feat: JWT内容增加deptId,修复部门数据权限sql漏洞
JWT内容增加deptId,修复部门数据权限sql漏洞
This commit is contained in:
parent
3c052f57f2
commit
57b6759051
@ -38,6 +38,11 @@ public class UserAuthDTO {
|
||||
*/
|
||||
private List<String> roles;
|
||||
|
||||
/**
|
||||
* 部门ID
|
||||
*/
|
||||
private Long deptId;
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
@ -120,9 +120,8 @@ public class SysDeptServiceImpl extends ServiceImpl<SysDeptMapper, SysDept> impl
|
||||
.eq(SysDept::getStatus, GlobalConstants.STATUS_YES)
|
||||
.orderByAsc(SysDept::getSort)
|
||||
);
|
||||
Long userId = JwtUtils.getUserId();
|
||||
SysUser user = iSysUserService.getById(userId);
|
||||
List<TreeSelectVO> deptSelectList = recursionTreeSelectList(user.getDeptId(), deptList);
|
||||
|
||||
List<TreeSelectVO> deptSelectList = recursionTreeSelectList(JwtUtils.getJwtPayload().getLong("deptId"), deptList);
|
||||
return deptSelectList;
|
||||
}
|
||||
|
||||
|
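Review bot: `JwtUtils.getJwtPayload().getLong("deptId")` can return null when the token carries no `deptId` claim (a token issued before this commit, or a user with no department assigned), and `recursionTreeSelectList` is then called with a null root where it previously received the value read through `iSysUserService.getById(userId)`; add an explicit null check with a defined outcome (empty list or an exception) before the call. Taking the department from the token also means a department reassignment is not reflected until the user re-authenticates, which deserves a comment such as `// deptId is read from the signed token and is fixed for the token's lifetime`. With the `getById` lookup removed, check whether the `iSysUserService` field still has other callers in this class (not visible here). The enclosing method starts before this hunk.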
@ -37,13 +37,14 @@
|
||||
<result property="username" column="username" jdbcType="VARCHAR"/>
|
||||
<result property="password" column="password" jdbcType="VARCHAR"/>
|
||||
<result property="status" column="status" jdbcType="BOOLEAN"/>
|
||||
<result property="deptId" column="deptId" jdbcType="BIGINT"></result>
|
||||
<collection property="roles" ofType="string" javaType="list">
|
||||
<result column="roleCode"></result>
|
||||
</collection>
|
||||
</resultMap>
|
||||
|
||||
<select id="getByUsername" resultMap="UserAuthMap">
|
||||
select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t3.code roleCode
|
||||
select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t1.dept_id deptId,t3.code roleCode
|
||||
from sys_user t1,
|
||||
sys_user_role t2,
|
||||
sys_role t3
|
||||
|
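Review bot: `<result property="deptId" column="deptId" jdbcType="BIGINT"></result>` uses an explicit closing tag while every sibling `<result .../>` is self-closing; write `<result property="deptId" column="deptId" jdbcType="BIGINT"/>`. The added `t1.dept_id deptId,t3.code roleCode` in the select list is likewise missing the space after the comma that the rest of the list uses. The select statement continues outside this hunk.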
@ -173,6 +173,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap
|
||||
SysUserDetails sysUserDetails = (SysUserDetails) principal;
|
||||
additionalInfo.put("userId", sysUserDetails.getUserId());
|
||||
additionalInfo.put("username", sysUserDetails.getUsername());
|
||||
additionalInfo.put("deptId",sysUserDetails.getDeptId());
|
||||
if (StrUtil.isNotBlank(sysUserDetails.getAuthenticationMethod())) {
|
||||
additionalInfo.put("authenticationMethod", sysUserDetails.getAuthenticationMethod());
|
||||
}
|
||||
|
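Review bot: `additionalInfo.put("deptId",sysUserDetails.getDeptId());` drops the space after the comma that the neighbouring `put` calls use; write `additionalInfo.put("deptId", sysUserDetails.getDeptId());`. When `getDeptId()` is null (no department assigned) the token will carry a null `deptId` claim, so either skip the `put` for a null value, mirroring the `authenticationMethod` guard just below, or document that the claim is optional so consumers calling `getLong("deptId")` handle its absence. The enclosing method continues outside this hunk.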
@ -27,6 +27,7 @@ public class SysUserDetails implements UserDetails {
|
||||
*/
|
||||
private Long userId;
|
||||
private String authenticationMethod;
|
||||
private Long deptId;
|
||||
|
||||
/**
|
||||
* 默认字段
|
||||
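Review bot: The new field `private Long deptId;` has no Javadoc, while the surrounding fields appear to be documented (the `*/` closing a comment above `userId` and the `/** 默认字段` block below); add `/** 部门ID */` above it to match, and consider placing it next to `userId` rather than after `authenticationMethod` so the identity fields read together. The class body continues outside this hunk.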
@ -42,6 +43,7 @@ public class SysUserDetails implements UserDetails {
|
||||
public SysUserDetails(UserAuthDTO user) {
|
||||
this.setUserId(user.getUserId());
|
||||
this.setUsername(user.getUsername());
|
||||
this.setDeptId(user.getDeptId());
|
||||
this.setPassword(PasswordEncoderTypeEnum.BCRYPT.getPrefix() + user.getPassword());
|
||||
this.setEnabled(GlobalConstants.STATUS_YES.equals(user.getStatus()));
|
||||
if (CollectionUtil.isNotEmpty(user.getRoles())) {
|
||||
|
@ -50,14 +50,13 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
|
||||
for (Method method : methods) {
|
||||
InterceptorIgnore annotation = method.getAnnotation(InterceptorIgnore.class);
|
||||
if (ObjectUtils.isNotEmpty(annotation) && (method.getName().equals(methodName) || (method.getName() + "_COUNT").equals(methodName))) {
|
||||
// 获取当前的用户
|
||||
Long userId = JwtUtils.getUserId();
|
||||
// 获取当前的用户角色
|
||||
List<String> roles = JwtUtils.getRoles();
|
||||
if( !roles.isEmpty() && roles.contains(GlobalConstants.ROOT_ROLE_CODE)) {
|
||||
// 如果是超级管理员则放行
|
||||
return where;
|
||||
}else{
|
||||
return dataScopeFilter(userId, annotation.dataPermission(), where);
|
||||
return dataScopeFilter(annotation.dataPermission(), where);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -70,16 +69,15 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
|
||||
/**
|
||||
* 构建过滤条件
|
||||
*
|
||||
* @param userId 当前登录用户id
|
||||
* @param where 当前查询条件
|
||||
* @return 构建后查询条件
|
||||
*/
|
||||
public static Expression dataScopeFilter(Long userId, String dataPermission, Expression where) {
|
||||
public static Expression dataScopeFilter(String dataPermission, Expression where) {
|
||||
Expression expression = null;
|
||||
if(dataPermission.equals("1")){
|
||||
return where;
|
||||
}else{
|
||||
EqualsTo equalsTo = new EqualsTo(new Column( "id"),getDeptId(userId));
|
||||
EqualsTo equalsTo = new EqualsTo(new Column( "id"),getDeptId());
|
||||
expression = ObjectUtils.isNotEmpty(expression) ? new AndExpression(expression, equalsTo) : equalsTo;
|
||||
LikeExpression likeExpression = new LikeExpression();
|
||||
Function left = new Function();
|
||||
@ -88,24 +86,19 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
|
||||
likeExpression.setLeftExpression(left);
|
||||
Function right = new Function();
|
||||
right.setName("concat");
|
||||
right.setParameters(new ExpressionList().addExpressions(new StringValue("%"),getDeptId(userId),new StringValue("%")));
|
||||
right.setParameters(new ExpressionList().addExpressions(new StringValue("%,"),getDeptId(),new StringValue("%,")));
|
||||
likeExpression.setRightExpression(right);
|
||||
expression = ObjectUtils.isNotEmpty(expression) ? new OrExpression(expression, likeExpression) : expression;
|
||||
}
|
||||
return ObjectUtils.isNotEmpty(where) ? new AndExpression(where, new Parenthesis(expression)) : expression;
|
||||
}
|
||||
|
||||
private static Expression getDeptId(Long userId){
|
||||
SubSelect subSelect = new SubSelect();
|
||||
PlainSelect select = new PlainSelect();
|
||||
select.setSelectItems(Collections.singletonList(new SelectExpressionItem(new Column("dept_id"))));
|
||||
select.setFromItem(new Table("sys_user"));
|
||||
EqualsTo equalsTo = new EqualsTo();
|
||||
equalsTo.setLeftExpression(new Column("id"));
|
||||
equalsTo.setRightExpression(new LongValue(userId));
|
||||
select.setWhere(equalsTo);
|
||||
subSelect.setSelectBody(select);
|
||||
return subSelect;
|
||||
/**
|
||||
* 当前用户的部门id
|
||||
* @return
|
||||
*/
|
||||
private static Expression getDeptId(){
|
||||
return new LongValue(JwtUtils.getJwtPayload().getLong("deptId"));
|
||||
}
|
||||
|
||||
|
||||
|
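Review bot: The LIKE pattern built at `right.setParameters(new ExpressionList().addExpressions(new StringValue("%,"),getDeptId(),new StringValue("%,")))` is asymmetric — it produces `%,<deptId>%,`, and because any trailing text ending in a comma satisfies the final `%,`, a path containing `,12,` still matches a search for department `1`; if the left side is a comma-delimited ancestor path (its construction at `Function left` is cut off by the hunk boundary), the whole-element test needs `new StringValue("%,"), getDeptId(), new StringValue(",%")`. `getDeptId()` passes `JwtUtils.getJwtPayload().getLong("deptId")` straight into `new LongValue(...)`, so a token without that claim (issued before this commit, or a user with no department) would unbox a null `Long` and throw; check for the missing claim first and reject the query explicitly instead of relying on the NPE. The Javadoc of `dataScopeFilter` in the preceding hunk still lists `@param userId`, which the new signature no longer has; replace it with `@param dataPermission 数据权限范围（1=全部）` or an English equivalent. The body of `dataScopeFilter` spans the hunk boundary at line 86.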