From cdb509a4fa10bf32fd1341e04dee7c9c9c7f8c20 Mon Sep 17 00:00:00 2001
From: jenn <244251889@qq.com>
Date: 星期五, 10 三月 2023 21:15:54 +0800
Subject: [PATCH] fix 修复用户相关更新操作会越权的问题
---
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java | 5 -
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java | 2
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java | 14 ++++
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java | 16 +----
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java | 90 +++++++++++++++++++++---------
5 files changed, 84 insertions(+), 43 deletions(-)
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
index 28b21c9..34aaae5 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
@@ -83,7 +83,6 @@
@PutMapping("/updatePwd")
public R<Void> updatePwd(String oldPassword, String newPassword) {
SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
- String userName = user.getUserName();
String password = user.getPassword();
if (!BCrypt.checkpw(oldPassword, password)) {
return R.fail("淇敼瀵嗙爜澶辫触锛屾棫瀵嗙爜閿欒");
@@ -92,7 +91,7 @@
return R.fail("鏂板瘑鐮佷笉鑳戒笌鏃у瘑鐮佺浉鍚�");
}
- if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) {
+ if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
return R.ok();
}
return R.fail("淇敼瀵嗙爜寮傚父锛岃鑱旂郴绠$悊鍛�");
@@ -113,7 +112,7 @@
}
SysOssVo oss = sysOssService.upload(avatarfile);
String avatar = oss.getUrl();
- if (userService.updateUserAvatar(LoginHelper.getUsername(), oss.getOssId())) {
+ if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
AvatarVo avatarVo = new AvatarVo();
avatarVo.setImgUrl(avatar);
return R.ok(avatarVo);
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
index ed4d5ef..bc067a5 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
@@ -182,7 +182,7 @@
userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId());
user.setPassword(BCrypt.hashpw(user.getPassword()));
- return toAjax(userService.resetPwd(user));
+ return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
}
/**
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
index 8fe4148..19df29b 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
@@ -106,4 +106,18 @@
*/
SysUserVo selectUserById(Long userId);
+ @Override
+ @DataPermission({
+ @DataColumn(key = "deptName", value = "dept_id"),
+ @DataColumn(key = "userName", value = "user_id")
+ })
+ int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
+
+ @Override
+ @DataPermission({
+ @DataColumn(key = "deptName", value = "dept_id"),
+ @DataColumn(key = "userName", value = "user_id")
+ })
+ int updateById(@Param(Constants.ENTITY) SysUser user);
+
}
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
index e1c4c22..b39a473 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -170,28 +170,20 @@
/**
* 淇敼鐢ㄦ埛澶村儚
*
- * @param userName 鐢ㄦ埛鍚�
+ * @param userId 鐢ㄦ埛ID
* @param avatar 澶村儚鍦板潃
* @return 缁撴灉
*/
- boolean updateUserAvatar(String userName, Long avatar);
+ boolean updateUserAvatar(Long userId, Long avatar);
/**
* 閲嶇疆鐢ㄦ埛瀵嗙爜
*
- * @param user 鐢ㄦ埛淇℃伅
- * @return 缁撴灉
- */
- int resetPwd(SysUserBo user);
-
- /**
- * 閲嶇疆鐢ㄦ埛瀵嗙爜
- *
- * @param userName 鐢ㄦ埛鍚�
+ * @param userId 鐢ㄦ埛ID
* @param password 瀵嗙爜
* @return 缁撴灉
*/
- int resetUserPwd(String userName, String password);
+ int resetUserPwd(Long userId, String password);
/**
* 閫氳繃鐢ㄦ埛ID鍒犻櫎鐢ㄦ埛
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
index 598ce47..ea9cf94 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -36,8 +36,10 @@
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
+import java.util.Arrays;
import java.util.List;
import java.util.Map;
+import java.util.stream.Collectors;
/**
* 鐢ㄦ埛 涓氬姟灞傚鐞�
@@ -317,7 +319,12 @@
// 鏂板鐢ㄦ埛涓庡矖浣嶇鐞�
insertUserPost(user);
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
- return baseMapper.updateById(sysUser);
+ //闃叉閿欒鏇存柊鍚庡鑷寸殑鏁版嵁璇垹闄�
+ int flag = baseMapper.updateById(sysUser);
+ if (flag <= 0){
+ throw new ServiceException("淇敼鐢ㄦ埛"+user.getUserName()+"淇℃伅澶辫触");
+ }
+ return flag;
}
/**
@@ -342,8 +349,10 @@
*/
@Override
public int updateUserStatus(SysUserBo user) {
- SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
- return baseMapper.updateById(sysUser);
