用户访问控制时校验数据权限，防止越权

RuoYi

2022-01-27 b49cdbbc9516352d1f4511e4223fa9d089b057b9

 src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java

@@ -2,15 +2,19 @@


import java.util.ArrayList;

import java.util.List;

import java.util.stream.Collectors;

import javax.validation.Validator;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Service;

import org.springframework.transaction.annotation.Transactional;

import org.springframework.util.CollectionUtils;

import com.ruoyi.common.constant.UserConstants;

import com.ruoyi.common.exception.ServiceException;

import com.ruoyi.common.utils.SecurityUtils;

import com.ruoyi.common.utils.StringUtils;

import com.ruoyi.common.utils.bean.BeanValidators;

import com.ruoyi.common.utils.spring.SpringUtils;

import com.ruoyi.framework.aspectj.lang.annotation.DataScope;

import com.ruoyi.project.system.domain.SysPost;

@@ -53,6 +57,9 @@


    @Autowired

    private ISysConfigService configService;



    @Autowired

    protected Validator validator;



    /**

     * 根据条件分页查询用户列表

@@ -127,16 +134,11 @@
    public String selectUserRoleGroup(String userName)

    {

        List<SysRole> list = roleMapper.selectRolesByUserName(userName);

        StringBuffer idsStr = new StringBuffer();

        for (SysRole role : list)

        if (CollectionUtils.isEmpty(list))

        {

            idsStr.append(role.getRoleName()).append(",");

            return StringUtils.EMPTY;

        }

        if (StringUtils.isNotEmpty(idsStr.toString()))

        {

            return idsStr.substring(0, idsStr.length() - 1);

        }

        return idsStr.toString();

        return list.stream().map(SysRole::getRoleName).collect(Collectors.joining(","));

    }



    /**

@@ -149,16 +151,11 @@
    public String selectUserPostGroup(String userName)

    {

        List<SysPost> list = postMapper.selectPostsByUserName(userName);

        StringBuffer idsStr = new StringBuffer();

        for (SysPost post : list)

        if (CollectionUtils.isEmpty(list))

        {

            idsStr.append(post.getPostName()).append(",");

            return StringUtils.EMPTY;

        }

        if (StringUtils.isNotEmpty(idsStr.toString()))

        {

            return idsStr.substring(0, idsStr.length() - 1);

        }

        return idsStr.toString();

        return list.stream().map(SysPost::getPostName).collect(Collectors.joining(","));

    }



    /**

@@ -485,6 +482,7 @@
        for (Long userId : userIds)

        {

            checkUserAllowed(new SysUser(userId));

            checkUserDataScope(userId);

        }

        // 删除用户与角色关联

        userRoleMapper.deleteUserRole(userIds);

@@ -521,6 +519,7 @@
                SysUser u = userMapper.selectUserByUserName(user.getUserName());

                if (StringUtils.isNull(u))

                {

                    BeanValidators.validateWithException(validator, user);

                    user.setPassword(SecurityUtils.encryptPassword(password));

                    user.setCreateBy(operName);

                    this.insertUser(user);

@@ -529,6 +528,7 @@
                }

                else if (isUpdateSupport)

                {

                    BeanValidators.validateWithException(validator, user);

                    user.setUpdateBy(operName);

                    this.updateUser(user);

                    successNum++;