feat: JWT内容增加deptId,修复部门数据权限sql漏洞

JWT内容增加deptId,修复部门数据权限sql漏洞
2024-12-22 20:54:26 +08:00 · 2021-12-11 14:47:52 +08:00 · 2021-12-11 14:47:52 +08:00 · 57b6759051
commit 57b6759051
parent 3c052f57f2
6 changed files with 23 additions and 22 deletions
--- a/youlai-admin/admin-api/src/main/java/com/youlai/admin/dto/UserAuthDTO.java
+++ b/youlai-admin/admin-api/src/main/java/com/youlai/admin/dto/UserAuthDTO.java
@ -38,6 +38,11 @@ public class UserAuthDTO {
     */
    private List<String> roles;

+    /**
+     * 部门ID
+     */
+    private Long deptId;
+


 }
--- a/youlai-admin/admin-boot/src/main/java/com/youlai/admin/service/impl/SysDeptServiceImpl.java
+++ b/youlai-admin/admin-boot/src/main/java/com/youlai/admin/service/impl/SysDeptServiceImpl.java
@ -120,9 +120,8 @@ public class SysDeptServiceImpl extends ServiceImpl<SysDeptMapper, SysDept> impl
                .eq(SysDept::getStatus, GlobalConstants.STATUS_YES)
                .orderByAsc(SysDept::getSort)
        );
-        Long userId = JwtUtils.getUserId();
-        SysUser user = iSysUserService.getById(userId);
-        List<TreeSelectVO> deptSelectList = recursionTreeSelectList(user.getDeptId(), deptList);
+
+        List<TreeSelectVO> deptSelectList = recursionTreeSelectList(JwtUtils.getJwtPayload().getLong("deptId"), deptList);
        return deptSelectList;
    }

--- a/youlai-admin/admin-boot/src/main/resources/mapper/SysUserMapper.xml
+++ b/youlai-admin/admin-boot/src/main/resources/mapper/SysUserMapper.xml
@ -37,13 +37,14 @@
        <result property="username" column="username" jdbcType="VARCHAR"/>
        <result property="password" column="password" jdbcType="VARCHAR"/>
        <result property="status" column="status" jdbcType="BOOLEAN"/>
+        <result property="deptId" column="deptId" jdbcType="BIGINT"></result>
        <collection property="roles" ofType="string" javaType="list">
            <result column="roleCode"></result>
        </collection>
    </resultMap>

    <select id="getByUsername" resultMap="UserAuthMap">
-        select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t3.code roleCode
+        select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t1.dept_id deptId,t3.code roleCode
                from sys_user t1,
                sys_user_role t2,
                sys_role t3
--- a/youlai-auth/src/main/java/com/youlai/auth/security/config/AuthorizationServerConfig.java
+++ b/youlai-auth/src/main/java/com/youlai/auth/security/config/AuthorizationServerConfig.java
@ -173,6 +173,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap
                SysUserDetails sysUserDetails = (SysUserDetails) principal;
                additionalInfo.put("userId", sysUserDetails.getUserId());
                additionalInfo.put("username", sysUserDetails.getUsername());
+                additionalInfo.put("deptId",sysUserDetails.getDeptId());
                if (StrUtil.isNotBlank(sysUserDetails.getAuthenticationMethod())) {
                    additionalInfo.put("authenticationMethod", sysUserDetails.getAuthenticationMethod());
                }
--- a/youlai-auth/src/main/java/com/youlai/auth/security/core/userdetails/user/SysUserDetails.java
+++ b/youlai-auth/src/main/java/com/youlai/auth/security/core/userdetails/user/SysUserDetails.java
@ -27,6 +27,7 @@ public class SysUserDetails implements UserDetails {
     */
    private Long userId;
    private String authenticationMethod;
+    private Long deptId;