+ return baseMapper.update(null,
+ new LambdaUpdateWrapper<SysUser>()
+ .set(SysUser::getStatus, user.getStatus())
+ .eq(SysUser::getUserId, user.getUserId()));
}
/**
@@ -354,50 +363,43 @@
*/
@Override
public int updateUserProfile(SysUserBo user) {
- SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
- return baseMapper.updateById(sysUser);
+ return baseMapper.update(null,
+ new LambdaUpdateWrapper<SysUser>()
+ .set(ObjectUtil.isNotNull(user.getNickName()), SysUser::getNickName, user.getNickName())
+ .set(SysUser::getPhonenumber, user.getPhonenumber())
+ .set(SysUser::getEmail, user.getEmail())
+ .set(SysUser::getSex, user.getSex())
+ .eq(SysUser::getUserId, user.getUserId()));
}
/**
* 淇敼鐢ㄦ埛澶村儚
*
- * @param userName 鐢ㄦ埛鍚�
+ * @param userId 鐢ㄦ埛ID
* @param avatar 澶村儚鍦板潃
* @return 缁撴灉
*/
@Override
- public boolean updateUserAvatar(String userName, Long avatar) {
+ public boolean updateUserAvatar(Long userId, Long avatar) {
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getAvatar, avatar)
- .eq(SysUser::getUserName, userName)) > 0;
+ .eq(SysUser::getUserId, userId)) > 0;
}
/**
* 閲嶇疆鐢ㄦ埛瀵嗙爜
*
- * @param user 鐢ㄦ埛淇℃伅
- * @return 缁撴灉
- */
- @Override
- public int resetPwd(SysUserBo user) {
- SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
- return baseMapper.updateById(sysUser);
- }
-
- /**
- * 閲嶇疆鐢ㄦ埛瀵嗙爜
- *
- * @param userName 鐢ㄦ埛鍚�
+ * @param userId 鐢ㄦ埛ID
* @param password 瀵嗙爜
* @return 缁撴灉
*/
@Override
- public int resetUserPwd(String userName, String password) {
+ public int resetUserPwd(Long userId, String password) {
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getPassword, password)
- .eq(SysUser::getUserName, userName));
+ .eq(SysUser::getUserId, userId));
}
/**
@@ -417,8 +419,20 @@
public void insertUserPost(SysUserBo user) {
Long[] posts = user.getPostIds();
if (ArrayUtil.isNotEmpty(posts)) {
+ //鍒ゆ柇鏄惁鍏锋湁姝よ鑹茬殑宀椾綅鏉冮檺
+ List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
+ if (postList.isEmpty()){
+ throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔宀椾綅鐨勬潈闄�");
+ }
+ List<Long> postIdList = Arrays.asList(posts);
+ List<Long> canDoPostList = postIdList.stream()
+ .filter(postList::contains)
+ .collect(Collectors.toList());
+ if (canDoPostList.isEmpty()){
+ throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔褰撳墠宀椾綅鐨勬潈闄�");
+ }
// 鏂板鐢ㄦ埛涓庡矖浣嶇鐞�
- List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> {
+ List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
SysUserPost up = new SysUserPost();
up.setUserId(user.getUserId());
up.setPostId(postId);
@@ -436,8 +450,20 @@
*/
public void insertUserRole(Long userId, Long[] roleIds) {
if (ArrayUtil.isNotEmpty(roleIds)) {
+ //鍒ゆ柇鏄惁鍏锋湁姝よ鑹茬殑鎿嶄綔鏉冮檺
+ List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
+ if (roleList.isEmpty()){
+ throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔瑙掕壊鐨勬潈闄�");
+ }
+ List<Long> roleIdList = Arrays.asList(roleIds);
+ List<Long> canDoRoleList = roleIdList.stream()
+ .filter(roleList::contains)
+ .collect(Collectors.toList());
+ if (canDoRoleList.isEmpty()){
+ throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔褰撳墠瑙掕壊鐨勬潈闄�");
+ }
// 鏂板鐢ㄦ埛涓庤鑹茬鐞�
- List<SysUserRole> list = StreamUtils.toList(List.of(roleIds), roleId -> {
+ List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
SysUserRole ur = new SysUserRole();
ur.setUserId(userId);
ur.setRoleId(roleId);
@@ -460,7 +486,12 @@
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
// 鍒犻櫎鐢ㄦ埛涓庡矖浣嶈〃
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
- return baseMapper.deleteById(userId);
+ // 闃叉鏇存柊澶辫触瀵艰嚧鐨勬暟鎹垹闄�
+ int flag = baseMapper.deleteById(userId);
+ if (flag <= 0){
+ throw new ServiceException("鍒犻櫎鐢ㄦ埛鍙戠敓寮傚父");
+ }
+ return flag;
}
/**
@@ -481,7 +512,12 @@
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids));
// 鍒犻櫎鐢ㄦ埛涓庡矖浣嶈〃
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
- return baseMapper.deleteBatchIds(ids);
+ // 闃叉鏇存柊澶辫触瀵艰嚧鐨勬暟鎹垹闄�
+ int flag = baseMapper.deleteBatchIds(ids);
+ if (flag <= 0){
+ throw new ServiceException("鍒犻櫎鐢ㄦ埛鍙戠敓寮傚父");
+ }
+ return flag;
}
@Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId")
--
Gitblit v1.9.3