用户访问控制时校验数据权限，防止越权

2022-01-27 11:13:59 +08:00 · 2022-01-27 11:13:59 +08:00 · ed1e7e69a8
parent e9ebf86ac8
commit ed1e7e69a8
5 changed files with 16 additions and 4 deletions
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysDeptController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysDeptController.java
@ -109,16 +109,17 @@ public class SysDeptController extends BaseController
    @ResponseBody
    public AjaxResult editSave(@Validated SysDept dept)
    {
+        Long deptId = dept.getDeptId();
+        deptService.checkDeptDataScope(deptId);
        if (UserConstants.DEPT_NAME_NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept)))
        {
            return error("修改部门'" + dept.getDeptName() + "'失败，部门名称已存在");
        }
-        else if (dept.getParentId().equals(dept.getDeptId()))
+        else if (dept.getParentId().equals(deptId))
        {
            return error("修改部门'" + dept.getDeptName() + "'失败，上级部门不能是自己");
        }
-        else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus())
-                && deptService.selectNormalChildrenDeptById(dept.getDeptId()) > 0)
+        else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) && deptService.selectNormalChildrenDeptById(deptId) > 0)
        {
            return AjaxResult.error("该部门包含未停用的子部门！");
        }
@ -143,6 +144,7 @@ public class SysDeptController extends BaseController
        {
            return AjaxResult.warn("部门存在用户,不允许删除");
        }
+        deptService.checkDeptDataScope(deptId);
        return toAjax(deptService.deleteDeptById(deptId));
    }

--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
@ -124,6 +124,7 @@ public class SysRoleController extends BaseController
    public AjaxResult editSave(@Validated SysRole role)
    {
        roleService.checkRoleAllowed(role);
+        roleService.checkRoleDataScope(role.getRoleId());
        if (UserConstants.ROLE_NAME_NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role)))
        {
            return error("修改角色'" + role.getRoleName() + "'失败，角色名称已存在");
@ -157,6 +158,7 @@ public class SysRoleController extends BaseController
    public AjaxResult authDataScopeSave(SysRole role)
    {
        roleService.checkRoleAllowed(role);
+        roleService.checkRoleDataScope(role.getRoleId());
        role.setUpdateBy(getLoginName());
        if (roleService.authDataScope(role) > 0)
        {
@ -214,6 +216,7 @@ public class SysRoleController extends BaseController
    public AjaxResult changeStatus(SysRole role)
    {
        roleService.checkRoleAllowed(role);
+        roleService.checkRoleDataScope(role.getRoleId());
        return toAjax(roleService.changeStatus(role));
    }

@ -297,6 +300,7 @@ public class SysRoleController extends BaseController
    @ResponseBody
    public AjaxResult selectAuthUserAll(Long roleId, String userIds)
    {
+        roleService.checkRoleDataScope(roleId);
        return toAjax(roleService.insertAuthUsers(roleId, userIds));
    }
 }
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
@ -169,6 +169,7 @@ public class SysUserController extends BaseController
    public AjaxResult editSave(@Validated SysUser user)
    {
        userService.checkUserAllowed(user);
+        userService.checkUserDataScope(user.getUserId());
        if (StringUtils.isNotEmpty(user.getPhonenumber())
                && UserConstants.USER_PHONE_NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
        {
@ -199,6 +200,7 @@ public class SysUserController extends BaseController
    public AjaxResult resetPwdSave(SysUser user)
    {
        userService.checkUserAllowed(user);
+        userService.checkUserDataScope(user.getUserId());
        user.setSalt(ShiroUtils.randomSalt());
        user.setPassword(passwordService.encryptPassword(user.getLoginName(), user.getPassword(), user.getSalt()));
        if (userService.resetUserPwd(user) > 0)
@ -235,6 +237,7 @@ public class SysUserController extends BaseController
    @ResponseBody
    public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
    {
+        userService.checkUserDataScope(userId);
        userService.insertUserAuth(userId, roleIds);
        AuthorizationUtils.clearAllCachedAuthorizationInfo();
        return success();
@ -293,6 +296,7 @@ public class SysUserController extends BaseController
    public AjaxResult changeStatus(SysUser user)
    {
        userService.checkUserAllowed(user);
+        userService.checkUserDataScope(user.getUserId());
        return toAjax(userService.changeStatus(user));
    }
 }
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
@ -159,6 +159,7 @@ public class SysRoleServiceImpl implements ISysRoleService
        for (Long roleId : roleIds)
        {
            checkRoleAllowed(new SysRole(roleId));
+            checkRoleDataScope(roleId);
            SysRole role = selectRoleById(roleId);
            if (countUserRoleByRoleId(roleId) > 0)
            {
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@ -47,7 +47,7 @@ public class SysUserServiceImpl implements ISysUserService

    @Autowired
    private SysRoleMapper roleMapper;
-
+    
    @Autowired
    private SysPostMapper postMapper;

@ -193,6 +193,7 @@ public class SysUserServiceImpl implements ISysUserService
        for (Long userId : userIds)
        {
            checkUserAllowed(new SysUser(userId));
+            checkUserDataScope(userId);
        }
        // 删除用户与角色关联
        userRoleMapper.deleteUserRole(userIds);