    /**
     * 默认字段
@ -42,6 +43,7 @@ public class SysUserDetails implements UserDetails {
    public SysUserDetails(UserAuthDTO user) {
        this.setUserId(user.getUserId());
        this.setUsername(user.getUsername());
+        this.setDeptId(user.getDeptId());
        this.setPassword(PasswordEncoderTypeEnum.BCRYPT.getPrefix() + user.getPassword());
        this.setEnabled(GlobalConstants.STATUS_YES.equals(user.getStatus()));
        if (CollectionUtil.isNotEmpty(user.getRoles())) {
--- a/youlai-common/common-mybatis/src/main/java/com/youlai/common/mybatis/handler/DataPermissionHandlerImpl.java
+++ b/youlai-common/common-mybatis/src/main/java/com/youlai/common/mybatis/handler/DataPermissionHandlerImpl.java
@ -50,14 +50,13 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
            for (Method method : methods) {
                InterceptorIgnore annotation = method.getAnnotation(InterceptorIgnore.class);
                if (ObjectUtils.isNotEmpty(annotation) && (method.getName().equals(methodName) || (method.getName() + "_COUNT").equals(methodName))) {
-                    // 获取当前的用户
-                    Long userId = JwtUtils.getUserId();
+                    // 获取当前的用户角色
                    List<String> roles = JwtUtils.getRoles();
                    if( !roles.isEmpty() && roles.contains(GlobalConstants.ROOT_ROLE_CODE)) {
                        // 如果是超级管理员则放行
                        return where;
                    }else{
-                        return dataScopeFilter(userId, annotation.dataPermission(), where);
+                        return dataScopeFilter(annotation.dataPermission(), where);
                    }
                }
            }
@ -70,16 +69,15 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
    /**
     * 构建过滤条件
     *
-     * @param userId 当前登录用户id
     * @param where 当前查询条件
     * @return 构建后查询条件
     */
-    public static Expression dataScopeFilter(Long userId, String dataPermission, Expression where) {
+    public static Expression dataScopeFilter(String dataPermission, Expression where) {
        Expression expression = null;
        if(dataPermission.equals("1")){
            return where;
        }else{
-            EqualsTo equalsTo = new EqualsTo(new Column( "id"),getDeptId(userId));
+            EqualsTo equalsTo = new EqualsTo(new Column( "id"),getDeptId());
            expression = ObjectUtils.isNotEmpty(expression) ? new AndExpression(expression, equalsTo) : equalsTo;
            LikeExpression likeExpression = new LikeExpression();
            Function left = new Function();
@ -88,24 +86,19 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
            likeExpression.setLeftExpression(left);
            Function right = new Function();
            right.setName("concat");
-            right.setParameters(new ExpressionList().addExpressions(new StringValue("%"),getDeptId(userId),new StringValue("%")));
+            right.setParameters(new ExpressionList().addExpressions(new StringValue("%,"),getDeptId(),new StringValue("%,")));
            likeExpression.setRightExpression(right);
             expression = ObjectUtils.isNotEmpty(expression) ? new OrExpression(expression, likeExpression) : expression;
        }
        return ObjectUtils.isNotEmpty(where) ? new AndExpression(where, new Parenthesis(expression)) : expression;
    }

-    private static Expression getDeptId(Long userId){
-        SubSelect subSelect = new SubSelect();
-        PlainSelect select = new PlainSelect();
-        select.setSelectItems(Collections.singletonList(new SelectExpressionItem(new Column("dept_id"))));
-        select.setFromItem(new Table("sys_user"));
-        EqualsTo equalsTo = new EqualsTo();
-        equalsTo.setLeftExpression(new Column("id"));
-        equalsTo.setRightExpression(new LongValue(userId));
-        select.setWhere(equalsTo);
-        subSelect.setSelectBody(select);
-        return subSelect;
+    /**
+     * 当前用户的部门id
+     * @return
+     */
+    private static Expression getDeptId(){
+            return new LongValue(JwtUtils.getJwtPayload().getLong("deptId"));
    }