admin/lx-admin-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix 修复用户相关更新操作会越权的问题

Browse Source
This commit is contained in:
jenn 2023-03-10 21:15:54 +08:00
parent f8c98a1f48
commit cdb509a4fa
5 changed files with 84 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
View File

@ -83,7 +83,6 @@ public class SysProfileController extends BaseController {
@PutMapping("/updatePwd")
public R<Void> updatePwd(String oldPassword, String newPassword) {
SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
String userName = user.getUserName();
String password = user.getPassword();
if (!BCrypt.checkpw(oldPassword, password)) {
return R.fail("修改密码失败,旧密码错误");
@ -92,7 +91,7 @@ public class SysProfileController extends BaseController {
return R.fail("新密码不能与旧密码相同");
}
if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) {
if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
return R.ok();
}
return R.fail("修改密码异常,请联系管理员");
@ -113,7 +112,7 @@ public class SysProfileController extends BaseController {
}
SysOssVo oss = sysOssService.upload(avatarfile);
String avatar = oss.getUrl();
if (userService.updateUserAvatar(LoginHelper.getUsername(), oss.getOssId())) {
if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
AvatarVo avatarVo = new AvatarVo();
avatarVo.setImgUrl(avatar);
return R.ok(avatarVo);

2
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
View File

@ -182,7 +182,7 @@ public class SysUserController extends BaseController {
userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId());
user.setPassword(BCrypt.hashpw(user.getPassword()));
return toAjax(userService.resetPwd(user));
return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
}
/**

14
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
View File

@ -106,4 +106,18 @@ public interface SysUserMapper extends BaseMapperPlus<SysUserMapper, SysUser, Sy
*/
SysUserVo selectUserById(Long userId);
@Override
@DataPermission({
@DataColumn(key = "deptName", value = "dept_id"),
@DataColumn(key = "userName", value = "user_id")
})
int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
@Override
@DataPermission({
@DataColumn(key = "deptName", value = "dept_id"),
@DataColumn(key = "userName", value = "user_id")
})
int updateById(@Param(Constants.ENTITY) SysUser user);
}

16
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
View File

@ -170,28 +170,20 @@ public interface ISysUserService {
/**
* 修改用户头像
*
* @param userName 用户名
* @param userId 用户ID
* @param avatar 头像地址
* @return 结果
*/
boolean updateUserAvatar(String userName, Long avatar);
boolean updateUserAvatar(Long userId, Long avatar);
/**
* 重置用户密码
*
* @param user 用户信息
* @return 结果
*/
int resetPwd(SysUserBo user);
/**
* 重置用户密码
*
* @param userName 用户名
* @param userId 用户ID
* @param password 密码
* @return 结果
*/
int resetUserPwd(String userName, String password);
int resetUserPwd(Long userId, String password);
/**
* 通过用户ID删除用户

90
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
View File

@ -36,8 +36,10 @@ import org.springframework.cache.annotation.Cacheable;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
/**
* 用户 业务层处理
@ -317,7 +319,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
// 新增用户与岗位管理
insertUserPost(user);
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser);
//防止错误更新后导致的数据误删除
int flag = baseMapper.updateById(sysUser);
if (flag <= 0){
throw new ServiceException("修改用户"+user.getUserName()+"信息失败");
}
return flag;
}
/**
@ -342,8 +349,10 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/
@Override
public int updateUserStatus(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser);
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getStatus, user.getStatus())
.eq(SysUser::getUserId, user.getUserId()));
}
/**
@ -354,50 +363,43 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/
@Override
public int updateUserProfile(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser);
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(ObjectUtil.isNotNull(user.getNickName()), SysUser::getNickName, user.getNickName())
.set(SysUser::getPhonenumber, user.getPhonenumber())
.set(SysUser::getEmail, user.getEmail())
.set(SysUser::getSex, user.getSex())
.eq(SysUser::getUserId, user.getUserId()));
}
/**
* 修改用户头像
*
* @param userName 用户名
* @param userId 用户ID
* @param avatar 头像地址
* @return 结果
*/
@Override
public boolean updateUserAvatar(String userName, Long avatar) {
public boolean updateUserAvatar(Long userId, Long avatar) {
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getAvatar, avatar)
.eq(SysUser::getUserName, userName)) > 0;
.eq(SysUser::getUserId, userId)) > 0;
}
/**
* 重置用户密码
*
* @param user 用户信息
* @return 结果
*/
@Override
public int resetPwd(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser);
}
/**
* 重置用户密码
*
* @param userName 用户名
* @param userId 用户ID
* @param password 密码
* @return 结果
*/
@Override
public int resetUserPwd(String userName, String password) {
public int resetUserPwd(Long userId, String password) {
return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getPassword, password)
.eq(SysUser::getUserName, userName));
.eq(SysUser::getUserId, userId));
}
/**
@ -417,8 +419,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
public void insertUserPost(SysUserBo user) {
Long[] posts = user.getPostIds();
if (ArrayUtil.isNotEmpty(posts)) {
//判断是否具有此角色的岗位权限
List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
if (postList.isEmpty()){
throw new ServiceException("您不具有操作岗位的权限");
}
List<Long> postIdList = Arrays.asList(posts);
List<Long> canDoPostList = postIdList.stream()
.filter(postList::contains)
.collect(Collectors.toList());
if (canDoPostList.isEmpty()){
throw new ServiceException("您不具有操作当前岗位的权限");
}
// 新增用户与岗位管理
List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> {
List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
SysUserPost up = new SysUserPost();
up.setUserId(user.getUserId());
up.setPostId(postId);
@ -436,8 +450,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/
public void insertUserRole(Long userId, Long[] roleIds) {
if (ArrayUtil.isNotEmpty(roleIds)) {
//判断是否具有此角色的操作权限
List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
if (roleList.isEmpty()){
throw new ServiceException("您不具有操作角色的权限");
}
List<Long> roleIdList = Arrays.asList(roleIds);
List<Long> canDoRoleList = roleIdList.stream()
.filter(roleList::contains)
.collect(Collectors.toList());
if (canDoRoleList.isEmpty()){
throw new ServiceException("您不具有操作当前角色的权限");
}
// 新增用户与角色管理
List<SysUserRole> list = StreamUtils.toList(List.of(roleIds), roleId -> {
List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
SysUserRole ur = new SysUserRole();
ur.setUserId(userId);
ur.setRoleId(roleId);
@ -460,7 +486,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
// 删除用户与岗位表
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
return baseMapper.deleteById(userId);
// 防止更新失败导致的数据删除
int flag = baseMapper.deleteById(userId);
if (flag <= 0){
throw new ServiceException("删除用户发生异常");
}
return flag;
}
/**
@ -481,7 +512,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids));
// 删除用户与岗位表
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
return baseMapper.deleteBatchIds(ids);
// 防止更新失败导致的数据删除
int flag = baseMapper.deleteBatchIds(ids);
if (flag <= 0){
throw new ServiceException("删除用户发生异常");
}
return flag;
}
@Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId")