From 5ddb74854a36ba63f2ebf86a19bfcf69f4dd613b Mon Sep 17 00:00:00 2001
From: duandazhi
Date: Tue, 27 Jul 2021 17:27:33 +0800
Subject: [PATCH] =?UTF-8?q?SysUserController=20=E5=AE=89=E5=85=A8=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E=E6=B5=8B=E8=AF=95fix=EF=BC=8C=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E9=98=B2=E6=AD=A2=E8=B6=8A=E6=9D=83=E7=9A=84=E6=93=8D=E4=BD=9C?=
 =?UTF-8?q?=EF=BC=9B=E4=B8=8D=E6=B3=95=E5=88=86=E5=AD=90=EF=BC=8C=E5=8F=AF?=
 =?UTF-8?q?=E8=83=BD=E9=80=9A=E8=BF=87=E4=BF=AE=E6=94=B9=20userid=20?=
 =?UTF-8?q?=E6=8A=93=E5=8F=96=E3=80=81=E4=BF=AE=E6=94=B9=E3=80=81=E5=88=A0?=
 =?UTF-8?q?=E9=99=A4=E3=80=81=E9=87=8D=E7=BD=AE=20=E4=BB=BB=E6=84=8F?=
 =?UTF-8?q?=E7=94=A8=E6=88=B7=E6=95=8F=E6=84=9F=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../system/controller/SysUserController.java | 23 +++++++++++++++++++
 .../ruoyi/system/service/ISysUserService.java | 8 +++++++
 .../service/impl/SysUserServiceImpl.java | 18 +++++++++++++++
 .../resources/mapper/system/SysUserMapper.xml | 3 +++
 4 files changed, 52 insertions(+)
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
index db88224d..c2b87a60 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
@@ -146,6 +146,11 @@ public class SysUserController extends BaseController
     @GetMapping(value = { "/", "/{userId}" })
     public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
     {
+        //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (1 getInfo)
+        if (!userService.checkUserIdAllowed(userId)) {
+            return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + userId );
+        }
+
         AjaxResult ajax = AjaxResult.success();
         List roles = roleService.selectRoleAll();
         ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
@@ -195,6 +200,15 @@ public class SysUserController extends BaseController
     public AjaxResult edit(@Validated @RequestBody SysUser user)
     {
         userService.checkUserAllowed(user);
+
+        if (user.getUserId() == null) {
+            return AjaxResult.error("userId不能为空!");
+        }
+        //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (2 edit)
+        if (!userService.checkUserIdAllowed(user.getUserId())) {
+            return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
+        }
+
         if (StringUtils.isNotEmpty(user.getPhonenumber())
                 && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
         {
@@ -229,6 +243,15 @@ public class SysUserController extends BaseController
     public AjaxResult resetPwd(@RequestBody SysUser user)
     {
         userService.checkUserAllowed(user);
+
+        if (user.getUserId() == null) {
+            return AjaxResult.error("userId不能为空!");
+        }
+        //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (3 resetPwd)
+        if (!userService.checkUserIdAllowed(user.getUserId())) {
+            return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
+        }
+
         user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
         user.setUpdateBy(SecurityUtils.getUsername());
         return toAjax(userService.resetPwd(user));
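Review bot: The new guard in getInfo calls `userService.checkUserIdAllowed(userId)` even when `userId` is null, which the `/` route explicitly permits (`required = false`), and the service implementation added in this same patch throws a CustomException on a null id, so the no-id request that previously returned the role and post lists for the "new user" form now fails. Either guard the call, `if (userId != null && !userService.checkUserIdAllowed(userId))`, or define null as allowed for this read path in the service. The identical deny block is repeated in edit and resetPwd in the two following hunks; a private controller helper returning the `AjaxResult` (or null when allowed) would keep the three copies and their messages from drifting. The commit title also lists deletion among the affected operations, but no remove endpoint is touched in this patch — if one exists in this controller it presumably needs the same check. getInfo's body continues outside the hunk.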
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
index 869fbcc3..91c345af 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -97,6 +97,14 @@ public interface ISysUserService
      */
     public void checkUserAllowed(SysUser user);
 
+    /**
+     * @author dazer
+     * 检查userId,当前的管理员是否有权限操作
+     * @param userId 被修改的userId
+     * @return true: 当前管理员有操作该 userId的权限
+     */
+    public boolean checkUserIdAllowed(Long userId);
+
     /**
      * 新增用户信息
      *
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
index cbbf35a7..52667a8d 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -2,6 +2,8 @@ package com.ruoyi.system.service.impl;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -227,6 +229,22 @@ public class SysUserServiceImpl implements ISysUserService
         }
     }
 
+    /**
+     * @author dazer
+     * 检查userId,当前的管理员是否有权限操作
+     * @param userId 被修改的userId
+     */
+    @Override
+    public boolean checkUserIdAllowed(Long userId) {
+        if (userId == null) {
+            throw new CustomException("checkUserIdAllowed中:【userId】不能为空");
+        }
+        SysUser user = new SysUser();
+        user.setUserId(userId);
+        List sysUsers = this.selectUserList(user);
+        return sysUsers.stream().map(SysUser::getUserId).collect(Collectors.toSet()).contains(userId);
+    }
+
     /**
      * 新增保存用户信息
      *
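Review bot: checkUserIdAllowed derives its authorization answer from `this.selectUserList(user)`, and a `this.` self-invocation does not pass through the Spring proxy, so if selectUserList's department-scope filtering is applied by an AOP aspect — which is not visible in this hunk and would need confirming — that filter is skipped and the method reduces to "a user with this id exists", which is true for any valid id and defeats the fix. If that is the case, the lookup should go through the proxied bean or a dedicated mapper query that applies the caller's scope explicitly, and a test exercising a target user outside the caller's department should be added so the bypass is caught. Independently, the stream-to-set-contains on the return line is redundant once the mapper restricts on user_id; `return !sysUsers.isEmpty();` expresses the same result. The impl Javadoc also drops the `@return` that the interface declaration carries in the first hunk. The enclosing class continues outside the hunk.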
diff --git a/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml b/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml index 9dddd39b..a0ae90f9 100644 --- a/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml +++ b/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml @@ -62,6 +62,9 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" AND u.user_name like concat('%', #{userName}, '%') + + AND u.user_id = #{userId} + AND u.status = #{status}
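Review bot: The conditional wrapper that should surround the new `AND u.user_id = #{userId}` is not visible in the rendered hunk, so whether the filter is skipped for a null or zero id cannot be confirmed from here. Because checkUserIdAllowed in SysUserServiceImpl now derives an authorization decision from selectUserList, this fragment has become part of an access-control path rather than an ordinary search filter; a mapper comment such as `<!-- user_id filter is relied on by checkUserIdAllowed for scope checks; do not loosen -->` would keep a later edit from widening access unnoticed. The surrounding select statement starts and ends outside the hunk.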