clunt
/
RuoYi-Cloud
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SysUserController 安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息

This commit is contained in:
duandazhi 2021-07-27 17:27:33 +08:00
parent 7e72849d05
commit 5ddb74854a
4 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
View File

@ -146,6 +146,11 @@ public class SysUserController extends BaseController
@GetMapping(value = { "/", "/{userId}" }) @GetMapping(value = { "/", "/{userId}" })
public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId) public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
{ {
//安全漏洞测试fix增加防止越权的操作不法分子可能通过修改 userid 抓取修改删除重置 任意用户敏感信息 (1 getInfo)
if (!userService.checkUserIdAllowed(userId)) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + userId );
}
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
List<SysRole> roles = roleService.selectRoleAll(); List<SysRole> roles = roleService.selectRoleAll();
ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList())); ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
@ -195,6 +200,15 @@ public class SysUserController extends BaseController
public AjaxResult edit(@Validated @RequestBody SysUser user) public AjaxResult edit(@Validated @RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
if (user.getUserId() == null) {
return AjaxResult.error("userId不能为空");
}
//安全漏洞测试fix增加防止越权的操作不法分子可能通过修改 userid 抓取修改删除重置 任意用户敏感信息 (2 edit)
if (!userService.checkUserIdAllowed(user.getUserId())) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + user.getUserId() );
}
if (StringUtils.isNotEmpty(user.getPhonenumber()) if (StringUtils.isNotEmpty(user.getPhonenumber())
&& UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user))) && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{ {
@ -229,6 +243,15 @@ public class SysUserController extends BaseController
public AjaxResult resetPwd(@RequestBody SysUser user) public AjaxResult resetPwd(@RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
if (user.getUserId() == null) {
return AjaxResult.error("userId不能为空");
}
//安全漏洞测试fix增加防止越权的操作不法分子可能通过修改 userid 抓取修改删除重置 任意用户敏感信息 (3 resetPwd)
if (!userService.checkUserIdAllowed(user.getUserId())) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + user.getUserId() );
}
user.setPassword(SecurityUtils.encryptPassword(user.getPassword())); user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
user.setUpdateBy(SecurityUtils.getUsername()); user.setUpdateBy(SecurityUtils.getUsername());
return toAjax(userService.resetPwd(user)); return toAjax(userService.resetPwd(user));

8
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
View File

@ -97,6 +97,14 @@ public interface ISysUserService
*/ */
public void checkUserAllowed(SysUser user); public void checkUserAllowed(SysUser user);
/**
* @author dazer
* 检查userId,当前的管理员是否有权限操作
* @param userId 被修改的userId
* @return true: 当前管理员有操作该 userId的权限
*/
public boolean checkUserIdAllowed(Long userId);
/** /**
* 新增用户信息 * 新增用户信息
* *

18
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
View File

@ -2,6 +2,8 @@ package com.ruoyi.system.service.impl;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -227,6 +229,22 @@ public class SysUserServiceImpl implements ISysUserService
} }
} }
/**
* @author dazer
* 检查userId,当前的管理员是否有权限操作
* @param userId 被修改的userId
*/
@Override
public boolean checkUserIdAllowed(Long userId) {
if (userId == null) {
throw new CustomException("checkUserIdAllowed中【userId】不能为空");
}
SysUser user = new SysUser();
user.setUserId(userId);
List<SysUser> sysUsers = this.selectUserList(user);
return sysUsers.stream().map(SysUser::getUserId).collect(Collectors.toSet()).contains(userId);
}
/** /**
* 新增保存用户信息 * 新增保存用户信息
* *

3
ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml
View File

@ -62,6 +62,9 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
<if test="userName != null and userName != ''"> <if test="userName != null and userName != ''">
AND u.user_name like concat('%', #{userName}, '%') AND u.user_name like concat('%', #{userName}, '%')
</if> </if>
<if test="userId != null">
AND u.user_id = #{userId}
</if>
<if test="status != null and status != ''"> <if test="status != null and status != ''">
AND u.status = #{status} AND u.status = #{status}
</if> </if>