From c24cd14fd700b2846623d0c3e9683adb30c7062b Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期四, 27 五月 2021 17:55:05 +0800
Subject: [PATCH] 修复两处存在SQL注入漏洞问题

---
 src/main/resources/mybatis/system/SysDeptMapper.xml |   14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/main/resources/mybatis/system/SysDeptMapper.xml b/src/main/resources/mybatis/system/SysDeptMapper.xml
index 3338046..78cbb06 100644
--- a/src/main/resources/mybatis/system/SysDeptMapper.xml
+++ b/src/main/resources/mybatis/system/SysDeptMapper.xml
@@ -44,12 +44,14 @@
 		order by d.parent_id, d.order_num
     </select>
     
-    <select id="selectDeptListByRoleId" parameterType="Long" resultType="Integer">
-		select d.dept_id, d.parent_id
+    <select id="selectDeptListByRoleId" resultType="Integer">
+		select d.dept_id
 		from sys_dept d
             left join sys_role_dept rd on d.dept_id = rd.dept_id
         where rd.role_id = #{roleId}
-        	and d.dept_id not in (select d.parent_id from sys_dept d inner join sys_role_dept rd on d.dept_id = rd.dept_id and rd.role_id = #{roleId})
+            <if test="deptCheckStrictly">
+              and d.dept_id not in (select d.parent_id from sys_dept d inner join sys_role_dept rd on d.dept_id = rd.dept_id and rd.role_id = #{roleId})
+            </if>
 		order by d.parent_id, d.order_num
 	</select>
     
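Review bot: The `not in` subquery re-added on the new side of `selectDeptListByRoleId` still compares against `d.parent_id`; if any department assigned to the role stores a NULL `parent_id` (how root rows are represented is not visible here), the whole predicate becomes UNKNOWN and the statement returns no rows whenever `deptCheckStrictly` is set. The subquery also reuses the outer aliases `d` and `rd`, which is legal but obscures what is correlated with what. A `not exists` form sidesteps both issues: `and not exists (select 1 from sys_dept c inner join sys_role_dept crd on c.dept_id = crd.dept_id where crd.role_id = #{roleId} and c.parent_id = d.dept_id)`. Since `parameterType="Long"` was dropped, the statement now expects an object or map exposing both `roleId` and `deptCheckStrictly`; a one-line XML comment above the `<select>` naming that parameter type would spare the next reader a trip to the Java interface.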
@@ -64,7 +66,7 @@
 	
 	<select id="hasChildByDeptId" parameterType="Long" resultType="int">
 		select count(1) from sys_dept
-		where del_flag = '0' and parent_id = #{deptId}
+		where del_flag = '0' and parent_id = #{deptId} limit 1
 	</select>
 	
 	<select id="selectChildrenDeptById" parameterType="Long" resultMap="SysDeptResult">
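Review bot: The `limit 1` appended to `hasChildByDeptId` is a no-op: `select count(1)` without `group by` always produces exactly one row, so the clause neither short-circuits the scan nor changes the value returned. If the goal is an existence check, which the `has…` name and `int` result type suggest, `select exists(select 1 from sys_dept where del_flag = '0' and parent_id = #{deptId})` stops at the first matching child and still maps to 0/1 on the MySQL dialect this mapper already relies on (`sysdate()`, `find_in_set`). As written, the `count(1) ... limit 1` combination reads as if the query were bounded when it is not.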
@@ -77,7 +79,7 @@
 	
 	<select id="checkDeptNameUnique" resultMap="SysDeptResult">
 	    <include refid="selectDeptVo"/>
-		where dept_name=#{deptName} and parent_id = #{parentId}
+		where dept_name=#{deptName} and parent_id = #{parentId} limit 1
 	</select>
     
     <insert id="insertDept" parameterType="SysDept">
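Review bot: `limit 1` on `checkDeptNameUnique` is appropriate for a single-result call, but with no `order by` the engine is free to return any one of several matching rows. That is harmless if the caller only tests for presence; if it compares the returned `dept_id` against the record being saved (inferred, not visible in this hunk), a pre-existing duplicate pair can be missed when the row that happens to come back is the record itself. Adding `order by dept_id` ahead of `limit 1` at least makes the choice deterministic and reproducible when debugging.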
@@ -145,7 +147,7 @@
  	        <if test="updateBy != null and updateBy != ''">update_by = #{updateBy},</if>
  	        update_time = sysdate()
         </set>
- 	    where dept_id in (${ancestors})
+ 	    where find_in_set(#{deptId}, ancestors)
 	</update>
 	
 	<delete id="deleteDeptById" parameterType="Long">
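Review bot: Swapping `where dept_id in (${ancestors})` for `where find_in_set(#{deptId}, ancestors)` removes the string interpolation, but it also appears to change which rows are updated: if `ancestors` holds the comma-separated parent chain, as the `find_in_set` call implies, the old predicate updated the departments listed in the current department's own `ancestors` value (its parents), whereas the new one updates every row whose `ancestors` contains `deptId` (its subtree). Unless the service layer was adjusted to match, which the diffstat (only this mapper changed) gives no sign of, a caller that relied on enabling a department's parents will now touch its children instead. A bound-parameter form that keeps the original semantics is `where dept_id in <foreach collection="ancestors.split(',')" item="id" open="(" separator="," close=")">#{id}</foreach>`, with each id passed as a value rather than spliced into the statement. Applying `find_in_set` to the column side is also non-sargable, so it forces a full scan of `sys_dept` on every call; the enclosing `<update>` starts before this hunk.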

--
Gitblit v1.9.3