From 612c4293d16e782e3905edc4e10cf621e1b4e411 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: Thu, 27 Jan 2022 12:05:04 +0800
Subject: [PATCH] 用户访问控制时校验数据权限,防止越权
---
ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java | 34 +++++++++++++++++-----------------
1 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
index b3febad..56f3dac 100644
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -2,11 +2,14 @@
import java.util.ArrayList;
import java.util.List;
+import java.util.stream.Collectors;
+import javax.validation.Validator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
+import org.springframework.util.CollectionUtils;
import com.ruoyi.common.annotation.DataScope;
import com.ruoyi.common.constant.UserConstants;
import com.ruoyi.common.core.domain.entity.SysRole;
@@ -14,6 +17,7 @@
import com.ruoyi.common.exception.ServiceException;
import com.ruoyi.common.utils.SecurityUtils;
import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.utils.bean.BeanValidators;
import com.ruoyi.common.utils.spring.SpringUtils;
import com.ruoyi.system.domain.SysPost;
import com.ruoyi.system.domain.SysUserPost;
@@ -53,6 +57,9 @@
@Autowired
private ISysConfigService configService;
+
+ @Autowired
+ protected Validator validator;
/**
* 根据条件分页查询用户列表
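Review bot: The new `validator` field is declared `protected`, while the neighbouring injected `configService` is `private`. Unless a subclass is meant to use it, the wider visibility lets subclasses and same-package code replace the validator that the import path relies on. Declaring it as `private Validator validator;` would match the other injected field. The class body continues outside the hunk, so whether a subclass reads the field cannot be confirmed from here.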
@@ -127,16 +134,11 @@
public String selectUserRoleGroup(String userName)
{
List<SysRole> list = roleMapper.selectRolesByUserName(userName);
- StringBuffer idsStr = new StringBuffer();
- for (SysRole role : list)
+ if (CollectionUtils.isEmpty(list))
{
- idsStr.append(role.getRoleName()).append(",");
+ return StringUtils.EMPTY;
}
- if (StringUtils.isNotEmpty(idsStr.toString()))
- {
- return idsStr.substring(0, idsStr.length() - 1);
- }
- return idsStr.toString();
+ return list.stream().map(SysRole::getRoleName).collect(Collectors.joining(","));
}
/**
@@ -149,16 +151,11 @@
public String selectUserPostGroup(String userName)
{
List<SysPost> list = postMapper.selectPostsByUserName(userName);
- StringBuffer idsStr = new StringBuffer();
- for (SysPost post : list)
+ if (CollectionUtils.isEmpty(list))
{
- idsStr.append(post.getPostName()).append(",");
+ return StringUtils.EMPTY;
}
- if (StringUtils.isNotEmpty(idsStr.toString()))
- {
- return idsStr.substring(0, idsStr.length() - 1);
- }
- return idsStr.toString();
+ return list.stream().map(SysPost::getPostName).collect(Collectors.joining(","));
}
/**
@@ -179,7 +176,7 @@
}
/**
- * 校验用户名称是否唯一
+ * 校验手机号码是否唯一
*
* @param user 用户信息
* @return
@@ -485,6 +482,7 @@
for (Long userId : userIds)
{
checkUserAllowed(new SysUser(userId));
+ checkUserDataScope(userId);
}
// 删除用户与角色关联
userRoleMapper.deleteUserRole(userIds);
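Review bot: The checks in this loop protect the deletes only because every id is checked before the first delete statement runs, and nothing in the code states that ordering. A later refactor that moves the deletes into the loop could remove some users before a denied id is reached. Add a comment above the loop, for example `// Check every id (protected account and caller's data scope) before deleting anything; one failure must abort the whole batch.` The method signature and any `@Transactional` annotation are outside the hunk, so rollback behaviour cannot be confirmed here. `checkUserDataScope` is also defined outside the hunk and presumably throws when the id is outside the caller's scope.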
@@ -521,6 +519,7 @@
SysUser u = userMapper.selectUserByUserName(user.getUserName());
if (StringUtils.isNull(u))
{
+ BeanValidators.validateWithException(validator, user);
user.setPassword(SecurityUtils.encryptPassword(password));
user.setCreateBy(operName);
this.insertUser(user);
@@ -529,6 +528,7 @@
}
else if (isUpdateSupport)
{
+ BeanValidators.validateWithException(validator, user);
user.setUpdateBy(operName);
this.updateUser(user);
successNum++;
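Review bot: The update branch (`else if (isUpdateSupport)`) validates the bean but then calls `this.updateUser(user)` on an account matched by user name, without the `checkUserAllowed` / `checkUserDataScope` pair this commit adds to the delete loop. An import with update support may therefore overwrite a user outside the importer's data scope. Consider adding `checkUserAllowed(u);` and `checkUserDataScope(u.getUserId());` before `user.setUpdateBy(operName);`. `updateUser` is outside the hunk, so the addition is redundant if it already enforces these checks. The enclosing import method also starts and ends outside the hunk.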
--
Gitblit v1.9.2