|
|
|
@ -5,6 +5,9 @@ import java.util.List;
|
|
|
|
import java.util.Set;
|
|
|
|
import java.util.Set;
|
|
|
|
import java.util.stream.Collectors;
|
|
|
|
import java.util.stream.Collectors;
|
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import com.ruoyi.common.core.exception.CustomException;
|
|
|
|
|
|
|
|
import com.ruoyi.common.security.service.TokenService;
|
|
|
|
import org.apache.commons.lang3.ArrayUtils;
|
|
|
|
import org.apache.commons.lang3.ArrayUtils;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
import org.springframework.validation.annotation.Validated;
|
|
|
|
import org.springframework.validation.annotation.Validated;
|
|
|
|
@ -57,6 +60,9 @@ public class SysUserController extends BaseController
|
|
|
|
@Autowired
|
|
|
|
@Autowired
|
|
|
|
private ISysPermissionService permissionService;
|
|
|
|
private ISysPermissionService permissionService;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
|
|
|
private TokenService tokenService;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* 获取用户列表
|
|
|
|
* 获取用户列表
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
@ -147,6 +153,14 @@ public class SysUserController extends BaseController
|
|
|
|
@GetMapping(value = { "/", "/{userId}" })
|
|
|
|
@GetMapping(value = { "/", "/{userId}" })
|
|
|
|
public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
|
|
|
|
public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
|
|
|
|
if (userId == null) {
|
|
|
|
|
|
|
|
return AjaxResult.error("userId不能为空!");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// 用户信息可以被爆破 dazer
|
|
|
|
|
|
|
|
if (!this.checkUserIdAllowed(userId)) {
|
|
|
|
|
|
|
|
return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + userId );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
AjaxResult ajax = AjaxResult.success();
|
|
|
|
AjaxResult ajax = AjaxResult.success();
|
|
|
|
List<SysRole> roles = roleService.selectRoleAll();
|
|
|
|
List<SysRole> roles = roleService.selectRoleAll();
|
|
|
|
ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
|
|
|
|
ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
|
|
|
|
@ -206,6 +220,15 @@ public class SysUserController extends BaseController
|
|
|
|
{
|
|
|
|
{
|
|
|
|
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
|
|
|
|
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// 用户信息可以被爆破 dazer
|
|
|
|
|
|
|
|
if (user.getUserId() == null) {
|
|
|
|
|
|
|
|
return AjaxResult.error("userId不能为空!");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!this.checkUserIdAllowed(user.getUserId())) {
|
|
|
|
|
|
|
|
return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
user.setUpdateBy(SecurityUtils.getUsername());
|
|
|
|
user.setUpdateBy(SecurityUtils.getUsername());
|
|
|
|
return toAjax(userService.updateUser(user));
|
|
|
|
return toAjax(userService.updateUser(user));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@ -218,10 +241,18 @@ public class SysUserController extends BaseController
|
|
|
|
@DeleteMapping("/{userIds}")
|
|
|
|
@DeleteMapping("/{userIds}")
|
|
|
|
public AjaxResult remove(@PathVariable Long[] userIds)
|
|
|
|
public AjaxResult remove(@PathVariable Long[] userIds)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (ArrayUtils.contains(userIds, SecurityUtils.getUserId()))
|
|
|
|
if (ArrayUtils.contains(userIds, SecurityUtils.getUserId())) {
|
|
|
|
{
|
|
|
|
|
|
|
|
return AjaxResult.error("当前用户不能删除");
|
|
|
|
return AjaxResult.error("当前用户不能删除");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// 用户信息可以被爆破 dazer
|
|
|
|
|
|
|
|
for (int i = 0; i < userIds.length; i++) {
|
|
|
|
|
|
|
|
Long userId = userIds[i];
|
|
|
|
|
|
|
|
if (userId != null) {
|
|
|
|
|
|
|
|
if (!this.checkUserIdAllowed(userId)) {
|
|
|
|
|
|
|
|
return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + userId );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
return toAjax(userService.deleteUserByIds(userIds));
|
|
|
|
return toAjax(userService.deleteUserByIds(userIds));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -234,9 +265,21 @@ public class SysUserController extends BaseController
|
|
|
|
public AjaxResult resetPwd(@RequestBody SysUser user)
|
|
|
|
public AjaxResult resetPwd(@RequestBody SysUser user)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
userService.checkUserAllowed(user);
|
|
|
|
userService.checkUserAllowed(user);
|
|
|
|
user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
|
|
|
|
|
|
|
|
user.setUpdateBy(SecurityUtils.getUsername());
|
|
|
|
// 用户信息可以被爆破 dazer
|
|
|
|
return toAjax(userService.resetPwd(user));
|
|
|
|
if (user.getUserId() == null) {
|
|
|
|
|
|
|
|
return AjaxResult.error("userId不能为空!");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!this.checkUserIdAllowed(user.getUserId())) {
|
|
|
|
|
|
|
|
return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//修改密码接口,只进行密码修改;防止 通过 修改密码 接口 把用户其他信息进行了修改
|
|
|
|
|
|
|
|
SysUser newSyuser = new SysUser();
|
|
|
|
|
|
|
|
newSyuser.setUserId(user.getUserId());
|
|
|
|
|
|
|
|
newSyuser.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
|
|
|
|
|
|
|
|
newSyuser.setUpdateBy(tokenService.getLoginUser().getUsername());
|
|
|
|
|
|
|
|
return toAjax(userService.resetPwd(newSyuser));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
@ -278,4 +321,21 @@ public class SysUserController extends BaseController
|
|
|
|
userService.insertUserAuth(userId, roleIds);
|
|
|
|
userService.insertUserAuth(userId, roleIds);
|
|
|
|
return success();
|
|
|
|
return success();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* @author dazer
|
|
|
|
|
|
|
|
* 1、检查userId是否越权,必须是自己能查看到的userid才能操作;
|
|
|
|
|
|
|
|
* 2、检查roleid是否越权,必须是自己能查看到的roleid才能操作 《待开发》
|
|
|
|
|
|
|
|
* 用户模块必须做该校验,否则 稍微有点经验的人,就能修改 用户的敏感信息
|
|
|
|
|
|
|
|
* @param userId 被修改的userId
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
private boolean checkUserIdAllowed(Long userId) {
|
|
|
|
|
|
|
|
if (userId == null) {
|
|
|
|
|
|
|
|
throw new CustomException("checkUserIdAllowed中:【userId】不能为空");
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
SysUser query = new SysUser();
|
|
|
|
|
|
|
|
query.setUserId(userId);
|
|
|
|
|
|
|
|
List<SysUser> sysUsers = userService.selectUserList(query);
|
|
|
|
|
|
|
|
return sysUsers.stream().map(SysUser::getUserId).collect(Collectors.toSet()).contains(userId);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
dazer007
4 years ago
committed by
Gitee