From 146c268dff91432c368d610e7fdea9a3a75fdba8 Mon Sep 17 00:00:00 2001
From: 丶Stone <244251889@qq.com>
Date: 星期三, 30 八月 2023 21:35:57 +0800
Subject: [PATCH] !416 fix 修复可能会存在的越权行为 * fix 修复可能会存在的越权行为

---
 ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java |   81 ++++++++++++++++++++++++++++++++++++----
 1 files changed, 72 insertions(+), 9 deletions(-)

diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
index 47527da..79fada2 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
@@ -1,5 +1,8 @@
 package org.dromara.system.service.impl;
 
+import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.stp.StpUtil;
+import cn.hutool.core.bean.BeanUtil;
 import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.util.ObjectUtil;
 import com.baomidou.mybatisplus.core.conditions.Wrapper;
@@ -8,7 +11,10 @@
 import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
+import lombok.RequiredArgsConstructor;
+import org.dromara.common.core.constant.TenantConstants;
 import org.dromara.common.core.constant.UserConstants;
+import org.dromara.common.core.domain.model.LoginUser;
 import org.dromara.common.core.exception.ServiceException;
 import org.dromara.common.core.utils.MapstructUtils;
 import org.dromara.common.core.utils.StreamUtils;
@@ -27,7 +33,6 @@
 import org.dromara.system.mapper.SysRoleMenuMapper;
 import org.dromara.system.mapper.SysUserRoleMapper;
 import org.dromara.system.service.ISysRoleService;
-import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -180,12 +185,28 @@
     /**
      * 鏍¢獙瑙掕壊鏄惁鍏佽鎿嶄綔
      *
-     * @param roleId 瑙掕壊ID
+     * @param role 瑙掕壊淇℃伅
      */
     @Override
-    public void checkRoleAllowed(Long roleId) {
-        if (ObjectUtil.isNotNull(roleId) && LoginHelper.isSuperAdmin(roleId)) {
+    public void checkRoleAllowed(SysRoleBo role) {
+        if (ObjectUtil.isNotNull(role.getRoleId()) && LoginHelper.isSuperAdmin(role.getRoleId())) {
             throw new ServiceException("涓嶅厑璁告搷浣滆秴绾х鐞嗗憳瑙掕壊");
+        }
+        // 鏂板涓嶅厑璁镐娇鐢� 绠$悊鍛樻爣璇嗙
+        if (ObjectUtil.isNull(role.getRoleId())
+            && StringUtils.equalsAny(role.getRoleKey(),
+            TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+            throw new ServiceException("涓嶅厑璁镐娇鐢ㄧ郴缁熷唴缃鐞嗗憳瑙掕壊鏍囪瘑绗�!");
+        }
+        // 淇敼涓嶅厑璁镐慨鏀� 绠$悊鍛樻爣璇嗙
+        if (ObjectUtil.isNotNull(role.getRoleId())) {
+            SysRole sysRole = baseMapper.selectById(role.getRoleId());
+            // 濡傛灉鏍囪瘑绗︿笉鐩哥瓑 鍒ゆ柇涓轰慨鏀逛簡绠$悊鍛樻爣璇嗙
+            if (!StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
+                && StringUtils.equalsAny(sysRole.getRoleKey(),
+                TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+                throw new ServiceException("涓嶅厑璁镐慨鏀圭郴缁熷唴缃鐞嗗憳瑙掕壊鏍囪瘑绗�!");
+            }
         }
     }
 
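Review bot: The update branch still lets an ordinary role be renamed onto a built-in admin key: when `sysRole.getRoleKey()` is a normal key and the submitted `role.getRoleKey()` is `SUPER_ADMIN_ROLE_KEY` or `TENANT_ADMIN_ROLE_KEY`, the keys differ but the stored key is not an admin key, so neither condition fires and the rename goes through — the create branch two lines above already treats that key as forbidden, and whether the rename escalates anything depends on how other code resolves roleKey. Extend the condition so the submitted key is checked too: `&& (StringUtils.equalsAny(sysRole.getRoleKey(), TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY) || StringUtils.equalsAny(role.getRoleKey(), TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY))`. `baseMapper.selectById(role.getRoleId())` can also return null for an id that no longer exists, which turns the check into a NullPointerException on `sysRole.getRoleKey()`; add `if (ObjectUtil.isNull(sysRole)) { throw new ServiceException("<role-not-found message>"); }` before the comparison.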
@@ -262,6 +283,9 @@
      */
     @Override
     public int updateRoleStatus(Long roleId, String status) {
+        if (UserConstants.ROLE_DISABLE.equals(status) && this.countUserRoleByRoleId(roleId) > 0) {
+            throw new ServiceException("瑙掕壊宸插垎閰嶏紝涓嶈兘绂佺敤!");
+        }
         return baseMapper.update(null,
             new LambdaUpdateWrapper<SysRole>()
                 .set(SysRole::getStatus, status)
@@ -354,11 +378,11 @@
     @Transactional(rollbackFor = Exception.class)
     public int deleteRoleByIds(Long[] roleIds) {
         for (Long roleId : roleIds) {
-            checkRoleAllowed(roleId);
-            checkRoleDataScope(roleId);
             SysRole role = baseMapper.selectById(roleId);
+            checkRoleAllowed(BeanUtil.toBean(role, SysRoleBo.class));
+            checkRoleDataScope(roleId);
             if (countUserRoleByRoleId(roleId) > 0) {
-                throw new ServiceException(String.format("%1$s宸插垎閰�,涓嶈兘鍒犻櫎", role.getRoleName()));
+                throw new ServiceException(String.format("%1$s宸插垎閰嶏紝涓嶈兘鍒犻櫎!", role.getRoleName()));
             }
         }
         List<Long> ids = Arrays.asList(roleIds);
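Review bot: `role` from `baseMapper.selectById(roleId)` is passed straight into `BeanUtil.toBean(role, SysRoleBo.class)` and later dereferenced for `role.getRoleName()`, so an id that does not exist now fails with a NullPointerException inside `checkRoleAllowed` instead of a ServiceException. Add a guard immediately after the select: `if (ObjectUtil.isNull(role)) { throw new ServiceException("<role-not-found message>"); }`. The rest of `deleteRoleByIds` continues outside the hunk.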
@@ -377,9 +401,13 @@
      */
     @Override
     public int deleteAuthUser(SysUserRole userRole) {
-        return userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
+        int rows = userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
             .eq(SysUserRole::getRoleId, userRole.getRoleId())
             .eq(SysUserRole::getUserId, userRole.getUserId()));
+        if (rows > 0) {
+            cleanOnlineUserByRole(userRole.getRoleId());
+        }
+        return rows;
     }
 
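Review bot: The new `cleanOnlineUserByRole(userRole.getRoleId())` call misses the case it exists for: that method (last hunk) first runs `userRoleMapper.selectCount(...)` on the role and returns when the count is 0, so when the user just unbound was the role's only holder no token scan happens and that user's cached `LoginUser` keeps the role until the session expires. The same applies to `deleteAuthUsers` in the next hunk whenever `userIds` covers every remaining holder. Drop the short-cut in `cleanOnlineUserByRole` (the `Long num = ...` and `if (num == 0) { return; }` lines); the bindings table cannot tell whether the sessions still carry the role.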
     /**
@@ -391,9 +419,13 @@
      */
     @Override
     public int deleteAuthUsers(Long roleId, Long[] userIds) {
-        return userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
+        int rows = userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
             .eq(SysUserRole::getRoleId, roleId)
             .in(SysUserRole::getUserId, Arrays.asList(userIds)));
+        if (rows > 0) {
+            cleanOnlineUserByRole(roleId);
+        }
+        return rows;
     }
 
     /**
@@ -416,6 +448,37 @@
         if (CollUtil.isNotEmpty(list)) {
             rows = userRoleMapper.insertBatch(list) ? list.size() : 0;
         }
+        if (rows > 0) {
+            cleanOnlineUserByRole(roleId);
+        }
         return rows;
     }
+
+    @Override
+    public void cleanOnlineUserByRole(Long roleId) {
+        // 濡傛灉瑙掕壊鏈粦瀹氱敤鎴� 鐩存帴杩斿洖
+        Long num = userRoleMapper.selectCount(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getRoleId, roleId));
+        if (num == 0) {
+            return;
+        }
+        List<String> keys = StpUtil.searchTokenValue("", 0, -1, false);
+        if (CollUtil.isEmpty(keys)) {
+            return;
+        }
+        // 瑙掕壊鍏宠仈鐨勫湪绾跨敤鎴烽噺杩囧ぇ浼氬鑷磖edis闃诲鍗¢】 璋ㄦ厧鎿嶄綔
+        keys.parallelStream().forEach(key -> {
+            String token = StringUtils.substringAfterLast(key, ":");
+            // 濡傛灉宸茬粡杩囨湡鍒欒烦杩�
+            if (StpUtil.stpLogic.getTokenActiveTimeoutByToken(token) < -1) {
+                return;
+            }
+            LoginUser loginUser = LoginHelper.getLoginUser(token);
+            if (loginUser.getRoles().stream().anyMatch(r -> r.getRoleId().equals(roleId))) {
+                try {
+                    StpUtil.logoutByTokenValue(token);
+                } catch (NotLoginException ignored) {
+                }
+            }
+        });
+    }
 }
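Review bot: `LoginHelper.getLoginUser(token)` is dereferenced without a null check and `r.getRoleId().equals(roleId)` dereferences each role id, so a token whose session disappears between the timeout check and the lookup throws inside `parallelStream().forEach` and aborts the cleanup for every remaining token. Guard it: `if (ObjectUtil.isNull(loginUser) || CollUtil.isEmpty(loginUser.getRoles())) { return; }` and compare as `roleId.equals(r.getRoleId())`. `parallelStream()` also runs the blocking token-store calls on the shared ForkJoin common pool; given the comment already warns about load on redis, a sequential loop with the per-token body wrapped so one failure is logged and skipped is the safer shape. Whether `loginUser.getRoles()` can be null is not visible here — confirm against `LoginUser`. The first part of this hunk belongs to a method whose start is outside the hunk.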

--
Gitblit v1.9.3