extends AbstractContext {
 				OrganizationDefinition.OKRManager, OrganizationDefinition.CRMManager,
 				OrganizationDefinition.QueryManager, OrganizationDefinition.MessageManager,
 				OrganizationDefinition.SearchPrivilege, OrganizationDefinition.HotPictureManager,
-				OrganizationDefinition.FileManager);
+				OrganizationDefinition.FileManager, OrganizationDefinition.ServiceManager);
 		roles = roles.stream().sorted(Comparator.comparing(String::toString)).collect(Collectors.toList());
 		for (String str : roles) {
 			EntityManager em = emc.get(Role.class);
@@ -266,7 +266,7 @@ public class Context extends AbstractContext {
 	 * OrganizationDefinition., OrganizationDefinition., OrganizationDefinition.,
 	 * OrganizationDefinition., ., OrganizationDefinition., OrganizationDefinition.,
 	 * OrganizationDefinition.
-	 * 
+	 *
 	 * @param str
 	 * @return
 	 */
@@ -313,6 +313,8 @@ public class Context extends AbstractContext {
 			return OrganizationDefinition.SearchPrivilege_description;
 		} else if (OrganizationDefinition.FileManager.equalsIgnoreCase(str)) {
 			return OrganizationDefinition.FileManager_description;
+		} else if (OrganizationDefinition.ServiceManager.equalsIgnoreCase(str)) {
+			return OrganizationDefinition.ServiceManager_description;
 		}
 		return "";
 	}
@@ -347,4 +349,4 @@ public class Context extends AbstractContext {
 		scheduler.scheduleJob(jobDetail, trigger);
 	}
 
-}
+}
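Review bot: The new role had to be added by hand to `OrganizationDefinition.DEFAULTROLES`, to the role list here and to the `else if` description chain, and these copies can drift. The visible tail of this list goes from `CRMManager` straight to `QueryManager`, while `DEFAULTROLES` has `TeamWorkManager` between them (it may appear earlier in the list, outside the hunk). A role missed in one place could end up defined but never created, or created with an empty description, which is worth avoiding for a role that gates script management. Consider iterating `OrganizationDefinition.DEFAULTROLES` here and keeping the name-to-description pairs in one map next to the constants. Both methods start outside the hunks.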

+ 2 - 2
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/AgentJaxrsFilter.java

@@ -2,9 +2,9 @@ package com.x.program.center.jaxrs;
 
 import javax.servlet.annotation.WebFilter;
 
-import com.x.base.core.project.jaxrs.CipherManagerJaxrsFilter;
+import com.x.base.core.project.jaxrs.CipherManagerUserJaxrsFilter;
 
 @WebFilter(urlPatterns = "/jaxrs/agent/*", asyncSupported = true)
-public class AgentJaxrsFilter extends CipherManagerJaxrsFilter {
+public class AgentJaxrsFilter extends CipherManagerUserJaxrsFilter {
 
 }
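Review bot: Switching the base class to `CipherManagerUserJaxrsFilter` moves enforcement for everything under `/jaxrs/agent/*` from the filter to the individual action classes, so any action that does not call `business.serviceControlAble(...)` is left without a role check (assuming the new filter admits ordinary users, as its name suggests). This commit adds the check to nine agent actions; confirm that no other action or resource method sits under this URL pattern. A class comment such as `/* Filter admits normal users; every action must call Business.serviceControlAble */` would keep a later action from being added without the guard. A test that calls each agent endpoint as a user without the `ServiceManager` role and expects a denial would pin this.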

+ 7 - 0
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionCreate.java

@@ -1,5 +1,7 @@
 package com.x.program.center.jaxrs.agent;
 
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.apache.commons.lang3.StringUtils;
 
 import com.google.gson.JsonElement;
@@ -20,6 +22,11 @@ class ActionCreate extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, JsonElement jsonElement) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
 			Agent agent = Wi.copier.copy(wi);
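Review bot: The same five-line guard is pasted into this action and into the fourteen other actions in this commit (ActionDelete, ActionDisable, ActionEdit, ActionEnable, ActionExecute, ActionGet, ActionList and ActionUpdate under agent; ActionCreate, ActionDelete, ActionEdit, ActionGet, ActionList and ActionUpdate under invoke), which makes it easy to leave out of the next action. A single helper in the shared `BaseAction` (not visible here) that performs the check and throws would reduce each call site to one line, for example `this.checkServiceControl(business, effectivePerson);` (the name is only a suggestion). The guard also runs only after an `EntityManagerContainer` has been opened, although `serviceControlAble` as added in Business.java does not use `emc`. A denied attempt on these endpoints is worth a warning-level log entry with the caller's distinguished name, if the framework does not already record `ExceptionAccessDenied`. The enclosing `execute` method continues past the hunk.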

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionDelete.java

@@ -3,16 +3,23 @@ package com.x.program.center.jaxrs.agent;
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.annotation.CheckRemoveType;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionWhen;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WoId;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Agent;
 
 class ActionDelete extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Agent agent = emc.flag(flag, Agent.class);
 			if (null == agent) {
@@ -31,4 +38,4 @@ class ActionDelete extends BaseAction {
 	public static class Wo extends WoId {
 
 	}
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionDisable.java

@@ -2,16 +2,23 @@ package com.x.program.center.jaxrs.agent;
 
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionEntityNotExist;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WoId;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Agent;
 
 class ActionDisable extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Agent agent = emc.flag(flag, Agent.class);
 			if (null == agent) {
@@ -31,4 +38,4 @@ class ActionDisable extends BaseAction {
 
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionEdit.java

@@ -1,6 +1,8 @@
 package com.x.program.center.jaxrs.agent;
 
 import com.x.base.core.project.cache.CacheManager;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.apache.commons.lang3.StringUtils;
 
 import com.google.gson.JsonElement;
@@ -22,6 +24,11 @@ class ActionEdit extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag, JsonElement jsonElement) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
 			Agent agent = emc.flag(flag, Agent.class );
@@ -61,4 +68,4 @@ class ActionEdit extends BaseAction {
 
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionEnable.java

@@ -2,16 +2,23 @@ package com.x.program.center.jaxrs.agent;
 
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionEntityNotExist;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WoId;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Agent;
 
 class ActionEnable extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Agent agent = emc.flag(flag, Agent.class);
 			if (null == agent) {
@@ -31,4 +38,4 @@ class ActionEnable extends BaseAction {
 
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionExecute.java

@@ -14,6 +14,7 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.project.cache.Cache.CacheCategory;
 import com.x.base.core.project.cache.Cache.CacheKey;
 import com.x.base.core.project.cache.CacheManager;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WoId;
@@ -24,6 +25,7 @@ import com.x.base.core.project.script.ScriptFactory;
 import com.x.base.core.project.tools.DateTools;
 import com.x.base.core.project.webservices.WebservicesClient;
 import com.x.organization.core.express.Organization;
+import com.x.program.center.Business;
 import com.x.program.center.ThisApplication;
 import com.x.program.center.core.entity.Agent;
 
@@ -35,6 +37,11 @@ class ActionExecute extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Agent agent = emc.flag(flag, Agent.class);
 			if (null == agent) {
@@ -109,4 +116,4 @@ class ActionExecute extends BaseAction {
 
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionGet.java

@@ -5,16 +5,23 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.JpaObject;
 import com.x.base.core.project.bean.WrapCopier;
 import com.x.base.core.project.bean.WrapCopierFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionWhen;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.tools.ListTools;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Agent;
 
 class ActionGet extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Agent agent = emc.flag(flag, Agent.class );
 			if (null == agent) {
@@ -34,4 +41,4 @@ class ActionGet extends BaseAction {
 				ListTools.toList(JpaObject.FieldsInvisible));
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionList.java

@@ -13,9 +13,11 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.JpaObject;
 import com.x.base.core.project.bean.WrapCopier;
 import com.x.base.core.project.bean.WrapCopierFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.tools.ListTools;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Agent;
 import com.x.program.center.core.entity.Agent_;
 
@@ -23,6 +25,11 @@ class ActionList extends BaseAction {
 
 	ActionResult<List<Wo>> execute(EffectivePerson effectivePerson) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<List<Wo>> result = new ActionResult<>();
 			List<Wo> wos = new ArrayList<>();
 			EntityManager em = emc.get(Agent.class);
@@ -44,4 +51,4 @@ class ActionList extends BaseAction {
 				ListTools.toList(JpaObject.singularAttributeField(Agent.class, true, true)), null);
 	}
 
-}
+}

+ 7 - 0
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/agent/ActionUpdate.java

@@ -1,5 +1,7 @@
 package com.x.program.center.jaxrs.agent;
 
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 
 import com.x.base.core.container.EntityManagerContainer;
@@ -15,6 +17,11 @@ class ActionUpdate extends BaseAction {
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag, byte[] bytes,
 			FormDataContentDisposition disposition) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wo wo = new Wo();
 			Agent agent = emc.flag(flag, Agent.class);

+ 7 - 0
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionCreate.java

@@ -1,5 +1,7 @@
 package com.x.program.center.jaxrs.invoke;
 
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.apache.commons.lang3.StringUtils;
 
 import com.google.gson.JsonElement;
@@ -19,6 +21,11 @@ class ActionCreate extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, JsonElement jsonElement) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
 			Invoke invoke = Wi.copier.copy(wi);
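Review bot: The merge title describes unauthorized remote code execution through the invoke script engine, but the file list of this commit changes only the invoke management actions (create, delete, edit, get, list, update); neither an invoke execute action nor a filter for the invoke path is touched. That may be intentional if the execution endpoint is meant to stay callable, but then trust in the stored script rests entirely on this check, so it deserves a regression test. An anonymous call and a plain-user call to create, edit and update should each end in `ExceptionAccessDenied` and leave no `Invoke` record behind. A short comment above the guard saying why it exists would also help, e.g. `/* invoke text is run by the script engine; only managers and ServiceManager may store it */`; that the text is executed is taken from the merge title, not from this hunk.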

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionDelete.java

@@ -3,16 +3,23 @@ package com.x.program.center.jaxrs.invoke;
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.annotation.CheckRemoveType;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionWhen;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WoId;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Invoke;
 
 class ActionDelete extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Invoke invoke = emc.flag(flag, Invoke.class );
 			if (null == invoke) {
@@ -31,4 +38,4 @@ class ActionDelete extends BaseAction {
 	public static class Wo extends WoId {
 
 	}
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionEdit.java

@@ -1,6 +1,8 @@
 package com.x.program.center.jaxrs.invoke;
 
 import com.x.base.core.project.cache.CacheManager;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.apache.commons.lang3.StringUtils;
 
 import com.google.gson.JsonElement;
@@ -22,6 +24,11 @@ class ActionEdit extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag, JsonElement jsonElement) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
 			Invoke invoke = emc.flag(flag, Invoke.class);
@@ -61,4 +68,4 @@ class ActionEdit extends BaseAction {
 
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionGet.java

@@ -5,15 +5,22 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.JpaObject;
 import com.x.base.core.project.bean.WrapCopier;
 import com.x.base.core.project.bean.WrapCopierFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.tools.ListTools;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Invoke;
 
 class ActionGet extends BaseAction {
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Invoke invoke = emc.flag(flag, Invoke.class );
 			if (null == invoke) {
@@ -33,4 +40,4 @@ class ActionGet extends BaseAction {
 				ListTools.toList(JpaObject.FieldsInvisible));
 	}
 
-}
+}

+ 8 - 1
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionList.java

@@ -13,9 +13,11 @@ import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.JpaObject;
 import com.x.base.core.project.bean.WrapCopier;
 import com.x.base.core.project.bean.WrapCopierFactory;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.tools.ListTools;
+import com.x.program.center.Business;
 import com.x.program.center.core.entity.Invoke;
 import com.x.program.center.core.entity.Invoke_;
 
@@ -23,6 +25,11 @@ class ActionList extends BaseAction {
 
 	ActionResult<List<Wo>> execute(EffectivePerson effectivePerson) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<List<Wo>> result = new ActionResult<>();
 			List<Wo> wos = new ArrayList<>();
 			EntityManager em = emc.get(Invoke.class);
@@ -44,4 +51,4 @@ class ActionList extends BaseAction {
 				ListTools.toList(JpaObject.singularAttributeField(Invoke.class, true, true)), null);
 	}
 
-}
+}

+ 7 - 0
o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/invoke/ActionUpdate.java

@@ -1,5 +1,7 @@
 package com.x.program.center.jaxrs.invoke;
 
+import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.program.center.Business;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 
 import com.x.base.core.container.EntityManagerContainer;
@@ -15,6 +17,11 @@ class ActionUpdate extends BaseAction {
 	ActionResult<Wo> execute(EffectivePerson effectivePerson, String flag, byte[] bytes,
 			FormDataContentDisposition disposition) throws Exception {
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
+			Business business = new Business(emc);
+			/* 判断当前用户是否有权限访问 */
+			if(!business.serviceControlAble(effectivePerson)) {
+				throw new ExceptionAccessDenied(effectivePerson.getDistinguishedName());
+			}
 			ActionResult<Wo> result = new ActionResult<>();
 			Wo wo = new Wo();
 			Invoke invoke = emc.flag(flag, Invoke.class);