yonge 5 年之前
父节点
当前提交
ed0bc22bd3
共有 36 个文件被更改,包括 245 次插入9 次删除
  1. 1 1
      mec-common/common-core/src/main/java/com/ym/mec/common/security/PermissionCheckService.java
  2. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/ChargeTypeController.java
  3. 22 0
      mec-web/src/main/java/com/ym/mec/web/controller/ClassGroupController.java
  4. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/CooperationOrganController.java
  5. 12 0
      mec-web/src/main/java/com/ym/mec/web/controller/CourseScheduleController.java
  6. 7 1
      mec-web/src/main/java/com/ym/mec/web/controller/CourseScheduleRewardsRulesController.java
  7. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/GoodsCategoryController.java
  8. 7 2
      mec-web/src/main/java/com/ym/mec/web/controller/GoodsController.java
  9. 5 2
      mec-web/src/main/java/com/ym/mec/web/controller/HotWordLabelManageController.java
  10. 5 0
      mec-web/src/main/java/com/ym/mec/web/controller/LeaveCategoryController.java
  11. 4 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupBuildLogController.java
  12. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupController.java
  13. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupPaymentCalenderController.java
  14. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupPaymentEntitiesController.java
  15. 4 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupQuitController.java
  16. 3 0
      mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupSubjectPlanController.java
  17. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/OrganizationController.java
  18. 7 0
      mec-web/src/main/java/com/ym/mec/web/controller/SchoolController.java
  19. 8 2
      mec-web/src/main/java/com/ym/mec/web/controller/StudentManageController.java
  20. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/StudentRegistrationController.java
  21. 5 0
      mec-web/src/main/java/com/ym/mec/web/controller/StudentWithdrawController.java
  22. 9 0
      mec-web/src/main/java/com/ym/mec/web/controller/SubjectController.java
  23. 5 1
      mec-web/src/main/java/com/ym/mec/web/controller/SysAreaController.java
  24. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/SysConfigController.java
  25. 6 0
      mec-web/src/main/java/com/ym/mec/web/controller/SysUserBankCardController.java
  26. 5 0
      mec-web/src/main/java/com/ym/mec/web/controller/SysUserCashAccountController.java
  27. 5 0
      mec-web/src/main/java/com/ym/mec/web/controller/SysUserCashAccountDetailController.java
  28. 4 0
      mec-web/src/main/java/com/ym/mec/web/controller/TeacherController.java
  29. 4 0
      mec-web/src/main/java/com/ym/mec/web/controller/TeacherDefaultVipGroupSalaryController.java
  30. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/TeacherVipSchoolController.java
  31. 2 0
      mec-web/src/main/java/com/ym/mec/web/controller/UploadFileController.java
  32. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/VipGroupActivityController.java
  33. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/VipGroupCategoryController.java
  34. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/VipGroupDefaultClassesCycleController.java
  35. 8 0
      mec-web/src/main/java/com/ym/mec/web/controller/VipGroupDefaultClassesUnitPriceController.java
  36. 17 0
      mec-web/src/main/java/com/ym/mec/web/controller/VipGroupManageController.java

+ 1 - 1
mec-common/common-core/src/main/java/com/ym/mec/common/security/PermissionCheckService.java

@@ -12,7 +12,7 @@ import org.springframework.stereotype.Component;
 public class PermissionCheckService {
 
 	public boolean hasPermissions(String... permissions) {
-		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		Authentication authentication = SecurityUtils.getAuthentication();
 		if (authentication == null) {
 			return false;
 		}
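Review bot: `hasPermissions(String... permissions)` has no Javadoc saying whether the caller must hold any or all of the listed codes, and after this commit it is the gate for every `@PreAuthorize` expression added to the controllers. The body continues outside the hunk, so the semantics cannot be read from here. I would add a comment above the signature such as `/** Returns false when there is no current authentication; otherwise true when the caller holds <any|all: state which> of the given permission codes. */`. Please also confirm that `SecurityUtils.getAuthentication()` returns the same object for anonymous requests as `SecurityContextHolder` did, since the visible lines reject only `null`.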

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/ChargeTypeController.java

@@ -4,10 +4,13 @@ import com.ym.mec.biz.dal.entity.ChargeType;
 import com.ym.mec.biz.service.ChargeTypeService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.page.QueryInfo;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 @RequestMapping("chargeType")
@@ -20,6 +23,7 @@ public class ChargeTypeController extends BaseController {
 
     @ApiOperation(value = "新增、修改收费类型")
     @PostMapping("/upSet")
+    @PreAuthorize("@pcs.hasPermissions('chargeType/upSet')")
     public Object upSet(@RequestBody ChargeType chargeType) {
         chargeTypeService.upSet(chargeType);
         return succeed();
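Review bot: The `@PreAuthorize` on `upSet`, like every other one added in this commit, is only enforced if method security is enabled for mec-web (e.g. `@EnableGlobalMethodSecurity(prePostEnabled = true)`) and a bean named `pcs` resolves to `PermissionCheckService`. Neither is visible in this commit, so please confirm both, ideally with a test that an authenticated user lacking `chargeType/upSet` is rejected. The permission codes are also hand-typed string literals that mirror the route, so a shared constant concatenated into the expression would catch typos at compile time. `upSet`'s body ends outside the hunk.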
@@ -27,6 +31,7 @@ public class ChargeTypeController extends BaseController {
 
     @ApiOperation(value = "删除收费类型")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('chargeType/del')")
     public Object del(@ApiParam(value = "收费类型编号", required = true) @PathVariable("id") Integer id) {
         chargeTypeService.del(id);
         return succeed();
@@ -34,6 +39,7 @@ public class ChargeTypeController extends BaseController {
 
     @ApiOperation(value = "分页查询收费类型列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('chargeType/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(chargeTypeService.queryPage(queryInfo));
     }

+ 22 - 0
mec-web/src/main/java/com/ym/mec/web/controller/ClassGroupController.java

@@ -9,9 +9,12 @@ import com.ym.mec.biz.service.ClassGroupTeacherMapperService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.entity.HttpResponseResult;
 import com.ym.mec.common.page.QueryInfo;
+
 import io.swagger.annotations.*;
+
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Date;
@@ -29,12 +32,14 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "新增单技班班级")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/add')")
     public Object add(@RequestBody ClassGroup classGroup) throws Exception {
         return succeed(classGroupService.addClassGroup(classGroup));
     }
 
     @ApiOperation(value = "新增合奏班")
     @PostMapping("/addMixClass")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/addMixClass')")
     public Object addMixClass(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId,
                               @ApiParam(value = "班级名称", required = true) String name,
                               @ApiParam(value = "班级编号,号分割", required = true) String classGroupIds) throws Exception {
@@ -43,6 +48,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "新增提高班")
     @PostMapping("/addHighClass")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/addHighClass')")
     public Object addHighClass(@ApiParam(value = "乐团提高班json", required = true) @RequestParam List<HighClassGroupDto> highClassGroupDtoList) throws Exception {
         if (highClassGroupDtoList.size() <= 0) {
             return failed("参数不合法");
@@ -52,6 +58,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "删除单技班")
     @PostMapping("/delSingle")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/delSingle')")
     public Object delSingle(Integer classGroupId) {
         classGroupService.delete(classGroupId);
         return succeed();
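Review bot: `delSingle` and, in the next hunk, `delMix` get distinct permissions, but both call `classGroupService.delete(classGroupId)` and nothing visible checks the class group's type. Unless `delete` enforces the type internally, a caller holding only `classGroup/delSingle` can presumably delete an ensemble class by supplying its id, and vice versa, which makes the split between the two permissions nominal. I would load the group and reject a mismatched type before deleting, or collapse the two endpoints under one permission. Both method bodies end outside their hunks.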
@@ -59,6 +66,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "删除合奏班")
     @PostMapping("/delMix")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/delMix')")
     public Object delMix(Integer classGroupId) {
         classGroupService.delete(classGroupId);
         return succeed();
@@ -66,6 +74,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "修改班级")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/update')")
     public Object update(ClassGroup classGroup) {
         classGroup.setUpdateTime(new Date());
         classGroupService.update(classGroup);
@@ -74,12 +83,14 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "分页查询班级列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(classGroupService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "合奏班相关班级获取")
     @GetMapping("/findClassGroupAboutMix")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findClassGroupAboutMix')")
     public HttpResponseResult findClassGroupAboutMix(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId,
                                          @ApiParam(value = "班级编号", required = false) Integer mixClassGroupId) {
         return succeed(classGroupService.findClassGroup(musicGroupId, mixClassGroupId));
@@ -87,24 +98,28 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "乐团单技班列表")
     @GetMapping("/findMusicGroupClass")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findMusicGroupClass')")
     public HttpResponseResult findMusicGroupClass(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId) {
         return succeed(classGroupService.findAllNormalClassGroupByMusicGroupId(musicGroupId));
     }
 
     @ApiOperation(value = "获取未分班的单技班列表")
     @GetMapping("/findNoClassSubjects")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findNoClassSubjects')")
     public HttpResponseResult findNoClassSubjects(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId) {
         return succeed(classGroupService.findNoClassSubjects(musicGroupId));
     }
 
     @ApiOperation(value = "乐团合奏班列表")
     @GetMapping("/findMixMusicGroupClass")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findMixMusicGroupClass')")
     public HttpResponseResult findMixMusicGroupClass(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId) {
         return succeed(classGroupService.findAllMixClassGroupByMusicGroupId(musicGroupId));
     }
 
     @ApiOperation(value = "乐团所有班列表")
     @GetMapping("/findAllClassGroupByMusicGroup")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findAllClassGroupByMusicGroup')")
     public HttpResponseResult findAllClassGroupByMusicGroup(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId) {
         return succeed(classGroupService.findAllClassGroupByMusicGroup(musicGroupId));
     }
@@ -112,6 +127,7 @@ public class ClassGroupController extends BaseController {
     @ApiOperation(value = "乐团班级老师设置")
     @PostMapping("/addClassGroupTeacher")
     @ApiParam(value = "乐团班级老师json", required = true)
+    @PreAuthorize("@pcs.hasPermissions('classGroup/addClassGroupTeacher')")
     public HttpResponseResult addClassGroupTeacher(@RequestBody List<ClassGroupTeacherMapper> classGroupTeacherMapperList) {
         if (classGroupTeacherMapperList.size() <= 0) {
             return failed("参数不合法");
@@ -121,12 +137,14 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "获取乐团班级老师")
     @GetMapping("/findMusicGroupClassTeacher")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findMusicGroupClassTeacher')")
     public HttpResponseResult findMusicGroupClassTeacher(@ApiParam(value = "乐团编号", required = true) @RequestParam String musicGroupId) {
         return succeed(classGroupService.getClassGroupAndTeachers(musicGroupId,"NORMAL,MIX"));
     }
 
     @ApiOperation(value = "获取乐团班级老师课酬")
     @GetMapping("/findMusicGroupClassTeacherSalary")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findMusicGroupClassTeacherSalary')")
     @ApiImplicitParams({@ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String"),
             @ApiImplicitParam(name = "type", value = "结算类型(1-基准课酬,4-梯度课酬)", required = true, dataType = "Integer")})
     public HttpResponseResult findMusicGroupClassTeacherSalary(String musicGroupId, SalarySettlementTypeEnum type) {
@@ -139,6 +157,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "乐团班级老师课酬确认")
     @PostMapping("/setClassGroupTeacherSalary")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/setClassGroupTeacherSalary')")
     @ApiParam(value = "乐团班级老师<包含相应课酬>json", required = true)
     public Object setClassGroupTeacherSalary(@RequestBody List<ClassGroupTeacherMapper> classGroupTeacherMapperList) throws Exception {
         if (classGroupTeacherMapperList.size() <= 0) {
@@ -149,6 +168,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "根据群编号,获取群组所有成员基本信息")
     @GetMapping("/findGroupUsers")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/findGroupUsers')")
     public Object findGroupUsers(String groupId) {
         if (StringUtils.isEmpty(groupId)) {
             return failed("参数校验错误");
@@ -158,6 +178,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "乐团班级设置,成团确认")
     @PostMapping("/addMusicGroupTeam")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/addMusicGroupTeam')")
     @ApiImplicitParams({@ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String"),
             @ApiImplicitParam(name = "teacherId", value = "老师编号", required = true, dataType = "Integer")})
     public Object addMusicGroupTeam(Integer teacherId,String musicGroupId) throws Exception {
@@ -171,6 +192,7 @@ public class ClassGroupController extends BaseController {
 
     @ApiOperation(value = "合并班级")
     @PostMapping("/mergeClassGroup")
+    @PreAuthorize("@pcs.hasPermissions('classGroup/mergeClassGroup')")
     @ApiImplicitParams({@ApiImplicitParam(name = "classGroupIds", value = "班级编号,号分割", required = true, dataType = "String")})
     public HttpResponseResult mergeClassGroup(String classGroupIds) throws Exception {
         //软删除班级

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/CooperationOrganController.java

@@ -4,10 +4,13 @@ import com.ym.mec.biz.dal.entity.CooperationOrgan;
 import com.ym.mec.biz.service.CooperationOrganService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.page.QueryInfo;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Date;
@@ -22,6 +25,7 @@ public class CooperationOrganController extends BaseController {
 
     @ApiOperation(value = "新增合作单位(教学点)")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('cooperationOrgan/add')")
     public Object add(CooperationOrgan cooperationOrgan) {
         cooperationOrganService.insert(cooperationOrgan);
         return succeed();
@@ -29,6 +33,7 @@ public class CooperationOrganController extends BaseController {
 
     @ApiOperation(value = "删除合作单位(教学点)")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('cooperationOrgan/del')")
     public Object del(@ApiParam(value = "合作单位(教学点)编号", required = true) @PathVariable("id") Integer id) {
         cooperationOrganService.delete(id);
         return succeed();
@@ -36,6 +41,7 @@ public class CooperationOrganController extends BaseController {
 
     @ApiOperation(value = "修改合作单位(教学点)")
     @PutMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('cooperationOrgan/update')")
     public Object update(CooperationOrgan cooperationOrgan) {
         cooperationOrgan.setUpdateTime(new Date());
         cooperationOrganService.update(cooperationOrgan);
@@ -44,12 +50,14 @@ public class CooperationOrganController extends BaseController {
 
     @ApiOperation(value = "分页查询合作单位(教学点)列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('cooperationOrgan/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(cooperationOrganService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "根据机构编号获取合作单位(教学点)列表")
     @GetMapping("/queryByOrganId")
+    @PreAuthorize("@pcs.hasPermissions('cooperationOrgan/queryByOrganId')")
     public Object queryByOrganId(Integer organId){
         return succeed(cooperationOrganService.queryByOrganId(organId));
     }

+ 12 - 0
mec-web/src/main/java/com/ym/mec/web/controller/CourseScheduleController.java

@@ -7,11 +7,14 @@ import com.ym.mec.biz.dal.page.StudentAttendanceQueryInfo;
 import com.ym.mec.biz.service.CourseScheduleService;
 import com.ym.mec.biz.service.StudentAttendanceService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Date;
@@ -33,6 +36,7 @@ public class CourseScheduleController extends BaseController {
 
     @ApiOperation(value = "排课")
     @PostMapping("/batchAddCourseSchedule/{musicGroupID}")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/batchAddCourseSchedule')")
     public Object batchAddCourseSchedule(@RequestBody List<CourseSchedule> courseSchedules,
                                          @ApiParam(value = "乐团编号", required = true) @PathVariable("musicGroupID") Long musicGroupID){
         scheduleService.batchAddCourseSchedule(courseSchedules);
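Review bot: `batchAddCourseSchedule` accepts `musicGroupID` from the path but passes only `courseSchedules` to `scheduleService.batchAddCourseSchedule(...)`, so the new permission authorises the endpoint and not the music group being modified. The schedules in the request body can presumably reference any group; `batchUpdateCourseSchedule` in the next hunk at least forwards the id. Consider forwarding `musicGroupID` and checking in the service that every schedule belongs to it and that the caller is allowed to manage that group. The method body continues outside the hunk.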
@@ -41,6 +45,7 @@ public class CourseScheduleController extends BaseController {
 
     @ApiOperation(value = "批量跟新排课")
     @PostMapping("/batchUpdateCourseSchedule/{musicGroupID}")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/batchUpdateCourseSchedule')")
     public Object batchUpdateCourseSchedule(@RequestBody List<CourseSchedule> courseSchedules,
                                             @ApiParam(value = "乐团编号", required = true) @PathVariable("musicGroupID") Long musicGroupID){
         scheduleService.batchUpdateCourseSchedule(courseSchedules,musicGroupID);
@@ -49,6 +54,7 @@ public class CourseScheduleController extends BaseController {
 
     @ApiOperation(value = "根据月份获取乐团在该月有课的日期")
     @GetMapping("/getCourseScheduleDateByMonth")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/getCourseScheduleDateByMonth')")
         public Object getCourseScheduleDateByMonth(@ApiParam(value = "乐团编号", required = true) @RequestParam Long musicGroupID,
                                                    @ApiParam(value = "月份", required = true) @RequestParam Date month) {
         return succeed(scheduleService.getCourseScheduleDateByMonth(musicGroupID,month));
@@ -56,23 +62,27 @@ public class CourseScheduleController extends BaseController {
 
     @ApiOperation(value = "根据日期获取当日排课")
     @GetMapping("/getCourseSchedulesWithDate")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/getCourseSchedulesWithDate')")
     public Object getCourseSchedulesWithDate(@ApiParam(value = "日期", required = true) Date date){
         return succeed(scheduleService.getCourseSchedulesWithDate(date));
     }
 
     @ApiOperation(value = "根据课程ID查询正在或即将开始的课程")
     @GetMapping("/getCurrentCourseDetail/{courseID}")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/getCurrentCourseDetail')")
     public Object getCurrentCourseDetail(@ApiParam(value = "课程ID", required = true) @PathVariable("courseID") Long courseID){
         return succeed(scheduleService.getCurrentCourseDetail(courseID));
     }
 
     @ApiOperation(value = "根据班级ID获取当前课程的学生")
     @GetMapping("/getCurrentCourseStudents")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/getCurrentCourseStudents')")
     public Object getCurrentCourseStudents(@RequestBody StudentAttendanceQueryInfo queryInfo){
         return succeed(studentAttendanceService.getCurrentCourseStudents(queryInfo));
     }
 
     @ApiOperation(value = "课时调整")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/classStartDateAdjust')")
     @PostMapping(value = "/classStartDateAdjust",consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
     public Object classStartDateAdjust(ClassDateAdjustDto classDateAdjustDto){
         scheduleService.classStartDateAdjust(classDateAdjustDto);
@@ -80,6 +90,7 @@ public class CourseScheduleController extends BaseController {
     }
 
     @ApiOperation(value = "课时交换")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/courseSwap')")
     @GetMapping(value = "/courseSwap",consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
     public Object courseSwap(Long courseScheduleId1,Long courseScheduleId2){
         scheduleService.courseSwap(courseScheduleId1,courseScheduleId2);
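Review bot: `courseSwap` changes data but is mapped with `@GetMapping`, and `courseScheduleCommplaintAudit` in the next hunk is likewise a state-changing GET. If the session is cookie-based, the new permission check does not protect these against cross-site request forgery, because Spring Security's CSRF protection exempts GET by default; GET URLs are also kept in logs, history and caches. I would switch both to POST, e.g. `@PostMapping(value = "/courseSwap", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)`. The method body continues outside the hunk.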
@@ -88,6 +99,7 @@ public class CourseScheduleController extends BaseController {
 
     @ApiOperation(value = "课程投诉审核")
     @GetMapping(value = "/courseScheduleCommplaintAudit")
+    @PreAuthorize("@pcs.hasPermissions('courseSchedule/courseScheduleCommplaintAudit')")
     public Object courseScheduleCommplaintAudit(CourseScheduleComplaints courseScheduleComplaints){
         scheduleService.courseScheduleCommplaintAudit(courseScheduleComplaints);
         return succeed();

+ 7 - 1
mec-web/src/main/java/com/ym/mec/web/controller/CourseScheduleRewardsRulesController.java

@@ -4,6 +4,7 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -14,7 +15,7 @@ import com.ym.mec.biz.service.CourseScheduleRewardsRulesService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.page.QueryInfo;
 
-@RequestMapping("courseSchedule")
+@RequestMapping("courseScheduleRewards")
 @Api(tags = "课程奖励规则")
 @RestController
 public class CourseScheduleRewardsRulesController extends BaseController {
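Review bot: Changing the class mapping from `courseSchedule` to `courseScheduleRewards` moves every endpoint of this controller to a new URL in the same commit that puts them behind permissions. Any path-based rule kept elsewhere and keyed on `/courseSchedule/...` (security config matchers, gateway routes, stored permission or menu records) would no longer cover them; none of that is visible here, so please confirm. Existing clients that still call the old paths will fail until they are updated.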
@@ -24,30 +25,35 @@ public class CourseScheduleRewardsRulesController extends BaseController {
 
 	@ApiOperation(value = "查询规则列表")
 	@GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('courseScheduleRewards/queryPage')")
 	public Object queryPage(QueryInfo queryInfo) {
 		return succeed(courseScheduleRewardsRulesService.queryPage(queryInfo));
 	}
 
 	@ApiOperation(value = "单查询")
 	@GetMapping("/query")
+    @PreAuthorize("@pcs.hasPermissions('courseScheduleRewards/query')")
 	public Object query(Integer id) {
 		return succeed(courseScheduleRewardsRulesService.get(id));
 	}
 
 	@ApiOperation(value = "新增")
 	@PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('courseScheduleRewards/add')")
 	public Object add(CourseScheduleRewardsRules courseScheduleRewardsRules) {
 		return succeed(courseScheduleRewardsRulesService.insert(courseScheduleRewardsRules));
 	}
 
 	@ApiOperation(value = "修改")
 	@PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('courseScheduleRewards/update')")
 	public Object update(CourseScheduleRewardsRules courseScheduleRewardsRules) {
 		return succeed(courseScheduleRewardsRulesService.update(courseScheduleRewardsRules));
 	}
 
 	@ApiOperation(value = "删除")
 	@PostMapping("/delete")
+    @PreAuthorize("@pcs.hasPermissions('courseScheduleRewards/delete')")
 	public Object delete(Integer id) {
 		return succeed(courseScheduleRewardsRulesService.delete(id));
 	}
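Review bot: The five added `@PreAuthorize` lines in this hunk are indented with four spaces, while the neighbouring `@ApiOperation` and mapping annotations use a tab, so the annotations will be misaligned at any other tab width. Re-indent the added lines with a single tab to match the rest of the file.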

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/GoodsCategoryController.java

@@ -4,9 +4,12 @@ import com.ym.mec.biz.dal.entity.GoodsCategory;
 import com.ym.mec.biz.dal.page.GoodsCategoryQueryInfo;
 import com.ym.mec.biz.service.GoodsCategoryService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 @RequestMapping("category")
@@ -19,12 +22,14 @@ public class GoodsCategoryController extends BaseController {
 
     @ApiOperation(value = "删除商品分类")
     @PostMapping("/del")
+    @PreAuthorize("@pcs.hasPermissions('category/del')")
     public Object del(Integer id) {
         return succeed(goodsCategoryService.delete(id));
     }
 
     @ApiOperation(value = "新增、修改商品类型")
     @PostMapping("/upset")
+    @PreAuthorize("@pcs.hasPermissions('category/upset')")
     public Object upset(@RequestBody GoodsCategory goodsCategory){
         goodsCategoryService.upsetGoodsCategory(goodsCategory);
         return succeed();
@@ -32,6 +37,7 @@ public class GoodsCategoryController extends BaseController {
 
     @ApiOperation(value = "分页查询商品分类列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('category/queryPage')")
     public Object queryPage(GoodsCategoryQueryInfo queryInfo) {
         return succeed(goodsCategoryService.queryPage(queryInfo));
     }

+ 7 - 2
mec-web/src/main/java/com/ym/mec/web/controller/GoodsController.java

@@ -1,6 +1,5 @@
 package com.ym.mec.web.controller;
 
-import com.ym.mec.biz.dal.entity.SubjectGoodsMapper;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
@@ -10,10 +9,10 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -32,6 +31,7 @@ public class GoodsController extends BaseController {
 
     @ApiOperation(value = "新增商品(教材、辅件)")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('goods/add')")
     public Object add(Goods goods){
         goodsService.insert(goods);
         return succeed();
@@ -39,6 +39,7 @@ public class GoodsController extends BaseController {
 
     @ApiOperation(value = "删除商品(教材、辅件)")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('goods/del')")
     public Object del(@ApiParam(value = "商品(教材、辅件)编号", required = true) @PathVariable("id") Integer id){
         goodsService.delete(id);
         return succeed();
@@ -46,6 +47,7 @@ public class GoodsController extends BaseController {
 
     @ApiOperation(value = "修改商品(教材、辅件)")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('goods/update')")
     public Object update(Goods goods){
         goods.setUpdateTime(new Date());
         goodsService.update(goods);
@@ -54,18 +56,21 @@ public class GoodsController extends BaseController {
 
     @ApiOperation(value = "根据商品(教材、辅件)编号查询商品(教材、辅件)")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('goods/get')")
     public Object get(@ApiParam(value = "商品(教材、辅件)编号", required = true) @PathVariable("id") Integer id){
         return succeed(goodsService.get(id));
     }
 
     @ApiOperation(value = "分页查询商品(教材、辅件)列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('goods/queryPage')")
     public Object queryPage(GoodsQueryInfo queryInfo){
         return succeed(goodsService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "通过科目编号、商品分类 查询商品(教材、辅件)列表")
     @GetMapping("/queryGoodsBySubId")
+    @PreAuthorize("@pcs.hasPermissions('goods/queryGoodsBySubId')")
     @ApiImplicitParams({ @ApiImplicitParam(name = "subjectId", value = "科目编号", required = true, dataType = "Integer"),
             @ApiImplicitParam(name = "type", value = "INSTRUMENT 乐器, ACCESSORIES 教辅", required = true, dataType = "String")})
     public Object findGoodsBySubId(Integer subjectId,String type){

+ 5 - 2
mec-web/src/main/java/com/ym/mec/web/controller/HotWordLabelManageController.java

@@ -7,6 +7,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,10 +31,9 @@ public class HotWordLabelManageController extends BaseController {
     @Autowired
     private HotWordsLabelService hotWordsLabelService;
 
-
-
     @ApiOperation(value = "新增热词标签")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('hotWordLabelManage/add')")
     public Object add(HotWordsLabel hotWordsLabel) {
         hotWordsLabelService.insert(hotWordsLabel);
         return succeed();
@@ -41,6 +41,7 @@ public class HotWordLabelManageController extends BaseController {
 
     @ApiOperation(value = "删除热词标签")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('hotWordLabelManage/del')")
     public Object del(@ApiParam(value = "热词标签编号", required = true) @PathVariable("id") Integer id) {
         hotWordsLabelService.delete(id);
         return succeed();
@@ -48,6 +49,7 @@ public class HotWordLabelManageController extends BaseController {
 
     @ApiOperation(value = "修改热词标签")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('hotWordLabelManage/update')")
     public Object update(HotWordsLabel hotWordsLabel) {
         hotWordsLabel.setUpdateTime(new Date());
         hotWordsLabelService.update(hotWordsLabel);
@@ -57,6 +59,7 @@ public class HotWordLabelManageController extends BaseController {
 
     @ApiOperation("分页查询热词列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('hotWordLabelManage/queryPage')")
     public Object queryPage(QueryInfo queryInfo){
         return succeed(hotWordsLabelService.queryPage(queryInfo));
     }

+ 5 - 0
mec-web/src/main/java/com/ym/mec/web/controller/LeaveCategoryController.java

@@ -7,6 +7,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -27,6 +28,7 @@ public class LeaveCategoryController extends BaseController {
 
     @ApiOperation(value = "新增请假类型")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('leaveCategory/add')")
     public Object add(LeaveCategory leaveCategory) {
         leaveCategoryService.insert(leaveCategory);
         return succeed();
@@ -34,6 +36,7 @@ public class LeaveCategoryController extends BaseController {
 
     @ApiOperation(value = "删除请假类型")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('leaveCategory/del')")
     public Object del(@ApiParam(value = "请假类型编号", required = true) @PathVariable("id") Integer id) {
         leaveCategoryService.delete(id);
         return succeed();
@@ -41,6 +44,7 @@ public class LeaveCategoryController extends BaseController {
 
     @ApiOperation(value = "修改请假类型")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('leaveCategory/update')")
     public Object update(LeaveCategory leaveCategory) {
         leaveCategory.setUpdateTime(new Date());
         leaveCategoryService.update(leaveCategory);
@@ -49,6 +53,7 @@ public class LeaveCategoryController extends BaseController {
 
     @ApiOperation(value = "分页查询请假类型列表")
     @PostMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('leaveCategory/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(leaveCategoryService.queryPage(queryInfo));
     }

+ 4 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupBuildLogController.java

@@ -2,9 +2,12 @@ package com.ym.mec.web.controller;
 
 import com.ym.mec.biz.service.MusicGroupBuildLogService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -19,6 +22,7 @@ public class MusicGroupBuildLogController extends BaseController {
 
     @ApiOperation("根据乐团编号获取乐团流程记录")
     @GetMapping(value = "/findAll")
+    @PreAuthorize("@pcs.hasPermissions('recharge/findAll')")
     public Object findAll(String musicGroupId){
         return succeed(musicGroupBuildLogService.findById(musicGroupId));
     }
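Review bot: The guard added on `findAll` checks `recharge/findAll`, while the other controllers visible in this commit use a key prefix tied to their own resource. If this is a copy-paste slip, anyone granted the recharge permission can read music group build logs, and a role meant to read them needs an unrelated grant. The class-level `@RequestMapping` is outside the hunk, so confirm the intended key first. Then use the controller's own prefix, for example `@PreAuthorize("@pcs.hasPermissions('musicGroupBuildLog/findAll')")`.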

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupController.java

@@ -2,6 +2,7 @@ package com.ym.mec.web.controller;
 
 import com.ym.mec.auth.api.client.SysUserFeignService;
 import com.ym.mec.auth.api.entity.SysUser;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
@@ -9,6 +10,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -34,6 +36,7 @@ public class MusicGroupController extends BaseController {
 
     @ApiOperation(value = "修改乐团")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('musicGroup/update')")
     public Object update(MusicGroup musicGroup){
         musicGroup.setUpdateTime(new Date());
         musicGroupService.update(musicGroup);
@@ -42,18 +45,21 @@ public class MusicGroupController extends BaseController {
 
     @ApiOperation(value = "根据乐团编号查询乐团")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('musicGroup/get')")
     public Object get(@ApiParam(value = "乐团编号", required = true) @PathVariable("id") String id){
         return succeed(musicGroupService.get(id));
     }
 
     @ApiOperation(value = "分页查询乐团列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('musicGroup/queryPage')")
     public Object queryPage(MusicGroupQueryInfo queryInfo){
         return succeed(musicGroupService.queryMusicGroupPage(queryInfo));
     }
 
     @ApiOperation(value = "新增乐团  建团申请数据提交")
     @PostMapping("/createGroup")
+    @PreAuthorize("@pcs.hasPermissions('musicGroup/createGroup')")
     public Object createGroup(@RequestBody SubFeeSettingDto subFeeSettingDto){
         SysUser sysUser = sysUserFeignService.queryUserInfo();
         if(sysUser == null || sysUser.getId() == null){

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupPaymentCalenderController.java

@@ -8,6 +8,7 @@ import java.util.Date;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,6 +31,7 @@ public class MusicGroupPaymentCalenderController extends BaseController {
 
     @ApiOperation(value = "新增乐团缴费日历")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentCalender/add')")
     public Object add(MusicGroupPaymentCalender musicGroupPaymentCalender) {
         musicGroupPaymentCalenderService.insert(musicGroupPaymentCalender);
         return succeed();
@@ -37,6 +39,7 @@ public class MusicGroupPaymentCalenderController extends BaseController {
 
     @ApiOperation(value = "批量新增、修改乐团缴费周期")
     @PostMapping("/batchAdd")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentCalender/batchAdd')")
     public Object batchAdd(@RequestBody List<MusicGroupPaymentCalender> musicGroupPaymentCalenders) {
         musicGroupPaymentCalenderService.batchInsert(musicGroupPaymentCalenders);
         return succeed();
@@ -44,6 +47,7 @@ public class MusicGroupPaymentCalenderController extends BaseController {
 
     @ApiOperation(value = "删除乐团缴费日历")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentCalender/del')")
     public Object del(@ApiParam(value = "乐团缴费日历编号", required = true) @PathVariable("id") Long id) {
         musicGroupPaymentCalenderService.delete(id);
         return succeed();
@@ -51,6 +55,7 @@ public class MusicGroupPaymentCalenderController extends BaseController {
 
     @ApiOperation(value = "修改乐团缴费日历")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentCalender/update')")
     public Object update(MusicGroupPaymentCalender musicGroupPaymentCalender) {
         musicGroupPaymentCalender.setUpdateTime(new Date());
         musicGroupPaymentCalenderService.update(musicGroupPaymentCalender);
@@ -59,6 +64,7 @@ public class MusicGroupPaymentCalenderController extends BaseController {
 
     @ApiOperation(value = "分页查询乐团缴费日历列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentCalender/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(musicGroupPaymentCalenderService.queryPage(queryInfo));
     }

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupPaymentEntitiesController.java

@@ -8,6 +8,7 @@ import java.util.Date;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,6 +31,7 @@ public class MusicGroupPaymentEntitiesController extends BaseController {
 
     @ApiOperation(value = "新增乐团付费主体")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentEntities/add')")
     public Object add(MusicGroupPaymentEntities musicGroupPaymentEntities){
         musicGroupPaymentEntitiesService.insert(musicGroupPaymentEntities);
         return succeed();
@@ -37,6 +39,7 @@ public class MusicGroupPaymentEntitiesController extends BaseController {
 
     @ApiOperation(value = "批量新增乐团付费主体")
     @PostMapping("/batchAdd")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentEntities/batchAdd')")
     public Object batchAdd(@RequestBody List<MusicGroupPaymentEntities> musicGroupPaymentEntities){
         musicGroupPaymentEntitiesService.batchInsert(musicGroupPaymentEntities);
         return succeed();
@@ -44,6 +47,7 @@ public class MusicGroupPaymentEntitiesController extends BaseController {
 
     @ApiOperation(value = "删除乐团付费主体")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentEntities/del')")
     public Object del(@ApiParam(value = "乐团付费主体编号", required = true) @PathVariable("id") Integer id){
         musicGroupPaymentEntitiesService.delete(id);
         return succeed();
@@ -51,6 +55,7 @@ public class MusicGroupPaymentEntitiesController extends BaseController {
 
     @ApiOperation(value = "修改乐团付费主体")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentEntities/update')")
     public Object update(MusicGroupPaymentEntities musicGroupPaymentEntities){
         musicGroupPaymentEntities.setUpdateTime(new Date());
         musicGroupPaymentEntitiesService.update(musicGroupPaymentEntities);
@@ -59,6 +64,7 @@ public class MusicGroupPaymentEntitiesController extends BaseController {
 
     @ApiOperation(value = "分页查询乐团付费主体")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupPaymentEntities/queryPage')")
     public Object queryPage(QueryInfo queryInfo){
         return succeed(musicGroupPaymentEntitiesService.queryPage(queryInfo));
     }

+ 4 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupQuitController.java

@@ -6,6 +6,7 @@ import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -35,18 +36,21 @@ public class MusicGroupQuitController extends BaseController {
 
 	@ApiOperation(value = "分页查询")
 	@GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupQuit/queryPage')")
 	public HttpResponseResult queryPage(QueryInfo queryInfo) throws Exception {
 		return succeed(musicGroupQuitService.queryPage(queryInfo));
 	}
 	
 	@ApiOperation(value = "单查询")
 	@GetMapping("/query")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupQuit/query')")
 	public HttpResponseResult query(Long id) throws Exception {
 		return succeed(musicGroupQuitService.get(id));
 	}
 
 	@ApiOperation(value = "退团")
 	@PostMapping("/quitMusicGroup")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupQuit/quitMusicGroup')")
 	@ApiImplicitParams({ @ApiImplicitParam(name = "id", value = "退团申请id", required = true, dataType = "Long"),
 			@ApiImplicitParam(name = "status", value = "审批状态(APPROVED, DENIED, PROCESSING)", required = true, dataType = "String"),
 			@ApiImplicitParam(name = "reason", value = "原因", required = true, dataType = "String") })
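Review bot: The three added `@PreAuthorize` lines are indented with four spaces while the rest of this file is tab-indented, so the guards sit out of line with `@ApiOperation` and `@GetMapping` in most editors. Re-indent each with a single tab to match the neighbouring annotations. The method signature of `quitMusicGroup` is outside the hunk. The `@PreAuthorize` lines added in SysConfigController have the same space-versus-tab mismatch.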

+ 3 - 0
mec-web/src/main/java/com/ym/mec/web/controller/MusicGroupSubjectPlanController.java

@@ -5,6 +5,7 @@ import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -23,12 +24,14 @@ public class MusicGroupSubjectPlanController extends BaseController {
 
     @ApiOperation(value = "根据id查询乐团声部招生情况")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupSubjectPlan/get')")
     public Object get(@ApiParam(value = "乐团编号", required = true) @PathVariable("id") int id) {
         return succeed(musicGroupSubjectPlanService.get(id));
     }
 
     @ApiOperation(value = "乐团声部分班情况")
     @GetMapping("/getMusicSubjectClass")
+    @PreAuthorize("@pcs.hasPermissions('musicGroupSubjectPlan/getMusicSubjectClass')")
     public Object getMusicSubjectClass(@ApiParam(value = "乐团编号", required = true) String musicGroupId) {
         return succeed(musicGroupSubjectPlanService.getMusicSubjectClassPlan(musicGroupId));
     }

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/OrganizationController.java

@@ -7,6 +7,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -28,24 +29,28 @@ public class OrganizationController extends BaseController {
 
     @ApiOperation(value = "分页查询分部列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('organization/queryPage')")
     public Object queryPage(OrganizationQueryInfo queryInfo){
         return succeed(organizationService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "新增分部")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('organization/add')")
     public Object add(Organization organization){
         return succeed(organizationService.insert(organization));
     }
 
     @ApiOperation(value = "根据分部编号删除分部")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('organization/del')")
     public Object del(@ApiParam(value = "分部编号", required = true) @PathVariable("id") Integer id){
         return succeed(organizationService.delete(id));
     }
 
     @ApiOperation(value = "修改分部信息")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('organization/update')")
     public Object update(Organization organization){
         organization.setUpdateTime(new Date());
         return succeed(organizationService.update(organization));
@@ -53,6 +58,7 @@ public class OrganizationController extends BaseController {
 
     @ApiOperation(value = "根据分部编号查询分部详情")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('organization/get')")
     @ApiParam(value = "分部编号", required = true)
     public Object get( @PathVariable("id") Integer id){
         return succeed(organizationService.get(id));

+ 7 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SchoolController.java

@@ -7,6 +7,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.Date;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -29,6 +30,7 @@ public class SchoolController extends BaseController {
 
     @ApiOperation(value = "新增学校")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('school/add')")
     public Object add(School school){
         schoolService.insert(school);
         return succeed();
@@ -36,6 +38,7 @@ public class SchoolController extends BaseController {
 
     @ApiOperation(value = "删除学校")
     @PostMapping("/del/{id}")
+    @PreAuthorize("@pcs.hasPermissions('school/del')")
     public Object del(@ApiParam(value = "学校编号", required = true) @PathVariable("id") Integer id){
         schoolService.delete(id);
         return succeed();
@@ -43,6 +46,7 @@ public class SchoolController extends BaseController {
 
     @ApiOperation(value = "修改学校")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('school/update')")
     public Object update(School school){
         school.setUpdateTime(new Date());
         schoolService.update(school);
@@ -51,18 +55,21 @@ public class SchoolController extends BaseController {
 
     @ApiOperation(value = "根据学校编号查询学校")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('school/get')")
     public Object get(@ApiParam(value = "学校编号", required = true) @PathVariable("id") Integer id){
         return succeed(schoolService.get(id));
     }
 
     @ApiOperation(value = "分页查询学校列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('school/queryPage')")
     public Object queryPage(SchoolQueryInfo queryInfo){
         return succeed(schoolService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "根据机构编号获取学校列表")
     @GetMapping("/queryByOrganId")
+    @PreAuthorize("@pcs.hasPermissions('school/queryByOrganId')")
     public Object queryByOrganId(@RequestParam Integer organId){
         return succeed(schoolService.queryByOrganId(organId,null));
     }

+ 8 - 2
mec-web/src/main/java/com/ym/mec/web/controller/StudentManageController.java

@@ -5,10 +5,9 @@ import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 import com.ym.mec.biz.dal.page.StudentManageAttendanceQueryInfo;
@@ -31,42 +30,49 @@ public class StudentManageController extends BaseController {
 
     @ApiOperation(value = "获取学生列表")
     @GetMapping("/queryStudentList")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/queryStudentList')")
     public Object queryStudentList(StudentManageQueryInfo queryInfo){
         return succeed(studentManageService.findStudentsByOrganId(queryInfo));
     }
 
     @ApiOperation(value = "根据学生ID获取学生基本报名信息")
     @GetMapping("/findStudentBaseInfo")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/findStudentBaseInfo')")
     public Object findStudentBaseInfo(@ApiParam(value = "学生编号", required = true) Integer userId){
         return succeed(studentManageService.findStudentManageBaseInfo(userId));
     }
 
     @ApiOperation(value = "根据学生ID获取其所在的乐团")
     @GetMapping("/findStudentMusicGroups")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/findStudentMusicGroups')")
     public Object findStudentMusicGroups(@ApiParam(value = "学生编号", required = true) Integer userId){
         return succeed(studentManageService.findStudentMusicGroupsByUserId(userId));
     }
 
     @ApiOperation(value = "根据乐团获取排课列表")
     @GetMapping("/findStudentCourses")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/findStudentCourses')")
     public Object findStudentCourses(StudentManageCourseQueryInfo queryInfo){
         return succeed(studentManageService.findStudentCourseList(queryInfo));
     }
 
     @ApiOperation(value = "获取学生签到列表")
     @GetMapping("/findStudentAttendances")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/findStudentAttendances')")
     public Object findStudentAttendances(StudentManageAttendanceQueryInfo queryInfo){
         return succeed(studentManageService.findStudentAttendances(queryInfo));
     }
 
     @ApiOperation(value = "获取学生vip课")
     @GetMapping("/findStudentVipGroups")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/findStudentVipGroups')")
     public Object findStudentVipGroups(Integer userId){
         return succeed(studentManageService.findStudentVipGroups(userId));
     }
 
     @ApiOperation(value = "获取用户默认账户基本信息")
     @GetMapping("/getUserCashAccountBaseInfo")
+    @PreAuthorize("@pcs.hasPermissions('studentManage/getUserCashAccountBaseInfo')")
     public Object getUserCashAccountBaseInfo(Integer userId){
         return succeed(studentManageService.getStudentAccountBaseInfo(userId));
     }
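Review bot: The new guards on `findStudentBaseInfo`, `findStudentMusicGroups`, `findStudentVipGroups` and `getUserCashAccountBaseInfo` authorize the action only; `userId` comes straight from the request and is passed to the service unchanged. Whether `studentManageService` limits the lookup to students the caller may see (for example by organization) is not visible here. If it does not, any account holding the permission can read another student's registration and cash-account data by changing the id. Confirm the scope check in the service, or add one before the call. The same question applies to `del(Long id)` in SysUserBankCardController, whose body lies outside its hunk.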

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/StudentRegistrationController.java

@@ -10,6 +10,7 @@ import java.util.Date;
 
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -31,6 +32,7 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "乐团添加学员")
     @PostMapping("/insertStudent")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/insertStudent')")
     public Object add(StudentRegistration studentRegistration) throws Exception {
         return succeed(studentRegistrationService.insertStudent(studentRegistration));
     }
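Review bot: Old lines 37–43, between this hunk and the next, are not touched, so any mapped handler sitting there stays without a `@pcs.hasPermissions` guard. `@PreAuthorize` is opt-in per method, so a skipped handler remains reachable by anyone who passes the URL-level filter, which this page does not show. If that handler is not meant to be open, annotate it too, or put a class-level `@PreAuthorize` on the controller so unannotated methods get a default check. SysAreaController has a similar untouched stretch between its `queryChild` and `getParentArea` hunks.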
@@ -44,6 +46,7 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "修改学生报名信息")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/update')")
     public Object update(StudentRegistration studentRegistration) {
         studentRegistration.setUpdateTime(new Date());
         studentRegistrationService.update(studentRegistration);
@@ -52,6 +55,7 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "批量调剂学生报名专业")
     @PostMapping("/batchUpdateSubject")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/batchUpdateSubject')")
     public Object batchUpdateSubject(String userId,Integer subId) {
         if (StringUtils.isEmpty(userId) || subId == null) {
             return failed();
@@ -61,12 +65,14 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "乐团【报名中、缴费中】 学生详情列表分页查询")
     @GetMapping("/queryStudentApplyDetail")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/queryStudentApplyDetail')")
     public Object queryStudentApplyDetail(StudentRegistrationQueryInfo queryInfo) {
         return succeed(studentRegistrationService.queryStudentDetailPage(queryInfo));
     }
 
     @ApiOperation(value = "学生报名缴费金额详情")
     @GetMapping("/queryFeeDetail")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/queryFeeDetail')")
     @ApiImplicitParams({@ApiImplicitParam(name = "studentId", value = "学生编号", required = true, dataType = "Integer"),
             @ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String")})
     public Object queryFeeDetail(String studentId,String musicGroupId) {
@@ -78,6 +84,7 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "获取未分班的学生")
     @GetMapping("/getNoClassStu")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/getNoClassStu')")
     @ApiImplicitParams({@ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String"),
             @ApiImplicitParam(name = "actualSubjectId", value = "科目(声部)id,多个逗号分开", required = true, dataType = "String")})
     public Object getNoClassStuBySubjectId(String musicGroupId, String actualSubjectId) {
@@ -86,6 +93,7 @@ public class StudentRegistrationController extends BaseController {
 
     @ApiOperation(value = "获取班级学生")
     @GetMapping("/getClassStu")
+    @PreAuthorize("@pcs.hasPermissions('studentRegistration/getClassStu')")
     @ApiImplicitParams({@ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String"),
             @ApiImplicitParam(name = "classGroupId", value = "班级id", required = true, dataType = "int")})
     public Object getClassStu(String musicGroupId, int classGroupId) {

+ 5 - 0
mec-web/src/main/java/com/ym/mec/web/controller/StudentWithdrawController.java

@@ -9,10 +9,13 @@ import com.ym.mec.biz.service.CooperationOrganService;
 import com.ym.mec.biz.service.StudentWithdrawService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.page.QueryInfo;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Date;
@@ -29,6 +32,7 @@ public class StudentWithdrawController extends BaseController {
 
     @ApiOperation(value = "新增提现申请")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('studentWithdraw//add')")
     public Object add(StudentWithdraw studentWithdraw) throws Exception {
         SysUser sysUser = sysUserFeignService.queryUserInfo();
         if(sysUser == null && sysUser.getId() == null){
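Review bot: The permission key on `add` is `studentWithdraw//add` with a doubled slash, while `queryPage` in the same controller uses `studentWithdraw/queryPage`. Unless `hasPermissions` normalises the key, this will not match a grant stored as `studentWithdraw/add`; it should read `@PreAuthorize("@pcs.hasPermissions('studentWithdraw/add')")`. The context line below it, `if(sysUser == null && sysUser.getId() == null)`, dereferences `sysUser` exactly when it is null and never rejects a user with a missing id. MusicGroupController uses `||` for the same check, so this should be `if(sysUser == null || sysUser.getId() == null){`. The rest of `add` is outside the hunk.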
@@ -41,6 +45,7 @@ public class StudentWithdrawController extends BaseController {
 
     @ApiOperation(value = "分页查询")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('studentWithdraw/queryPage')")
     public Object queryPage(WithdrawDto queryInfo) {
         return succeed(studentWithdrawService.queryPage(queryInfo));
     }

+ 9 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SubjectController.java

@@ -9,6 +9,7 @@ import io.swagger.annotations.ApiParam;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -32,6 +33,7 @@ public class SubjectController extends BaseController {
 
     @ApiOperation(value = "修改、新增科目")
     @PostMapping("/upset")
+    @PreAuthorize("@pcs.hasPermissions('subject/upset')")
     public Object update(@RequestBody Subject subject){
         subjectService.upSetSubject(subject);
         return succeed();
@@ -39,24 +41,28 @@ public class SubjectController extends BaseController {
 
     @ApiOperation(value = "根据科目编号查询科目")
     @GetMapping("/get/{id}")
+    @PreAuthorize("@pcs.hasPermissions('subject/get')")
     public Object get(@ApiParam(value = "科目编号", required = true) @PathVariable("id") Integer id){
         return succeed(subjectService.get(id));
     }
 
     @ApiOperation(value = "分页查询科目列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('subject/queryPage')")
     public Object queryPage(SubjectQueryInfo queryInfo){
         return succeed(subjectService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "分页查询科目树状列表")
     @GetMapping("/queryPageTree")
+    @PreAuthorize("@pcs.hasPermissions('subject/queryPageTree')")
     public Object queryPageTree(SubjectQueryInfo queryInfo){
         return succeed(subjectService.queryPageTree(queryInfo));
     }
 
     @ApiOperation(value = "通过乐团编号查询乐团科目规划")
     @GetMapping("/querySubByMusicGroupId")
+    @PreAuthorize("@pcs.hasPermissions('subject/querySubByMusicGroupId')")
     @ApiImplicitParams({ @ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String")})
     public Object findSubByMusicGroupId(String musicGroupId){
         return succeed(subjectService.findSubByMusicGroupId(musicGroupId));
@@ -64,6 +70,7 @@ public class SubjectController extends BaseController {
 
     @ApiOperation(value = "通过乐团收费类型,获取默认的声部列表")
     @GetMapping("/findDefaultSubByChargeTypeId")
+    @PreAuthorize("@pcs.hasPermissions('subject/findDefaultSubByChargeTypeId')")
     @ApiImplicitParams({ @ApiImplicitParam(name = "chargeTypeId", value = "收费类型编号", required = true, dataType = "Integer")})
     public Object findDefaultSubByChargeTypeId(Integer chargeTypeId){
         return succeed(subjectService.findDefaultSubByChargeTypeId(chargeTypeId));
@@ -71,6 +78,7 @@ public class SubjectController extends BaseController {
 
     @ApiOperation(value = "修改、新增声部关联的商品列表")
     @PostMapping("/markGoods")
+    @PreAuthorize("@pcs.hasPermissions('subject/markGoods')")
     public Object markGoods(@RequestBody List<SubjectGoodsMapper> subjectGoodsMappers){
         subjectService.markGoods(subjectGoodsMappers);
         return succeed();
@@ -78,6 +86,7 @@ public class SubjectController extends BaseController {
 
     @ApiOperation(value = "通过乐团编号获取声部列表以及声部报名、缴费、计划人数")
     @GetMapping("/findSubApplyDetail")
+    @PreAuthorize("@pcs.hasPermissions('subject/findSubApplyDetail')")
     @ApiImplicitParams({ @ApiImplicitParam(name = "musicGroupId", value = "乐团编号", required = true, dataType = "String")})
     public Object findSubApplyDetail(String musicGroupId){
         return succeed(subjectService.findSubApplyDetail(musicGroupId));

+ 5 - 1
mec-web/src/main/java/com/ym/mec/web/controller/SysAreaController.java

@@ -2,9 +2,10 @@ package com.ym.mec.web.controller;
 
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
-
 import io.swagger.annotations.ApiParam;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -24,6 +25,7 @@ public class SysAreaController extends BaseController {
 
     @ApiOperation(value = "根据父节点查询区域树状列表(递归)")
     @GetMapping("/queryTree")
+    @PreAuthorize("@pcs.hasPermissions('area/queryTree')")
     public Object queryPage(TreeDto treeDto){
         if(treeDto.getParentId() == 0){
             return failed("非法参数");
@@ -33,6 +35,7 @@ public class SysAreaController extends BaseController {
 
     @ApiOperation(value = "根据父节点查询下一级子节点列表(不递归)")
     @GetMapping("/queryChild")
+    @PreAuthorize("@pcs.hasPermissions('area/queryChild')")
     public Object queryChild(TreeDto treeDto){
         return succeed(sysAreaService.queryChild(treeDto));
     }
@@ -58,6 +61,7 @@ public class SysAreaController extends BaseController {
 
     @ApiOperation(value = "根据子级区域获取父级节点")
     @GetMapping("/getParentArea/{id}")
+    @PreAuthorize("@pcs.hasPermissions('area/getParentArea')")
     @ApiParam(value = "区域编号", required = true)
     public Object getParentArea( @PathVariable("id") Integer id){
         return succeed(sysAreaService.getParentArea(id));

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SysConfigController.java

@@ -10,6 +10,7 @@ import java.util.Map;
 
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,6 +33,7 @@ public class SysConfigController extends BaseController {
 
 	@ApiOperation(value = "参数列表")
 	@GetMapping(value = "list")
+    @PreAuthorize("@pcs.hasPermissions('sysConfig/list')")
 	public Object configList(String group) {
 		Map<String,Object> params = new HashMap<String, Object>();
 		params.put("group", group);
@@ -41,6 +43,7 @@ public class SysConfigController extends BaseController {
 
 	@ApiOperation(value = "修改参数")
 	@PostMapping(value = "update")
+    @PreAuthorize("@pcs.hasPermissions('sysConfig/update')")
 	public Object update(SysConfig config) {
 		config.setModifyOn(new Date());
 		sysConfigService.update(config);
@@ -49,6 +52,7 @@ public class SysConfigController extends BaseController {
 
 	@ApiOperation(value = "新增参数")
 	@PostMapping(value = "add")
+    @PreAuthorize("@pcs.hasPermissions('sysConfig/add')")
 	public Object addConfig(SysConfig config) {
 		if (config == null)
 			return failed("参数无效");
@@ -65,6 +69,7 @@ public class SysConfigController extends BaseController {
 
 	@ApiOperation(value = "查询参数")
 	@GetMapping(value = "get")
+    @PreAuthorize("@pcs.hasPermissions('sysConfig/get')")
 	public Object getConfig(Long id) {
 		if (id == null || id <= 0)
 			return failed("请检查输入的ID");
@@ -73,6 +78,7 @@ public class SysConfigController extends BaseController {
 
 	@ApiOperation(value = "查询参数")
 	@GetMapping(value = "queryByParamName")
+    @PreAuthorize("@pcs.hasPermissions('sysConfig/queryByParamName')")
 	public Object queryByParamName(String paramName) {
 		if(StringUtils.isBlank(paramName)){
 			return failed("参数不能为空");

+ 6 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SysUserBankCardController.java

@@ -5,9 +5,12 @@ import com.ym.mec.auth.api.entity.SysUser;
 import com.ym.mec.biz.dal.entity.SysUserBankCard;
 import com.ym.mec.biz.service.SysUserBankCardService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -25,6 +28,7 @@ public class SysUserBankCardController extends BaseController {
 
     @ApiOperation(value = "新增银行卡信息")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('userBankCard/add')")
     public Object add(SysUserBankCard sysUserBankCard) {
         if(sysUserBankCard == null){
             return failed("参数校验异常");
@@ -39,6 +43,7 @@ public class SysUserBankCardController extends BaseController {
 
     @ApiOperation(value = "删除银行卡信息")
     @PostMapping("/del")
+    @PreAuthorize("@pcs.hasPermissions('userBankCard/del')")
     public Object del(Long id) {
         if(id == null){
             return failed("参数校验失败");
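Review bot: `del(Long id)` is now gated on the function-level key `userBankCard/del`, but nothing visible in the hunk ties `id` to the calling user, so any account holding that key could presumably delete another user's card record. The rest of del is outside the hunk; if it does not already do so, it should load the card and compare its owner with `sysUserFeignService.queryUserInfo().getId()` before deleting. The same question applies to `findByTeacherAndCategory(Long userId, Long categoryId)` in TeacherDefaultVipGroupSalaryController, which takes the user id from the request.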
@@ -53,6 +58,7 @@ public class SysUserBankCardController extends BaseController {
 
     @ApiOperation(value = "分页查询银行卡信息列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('userBankCard/queryPage')")
     public Object queryPage() {
         SysUser sysUser = sysUserFeignService.queryUserInfo();
         if(sysUser == null || sysUser.getId() == null){

+ 5 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SysUserCashAccountController.java

@@ -5,9 +5,12 @@ import com.ym.mec.auth.api.entity.SysUser;
 import com.ym.mec.biz.service.SysUserCashAccountService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.page.QueryInfo;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -24,6 +27,7 @@ public class SysUserCashAccountController extends BaseController {
 
     @ApiOperation(value = "获取用户账户信息")
     @GetMapping("/get")
+    @PreAuthorize("@pcs.hasPermissions('userCashAccount/get')")
     public Object add() {
         SysUser sysUser = sysUserFeignService.queryUserInfo();
         if(sysUser == null){
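Review bot: The handler behind `@GetMapping("/get")` is named `add`, which matches neither the mapping nor the new key `userCashAccount/get`, so anyone auditing the controller for write endpoints will misread it. Renaming it, for example to `public Object getCashAccount() {`, leaves the route unchanged. The method body continues outside the hunk.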
@@ -34,6 +38,7 @@ public class SysUserCashAccountController extends BaseController {
 
     @ApiOperation(value = "分页查询收费类型列表")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('userCashAccount/queryPage')")
     public Object queryPage(QueryInfo queryInfo) {
         return succeed(sysUserCashAccountService.queryPage(queryInfo));
     }
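Review bot: The Swagger summary on queryPage reads `分页查询收费类型列表` (charge-type list), which looks copied from another controller; this endpoint pages user cash accounts, so something like `@ApiOperation(value = "分页查询用户账户列表")` would match. Unlike the `/get` handler above, which starts from `queryUserInfo()`, this one passes the caller-supplied `QueryInfo` straight to `sysUserCashAccountService.queryPage`. If the service does not scope the result itself (not visible here), the key `userCashAccount/queryPage` is the only thing limiting who can list other users' accounts, and it should be granted accordingly.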

+ 5 - 0
mec-web/src/main/java/com/ym/mec/web/controller/SysUserCashAccountDetailController.java

@@ -6,9 +6,12 @@ import com.ym.mec.biz.dal.dto.CashAccountDetail;
 import com.ym.mec.biz.dal.entity.SysUserCashAccountDetail;
 import com.ym.mec.biz.service.SysUserCashAccountDetailService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +29,7 @@ public class SysUserCashAccountDetailController extends BaseController {
 
     @ApiOperation(value = "新增用户交易明细")
     @PostMapping("/add")
+    @PreAuthorize("@pcs.hasPermissions('userCashAccountDetail/add')")
     public Object add(SysUserCashAccountDetail sysUserCashAccountDetail) {
         sysUserCashAccountDetailService.insert(sysUserCashAccountDetail);
         return succeed();
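Review bot: `add(SysUserCashAccountDetail sysUserCashAccountDetail)` binds the persistence entity straight from request parameters and hands it to `insert`, so every settable field of a transaction record is caller-controlled and the new permission key is the only control in front of it. A request DTO limited to the fields an operator may set, with the remaining fields filled in server-side, would narrow that. The same entity-binding shape appears in SysConfigController.update, TeacherVipSchoolController.add/update, VipGroupCategoryController.add/update, VipGroupDefaultClassesCycleController.add/update and VipGroupDefaultClassesUnitPriceController.add/update.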
@@ -33,6 +37,7 @@ public class SysUserCashAccountDetailController extends BaseController {
 
     @ApiOperation(value = "分页查询用户交易明细")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('userCashAccountDetail/queryPage')")
     public Object queryPage(CashAccountDetail queryInfo) {
         SysUser user = sysUserFeignService.queryUserInfo();
         if(user == null && user.getId() != null){
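Review bot: The guard `if(user == null && user.getId() != null)` under the new annotation can never do its job: when `user` is null the second operand throws a NullPointerException, and when `user` is non-null the condition is false. SysUserBankCardController.queryPage in this same commit uses the intended form, so this line should read `if(user == null || user.getId() == null){`. The method body continues outside the hunk, so what the branch returns and how the user id scopes the query are not visible here.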

+ 4 - 0
mec-web/src/main/java/com/ym/mec/web/controller/TeacherController.java

@@ -4,9 +4,12 @@ import com.ym.mec.auth.api.client.SysUserFeignService;
 import com.ym.mec.biz.service.TeacherService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.entity.HttpResponseResult;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -23,6 +26,7 @@ public class TeacherController extends BaseController {
 
     @ApiOperation(value = "获取分部所有老师")
     @GetMapping("/findTeachers")
+    @PreAuthorize("@pcs.hasPermissions('teacher/findTeachers')")
     public HttpResponseResult findTeachers() {
         Integer organId = sysUserFeignService.queryUserInfo().getOrganId();
         return succeed(teacherService.findTeachers(organId));
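Review bot: `sysUserFeignService.queryUserInfo().getOrganId()` dereferences the lookup result without a null check, while SysUserBankCardController.queryPage and SysUserCashAccountController test the same call for null before using it. If the lookup can return null here as those checks suggest, this endpoint ends in a NullPointerException instead of a clean failure response. A null `organId` is also passed on to `teacherService.findTeachers`, and what an unscoped call returns is not visible. I would assign the result to a local, return a failure response when it or its `getOrganId()` is null, and only then call the service.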

+ 4 - 0
mec-web/src/main/java/com/ym/mec/web/controller/TeacherDefaultVipGroupSalaryController.java

@@ -2,8 +2,11 @@ package com.ym.mec.web.controller;
 
 import com.ym.mec.biz.service.TeacherDefaultVipGroupSalaryService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -21,6 +24,7 @@ public class TeacherDefaultVipGroupSalaryController extends BaseController {
 
     @ApiOperation(value = "根据老师编号及课程类型编号获取默认课酬")
     @GetMapping("/findByTeacherAndCategory")
+    @PreAuthorize("@pcs.hasPermissions('teacherDefaultVipGroupSalary/findByTeacherAndCategory')")
     public Object findByTeacherAndCategory(Long userId, Long categoryId){
         return succeed(teacherDefaultVipGroupSalaryService.findByTeacherAndCategory(userId,categoryId));
     }

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/TeacherVipSchoolController.java

@@ -3,9 +3,12 @@ package com.ym.mec.web.controller;
 import com.ym.mec.biz.dal.entity.TeacherSchool;
 import com.ym.mec.biz.service.TeacherSchoolService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -27,18 +30,21 @@ public class TeacherVipSchoolController extends BaseController {
 
     @ApiOperation("单查询")
     @GetMapping(value = "/query")
+    @PreAuthorize("@pcs.hasPermissions('teacherVipSchool/query')")
     public Object query(Long id) {
         return succeed(teacherSchoolService.get(id));
     }
 
     @ApiOperation("根据教师编号获取教学点")
     @GetMapping(value = "/queryAll")
+    @PreAuthorize("@pcs.hasPermissions('teacherVipSchool/queryAll')")
     public Object queryAll(Integer teacherId) {
         return succeed(teacherSchoolService.findByTeacherId(teacherId));
     }
 
     @ApiOperation("新增")
     @PostMapping(value = "/add")
+    @PreAuthorize("@pcs.hasPermissions('teacherVipSchool/add')")
     public Object add(TeacherSchool teacherSchool) {
         Date date = new Date();
         teacherSchool.setCreateTime(date);
@@ -49,6 +55,7 @@ public class TeacherVipSchoolController extends BaseController {
 
     @ApiOperation("修改")
     @PostMapping(value = "/update")
+    @PreAuthorize("@pcs.hasPermissions('teacherVipSchool/update')")
     public Object update(TeacherSchool teacherSchool) {
         Date date = new Date();
         teacherSchool.setUpdateTime(date);
@@ -58,6 +65,7 @@ public class TeacherVipSchoolController extends BaseController {
 
     @ApiOperation("删除")
     @PostMapping(value = "/delete")
+    @PreAuthorize("@pcs.hasPermissions('teacherVipSchool/delete')")
     public Object delete(Long id) {
         teacherSchoolService.delete(id);
         return succeed();

+ 2 - 0
mec-web/src/main/java/com/ym/mec/web/controller/UploadFileController.java

@@ -8,6 +8,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
@@ -31,6 +32,7 @@ public class UploadFileController extends BaseController {
 	private UploadFileService uploadFileService;
 
 	@PostMapping(value = "uploadFile")
+    @PreAuthorize("@pcs.hasPermissions('uploadFile')")
 	public Object uploadFile(@ApiParam(value = "上传的文件", required = true) @RequestParam("file") MultipartFile file) {
 		try {
 			if (file != null && StringUtils.isNotBlank(file.getOriginalFilename())) {
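Review bot: The added `@PreAuthorize` line is indented with four spaces while the surrounding lines of this file use tabs, so the annotation will not line up with `@PostMapping` in most editors and will show up as noise in later diffs. The same applies to the added annotations in SysConfigController, VipGroupCategoryController, VipGroupDefaultClassesCycleController and VipGroupDefaultClassesUnitPriceController. Re-indent the added lines with a tab to match each file. uploadFile's body continues outside the hunk.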

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/VipGroupActivityController.java

@@ -5,9 +5,12 @@ import com.ym.mec.biz.dal.page.VipGroupActivityQueryInfo;
 import com.ym.mec.biz.service.VipGroupActivityService;
 import com.ym.mec.common.controller.BaseController;
 import com.ym.mec.common.exception.BizException;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Objects;
@@ -27,6 +30,7 @@ public class VipGroupActivityController extends BaseController {
 
     @ApiOperation(value = "新增vip课活动方案")
     @PostMapping("/addVipGroupActivity")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupActivity/addVipGroupActivity')")
     public Object addVipGroupActivity(@RequestBody VipGroupActivityAddDto vipGroupActivityAddDto){
         vipGroupActivityService.addVipGroupActivity(vipGroupActivityAddDto);
         return succeed();
@@ -34,12 +38,14 @@ public class VipGroupActivityController extends BaseController {
 
     @ApiOperation(value = "分页查询活动方案")
     @GetMapping("/queryPage")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupActivity/queryPage')")
     public Object queryPage(VipGroupActivityQueryInfo queryInfo){
         return succeed(vipGroupActivityService.queryPage(queryInfo));
     }
 
     @ApiOperation(value = "修改活动方案")
     @PostMapping("/update")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupActivity/update')")
     public Object update(@RequestBody VipGroupActivityAddDto vipGroupActivityAddDto){
         vipGroupActivityService.updateVipGroupActivity(vipGroupActivityAddDto);
         return succeed();
@@ -47,6 +53,7 @@ public class VipGroupActivityController extends BaseController {
 
     @ApiOperation(value = "删除活动方案")
     @PostMapping("/delete")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupActivity/delete')")
     public Object delete(Long id){
         if(Objects.isNull(id)){
             throw new BizException("请指定活动编号!");
@@ -57,6 +64,7 @@ public class VipGroupActivityController extends BaseController {
 
     @ApiOperation(value = "根据课程类型获取对应课程活动方案")
     @GetMapping("/findByVipGroupCategory")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupActivity/findByVipGroupCategory')")
     public Object findByVipGroupCategory(Long categoryId){
         return succeed(vipGroupActivityService.findByVipGroupCategory(categoryId));
     }

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/VipGroupCategoryController.java

@@ -3,9 +3,12 @@ package com.ym.mec.web.controller;
 import com.ym.mec.biz.dal.entity.VipGroupCategory;
 import com.ym.mec.biz.service.VipGroupCategoryService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -23,18 +26,21 @@ public class VipGroupCategoryController extends BaseController {
 
 	@ApiOperation("单查询")
 	@GetMapping(value = "/query")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupCategory/query')")
 	public Object query(int id) {
 		return succeed(vipGroupCategoryService.get(id));
 	}
 
 	@ApiOperation("全查询")
 	@GetMapping(value = "/queryAll")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupCategory/queryAll')")
 	public Object queryAll(Long organId) {
 		return succeed(vipGroupCategoryService.findAllByOrgan(organId));
 	}
 
 	@ApiOperation("新增")
 	@PostMapping(value = "/add")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupCategory/add')")
 	public Object add(VipGroupCategory vipGroupCategory) {
 		Date date = new Date();
 		vipGroupCategory.setCreateTime(date);
@@ -46,6 +52,7 @@ public class VipGroupCategoryController extends BaseController {
 
 	@ApiOperation("修改")
 	@PostMapping(value = "/update")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupCategory/update')")
 	public Object update(VipGroupCategory vipGroupCategory) {
 		Date date = new Date();
 		vipGroupCategory.setUpdateTime(date);
@@ -55,6 +62,7 @@ public class VipGroupCategoryController extends BaseController {
 
 	@ApiOperation("删除")
 	@PostMapping(value = "/delete")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupCategory/delete')")
 	public Object delete(int id) {
 		VipGroupCategory vipGroupCategory = vipGroupCategoryService.get(id);
 		Date date = new Date();

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/VipGroupDefaultClassesCycleController.java

@@ -3,9 +3,12 @@ package com.ym.mec.web.controller;
 import com.ym.mec.biz.dal.entity.VipGroupDefaultClassesCycle;
 import com.ym.mec.biz.service.VipGroupDefaultClassesCycleService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -23,18 +26,21 @@ public class VipGroupDefaultClassesCycleController extends BaseController {
 
 	@ApiOperation("单查询")
 	@GetMapping(value = "/query")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesCycle/query')")
 	public Object query(int id) {
 		return succeed(vipGroupDefaultClassesCycleService.get(id));
 	}
 
 	@ApiOperation("全查询")
 	@GetMapping(value = "/queryAll")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesCycle/queryAll')")
 	public Object queryAll(Long organId) {
 		return succeed(vipGroupDefaultClassesCycleService.findAllByOrgan(organId));
 	}
 
 	@ApiOperation("新增")
 	@PostMapping(value = "/add")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesCycle/add')")
 	public Object add(VipGroupDefaultClassesCycle vipGroupDefaultClassesCycle) {
 		vipGroupDefaultClassesCycleService.insert(vipGroupDefaultClassesCycle);
 		return succeed();
@@ -42,6 +48,7 @@ public class VipGroupDefaultClassesCycleController extends BaseController {
 
 	@ApiOperation("修改")
 	@PostMapping(value = "/update")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesCycle/update')")
 	public Object update(VipGroupDefaultClassesCycle vipGroupDefaultClassesCycle) {
 		Date date = new Date();
 		vipGroupDefaultClassesCycle.setUpdateTime(date);
@@ -51,6 +58,7 @@ public class VipGroupDefaultClassesCycleController extends BaseController {
 
 	@ApiOperation("删除")
 	@PostMapping(value = "/delete")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesCycle/delete')")
 	public Object delete(int id) {
 		vipGroupDefaultClassesCycleService.delete(id);
 		return succeed();

+ 8 - 0
mec-web/src/main/java/com/ym/mec/web/controller/VipGroupDefaultClassesUnitPriceController.java

@@ -3,9 +3,12 @@ package com.ym.mec.web.controller;
 import com.ym.mec.biz.dal.entity.VipGroupDefaultClassesUnitPrice;
 import com.ym.mec.biz.service.VipGroupDefaultClassesUnitPriceService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -23,18 +26,21 @@ public class VipGroupDefaultClassesUnitPriceController extends BaseController {
 
 	@ApiOperation("单查询")
 	@GetMapping(value = "/query")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesUnitPrice/query')")
 	public Object query(int id) {
 		return succeed(vipGroupDefaultClassesUnitPriceService.get(id));
 	}
 
 	@ApiOperation("全查询")
 	@GetMapping(value = "/queryAll")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesUnitPrice/queryAll')")
 	public Object queryAll(Long organId) {
 		return succeed(vipGroupDefaultClassesUnitPriceService.findAll(null));
 	}
 
 	@ApiOperation("新增")
 	@PostMapping(value = "/add")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesUnitPrice/add')")
 	public Object add(VipGroupDefaultClassesUnitPrice vipGroupDefaultClassesUnitPrice) {
 		Date date = new Date();
 		vipGroupDefaultClassesUnitPrice.setCreateTime(date);
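Review bot: `queryAll(Long organId)` accepts `organId` but calls `vipGroupDefaultClassesUnitPriceService.findAll(null)`, so the parameter is ignored and the result is not scoped to an organisation. The sibling controllers VipGroupCategoryController and VipGroupDefaultClassesCycleController call `findAllByOrgan(organId)` for the same route. If per-organisation scoping is intended, pass the id through (whether this service offers an equivalent method is not visible here); otherwise drop the parameter so the API does not advertise a filter it does not apply. The `add` method at the end of the hunk continues outside it.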
@@ -45,6 +51,7 @@ public class VipGroupDefaultClassesUnitPriceController extends BaseController {
 
 	@ApiOperation("修改")
 	@PostMapping(value = "/update")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesUnitPrice/update')")
 	public Object update(VipGroupDefaultClassesUnitPrice vipGroupDefaultClassesUnitPrice) {
 		Date date = new Date();
 		vipGroupDefaultClassesUnitPrice.setUpdateTime(date);
@@ -54,6 +61,7 @@ public class VipGroupDefaultClassesUnitPriceController extends BaseController {
 
 	@ApiOperation("删除")
 	@PostMapping(value = "/delete")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupDefaultClassesUnitPrice/delete')")
 	public Object delete(int id) {
 		vipGroupDefaultClassesUnitPriceService.delete(id);
 		return succeed();

+ 17 - 0
mec-web/src/main/java/com/ym/mec/web/controller/VipGroupManageController.java

@@ -13,10 +13,13 @@ import com.ym.mec.biz.dal.page.VipGroupTeachingRecordQueryInfo;
 import com.ym.mec.biz.service.CourseScheduleService;
 import com.ym.mec.biz.service.VipGroupService;
 import com.ym.mec.common.controller.BaseController;
+
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Map;
@@ -40,6 +43,7 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "vip课申请")
     @PostMapping("/vipGroupApply")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/vipGroupApply')")
     public Object vipGroupApply(@RequestBody VipGroupApplyDto vipGroupApplyDto){
         SysUser sysUser = sysUserFeignService.queryUserById(vipGroupApplyDto.getVipGroupApplyBaseInfo().getUserId());
         if(Objects.isNull(sysUser)){
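Review bot: `vipGroupApply` takes the applicant from the request body via `vipGroupApplyDto.getVipGroupApplyBaseInfo().getUserId()` rather than from the authenticated session, so a holder of `vipGroupManage/vipGroupApply` can file an application in another user's name. If that is the intended back-office behaviour, a comment such as `// operator applies on behalf of the user identified by userId` would make it explicit; otherwise the id should come from `sysUserFeignService.queryUserInfo()`. The chained call also throws a NullPointerException when the body omits the base-info object, so a null check before it would give a clean failure. The rest of the method is outside the hunk.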
@@ -52,30 +56,35 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "全查询")
     @GetMapping("/queryAll")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/queryAll')")
     public Object queryAll(VipGroupQueryInfo queryInfo) {
         return succeed(vipGroupService.findVipGroups(queryInfo));
     }
 
     @ApiOperation(value = "获取小课学员")
     @GetMapping(value = "/findVipGroupStudents")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/findVipGroupStudents')")
     public Object findVipGroupStudents(VipGroupQueryInfo queryInfo){
         return succeed(vipGroupService.findVipGroupStudents(queryInfo));
     }
 
     @ApiOperation(value = "vip课详情")
     @GetMapping("/getVipGroupDetail")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/getVipGroupDetail')")
     public Object getVipGroupDetail(Long vipGroupId){
         return succeed(vipGroupService.getVipGroupDetail(vipGroupId));
     }
 
     @ApiOperation(value = "获取vip课考勤记录")
     @PostMapping("/getVipGroupAttendances")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/getVipGroupAttendances')")
     public Object getVipGroupAttendances(@RequestBody VipGroupAttendanceQueryInfo queryInfo){
         return succeed(vipGroupService.findVipGroupAttendances(queryInfo));
     }
 
     @ApiOperation(value = "退课申请")
     @PostMapping("/applyRefundForStudent")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/applyRefundForStudent')")
     public Object applyRefundForStudent(Long vipGroupId,Long studentId){
         vipGroupService.applyRefund(vipGroupId,studentId);
         return succeed();
@@ -83,6 +92,7 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "退课申请审核")
     @PostMapping("/applyRefundAudit")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/applyRefundAudit')")
     public Object applyRefundAudit(StudentApplyRefunds studentApplyRefunds){
         vipGroupService.applyRefundAudit(studentApplyRefunds);
         return succeed();
@@ -90,18 +100,21 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "获取VIP课教学记录")
     @GetMapping("/findVipGroupTeachingRecord")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/findVipGroupTeachingRecord')")
     public Object findVipGroupTeachingRecord(VipGroupTeachingRecordQueryInfo queryInfo){
         return succeed(vipGroupService.findVipGroupTeachingRecord(queryInfo));
     }
 
     @ApiOperation(value = "获取vip课基本信息")
     @GetMapping("/findTeachingRecordBaseInfo")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/findTeachingRecordBaseInfo')")
     public Object findTeachingRecordBaseInfo(Long vipGroupId){
         return succeed(vipGroupService.findTeachingRecordBaseInfo(vipGroupId));
     }
 
     @ApiOperation("课酬总费用")
     @PostMapping("/getVipGroupCostCount")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/getVipGroupCostCount')")
     public Object getVipGroupCostCount(VipGroup vipGroup){
         Map results = vipGroupService.countVipGroupPredictFee(vipGroup, vipGroup.getOnlineClassesUnitPrice(), vipGroup.getOfflineClassesUnitPrice());
         return succeed(results);
@@ -109,6 +122,7 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "停止vip课")
     @PostMapping("/stopVipGroup")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/stopVipGroup')")
     public Object stopVipGroup(Long vipGroupId){
         if(Objects.isNull(vipGroupId)){
             return failed(HttpStatus.FORBIDDEN,"请指定vip课");
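Review bot: `stopVipGroup` answers a missing `vipGroupId` with `HttpStatus.FORBIDDEN`, and now that the method sits behind `@PreAuthorize` a 403 from this endpoint is presumably ambiguous between "permission denied" and "parameter missing" (how access denial is rendered is not visible here). That makes denied-access monitoring and client error handling harder. A validation failure reads better as `return failed(HttpStatus.BAD_REQUEST,"请指定vip课");`. `classStartDateAdjust` in the last hunk of this file returns FORBIDDEN for a missing id in the same way. The method body continues outside the hunk.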
@@ -119,18 +133,21 @@ public class VipGroupManageController extends BaseController {
 
     @ApiOperation(value = "获取vip课财务信息")
     @GetMapping("/findVipGroupSalarys")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/findVipGroupSalarys')")
     public Object findVipGroupSalarys(VipGroupSalaryQueryInfo queryInfo){
         return succeed(vipGroupService.findVipGroupSalarys(queryInfo));
     }
 
     @ApiOperation(value = "获取当前课程上课学员")
     @GetMapping("/findVipGroupAttendanceStudents")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/findVipGroupAttendanceStudents')")
     public Object findVipGroupStudents(Long courseScheduleId){
         return succeed(vipGroupService.findVipGroupAttendanceStudents(courseScheduleId));
     }
 
     @ApiOperation(value = "课时调整")
     @PostMapping(value = "/classStartDateAdjust")
+    @PreAuthorize("@pcs.hasPermissions('vipGroupManage/classStartDateAdjust')")
     public Object classStartDateAdjust(ClassDateAdjustDto classDateAdjustDto){
         if(Objects.isNull(classDateAdjustDto.getId())){
             return failed(HttpStatus.FORBIDDEN, "请指定课程!");