From c8d94da4fb66daff6fd5c19635c9f545af2e3ceb Mon Sep 17 00:00:00 2001
From: 疯狂的狮子Li <15040126243@163.com>
Date: 星期六, 17 六月 2023 22:38:06 +0800
Subject: [PATCH] fix 修复 用户篡改管理员角色标识符越权问题

---
 ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java |   36 ++++++------------------------------
 1 files changed, 6 insertions(+), 30 deletions(-)

diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
index 242fd9b..a474ed3 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java
@@ -1,18 +1,14 @@
 package org.dromara.system.controller.system;
 
 import cn.dev33.satoken.annotation.SaCheckPermission;
-import cn.dev33.satoken.exception.NotLoginException;
-import cn.dev33.satoken.stp.StpUtil;
-import cn.hutool.core.collection.CollUtil;
-import org.dromara.common.core.constant.GlobalConstants;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 import org.dromara.common.core.domain.R;
-import org.dromara.common.core.domain.model.LoginUser;
 import org.dromara.common.excel.utils.ExcelUtil;
 import org.dromara.common.log.annotation.Log;
 import org.dromara.common.log.enums.BusinessType;
 import org.dromara.common.mybatis.core.page.PageQuery;
 import org.dromara.common.mybatis.core.page.TableDataInfo;
-import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.common.web.core.BaseController;
 import org.dromara.system.domain.SysUserRole;
 import org.dromara.system.domain.bo.SysDeptBo;
@@ -24,8 +20,6 @@
 import org.dromara.system.service.ISysDeptService;
 import org.dromara.system.service.ISysRoleService;
 import org.dromara.system.service.ISysUserService;
-import jakarta.servlet.http.HttpServletResponse;
-import lombok.RequiredArgsConstructor;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -101,7 +95,7 @@
     @Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
     @PutMapping
     public R<Void> edit(@Validated @RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         if (!roleService.checkRoleNameUnique(role)) {
             return R.fail("淇敼瑙掕壊'" + role.getRoleName() + "'澶辫触锛岃鑹插悕绉板凡瀛樺湪");
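Review bot: `roleService.checkRoleAllowed(role)` now receives the whole request body rather than just the id, but nothing at the call site says what the guard rejects, so the next reader cannot tell why the signature changed; a comment such as `// guard against a client-supplied body that targets, or renames itself to, the reserved admin role — checked by the service on the full BO, not only roleId` would keep the intent visible (adjust the wording to whatever checkRoleAllowed actually verifies, which is outside this diff). The same one-line replacement is made in the dataScope and changeStatus hunks below and the same comment applies there. If the BO-based check is what blocks the admin role key, the add endpoint (not in these hunks) presumably needs the same call, since a create request carries the same fields; worth confirming against the service.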
@@ -110,25 +104,7 @@
         }
 
         if (roleService.updateRole(role) > 0) {
-            List<String> keys = StpUtil.searchTokenValue("", 0, -1, false);
-            if (CollUtil.isEmpty(keys)) {
-                return R.ok();
-            }
-            // 瑙掕壊鍏宠仈鐨勫湪绾跨敤鎴烽噺杩囧ぇ浼氬鑷磖edis闃诲鍗¢】 璋ㄦ厧鎿嶄綔
-            keys.parallelStream().forEach(key -> {
-                String token = key.replace(GlobalConstants.LOGIN_TOKEN_KEY, "");
-                // 濡傛灉宸茬粡杩囨湡鍒欒烦杩�
-                if (StpUtil.stpLogic.getTokenActivityTimeoutByToken(token) < -1) {
-                    return;
-                }
-                LoginUser loginUser = LoginHelper.getLoginUser(token);
-                if (loginUser.getRoles().stream().anyMatch(r -> r.getRoleId().equals(role.getRoleId()))) {
-                    try {
-                        StpUtil.logoutByTokenValue(token);
-                    } catch (NotLoginException ignored) {
-                    }
-                }
-            });
+            roleService.cleanOnlineUserByRole(role.getRoleId());
             return R.ok();
         }
         return R.fail("淇敼瑙掕壊'" + role.getRoleName() + "'澶辫触锛岃鑱旂郴绠$悊鍛�");
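Review bot: The removed inline cleanup skipped tokens whose activity timeout reported them as expired and tolerated NotLoginException from logoutByTokenValue, and it carried a warning that a large set of online users can block redis; whether `roleService.cleanOnlineUserByRole(role.getRoleId())` preserves those behaviours cannot be seen from this hunk, so the call deserves a comment stating the contract, e.g. `// invalidate live sessions holding this role so cached permissions do not outlive the change; must tolerate already-expired tokens`. The call runs after updateRole has persisted and before R.ok(), so an exception from it would report failure for an update that has already been written — either the service should swallow per-token errors as the old code did, or the controller should document that the role change is committed regardless. The edit method continues past the end of this hunk.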
@@ -141,7 +117,7 @@
     @Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
     @PutMapping("/dataScope")
     public R<Void> dataScope(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         return toAjax(roleService.authDataScope(role));
     }
@@ -153,7 +129,7 @@
     @Log(title = "瑙掕壊绠$悊", businessType = BusinessType.UPDATE)
     @PutMapping("/changeStatus")
     public R<Void> changeStatus(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         return toAjax(roleService.updateRoleStatus(role.getRoleId(), role.getStatus()));
     }

--
Gitblit v1.9.3