From c8d94da4fb66daff6fd5c19635c9f545af2e3ceb Mon Sep 17 00:00:00 2001
From: 疯狂的狮子Li <15040126243@163.com>
Date: 星期六, 17 六月 2023 22:38:06 +0800
Subject: [PATCH] fix 修复 用户篡改管理员角色标识符越权问题
---
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java | 17 +++++------------
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java | 4 ++--
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java | 30 ++++++++++++++++++++++++------
3 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
index d6c1f6a..a474ed3 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
@@ -1,19 +1,14 @@
package org.dromara.system.controller.system;
import cn.dev33.satoken.annotation.SaCheckPermission;
-import cn.dev33.satoken.exception.NotLoginException;
-import cn.dev33.satoken.stp.StpUtil;
-import cn.hutool.core.collection.CollUtil;
-import org.dromara.common.core.constant.GlobalConstants;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
import org.dromara.common.core.domain.R;
-import org.dromara.common.core.domain.model.LoginUser;
-import org.dromara.common.core.utils.StringUtils;
import org.dromara.common.excel.utils.ExcelUtil;
import org.dromara.common.log.annotation.Log;
import org.dromara.common.log.enums.BusinessType;
import org.dromara.common.mybatis.core.page.PageQuery;
import org.dromara.common.mybatis.core.page.TableDataInfo;
-import org.dromara.common.satoken.utils.LoginHelper;
import org.dromara.common.web.core.BaseController;
import org.dromara.system.domain.SysUserRole;
import org.dromara.system.domain.bo.SysDeptBo;
@@ -25,8 +20,6 @@
import org.dromara.system.service.ISysDeptService;
import org.dromara.system.service.ISysRoleService;
import org.dromara.system.service.ISysUserService;
-import jakarta.servlet.http.HttpServletResponse;
-import lombok.RequiredArgsConstructor;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
@@ -102,7 +95,7 @@
@Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
@PutMapping
public R<Void> edit(@Validated @RequestBody SysRoleBo role) {
- roleService.checkRoleAllowed(role.getRoleId());
+ roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
if (!roleService.checkRoleNameUnique(role)) {
return R.fail("淇敼瑙掕壊'" + role.getRoleName() + "'澶辫触锛岃鑹插悕绉板凡瀛樺湪");
@@ -124,7 +117,7 @@
@Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
@PutMapping("/dataScope")
public R<Void> dataScope(@RequestBody SysRoleBo role) {
- roleService.checkRoleAllowed(role.getRoleId());
+ roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
return toAjax(roleService.authDataScope(role));
}
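Review bot: `roleService.checkRoleAllowed(role)` now makes the service compare the stored role key with `role.getRoleKey()`, but the `dataScope` body here, and the `changeStatus` one in the next hunk, only need `roleId` plus `dataScope`/`status`; a client that omits `roleKey` makes `StringUtils.equals(sysRole.getRoleKey(), null)` false, so a status or data-scope update on a tenant-admin role is presumably rejected as a key change even though no key is being changed. Whether the front end always sends the full role object is not visible here, so the safer fix is in the service: treat an absent incoming key as "unchanged", e.g. `if (role.getRoleKey() != null && !StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())`. Both controller methods are complete within their hunks.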
@@ -136,7 +129,7 @@
@Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
@PutMapping("/changeStatus")
public R<Void> changeStatus(@RequestBody SysRoleBo role) {
- roleService.checkRoleAllowed(role.getRoleId());
+ roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
return toAjax(roleService.updateRoleStatus(role.getRoleId(), role.getStatus()));
}
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java
index c073ce9..d2ee61f 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java
@@ -85,9 +85,9 @@
/**
* 鏍¢獙瑙掕壊鏄惁鍏佽鎿嶄綔
*
- * @param roleId 瑙掕壊ID
+ * @param role 瑙掕壊淇℃伅
*/
- void checkRoleAllowed(Long roleId);
+ void checkRoleAllowed(SysRoleBo role);
/**
* 鏍¢獙瑙掕壊鏄惁鏈夋暟鎹潈闄�
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
index c4205eb..44491a7 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java
@@ -2,6 +2,7 @@
import cn.dev33.satoken.exception.NotLoginException;
import cn.dev33.satoken.stp.StpUtil;
+import cn.hutool.core.bean.BeanUtil;
import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.ObjectUtil;
import com.baomidou.mybatisplus.core.conditions.Wrapper;
@@ -10,6 +11,8 @@
import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
import com.baomidou.mybatisplus.core.toolkit.Wrappers;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
+import lombok.RequiredArgsConstructor;
+import org.dromara.common.core.constant.TenantConstants;
import org.dromara.common.core.constant.UserConstants;
import org.dromara.common.core.domain.model.LoginUser;
import org.dromara.common.core.exception.ServiceException;
@@ -30,7 +33,6 @@
import org.dromara.system.mapper.SysRoleMenuMapper;
import org.dromara.system.mapper.SysUserRoleMapper;
import org.dromara.system.service.ISysRoleService;
-import lombok.RequiredArgsConstructor;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
@@ -183,12 +185,28 @@
/**
* 鏍¢獙瑙掕壊鏄惁鍏佽鎿嶄綔
*
- * @param roleId 瑙掕壊ID
+ * @param role 瑙掕壊淇℃伅
*/
@Override
- public void checkRoleAllowed(Long roleId) {
- if (ObjectUtil.isNotNull(roleId) && LoginHelper.isSuperAdmin(roleId)) {
+ public void checkRoleAllowed(SysRoleBo role) {
+ if (ObjectUtil.isNotNull(role.getRoleId()) && LoginHelper.isSuperAdmin(role.getRoleId())) {
throw new ServiceException("涓嶅厑璁告搷浣滆秴绾х鐞嗗憳瑙掕壊");
+ }
+ // 鏂板涓嶅厑璁镐娇鐢� 绠$悊鍛樻爣璇嗙
+ if (ObjectUtil.isNull(role.getRoleId())
+ && StringUtils.equalsAny(role.getRoleKey(),
+ TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+ throw new ServiceException("涓嶅厑璁镐娇鐢ㄧ郴缁熷唴缃鐞嗗憳瑙掕壊鏍囪瘑绗�!");
+ }
+ // 淇敼涓嶅厑璁镐慨鏀� 绠$悊鍛樻爣璇嗙
+ if (ObjectUtil.isNotNull(role.getRoleId())) {
+ SysRole sysRole = baseMapper.selectById(role.getRoleId());
+ // 濡傛灉鏍囪瘑绗︿笉鐩哥瓑 鍒ゆ柇涓轰慨鏀逛簡绠$悊鍛樻爣璇嗙
+ if (!StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
+ && StringUtils.equalsAny(sysRole.getRoleKey(),
+ TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+ throw new ServiceException("涓嶅厑璁镐慨鏀圭郴缁熷唴缃鐞嗗憳瑙掕壊鏍囪瘑绗�!");
+ }
}
}
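Review bot: The update branch only rejects moving an admin role's key away from the built-in values, not moving an ordinary role onto them: when the stored key is not an admin key, `StringUtils.equalsAny(sysRole.getRoleKey(), …)` is false and the incoming `role.getRoleKey()` is never examined, so an update can still assign the super-admin or tenant-admin key to any role, which any role-key based authorization elsewhere would presumably honour. The create branch above already blocks exactly this, so the update condition should test both sides, e.g. `&& (StringUtils.equalsAny(sysRole.getRoleKey(), TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)` `|| StringUtils.equalsAny(role.getRoleKey(), TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY))`. Separately, `baseMapper.selectById` returns null for an unknown id and `sysRole.getRoleKey()` then throws a NullPointerException instead of the ServiceException callers expect; a guard such as `if (sysRole == null) { throw new ServiceException("<role not found message>"); }` before the comparison keeps the normal error path.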
@@ -357,9 +375,9 @@
@Transactional(rollbackFor = Exception.class)
public int deleteRoleByIds(Long[] roleIds) {
for (Long roleId : roleIds) {
- checkRoleAllowed(roleId);
- checkRoleDataScope(roleId);
SysRole role = baseMapper.selectById(roleId);
+ checkRoleAllowed(BeanUtil.toBean(role, SysRoleBo.class));
+ checkRoleDataScope(roleId);
if (countUserRoleByRoleId(roleId) > 0) {
throw new ServiceException(String.format("%1$s宸插垎閰�,涓嶈兘鍒犻櫎", role.getRoleName()));
}
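Review bot: `checkRoleAllowed(BeanUtil.toBean(role, SysRoleBo.class))` is now called before anything verifies that `selectById` found a row, so for an unknown `roleId` either the conversion of a null `role` or the service's `role.getRoleId()` call dereferences null and the loop fails with a NullPointerException rather than a ServiceException naming the missing role. Moving a null check ahead of it, `if (role == null) { throw new ServiceException("<role not found message>"); }`, gives the usual error and also makes the later `role.getRoleName()` safe. Note that `checkRoleAllowed` selects the same row again by id, so each deleted role now costs two reads; harmless, but the converted bean could be avoided if the key check were only needed for create/update paths. The method continues past the end of this hunk.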
--
Gitblit v1.9.3