Pre Merge pull request !92 from dazer007/master

dazer007 2021-07-28 06:43:54 +00:00 committed by Gitee
commit 94b0799b8a
1 changed files with 65 additions and 5 deletions


@ -5,6 +5,9 @@ import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import com.ruoyi.common.core.exception.CustomException;
import com.ruoyi.common.security.service.TokenService;
import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.ArrayUtils;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.validation.annotation.Validated; import org.springframework.validation.annotation.Validated;
@ -57,6 +60,9 @@ public class SysUserController extends BaseController
@Autowired @Autowired
private ISysPermissionService permissionService; private ISysPermissionService permissionService;
@Autowired
private TokenService tokenService;
/** /**
* 获取用户列表 * 获取用户列表
*/ */
@ -147,6 +153,14 @@ public class SysUserController extends BaseController
@GetMapping(value = { "/", "/{userId}" }) @GetMapping(value = { "/", "/{userId}" })
public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId) public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
{ {
if (userId == null) {
return AjaxResult.error("userId不能为空");
}
// 用户信息可以被爆破 dazer
if (!this.checkUserIdAllowed(userId)) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + userId );
}
AjaxResult ajax = AjaxResult.success(); AjaxResult ajax = AjaxResult.success();
List<SysRole> roles = roleService.selectRoleAll(); List<SysRole> roles = roleService.selectRoleAll();
ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList())); ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
@ -206,6 +220,15 @@ public class SysUserController extends BaseController
{ {
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在"); return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
} }
// 用户信息可以被爆破 dazer
if (user.getUserId() == null) {
return AjaxResult.error("userId不能为空");
}
if (!this.checkUserIdAllowed(user.getUserId())) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + user.getUserId() );
}
user.setUpdateBy(SecurityUtils.getUsername()); user.setUpdateBy(SecurityUtils.getUsername());
return toAjax(userService.updateUser(user)); return toAjax(userService.updateUser(user));
} }
@ -218,10 +241,18 @@ public class SysUserController extends BaseController
@DeleteMapping("/{userIds}") @DeleteMapping("/{userIds}")
public AjaxResult remove(@PathVariable Long[] userIds) public AjaxResult remove(@PathVariable Long[] userIds)
{ {
if (ArrayUtils.contains(userIds, SecurityUtils.getUserId())) if (ArrayUtils.contains(userIds, SecurityUtils.getUserId())) {
{
return AjaxResult.error("当前用户不能删除"); return AjaxResult.error("当前用户不能删除");
} }
// 用户信息可以被爆破 dazer
for (int i = 0; i < userIds.length; i++) {
Long userId = userIds[i];
if (userId != null) {
if (!this.checkUserIdAllowed(userId)) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + userId );
}
}
}
return toAjax(userService.deleteUserByIds(userIds)); return toAjax(userService.deleteUserByIds(userIds));
} }
@ -234,9 +265,21 @@ public class SysUserController extends BaseController
public AjaxResult resetPwd(@RequestBody SysUser user) public AjaxResult resetPwd(@RequestBody SysUser user)
{ {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
user.setUpdateBy(SecurityUtils.getUsername()); // 用户信息可以被爆破 dazer
return toAjax(userService.resetPwd(user)); if (user.getUserId() == null) {
return AjaxResult.error("userId不能为空");
}
if (!this.checkUserIdAllowed(user.getUserId())) {
return AjaxResult.error("请勿非法操作你无权操作该用户userId = " + user.getUserId() );
}
//修改密码接口只进行密码修改防止 通过 修改密码 接口 把用户其他信息进行了修改
SysUser newSyuser = new SysUser();
newSyuser.setUserId(user.getUserId());
newSyuser.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
newSyuser.setUpdateBy(tokenService.getLoginUser().getUsername());
return toAjax(userService.resetPwd(newSyuser));
} }
/** /**
@ -278,4 +321,21 @@ public class SysUserController extends BaseController
userService.insertUserAuth(userId, roleIds); userService.insertUserAuth(userId, roleIds);
return success(); return success();
} }
/**
* @author dazer
* 1检查userId是否越权必须是自己能查看到的userid才能操作
* 2检查roleid是否越权必须是自己能查看到的roleid才能操作 待开发
* 用户模块必须做该校验否则 稍微有点经验的人就能修改 用户的敏感信息
* @param userId 被修改的userId
*/
private boolean checkUserIdAllowed(Long userId) {
if (userId == null) {
throw new CustomException("checkUserIdAllowed中【userId】不能为空");
}
SysUser query = new SysUser();
query.setUserId(userId);
List<SysUser> sysUsers = userService.selectUserList(query);
return sysUsers.stream().map(SysUser::getUserId).collect(Collectors.toSet()).contains(userId);
}
} }
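Review bot: The added null guard in getInfo rejects the `"/"` route that the mapping in the same hunk explicitly declares (`@GetMapping(value = { "/", "/{userId}" })` with `required = false`), so a request without a userId now fails with `userId不能为空` instead of reaching the role list that the following lines build; if that path is still meant to serve the create form, drop the null-rejection and gate only the ownership check, `if (userId != null && !this.checkUserIdAllowed(userId)) {`. The helper checkUserIdAllowed only enforces anything if userService.selectUserList applies the caller's data scope, which is not visible here, so the helper deserves a comment such as `// relies on selectUserList being data-scoped to the caller; an unscoped query would accept every id`. In resetPwd, user.getPassword() is passed to SecurityUtils.encryptPassword with no null/blank check, and setUpdateBy uses tokenService.getLoginUser().getUsername() while the update path two hunks above uses SecurityUtils.getUsername(); pick one for consistency. remove issues one selectUserList query per id inside the loop and silently skips null entries, which a single scoped query over the whole array would avoid. getInfo, update, remove and resetPwd each continue outside their hunks.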