Implementing a Data Permission Interceptor for MyBatis-Plus Using Custom Annotations

In many development scenarios, you need to restrict data visibility based on the current user's role, and you may want to apply this restriction without modifying every mapper method.

This article demonstrates how to use MyBatis-Plus interceptors combined with a custom annotation to automatically inject WHERE clauses that enforce data permissions.

Steps:

Create a custom annotation @UserDataPermission :

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface UserDataPermission {
}

Implement an interceptor class that extends JsqlParserSupport and implements InnerInterceptor , overriding beforeQuery and processSelect to modify the SQL.

Write a handler that builds the permission SQL fragment (e.g., equality for self‑data, IN expression for department data) based on the logged‑in user and their roles.

Register the interceptor in a MybatisPlusInterceptor bean, adding it before the pagination interceptor.

If the project already configures a MybatisPlusInterceptor , insert the data‑permission interceptor into the existing bean to avoid affecting other configurations.

Apply the @UserDataPermission annotation on mapper methods (including those inherited from BaseMapper ) to activate the filter.

The article also provides an advanced version that supports role‑based scopes (ALL, DEPT, MYSELF) and shows how to retrieve role information from remote services, construct appropriate SQL expressions, and integrate the handler into the interceptor.

public class MyDataPermissionInterceptor extends JsqlParserSupport implements InnerInterceptor {
    private MyDataPermissionHandler dataPermissionHandler;

    @Override
    public void beforeQuery(Executor executor, MappedStatement ms, Object parameter,
                            RowBounds rowBounds, ResultHandler resultHandler, BoundSql boundSql)
            throws SQLException {
        if (InterceptorIgnoreHelper.willIgnoreDataPermission(ms.getId())) {
            return;
        }
        PluginUtils.MPBoundSql mpBs = PluginUtils.mpBoundSql(boundSql);
        mpBs.sql(this.parserSingle(mpBs.sql(), ms.getId()));
    }

    @Override
    protected void processSelect(Select select, int index, String sql, Object obj) {
        // modify the SELECT's WHERE clause based on permission logic
    }

    private void setWhere(PlainSelect plainSelect, String whereSegment) {
        // build and set the permission expression
    }
}

Finally, remember to add the interceptor to the MyBatis‑Plus plugin, ensure the permission field (e.g., creator_code ) exists in your tables, and adjust the field name if needed (e.g., dept_code ).