fix: policy always checked regardless of caller-provided floors

Redesign addVisitor four-phase flow: - Phase1: ALWAYS query person detail (orgIds for policy lookup) - Phase2: candidate = caller floors or org floorList - Phase3: ALWAYS check policy; intersect candidate with allow - Phase4: empty set validation Fixes UC-02 bypass: policy was entirely skipped when caller provided floorIds. Now policy always constrains. Bump v2.0.19
2026-06-09 16:30:29 +08:00 · 2026-05-05 19:47:01 +08:00
parent c5febc9905
commit f7da04caea
42 changed files with 2584 additions and 43 deletions
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+# 由 v1-legacy/run.sh、v2-maven/run.sh source：JAVA_HOME；非 JDK8 时追加 --add-opens。
+#
+# === 本机 JDK 8 安装根目录（含 bin/java）；换机器只需改下行默认路径或通过环境变量覆盖 ===
+: "${DEPLOY_JDK8:=/usr/lib/jvm/java-8-openjdk-amd64}"
+
+_pick_java_home() {
+  if [[ "${ELEVATOR_USE_ENV_JAVA:-0}" == "1" ]] && [[ -n "${JAVA_HOME:-}" && -x "${JAVA_HOME}/bin/java" ]]; then
+    return 0
+  fi
+  if [[ -x "${DEPLOY_JDK8}/bin/java" ]]; then
+    export JAVA_HOME="${DEPLOY_JDK8}"
+    return 0
+  fi
+  for d in /usr/lib/jvm/java-8-openjdk-amd64 /usr/lib/jvm/java-1.8.0-openjdk; do
+    if [[ -x "$d/bin/java" ]]; then
+      export JAVA_HOME="$d"
+      return 0
+    fi
+  done
+  if [[ -n "${JAVA_HOME:-}" && -x "${JAVA_HOME}/bin/java" ]]; then
+    return 0
+  fi
+  export JAVA_HOME="${JAVA_HOME:-${DEPLOY_JDK8}}"
+}
+
+_jdk8_open_flags() {
+  local java="$1"
+  if "$java" -version 2>&1 | grep -qE 'version "1\.8\.'; then
+    echo ""
+    return
+  fi
+  echo "--add-opens=java.base/java.lang=ALL-UNNAMED"
+  echo "--add-opens=java.base/java.lang.reflect=ALL-UNNAMED"
+  echo "--add-opens=java.base/java.util=ALL-UNNAMED"
+  echo "--add-opens=java.base/java.io=ALL-UNNAMED"
+}