From b49cdbbc9516352d1f4511e4223fa9d089b057b9 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期四, 27 一月 2022 12:12:30 +0800
Subject: [PATCH] 用户访问控制时校验数据权限,防止越权
---
src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java | 1 +
src/main/java/com/ruoyi/project/system/controller/SysUserController.java | 4 ++++
src/main/java/com/ruoyi/project/system/controller/SysRoleController.java | 4 ++++
src/main/java/com/ruoyi/project/system/controller/SysDeptController.java | 8 +++++---
src/main/java/com/ruoyi/project/system/service/impl/SysRoleServiceImpl.java | 1 +
5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/ruoyi/project/system/controller/SysDeptController.java b/src/main/java/com/ruoyi/project/system/controller/SysDeptController.java
index 0f4b0a6..953747c 100644
--- a/src/main/java/com/ruoyi/project/system/controller/SysDeptController.java
+++ b/src/main/java/com/ruoyi/project/system/controller/SysDeptController.java
@@ -125,16 +125,17 @@
@PutMapping
public AjaxResult edit(@Validated @RequestBody SysDept dept)
{
+ Long deptId = dept.getDeptId();
+ deptService.checkDeptDataScope(deptId);
if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept)))
{
return AjaxResult.error("淇敼閮ㄩ棬'" + dept.getDeptName() + "'澶辫触锛岄儴闂ㄥ悕绉板凡瀛樺湪");
}
- else if (dept.getParentId().equals(dept.getDeptId()))
+ else if (dept.getParentId().equals(deptId))
{
return AjaxResult.error("淇敼閮ㄩ棬'" + dept.getDeptName() + "'澶辫触锛屼笂绾ч儴闂ㄤ笉鑳芥槸鑷繁");
}
- else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus())
- && deptService.selectNormalChildrenDeptById(dept.getDeptId()) > 0)
+ else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) && deptService.selectNormalChildrenDeptById(deptId) > 0)
{
return AjaxResult.error("璇ラ儴闂ㄥ寘鍚湭鍋滅敤鐨勫瓙閮ㄩ棬锛�");
}
@@ -158,6 +159,7 @@
{
return AjaxResult.error("閮ㄩ棬瀛樺湪鐢ㄦ埛,涓嶅厑璁稿垹闄�");
}
+ deptService.checkDeptDataScope(deptId);
return toAjax(deptService.deleteDeptById(deptId));
}
}
diff --git a/src/main/java/com/ruoyi/project/system/controller/SysRoleController.java b/src/main/java/com/ruoyi/project/system/controller/SysRoleController.java
index b98910e..30f656e 100644
--- a/src/main/java/com/ruoyi/project/system/controller/SysRoleController.java
+++ b/src/main/java/com/ruoyi/project/system/controller/SysRoleController.java
@@ -111,6 +111,7 @@
public AjaxResult edit(@Validated @RequestBody SysRole role)
{
roleService.checkRoleAllowed(role);
+ roleService.checkRoleDataScope(role.getRoleId());
if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role)))
{
return AjaxResult.error("淇敼瑙掕壊'" + role.getRoleName() + "'澶辫触锛岃鑹插悕绉板凡瀛樺湪");
@@ -145,6 +146,7 @@
public AjaxResult dataScope(@RequestBody SysRole role)
{
roleService.checkRoleAllowed(role);
+ roleService.checkRoleDataScope(role.getRoleId());
return toAjax(roleService.authDataScope(role));
}
@@ -157,6 +159,7 @@
public AjaxResult changeStatus(@RequestBody SysRole role)
{
roleService.checkRoleAllowed(role);
+ roleService.checkRoleDataScope(role.getRoleId());
role.setUpdateBy(getUsername());
return toAjax(roleService.updateRoleStatus(role));
}
@@ -236,6 +239,7 @@
@PutMapping("/authUser/selectAll")
public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds)
{
+ roleService.checkRoleDataScope(roleId);
return toAjax(roleService.insertAuthUsers(roleId, userIds));
}
}
\ No newline at end of file
diff --git a/src/main/java/com/ruoyi/project/system/controller/SysUserController.java b/src/main/java/com/ruoyi/project/system/controller/SysUserController.java
index 7c0f179..a79fed5 100644
--- a/src/main/java/com/ruoyi/project/system/controller/SysUserController.java
+++ b/src/main/java/com/ruoyi/project/system/controller/SysUserController.java
@@ -148,6 +148,7 @@
public AjaxResult edit(@Validated @RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
if (StringUtils.isNotEmpty(user.getPhonenumber())
&& UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{
@@ -186,6 +187,7 @@
public AjaxResult resetPwd(@RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
user.setUpdateBy(getUsername());
return toAjax(userService.resetPwd(user));
@@ -200,6 +202,7 @@
public AjaxResult changeStatus(@RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
user.setUpdateBy(getUsername());
return toAjax(userService.updateUserStatus(user));
}
@@ -227,6 +230,7 @@
@PutMapping("/authRole")
public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
{
+ userService.checkUserDataScope(userId);
userService.insertUserAuth(userId, roleIds);
return success();
}
diff --git a/src/main/java/com/ruoyi/project/system/service/impl/SysRoleServiceImpl.java b/src/main/java/com/ruoyi/project/system/service/impl/SysRoleServiceImpl.java
index 283d7f3..3ae790d 100644
--- a/src/main/java/com/ruoyi/project/system/service/impl/SysRoleServiceImpl.java
+++ b/src/main/java/com/ruoyi/project/system/service/impl/SysRoleServiceImpl.java
@@ -361,6 +361,7 @@
for (Long roleId : roleIds)
{
checkRoleAllowed(new SysRole(roleId));
+ checkRoleDataScope(roleId);
SysRole role = selectRoleById(roleId);
if (countUserRoleByRoleId(roleId) > 0)
{
diff --git a/src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java b/src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java
index 8fad21c..ddb46f7 100644
--- a/src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java
+++ b/src/main/java/com/ruoyi/project/system/service/impl/SysUserServiceImpl.java
@@ -482,6 +482,7 @@
for (Long userId : userIds)
{
checkUserAllowed(new SysUser(userId));
+ checkUserDataScope(userId);
}
// 鍒犻櫎鐢ㄦ埛涓庤鑹插叧鑱�
userRoleMapper.deleteUserRole(userIds);
--
Gitblit v1.9.3