From 913d88c11d6b5a6239bc0671d1923a7514e47ef1 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期二, 27 七月 2021 12:51:15 +0800
Subject: [PATCH] 修复任意账户越权问题

---
 src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java b/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
index 62e77de..2cb8577 100644
--- a/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
+++ b/src/main/java/com/ruoyi/framework/aspectj/DataScopeAspect.java
@@ -66,6 +66,7 @@
     @Before("dataScopePointCut()")
     public void doBefore(JoinPoint point) throws Throwable
     {
+        clearDataScope(point);
         handleDataScope(point);
     }
 
@@ -79,11 +80,11 @@
         }
         // 鑾峰彇褰撳墠鐨勭敤鎴�
         LoginUser loginUser = SpringUtils.getBean(TokenService.class).getLoginUser(ServletUtils.getRequest());
-        SysUser currentUser = loginUser.getUser();
-        if (currentUser != null)
+        if (StringUtils.isNotNull(loginUser))
         {
+            SysUser currentUser = loginUser.getUser();
             // 濡傛灉鏄秴绾х鐞嗗憳锛屽垯涓嶈繃婊ゆ暟鎹�
-            if (!currentUser.isAdmin())
+            if (StringUtils.isNotNull(currentUser) && !currentUser.isAdmin())
             {
                 dataScopeFilter(joinPoint, currentUser, controllerDataScope.deptAlias(),
                         controllerDataScope.userAlias());
@@ -166,4 +167,17 @@
         }
         return null;
     }
+
+    /**
+     * 鎷兼帴鏉冮檺sql鍓嶅厛娓呯┖params.dataScope鍙傛暟闃叉娉ㄥ叆
+     */
+    private void clearDataScope(final JoinPoint joinPoint)
+    {
+        Object params = joinPoint.getArgs()[0];
+        if (StringUtils.isNotNull(params) && params instanceof BaseEntity)
+        {
+            BaseEntity baseEntity = (BaseEntity) params;
+            baseEntity.getParams().put(DATA_SCOPE, "");
+        }
+    }
 }

--
Gitblit v1.9.3