fix 修复 用户篡改管理员角色标识符越权问题
This commit is contained in:
parent
77a849992e
commit
c8d94da4fb
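--- a/<module-not-shown>/org/dromara/system/controller/system/SysRoleController.java
+++ b/<module-not-shown>/org/dromara/system/controller/system/SysRoleController.java
@@ -1,19 +1,14 @@
 package org.dromara.system.controller.system;
 
 import cn.dev33.satoken.annotation.SaCheckPermission;
-import cn.dev33.satoken.exception.NotLoginException;
-import cn.dev33.satoken.stp.StpUtil;
-import cn.hutool.core.collection.CollUtil;
-import org.dromara.common.core.constant.GlobalConstants;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 import org.dromara.common.core.domain.R;
-import org.dromara.common.core.domain.model.LoginUser;
-import org.dromara.common.core.utils.StringUtils;
 import org.dromara.common.excel.utils.ExcelUtil;
 import org.dromara.common.log.annotation.Log;
 import org.dromara.common.log.enums.BusinessType;
 import org.dromara.common.mybatis.core.page.PageQuery;
 import org.dromara.common.mybatis.core.page.TableDataInfo;
-import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.common.web.core.BaseController;
 import org.dromara.system.domain.SysUserRole;
 import org.dromara.system.domain.bo.SysDeptBo;
@@ -25,8 +20,6 @@ import org.dromara.system.domain.vo.SysUserVo;
 import org.dromara.system.service.ISysDeptService;
 import org.dromara.system.service.ISysRoleService;
 import org.dromara.system.service.ISysUserService;
-import jakarta.servlet.http.HttpServletResponse;
-import lombok.RequiredArgsConstructor;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -102,7 +95,7 @@ public class SysRoleController extends BaseController {
 @Log(title = "角色管理", businessType = BusinessType.UPDATE)
 @PutMapping
 public R<Void> edit(@Validated @RequestBody SysRoleBo role) {
-roleService.checkRoleAllowed(role.getRoleId());
+roleService.checkRoleAllowed(role);
 roleService.checkRoleDataScope(role.getRoleId());
 if (!roleService.checkRoleNameUnique(role)) {
 return R.fail("修改角色'" + role.getRoleName() + "'失败,角色名称已存在");
@@ -124,7 +117,7 @@ public class SysRoleController extends BaseController {
 @Log(title = "角色管理", businessType = BusinessType.UPDATE)
 @PutMapping("/dataScope")
 public R<Void> dataScope(@RequestBody SysRoleBo role) {
-roleService.checkRoleAllowed(role.getRoleId());
+roleService.checkRoleAllowed(role);
 roleService.checkRoleDataScope(role.getRoleId());
 return toAjax(roleService.authDataScope(role));
 }
@@ -136,7 +129,7 @@ public class SysRoleController extends BaseController {
 @Log(title = "角色管理", businessType = BusinessType.UPDATE)
 @PutMapping("/changeStatus")
 public R<Void> changeStatus(@RequestBody SysRoleBo role) {
-roleService.checkRoleAllowed(role.getRoleId());
+roleService.checkRoleAllowed(role);
 roleService.checkRoleDataScope(role.getRoleId());
 return toAjax(roleService.updateRoleStatus(role.getRoleId(), role.getStatus()));
 }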
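Review bot: `dataScope` and `changeStatus` hand the raw request body to `checkRoleAllowed`, but unlike `edit` neither parameter is `@Validated`, so a body with no `roleId` reaches the service, where a null id is treated as a create and only `roleKey` is inspected; the null id then continues into `checkRoleDataScope` and `authDataScope`/`updateRoleStatus`. Adding the annotation to both signatures, `public R<Void> changeStatus(@Validated @RequestBody SysRoleBo role)` and likewise for `dataScope`, closes that if `SysRoleBo` constrains `roleId` for updates; otherwise an explicit null check before the service calls does. These two endpoints only need an id plus a status or data scope, so if their bodies omit `roleKey` the service-side key comparison sees a null key and may reject an update of the tenant-admin role even though the key was never touched. Both method bodies and the class continue outside these hunks.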
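--- a/<module-not-shown>/org/dromara/system/service/ISysRoleService.java
+++ b/<module-not-shown>/org/dromara/system/service/ISysRoleService.java
@@ -85,9 +85,9 @@ public interface ISysRoleService {
 /**
 * 校验角色是否允许操作
 *
-* @param roleId 角色ID
+* @param role 角色信息
 */
-void checkRoleAllowed(Long roleId);
+void checkRoleAllowed(SysRoleBo role);
 
 /**
 * 校验角色是否有数据权限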
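Review bot: The Javadoc on `checkRoleAllowed(SysRoleBo role)` still only names the parameter, while the contract now depends on both `roleId` and `roleKey` being populated and on the method throwing, none of which a caller can see from this declaration. I would extend the comment with `* Reads both roleId and roleKey; pass the persisted role when the caller's request carries no key.` and `* @throws ServiceException if the role is the super-admin role, or roleKey is (or would replace) a built-in admin role key`. The rest of the interface is outside the hunk.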
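--- a/<module-not-shown>/org/dromara/system/service/impl/SysRoleServiceImpl.java
+++ b/<module-not-shown>/org/dromara/system/service/impl/SysRoleServiceImpl.java
@@ -2,6 +2,7 @@ package org.dromara.system.service.impl;
 
 import cn.dev33.satoken.exception.NotLoginException;
 import cn.dev33.satoken.stp.StpUtil;
+import cn.hutool.core.bean.BeanUtil;
 import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.util.ObjectUtil;
 import com.baomidou.mybatisplus.core.conditions.Wrapper;
@@ -10,6 +11,8 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
+import lombok.RequiredArgsConstructor;
+import org.dromara.common.core.constant.TenantConstants;
 import org.dromara.common.core.constant.UserConstants;
 import org.dromara.common.core.domain.model.LoginUser;
 import org.dromara.common.core.exception.ServiceException;
@@ -30,7 +33,6 @@ import org.dromara.system.mapper.SysRoleMapper;
 import org.dromara.system.mapper.SysRoleMenuMapper;
 import org.dromara.system.mapper.SysUserRoleMapper;
 import org.dromara.system.service.ISysRoleService;
-import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -183,13 +185,29 @@ public class SysRoleServiceImpl implements ISysRoleService {
 /**
 * 校验角色是否允许操作
 *
-* @param roleId 角色ID
+* @param role 角色信息
 */
 @Override
-public void checkRoleAllowed(Long roleId) {
-if (ObjectUtil.isNotNull(roleId) && LoginHelper.isSuperAdmin(roleId)) {
+public void checkRoleAllowed(SysRoleBo role) {
+if (ObjectUtil.isNotNull(role.getRoleId()) && LoginHelper.isSuperAdmin(role.getRoleId())) {
 throw new ServiceException("不允许操作超级管理员角色");
 }
+// 新增不允许使用 管理员标识符
+if (ObjectUtil.isNull(role.getRoleId())
+&& StringUtils.equalsAny(role.getRoleKey(),
+TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+throw new ServiceException("不允许使用系统内置管理员角色标识符!");
+}
+// 修改不允许修改 管理员标识符
+if (ObjectUtil.isNotNull(role.getRoleId())) {
+SysRole sysRole = baseMapper.selectById(role.getRoleId());
+// 如果标识符不相等 判断为修改了管理员标识符
+if (!StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
+&& StringUtils.equalsAny(sysRole.getRoleKey(),
+TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+throw new ServiceException("不允许修改系统内置管理员角色标识符!");
+}
+}
 }
 
 /**
@@ -357,9 +375,9 @@ public class SysRoleServiceImpl implements ISysRoleService {
 @Transactional(rollbackFor = Exception.class)
 public int deleteRoleByIds(Long[] roleIds) {
 for (Long roleId : roleIds) {
-checkRoleAllowed(roleId);
-checkRoleDataScope(roleId);
 SysRole role = baseMapper.selectById(roleId);
+checkRoleAllowed(BeanUtil.toBean(role, SysRoleBo.class));
+checkRoleDataScope(roleId);
 if (countUserRoleByRoleId(roleId) > 0) {
 throw new ServiceException(String.format("%1$s已分配,不能删除", role.getRoleName()));
 }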
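Review bot: In the update branch of `checkRoleAllowed`, `baseMapper.selectById(role.getRoleId())` is dereferenced without a null check, so an unknown or out-of-scope id produces a NullPointerException at `sysRole.getRoleKey()` instead of a ServiceException. The comparison also inspects only the stored key: a request that changes an ordinary role's `roleKey` to `SUPER_ADMIN_ROLE_KEY` or `TENANT_ADMIN_ROLE_KEY` passes, because `sysRole.getRoleKey()` is not a built-in key, so the tampering the commit title targets is only half covered unless a roleKey-uniqueness check outside this hunk rejects it. Conversely, a caller that submits no `roleKey` at all (status or data-scope updates plausibly do) makes `!StringUtils.equals(sysRole.getRoleKey(), null)` true and the tenant-admin role can no longer be updated through those paths. The rewrite below guards the lookup, compares only when a key was submitted, and tests both the stored and the incoming key; `deleteRoleByIds` in the last hunk has the same null-row exposure through `BeanUtil.toBean(role, SysRoleBo.class)` and should check `role` before converting it.
```java
// … unchanged: super-admin roleId check and the create-branch key check …
// 修改不允许修改 管理员标识符
if (ObjectUtil.isNotNull(role.getRoleId())) {
    SysRole sysRole = baseMapper.selectById(role.getRoleId());
    if (ObjectUtil.isNull(sysRole)) {
        throw new ServiceException("角色不存在");
    }
    // Compare only when the caller actually submitted a key; bodies without one are not key changes.
    if (ObjectUtil.isNotNull(role.getRoleKey())
        && !StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
        && (StringUtils.equalsAny(sysRole.getRoleKey(),
                TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)
            || StringUtils.equalsAny(role.getRoleKey(),
                TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY))) {
        throw new ServiceException("不允许修改系统内置管理员角色标识符!");
    }
}
```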