From f0a9768d8e7ee39e4e6b2e1646e8585504095ea3 Mon Sep 17 00:00:00 2001 From: 疯狂的狮子Li <15040126243@163.com> Date: 星期六, 11 三月 2023 01:32:38 +0800 Subject: [PATCH] update 优化 重构系统业务数据权限 避免可能存在的越权风险 --- ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java | 124 ++++++++++++++++++++--------------------- 1 files changed, 60 insertions(+), 64 deletions(-) diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java index ea9cf94..5c69b77 100644 --- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java +++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java @@ -36,10 +36,8 @@ import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; -import java.util.Arrays; import java.util.List; import java.util.Map; -import java.util.stream.Collectors; /** * 鐢ㄦ埛 涓氬姟灞傚鐞� @@ -239,11 +237,11 @@ /** * 鏍¢獙鐢ㄦ埛鏄惁鍏佽鎿嶄綔 * - * @param user 鐢ㄦ埛淇℃伅 + * @param userId 鐢ㄦ埛ID */ @Override - public void checkUserAllowed(SysUserBo user) { - if (ObjectUtil.isNotNull(user.getUserId()) && user.isSuperAdmin()) { + public void checkUserAllowed(Long userId) { + if (ObjectUtil.isNotNull(userId) && LoginHelper.isSuperAdmin(userId)) { throw new ServiceException("涓嶅厑璁告搷浣滆秴绾х鐞嗗憳鐢ㄦ埛"); } } 
@@ -255,13 +253,14 @@ */ @Override public void checkUserDataScope(Long userId) { - if (!LoginHelper.isSuperAdmin()) { - SysUserBo user = new SysUserBo(); - user.setUserId(userId); - List<SysUserVo> users = this.selectUserList(user); - if (CollUtil.isEmpty(users)) { - throw new ServiceException("娌℃湁鏉冮檺璁块棶鐢ㄦ埛鏁版嵁锛�"); - } + if (ObjectUtil.isNull(userId)) { + return; + } + if (LoginHelper.isSuperAdmin()) { + return; + } + if (ObjectUtil.isNull(baseMapper.selectUserById(userId))) { + throw new ServiceException("娌℃湁鏉冮檺璁块棶鐢ㄦ埛鏁版嵁锛�"); } } @@ -279,9 +278,9 @@ int rows = baseMapper.insert(sysUser); user.setUserId(sysUser.getUserId()); // 鏂板鐢ㄦ埛宀椾綅鍏宠仈 - insertUserPost(user); + insertUserPost(user, false); // 鏂板鐢ㄦ埛涓庤鑹茬鐞� - insertUserRole(user); + insertUserRole(user, false); return rows; } @@ -309,20 +308,15 @@ @Override @Transactional(rollbackFor = Exception.class) public int updateUser(SysUserBo user) { - Long userId = user.getUserId(); - // 鍒犻櫎鐢ㄦ埛涓庤鑹插叧鑱� - userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId)); // 鏂板鐢ㄦ埛涓庤鑹茬鐞� - insertUserRole(user); - // 鍒犻櫎鐢ㄦ埛涓庡矖浣嶅叧鑱� - userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId)); + insertUserRole(user, true); // 鏂板鐢ㄦ埛涓庡矖浣嶇鐞� - insertUserPost(user); + insertUserPost(user, true); SysUser sysUser = MapstructUtils.convert(user, SysUser.class); - //闃叉閿欒鏇存柊鍚庡鑷寸殑鏁版嵁璇垹闄� + // 闃叉閿欒鏇存柊鍚庡鑷寸殑鏁版嵁璇垹闄� int flag = baseMapper.updateById(sysUser); - if (flag <= 0){ - throw new ServiceException("淇敼鐢ㄦ埛"+user.getUserName()+"淇℃伅澶辫触"); + if (flag < 1) { + throw new ServiceException("淇敼鐢ㄦ埛" + user.getUserName() + "淇℃伅澶辫触"); } return flag; } 
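Review bot: The data-scope check in checkUserDataScope now rests entirely on `baseMapper.selectUserById(userId)`; the removed path went through `selectUserList`, which presumably ran under the data-permission interceptor, whereas a plain by-id lookup would reduce this to an existence check and let an operator act on users outside their own scope. Please confirm that `selectUserById` carries the same data-permission handling as the list query, and add a regression test in which a non-admin operator calls `checkUserDataScope` with a user id from another department and expects a ServiceException. The new early `return` on a null userId also passes silently; if callers may legitimately send null, state that intent on the line, e.g. `// null id: nothing to scope-check, presence is validated by the caller`.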
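Review bot: updateUser no longer clears the existing role and post associations unconditionally; it relies on `insertUserRole(user, true)` and `insertUserPost(user, true)`, but in both helpers (the @@ -405 and @@ -447 hunks) the `clear` delete sits inside the `ArrayUtil.isNotEmpty(...)` guard. An update that submits an empty roleIds or postIds therefore keeps the user's previous roles and posts instead of removing them, which differs from the removed `userRoleMapper.delete(...)`/`userPostMapper.delete(...)` lines and means a role can no longer be revoked through this path. Either move the delete outside the non-empty guard in the helpers, or document on updateUser that an empty array means "leave the current associations unchanged".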
@@ -338,21 +332,22 @@ public void insertUserAuth(Long userId, Long[] roleIds) { userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>() .eq(SysUserRole::getUserId, userId)); - insertUserRole(userId, roleIds); + insertUserRole(userId, roleIds, false); } /** * 淇敼鐢ㄦ埛鐘舵�� * - * @param user 鐢ㄦ埛淇℃伅 + * @param userId 鐢ㄦ埛ID + * @param status 甯愬彿鐘舵�� * @return 缁撴灉 */ @Override - public int updateUserStatus(SysUserBo user) { + public int updateUserStatus(Long userId, String status) { return baseMapper.update(null, new LambdaUpdateWrapper<SysUser>() - .set(SysUser::getStatus, user.getStatus()) - .eq(SysUser::getUserId, user.getUserId())); + .set(SysUser::getStatus, status) + .eq(SysUser::getUserId, userId)); } /** @@ -376,7 +371,7 @@ * 淇敼鐢ㄦ埛澶村儚 * * @param userId 鐢ㄦ埛ID - * @param avatar 澶村儚鍦板潃 + * @param avatar 澶村儚鍦板潃 * @return 缁撴灉 */ @Override @@ -390,7 +385,7 @@ /** * 閲嶇疆鐢ㄦ埛瀵嗙爜 * - * @param userId 鐢ㄦ埛ID + * @param userId 鐢ㄦ埛ID * @param password 瀵嗙爜 * @return 缁撴灉 */ 
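Review bot: updateUserStatus now takes a bare `userId` and `status` and writes straight through `baseMapper.update`, with no `checkUserAllowed(userId)`/`checkUserDataScope(userId)` in the method itself; the same holds for insertUserAuth in the first hunk of this section. If those checks are meant to live in the controller, that contract should be stated in the Javadoc so a future caller does not bypass it, e.g. `@implSpec callers must run checkUserAllowed/checkUserDataScope before invoking this method`; otherwise add the two calls as the first lines of the method. `status` is also written as received, so if only a fixed set of values is valid it should be rejected before the update rather than persisted verbatim.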
@@ -405,34 +400,29 @@ /** * 鏂板鐢ㄦ埛瑙掕壊淇℃伅 * - * @param user 鐢ㄦ埛瀵硅薄 + * @param user 鐢ㄦ埛瀵硅薄 + * @param clear 娓呴櫎宸插瓨鍦ㄧ殑鍏宠仈鏁版嵁 */ - public void insertUserRole(SysUserBo user) { - this.insertUserRole(user.getUserId(), user.getRoleIds()); + public void insertUserRole(SysUserBo user, boolean clear) { + this.insertUserRole(user.getUserId(), user.getRoleIds(), clear); } /** * 鏂板鐢ㄦ埛宀椾綅淇℃伅 * - * @param user 鐢ㄦ埛瀵硅薄 + * @param user 鐢ㄦ埛瀵硅薄 + * @param clear 娓呴櫎宸插瓨鍦ㄧ殑鍏宠仈鏁版嵁 */ - public void insertUserPost(SysUserBo user) { + public void insertUserPost(SysUserBo user, boolean clear) { Long[] posts = user.getPostIds(); if (ArrayUtil.isNotEmpty(posts)) { - //鍒ゆ柇鏄惁鍏锋湁姝よ鑹茬殑宀椾綅鏉冮檺 - List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId()); - if (postList.isEmpty()){ - throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔宀椾綅鐨勬潈闄�"); - } - List<Long> postIdList = Arrays.asList(posts); - List<Long> canDoPostList = postIdList.stream() - .filter(postList::contains) - .collect(Collectors.toList()); - if (canDoPostList.isEmpty()){ - throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔褰撳墠宀椾綅鐨勬潈闄�"); + Long userId = LoginHelper.getUserId(); + if (clear) { + // 鍒犻櫎鐢ㄦ埛涓庡矖浣嶅叧鑱� + userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId)); } // 鏂板鐢ㄦ埛涓庡矖浣嶇鐞� - List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> { + List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> { SysUserPost up = new SysUserPost(); up.setUserId(user.getUserId()); up.setPostId(postId); 
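Review bot: In insertUserPost the `clear` branch deletes the associations of the wrong user: `Long userId = LoginHelper.getUserId();` is the logged-in operator, yet the new rows are inserted with `up.setUserId(user.getUserId())`. When an admin updates another user, the admin's own post links are wiped and the target's stale ones remain, so updateUser (which passes `clear = true`) will insert duplicates. The line should read `Long userId = user.getUserId();`. Separately, the previous check that the operator actually holds the posts being assigned (`postMapper.selectPostListByUserId` plus the filter) was dropped with no replacement, so posts are now written from `List.of(posts)` unfiltered; if post assignment is meant to be scoped like roles in the @@ -447 hunk, an equivalent filter is needed here. The method body continues past the end of the hunk.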
@@ -447,20 +437,26 @@ * * @param userId 鐢ㄦ埛ID * @param roleIds 瑙掕壊缁� + * @param clear 娓呴櫎宸插瓨鍦ㄧ殑鍏宠仈鏁版嵁 */ - public void insertUserRole(Long userId, Long[] roleIds) { + public void insertUserRole(Long userId, Long[] roleIds, boolean clear) { if (ArrayUtil.isNotEmpty(roleIds)) { - //鍒ゆ柇鏄惁鍏锋湁姝よ鑹茬殑鎿嶄綔鏉冮檺 - List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId()); - if (roleList.isEmpty()){ - throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔瑙掕壊鐨勬潈闄�"); + // 鍒ゆ柇鏄惁鍏锋湁姝よ鑹茬殑鎿嶄綔鏉冮檺 + List<SysRoleVo> roles = roleMapper.selectRoleList(new LambdaQueryWrapper<>()); + if (CollUtil.isEmpty(roles)) { + throw new ServiceException("娌℃湁鏉冮檺璁块棶瑙掕壊鐨勬暟鎹�"); } - List<Long> roleIdList = Arrays.asList(roleIds); - List<Long> canDoRoleList = roleIdList.stream() - .filter(roleList::contains) - .collect(Collectors.toList()); - if (canDoRoleList.isEmpty()){ - throw new ServiceException("鎮ㄤ笉鍏锋湁鎿嶄綔褰撳墠瑙掕壊鐨勬潈闄�"); + List<Long> roleList = StreamUtils.toList(roles, SysRoleVo::getRoleId); + if (!LoginHelper.isSuperAdmin(userId)) { + roleList.remove(UserConstants.SUPER_ADMIN_ID); + } + List<Long> canDoRoleList = StreamUtils.filter(List.of(roleIds), roleList::contains); + if (CollUtil.isEmpty(canDoRoleList)) { + throw new ServiceException("娌℃湁鏉冮檺璁块棶瑙掕壊鐨勬暟鎹�"); + } + if (clear) { + // 鍒犻櫎鐢ㄦ埛涓庤鑹插叧鑱� + userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId)); } // 鏂板鐢ㄦ埛涓庤鑹茬鐞� List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> { @@ -488,8 +484,8 @@ userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId)); // 闃叉鏇存柊澶辫触瀵艰嚧鐨勬暟鎹垹闄� int flag = baseMapper.deleteById(userId); - if (flag <= 0){ - throw new ServiceException("鍒犻櫎鐢ㄦ埛鍙戠敓寮傚父"); + if (flag < 1) { + throw new ServiceException("鍒犻櫎鐢ㄦ埛澶辫触!"); } return flag; } 
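Review bot: `roleList.remove(UserConstants.SUPER_ADMIN_ID)` in insertUserRole is fragile: it relies on `StreamUtils.toList` returning a mutable list and on `SUPER_ADMIN_ID` being a boxed `Long`, since with a primitive constant the call would bind to `remove(int index)` and silently drop the wrong element. `roleList.removeIf(id -> UserConstants.SUPER_ADMIN_ID.equals(id))` avoids both pitfalls, or exclude the id while building the list. Note also that role ids outside the operator's visible set are dropped silently by `StreamUtils.filter(List.of(roleIds), roleList::contains)` and the request still succeeds with the remaining subset; from a fail-closed standpoint it would be preferable to reject when `canDoRoleList.size() != roleIds.length`, or at least log the dropped ids, so that a request naming the super-admin role is visible as a refusal rather than a partial success. The method body continues past the hunk.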
@@ -504,7 +500,7 @@ @Transactional(rollbackFor = Exception.class) public int deleteUserByIds(Long[] userIds) { for (Long userId : userIds) { - checkUserAllowed(new SysUserBo(userId)); + checkUserAllowed(userId); checkUserDataScope(userId); } List<Long> ids = List.of(userIds); @@ -514,8 +510,8 @@ userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids)); // 闃叉鏇存柊澶辫触瀵艰嚧鐨勬暟鎹垹闄� int flag = baseMapper.deleteBatchIds(ids); - if (flag <= 0){ - throw new ServiceException("鍒犻櫎鐢ㄦ埛鍙戠敓寮傚父"); + if (flag < 1) { + throw new ServiceException("鍒犻櫎鐢ㄦ埛澶辫触!"); } return flag; } -- Gitblit v1.9.3