From fe6bfbc51865fabd44e36f41525259b0bb35d21a Mon Sep 17 00:00:00 2001
From: "licheng.w.exiao" <631948983@qq.com>
Date: Sat, 16 Dec 2023 16:25:29 +0800
Subject: [PATCH] 1. Resolve the issue where unchecking all column permissions allows roles to see all fields. 2. Address the issue where using the 'contains' method for column permissions leads to sub-strings not being filtered out. Switch to using regular expression for a more accurate permission check.
---
 .../src/main/java/datart/data/provider/ProviderManager.java | 4 +++-
 .../datart/server/service/impl/DataProviderServiceImpl.java | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/data-providers/data-provider-base/src/main/java/datart/data/provider/ProviderManager.java b/data-providers/data-provider-base/src/main/java/datart/data/provider/ProviderManager.java
index 9927d994f..204758004 100644
--- a/data-providers/data-provider-base/src/main/java/datart/data/provider/ProviderManager.java
+++ b/data-providers/data-provider-base/src/main/java/datart/data/provider/ProviderManager.java
@@ -34,6 +34,7 @@
 import java.sql.SQLException;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.regex.Pattern;
 
 @Service
 @Slf4j
@@ -214,7 +215,8 @@ private void excludeColumns(Dataframe data, Set include) {
 .noneMatch(selectColumn ->
 column.columnKey().equals(selectColumn.getColumnKey())
 || column.columnKey().equals(selectColumn.getAlias())
- || column.columnKey().contains(selectColumn.getColumnKey()))) {
+ // 用正则做聚合函数权限的判断 剔除原来的contains判断
+ || Pattern.matches("(\\w+\\(" + selectColumn.getColumnKey() +"\\))",column.columnKey()) )) {
 excludeIndex.add(i);
 }
 }
diff --git a/server/src/main/java/datart/server/service/impl/DataProviderServiceImpl.java b/server/src/main/java/datart/server/service/impl/DataProviderServiceImpl.java
index 09495f663..b2cebbadc 100644
--- a/server/src/main/java/datart/server/service/impl/DataProviderServiceImpl.java
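Review bot: The column key is spliced into the regular expression unescaped in the new `Pattern.matches(...)` condition of the `-214,7 +215,8` hunk, so a key containing regex metacharacters changes what is matched: a `.` matches any character, and an unbalanced `(` or `[` raises `PatternSyntaxException` inside the permission filter. Because a match under `noneMatch` keeps the column out of `excludeIndex`, over-matching leaves a column visible that the role was not granted; quoting the key closes that, `|| Pattern.matches("\\w+\\(" + Pattern.quote(selectColumn.getColumnKey()) + "\\)", column.columnKey())`. The inline comment would be easier to audit in English, for example `// allow only an aggregate wrapper such as SUM(col); replaces the substring contains() check`. excludeColumns starts and ends outside the hunk.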
+++ b/server/src/main/java/datart/server/service/impl/DataProviderServiceImpl.java
@@ -406,6 +406,11 @@ private Set parseColumnPermission(View view) {
 try {
 Set columns = new HashSet<>();
 List relSubjectColumns = rscMapper.listByUser(view.getId(), getCurrentUser().getId());
+ if(relSubjectColumns.isEmpty()){
+ return Collections.singleton(SelectColumn.of(null, "*"));
+ }else if(relSubjectColumns.size() == 1 && relSubjectColumns.get(0).getColumnPermission().equals("[]")){
+ return Collections.singleton(SelectColumn.of(null, "''"));
+ }
 for (RelSubjectColumns relSubjectColumn : relSubjectColumns) {
 List cols = (List) objectMapper.readValue(relSubjectColumn.getColumnPermission(), ArrayList.class);
 if (!CollectionUtils.isEmpty(cols)) {
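Review bot: The deny-all branch fires only when the user has exactly one permission row whose raw value is the literal `[]`, so a user with two rows that both have every column unchecked (or one stored as `[ ]`) still falls through to the loop with nothing collected, which appears to be the case this commit sets out to close. Deciding from the parsed result is sturdier: keep the `isEmpty()` early return, drop the `else if`, and after the loop (which ends outside this hunk) add `if (columns.isEmpty()) { return Collections.singleton(SelectColumn.of(null, "''")); }`, unless the code below already handles an empty set. `getColumnPermission().equals("[]")` also dereferences a value that may be null; `"[]".equals(...)` avoids that. The `"*"` and `"''"` sentinels deserve named constants and a comment stating that no permission rows means unrestricted access, since that default is fail-open.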