疯狂的狮子Li
2023-03-10 69edf436da5d47d580b3554a8dadedc6697c74bb
!305 fix 修复用户相关更新操作会越权的问题
Merge pull request !305 from 丶Stone/5.X
已修改5个文件
127 ■■■■■ 文件已修改
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java 5 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java 2 ●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java 14 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java 16 ●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java 90 ●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
@@ -83,7 +83,6 @@
    @PutMapping("/updatePwd")
    public R<Void> updatePwd(String oldPassword, String newPassword) {
        SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
        String userName = user.getUserName();
        String password = user.getPassword();
        if (!BCrypt.checkpw(oldPassword, password)) {
            return R.fail("修改密码失败,旧密码错误");
@@ -92,7 +91,7 @@
            return R.fail("新密码不能与旧密码相同");
        }
        if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) {
        if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
            return R.ok();
        }
        return R.fail("修改密码异常,请联系管理员");
@@ -113,7 +112,7 @@
            }
            SysOssVo oss = sysOssService.upload(avatarfile);
            String avatar = oss.getUrl();
            if (userService.updateUserAvatar(LoginHelper.getUsername(), oss.getOssId())) {
            if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
                AvatarVo avatarVo = new AvatarVo();
                avatarVo.setImgUrl(avatar);
                return R.ok(avatarVo);
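Review bot: `updatePwd` now passes `user.getUserId()` (L25) while the avatar handler passes `LoginHelper.getUserId()` (L34); since `user` was loaded by `LoginHelper.getUserId()` on L16 the two values are the same, so using the login id directly in both handlers would keep the profile endpoints consistent and make it obvious that the target row is never derived from request data: `if (userService.resetUserPwd(LoginHelper.getUserId(), BCrypt.hashpw(newPassword)) > 0) {`. A short comment on L16 such as `// Always operate on the logged-in user; the target id never comes from the request` would record why the id is taken from the session. The body of `updatePwd` continues between the two hunks and the avatar handler starts outside its hunk.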
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
@@ -182,7 +182,7 @@
        userService.checkUserAllowed(user);
        userService.checkUserDataScope(user.getUserId());
        user.setPassword(BCrypt.hashpw(user.getPassword()));
        return toAjax(userService.resetPwd(user));
        return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
    }
    /**
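Review bot: The new call on L44 lacks a space after the comma and mutates the request BO on L42 only to read the hash back one line later; a local keeps the intent clearer: `String hashed = BCrypt.hashpw(user.getPassword());` / `return toAjax(userService.resetUserPwd(user.getUserId(), hashed));`. The `checkUserAllowed`/`checkUserDataScope` calls on L40–L41 remain the caller-side authorization for this path, and `resetUserPwd` now goes through the mapper's `update(...)`, which this commit annotates with `@DataPermission`; a one-line comment above L40 such as `// Controller-side checks stay even though the mapper update is data-scope filtered` would stop someone removing them on the assumption that the mapper alone covers it. The enclosing method starts outside the hunk.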
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
@@ -106,4 +106,18 @@
     */
    SysUserVo selectUserById(Long userId);
    @Override
    @DataPermission({
        @DataColumn(key = "deptName", value = "dept_id"),
        @DataColumn(key = "userName", value = "user_id")
    })
    int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
    @Override
    @DataPermission({
        @DataColumn(key = "deptName", value = "dept_id"),
        @DataColumn(key = "userName", value = "user_id")
    })
    int updateById(@Param(Constants.ENTITY) SysUser user);
}
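Review bot: The two overrides on L51–L62 carry no comment explaining why MyBatis-Plus base methods are re-declared here; add `// Re-declared only to attach @DataPermission so UPDATE statements are data-scope filtered` above the first and a matching line above the second. Only `update` and `updateById` are covered; `deleteById`/`deleteBatchIds`, which the service impl calls for user deletion in this same commit, are not re-declared, so the delete path still depends on checks made before the mapper is reached (those callers are not visible here) and that asymmetry is worth stating in the same comment. The `@DataColumn` pair is duplicated verbatim on both methods; if the project already has a shared definition for this pair, reusing it would keep the two copies from drifting apart.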
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -170,28 +170,20 @@
    /**
     * 修改用户头像
     *
     * @param userName 用户名
     * @param userId 用户ID
     * @param avatar   头像地址
     * @return 结果
     */
    boolean updateUserAvatar(String userName, Long avatar);
    boolean updateUserAvatar(Long userId, Long avatar);
    /**
     * 重置用户密码
     *
     * @param user 用户信息
     * @return 结果
     */
    int resetPwd(SysUserBo user);
    /**
     * 重置用户密码
     *
     * @param userName 用户名
     * @param userId 用户ID
     * @param password 密码
     * @return 结果
     */
    int resetUserPwd(String userName, String password);
    int resetUserPwd(Long userId, String password);
    /**
     * 通过用户ID删除用户
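Review bot: The Javadoc on L71 still describes `avatar` as `头像地址` (an avatar URL) while the parameter is a `Long` and the profile controller passes `oss.getOssId()`; update it to `@param avatar   OSS id of the uploaded avatar file` (in the file's Chinese Javadoc convention) so the contract matches the type. The new `@param userId` lines on L70 and L87 are fine; consider also stating in the `resetUserPwd` Javadoc that `password` is expected to be an already-hashed value, since both callers in this commit hash with `BCrypt.hashpw` before calling.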
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -36,8 +36,10 @@
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
/**
 * 用户 业务层处理
@@ -317,7 +319,12 @@
        // 新增用户与岗位管理
        insertUserPost(user);
        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
        return baseMapper.updateById(sysUser);
        //防止错误更新后导致的数据误删除
        int flag = baseMapper.updateById(sysUser);
        if (flag <= 0){
            throw new ServiceException("修改用户"+user.getUserName()+"信息失败");
        }
        return flag;
    }
    /**
@@ -342,8 +349,10 @@
     */
    @Override
    public int updateUserStatus(SysUserBo user) {
        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
        return baseMapper.updateById(sysUser);
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(SysUser::getStatus, user.getStatus())
                .eq(SysUser::getUserId, user.getUserId()));
    }
    /**
@@ -354,50 +363,43 @@
     */
    @Override
    public int updateUserProfile(SysUserBo user) {
        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
        return baseMapper.updateById(sysUser);
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(ObjectUtil.isNotNull(user.getNickName()), SysUser::getNickName, user.getNickName())
                .set(SysUser::getPhonenumber, user.getPhonenumber())
                .set(SysUser::getEmail, user.getEmail())
                .set(SysUser::getSex, user.getSex())
                .eq(SysUser::getUserId, user.getUserId()));
    }
    /**
     * 修改用户头像
     *
     * @param userName 用户名
     * @param userId 用户ID
     * @param avatar   头像地址
     * @return 结果
     */
    @Override
    public boolean updateUserAvatar(String userName, Long avatar) {
    public boolean updateUserAvatar(Long userId, Long avatar) {
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(SysUser::getAvatar, avatar)
                .eq(SysUser::getUserName, userName)) > 0;
                .eq(SysUser::getUserId, userId)) > 0;
    }
    /**
     * 重置用户密码
     *
     * @param user 用户信息
     * @return 结果
     */
    @Override
    public int resetPwd(SysUserBo user) {
        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
        return baseMapper.updateById(sysUser);
    }
    /**
     * 重置用户密码
     *
     * @param userName 用户名
     * @param userId 用户ID
     * @param password 密码
     * @return 结果
     */
    @Override
    public int resetUserPwd(String userName, String password) {
    public int resetUserPwd(Long userId, String password) {
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(SysUser::getPassword, password)
                .eq(SysUser::getUserName, userName));
                .eq(SysUser::getUserId, userId));
    }
    /**
@@ -417,8 +419,20 @@
    public void insertUserPost(SysUserBo user) {
        Long[] posts = user.getPostIds();
        if (ArrayUtil.isNotEmpty(posts)) {
            //判断是否具有此角色的岗位权限
            List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
            if (postList.isEmpty()){
                throw new ServiceException("您不具有操作岗位的权限");
            }
            List<Long> postIdList = Arrays.asList(posts);
            List<Long> canDoPostList = postIdList.stream()
                .filter(postList::contains)
                .collect(Collectors.toList());
            if (canDoPostList.isEmpty()){
                throw new ServiceException("您不具有操作当前岗位的权限");
            }
            // 新增用户与岗位管理
            List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> {
            List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
                SysUserPost up = new SysUserPost();
                up.setUserId(user.getUserId());
                up.setPostId(postId);
@@ -436,8 +450,20 @@
     */
    public void insertUserRole(Long userId, Long[] roleIds) {
        if (ArrayUtil.isNotEmpty(roleIds)) {
            //判断是否具有此角色的操作权限
            List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
            if (roleList.isEmpty()){
                throw new ServiceException("您不具有操作角色的权限");
            }
            List<Long> roleIdList = Arrays.asList(roleIds);
            List<Long> canDoRoleList = roleIdList.stream()
                .filter(roleList::contains)
                .collect(Collectors.toList());
            if (canDoRoleList.isEmpty()){
                throw new ServiceException("您不具有操作当前角色的权限");
            }
            // 新增用户与角色管理
            List<SysUserRole> list = StreamUtils.toList(List.of(roleIds), roleId -> {
            List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
                SysUserRole ur = new SysUserRole();
                ur.setUserId(userId);
                ur.setRoleId(roleId);
@@ -460,7 +486,12 @@
        userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
        // 删除用户与岗位表
        userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
        return baseMapper.deleteById(userId);
        // 防止更新失败导致的数据删除
        int flag = baseMapper.deleteById(userId);
        if (flag <= 0){
            throw new ServiceException("删除用户发生异常");
        }
        return flag;
    }
    /**
@@ -481,7 +512,12 @@
        userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids));
        // 删除用户与岗位表
        userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
        return baseMapper.deleteBatchIds(ids);
        // 防止更新失败导致的数据删除
        int flag = baseMapper.deleteBatchIds(ids);
        if (flag <= 0){
            throw new ServiceException("删除用户发生异常");
        }
        return flag;
    }
    @Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId")
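Review bot: `updateUserProfile` (L136–L142) filters the update by `user.getUserId()` taken from the BO, but nothing in this hunk pins that id to the logged-in user; if the profile controller does not overwrite it with `LoginHelper.getUserId()` before calling, the targeted row is client-controlled and the mapper's new `@DataPermission` only narrows it to the caller's data scope rather than to the caller, so either document the precondition with `// userId must be set by the controller from the session, never from the request body` or, if this method is only reachable from the profile endpoint, pin it with `.eq(SysUser::getUserId, LoginHelper.getUserId())`. Null handling in the same wrapper is inconsistent: `nickName` is set only when non-null while `phonenumber`, `email` and `sex` are set unconditionally, so a BO with those fields unset blanks the stored values; guard them the same way, e.g. `.set(ObjectUtil.isNotNull(user.getEmail()), SysUser::getEmail, user.getEmail())`. Separately, `insertUserPost`/`insertUserRole` (L199–L205, L221–L227) silently drop post/role ids outside the operator's permission and proceed with the remainder, so an over-scoped assignment succeeds partially with no error or log entry; failing when `canDoRoleList.size() != roleIdList.size()` (and likewise for posts) would make such attempts visible instead of masking them. The `flag <= 0` throws on L112, L241 and L254 only undo the earlier child-table deletes if the enclosing methods are transactional, which is outside these hunks; the enclosing methods all start or end outside their hunks.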