作者 RuoYi

用户访问控制时校验数据权限,防止越权

@@ -125,16 +125,17 @@ public class SysDeptController extends BaseController @@ -125,16 +125,17 @@ public class SysDeptController extends BaseController
125 @PutMapping 125 @PutMapping
126 public AjaxResult edit(@Validated @RequestBody SysDept dept) 126 public AjaxResult edit(@Validated @RequestBody SysDept dept)
127 { 127 {
  128 + Long deptId = dept.getDeptId();
  129 + deptService.checkDeptDataScope(deptId);
128 if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept))) 130 if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept)))
129 { 131 {
130 return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,部门名称已存在"); 132 return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,部门名称已存在");
131 } 133 }
132 - else if (dept.getParentId().equals(dept.getDeptId())) 134 + else if (dept.getParentId().equals(deptId))
133 { 135 {
134 return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,上级部门不能是自己"); 136 return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,上级部门不能是自己");
135 } 137 }
136 - else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus())  
137 - && deptService.selectNormalChildrenDeptById(dept.getDeptId()) > 0) 138 + else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) && deptService.selectNormalChildrenDeptById(deptId) > 0)
138 { 139 {
139 return AjaxResult.error("该部门包含未停用的子部门!"); 140 return AjaxResult.error("该部门包含未停用的子部门!");
140 } 141 }
@@ -158,6 +159,7 @@ public class SysDeptController extends BaseController @@ -158,6 +159,7 @@ public class SysDeptController extends BaseController
158 { 159 {
159 return AjaxResult.error("部门存在用户,不允许删除"); 160 return AjaxResult.error("部门存在用户,不允许删除");
160 } 161 }
  162 + deptService.checkDeptDataScope(deptId);
161 return toAjax(deptService.deleteDeptById(deptId)); 163 return toAjax(deptService.deleteDeptById(deptId));
162 } 164 }
163 } 165 }
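Review bot: In `remove`, the new `deptService.checkDeptDataScope(deptId)` at new line 162 runs only after the user-count check at line 160 (and whatever checks precede the hunk), so a caller outside the department's data scope still gets the '部门存在用户,不允许删除' response and learns whether that department has users before being rejected; making the call the first statement of `remove` closes that and matches `edit`, where the scope check is the first statement. `remove`'s signature and its earlier checks are outside the hunk. In `edit`, only `deptId` is scope-checked: `dept.getParentId()` is compared against `deptId` but never passed to `checkDeptDataScope`, so unless the service layer validates the new parent (not visible here) a caller could re-parent a department under one outside their scope — consider `deptService.checkDeptDataScope(dept.getParentId());` after the self-parent check.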
@@ -111,6 +111,7 @@ public class SysRoleController extends BaseController @@ -111,6 +111,7 @@ public class SysRoleController extends BaseController
111 public AjaxResult edit(@Validated @RequestBody SysRole role) 111 public AjaxResult edit(@Validated @RequestBody SysRole role)
112 { 112 {
113 roleService.checkRoleAllowed(role); 113 roleService.checkRoleAllowed(role);
  114 + roleService.checkRoleDataScope(role.getRoleId());
114 if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role))) 115 if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role)))
115 { 116 {
116 return AjaxResult.error("修改角色'" + role.getRoleName() + "'失败,角色名称已存在"); 117 return AjaxResult.error("修改角色'" + role.getRoleName() + "'失败,角色名称已存在");
@@ -145,6 +146,7 @@ public class SysRoleController extends BaseController @@ -145,6 +146,7 @@ public class SysRoleController extends BaseController
145 public AjaxResult dataScope(@RequestBody SysRole role) 146 public AjaxResult dataScope(@RequestBody SysRole role)
146 { 147 {
147 roleService.checkRoleAllowed(role); 148 roleService.checkRoleAllowed(role);
  149 + roleService.checkRoleDataScope(role.getRoleId());
148 return toAjax(roleService.authDataScope(role)); 150 return toAjax(roleService.authDataScope(role));
149 } 151 }
150 152
@@ -157,6 +159,7 @@ public class SysRoleController extends BaseController @@ -157,6 +159,7 @@ public class SysRoleController extends BaseController
157 public AjaxResult changeStatus(@RequestBody SysRole role) 159 public AjaxResult changeStatus(@RequestBody SysRole role)
158 { 160 {
159 roleService.checkRoleAllowed(role); 161 roleService.checkRoleAllowed(role);
  162 + roleService.checkRoleDataScope(role.getRoleId());
160 role.setUpdateBy(getUsername()); 163 role.setUpdateBy(getUsername());
161 return toAjax(roleService.updateRoleStatus(role)); 164 return toAjax(roleService.updateRoleStatus(role));
162 } 165 }
@@ -236,6 +239,7 @@ public class SysRoleController extends BaseController @@ -236,6 +239,7 @@ public class SysRoleController extends BaseController
236 @PutMapping("/authUser/selectAll") 239 @PutMapping("/authUser/selectAll")
237 public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds) 240 public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds)
238 { 241 {
  242 + roleService.checkRoleDataScope(roleId);
239 return toAjax(roleService.insertAuthUsers(roleId, userIds)); 243 return toAjax(roleService.insertAuthUsers(roleId, userIds));
240 } 244 }
241 } 245 }
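Review bot: `selectAuthUserAll` at new line 242 gets `roleService.checkRoleDataScope(roleId)` but, unlike `edit`, `dataScope` and `changeStatus` in this file and the delete loop in `SysRoleServiceImpl`, no `checkRoleAllowed` call precedes it; if `checkRoleAllowed` is what refuses operations on the built-in admin role, add `roleService.checkRoleAllowed(new SysRole(roleId));` before the scope check so the protection is uniform. The `userIds` being granted the role are not checked against the caller's user data scope anywhere in the hunk; whether `insertAuthUsers` does that internally is not visible, so confirm it or check each id before the insert.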
@@ -148,6 +148,7 @@ public class SysUserController extends BaseController @@ -148,6 +148,7 @@ public class SysUserController extends BaseController
148 public AjaxResult edit(@Validated @RequestBody SysUser user) 148 public AjaxResult edit(@Validated @RequestBody SysUser user)
149 { 149 {
150 userService.checkUserAllowed(user); 150 userService.checkUserAllowed(user);
  151 + userService.checkUserDataScope(user.getUserId());
151 if (StringUtils.isNotEmpty(user.getPhonenumber()) 152 if (StringUtils.isNotEmpty(user.getPhonenumber())
152 && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user))) 153 && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
153 { 154 {
@@ -186,6 +187,7 @@ public class SysUserController extends BaseController @@ -186,6 +187,7 @@ public class SysUserController extends BaseController
186 public AjaxResult resetPwd(@RequestBody SysUser user) 187 public AjaxResult resetPwd(@RequestBody SysUser user)
187 { 188 {
188 userService.checkUserAllowed(user); 189 userService.checkUserAllowed(user);
  190 + userService.checkUserDataScope(user.getUserId());
189 user.setPassword(SecurityUtils.encryptPassword(user.getPassword())); 191 user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
190 user.setUpdateBy(getUsername()); 192 user.setUpdateBy(getUsername());
191 return toAjax(userService.resetPwd(user)); 193 return toAjax(userService.resetPwd(user));
@@ -200,6 +202,7 @@ public class SysUserController extends BaseController @@ -200,6 +202,7 @@ public class SysUserController extends BaseController
200 public AjaxResult changeStatus(@RequestBody SysUser user) 202 public AjaxResult changeStatus(@RequestBody SysUser user)
201 { 203 {
202 userService.checkUserAllowed(user); 204 userService.checkUserAllowed(user);
  205 + userService.checkUserDataScope(user.getUserId());
203 user.setUpdateBy(getUsername()); 206 user.setUpdateBy(getUsername());
204 return toAjax(userService.updateUserStatus(user)); 207 return toAjax(userService.updateUserStatus(user));
205 } 208 }
@@ -227,6 +230,7 @@ public class SysUserController extends BaseController @@ -227,6 +230,7 @@ public class SysUserController extends BaseController
227 @PutMapping("/authRole") 230 @PutMapping("/authRole")
228 public AjaxResult insertAuthRole(Long userId, Long[] roleIds) 231 public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
229 { 232 {
  233 + userService.checkUserDataScope(userId);
230 userService.insertUserAuth(userId, roleIds); 234 userService.insertUserAuth(userId, roleIds);
231 return success(); 235 return success();
232 } 236 }
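Review bot: `insertAuthRole` at new line 233 checks only `userId`; `roleIds` go straight into `userService.insertUserAuth` with no role-scope check, so a caller could attach roles outside their own data scope to a user they may manage unless `insertUserAuth` validates them — that is not visible here and should be confirmed. It also omits the `userService.checkUserAllowed(new SysUser(userId));` call that `edit`, `resetPwd` and `changeStatus` perform immediately before `checkUserDataScope`, and that the delete loop in `SysUserServiceImpl` performs per id; adding it keeps the admin-user protection consistent. The same question applies to `edit`: any dept or role fields carried in the `SysUser` body are not scope-checked within the hunk.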
@@ -361,6 +361,7 @@ public class SysRoleServiceImpl implements ISysRoleService @@ -361,6 +361,7 @@ public class SysRoleServiceImpl implements ISysRoleService
361 for (Long roleId : roleIds) 361 for (Long roleId : roleIds)
362 { 362 {
363 checkRoleAllowed(new SysRole(roleId)); 363 checkRoleAllowed(new SysRole(roleId));
  364 + checkRoleDataScope(roleId);
364 SysRole role = selectRoleById(roleId); 365 SysRole role = selectRoleById(roleId);
365 if (countUserRoleByRoleId(roleId) > 0) 366 if (countUserRoleByRoleId(roleId) > 0)
366 { 367 {
@@ -482,6 +482,7 @@ public class SysUserServiceImpl implements ISysUserService @@ -482,6 +482,7 @@ public class SysUserServiceImpl implements ISysUserService
482 for (Long userId : userIds) 482 for (Long userId : userIds)
483 { 483 {
484 checkUserAllowed(new SysUser(userId)); 484 checkUserAllowed(new SysUser(userId));
  485 + checkUserDataScope(userId);
485 } 486 }
486 // 删除用户与角色关联 487 // 删除用户与角色关联
487 userRoleMapper.deleteUserRole(userIds); 488 userRoleMapper.deleteUserRole(userIds);