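// Build the query condition, limiting rows to the units the caller is allowed to see.
Cnd cnd = Cnd.NEW();
if (shiroUtil.hasRole("sysadmin")) {
    // sysadmin may filter by any unit, or leave the unit filter off entirely.
    if (Strings.isNotBlank(searchUnit)) {
        cnd.and("unitid", "=", searchUnit);
    }
} else {
    Sys_user user = (Sys_user) shiroUtil.getPrincipal();
    if (Strings.isNotBlank(searchUnit)) {
        // Authorization check: prevent access outside the caller's own unit hierarchy.
        // The previous test, searchUnit.startsWith(unit.getPath()), compared the requested
        // unit's ID with that same unit's path and never looked at the caller's unit, so it
        // could not enforce the boundary. Compare the requested unit's path with the path
        // of the caller's unit instead.
        // NOTE(review): assumes Sys_unit.getPath() is a hierarchical prefix in which a child
        // path starts with its parent's path, and that segments are fixed-width so a sibling
        // cannot share a prefix. Confirm against the Sys_unit schema.
        Sys_unit unit = sysUnitService.fetch(searchUnit);
        Sys_unit userUnit = Strings.isBlank(user.getUnitid())
                ? null
                : sysUnitService.fetch(user.getUnitid());
        String requestedPath = unit == null ? null : unit.getPath();
        String allowedPath = userUnit == null ? null : userUnit.getPath();
        // Fail closed: an unknown unit or a missing path on either side is rejected.
        if (Strings.isBlank(requestedPath)
                || Strings.isBlank(allowedPath)
                || !requestedPath.startsWith(allowedPath)) {
            return Result.error("非法操作");
        }
        cnd.and("unitid", "=", searchUnit);
    } else {
        // No unit requested: default to the caller's own unit.
        cnd.and("unitid", "=", user.getUnitid());
    }
}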
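`searchUnit.startsWith(unit.getPath())` 这个 startsWith 判断永远都会有问题：unit 本身就是用 searchUnit 查出来的，这里是拿单位 ID 去和同一个单位的 path 比较，完全没有用到当前登录用户所属的单位，所以起不到防止越级访问的作用。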