我有一个看起来像这样的存储库(其他CRUD方法被剥离)
import com.querydsl.core.types.Predicate;
import com.querydsl.core.types.dsl.StringPath;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.lang.NonNull;
import org.springframework.security.access.prepost.PreAuthorize;
import java.util.Optional;
import java.util.UUID;
@PreAuthorize("hasRole('" + Constants.ROLE_USER + "')")
public interface ProjectRepository extends CrudRepository<Project, UUID>, QuerydslPredicateExecutor<Project>, QuerydslBinderCustomizer<QProject> {
@Override
default void customize(@NonNull QuerydslBindings bindings, @NonNull QProject root) {
bindings.bind(String.class).first(
(StringPath path, String value) -> path.containsIgnoreCase(value));
bindings.including(root.name);
bindings.including(root.description);
}
@Override
@Query("select p from Project p left join p.roles r left join r.account a where ?#{principal.username} = a.username")
@NonNull
Page<Project> findAll(@NonNull Predicate predicate, @NonNull Pageable pageable);
}
正如您所看到的,我有一个@Query注释,它根据用户的身份限制了findAll的响应。这会导致谓词被完全忽略。因此,如果我搜索任何内容,它仍会返回用户有权访问的所有对象。如果我删除@Query注释,那么搜索工作正常。但当然,我希望我的安全性得到应用。这是QueryDsl中的错误吗?或者只是一个限制?我怎么能做这个工作?