用户访问控制时校验数据权限,防止越权

master
RuoYi 3 years ago
parent 8007b22b85
commit 612c4293d1
  1. 8
      ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysDeptController.java
  2. 4
      ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
  3. 4
      ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
  4. 1
      ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
  5. 1
      ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java

@ -125,16 +125,17 @@ public class SysDeptController extends BaseController
@PutMapping @PutMapping
public AjaxResult edit(@Validated @RequestBody SysDept dept) public AjaxResult edit(@Validated @RequestBody SysDept dept)
{ {
Long deptId = dept.getDeptId();
deptService.checkDeptDataScope(deptId);
if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept))) if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept)))
{ {
return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,部门名称已存在"); return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,部门名称已存在");
} }
else if (dept.getParentId().equals(dept.getDeptId())) else if (dept.getParentId().equals(deptId))
{ {
return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,上级部门不能是自己"); return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,上级部门不能是自己");
} }
else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) && deptService.selectNormalChildrenDeptById(deptId) > 0)
&& deptService.selectNormalChildrenDeptById(dept.getDeptId()) > 0)
{ {
return AjaxResult.error("该部门包含未停用的子部门!"); return AjaxResult.error("该部门包含未停用的子部门!");
} }
@ -158,6 +159,7 @@ public class SysDeptController extends BaseController
{ {
return AjaxResult.error("部门存在用户,不允许删除"); return AjaxResult.error("部门存在用户,不允许删除");
} }
deptService.checkDeptDataScope(deptId);
return toAjax(deptService.deleteDeptById(deptId)); return toAjax(deptService.deleteDeptById(deptId));
} }
} }

@ -111,6 +111,7 @@ public class SysRoleController extends BaseController
public AjaxResult edit(@Validated @RequestBody SysRole role) public AjaxResult edit(@Validated @RequestBody SysRole role)
{ {
roleService.checkRoleAllowed(role); roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role))) if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role)))
{ {
return AjaxResult.error("修改角色'" + role.getRoleName() + "'失败,角色名称已存在"); return AjaxResult.error("修改角色'" + role.getRoleName() + "'失败,角色名称已存在");
@ -145,6 +146,7 @@ public class SysRoleController extends BaseController
public AjaxResult dataScope(@RequestBody SysRole role) public AjaxResult dataScope(@RequestBody SysRole role)
{ {
roleService.checkRoleAllowed(role); roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
return toAjax(roleService.authDataScope(role)); return toAjax(roleService.authDataScope(role));
} }
@ -157,6 +159,7 @@ public class SysRoleController extends BaseController
public AjaxResult changeStatus(@RequestBody SysRole role) public AjaxResult changeStatus(@RequestBody SysRole role)
{ {
roleService.checkRoleAllowed(role); roleService.checkRoleAllowed(role);
roleService.checkRoleDataScope(role.getRoleId());
role.setUpdateBy(getUsername()); role.setUpdateBy(getUsername());
return toAjax(roleService.updateRoleStatus(role)); return toAjax(roleService.updateRoleStatus(role));
} }
@ -236,6 +239,7 @@ public class SysRoleController extends BaseController
@PutMapping("/authUser/selectAll") @PutMapping("/authUser/selectAll")
public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds) public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds)
{ {
roleService.checkRoleDataScope(roleId);
return toAjax(roleService.insertAuthUsers(roleId, userIds)); return toAjax(roleService.insertAuthUsers(roleId, userIds));
} }
} }

@ -148,6 +148,7 @@ public class SysUserController extends BaseController
public AjaxResult edit(@Validated @RequestBody SysUser user) public AjaxResult edit(@Validated @RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId());
if (StringUtils.isNotEmpty(user.getPhonenumber()) if (StringUtils.isNotEmpty(user.getPhonenumber())
&& UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user))) && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{ {
@ -186,6 +187,7 @@ public class SysUserController extends BaseController
public AjaxResult resetPwd(@RequestBody SysUser user) public AjaxResult resetPwd(@RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId());
user.setPassword(SecurityUtils.encryptPassword(user.getPassword())); user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
user.setUpdateBy(getUsername()); user.setUpdateBy(getUsername());
return toAjax(userService.resetPwd(user)); return toAjax(userService.resetPwd(user));
@ -200,6 +202,7 @@ public class SysUserController extends BaseController
public AjaxResult changeStatus(@RequestBody SysUser user) public AjaxResult changeStatus(@RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId());
user.setUpdateBy(getUsername()); user.setUpdateBy(getUsername());
return toAjax(userService.updateUserStatus(user)); return toAjax(userService.updateUserStatus(user));
} }
@ -227,6 +230,7 @@ public class SysUserController extends BaseController
@PutMapping("/authRole") @PutMapping("/authRole")
public AjaxResult insertAuthRole(Long userId, Long[] roleIds) public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
{ {
userService.checkUserDataScope(userId);
userService.insertUserAuth(userId, roleIds); userService.insertUserAuth(userId, roleIds);
return success(); return success();
} }

@ -361,6 +361,7 @@ public class SysRoleServiceImpl implements ISysRoleService
for (Long roleId : roleIds) for (Long roleId : roleIds)
{ {
checkRoleAllowed(new SysRole(roleId)); checkRoleAllowed(new SysRole(roleId));
checkRoleDataScope(roleId);
SysRole role = selectRoleById(roleId); SysRole role = selectRoleById(roleId);
if (countUserRoleByRoleId(roleId) > 0) if (countUserRoleByRoleId(roleId) > 0)
{ {

@ -482,6 +482,7 @@ public class SysUserServiceImpl implements ISysUserService
for (Long userId : userIds) for (Long userId : userIds)
{ {
checkUserAllowed(new SysUser(userId)); checkUserAllowed(new SysUser(userId));
checkUserDataScope(userId);
} }
// 删除用户与角色关联 // 删除用户与角色关联
userRoleMapper.deleteUserRole(userIds); userRoleMapper.deleteUserRole(userIds);

Loading…
Cancel
Save