
fix 修复 用户篡改管理员角色标识符越权问题

疯狂的狮子Li 2 år sedan
förälder
incheckning
c8d94da4fb

+ 5 - 12
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/controller/system/SysRoleController.java

@@ -1,19 +1,14 @@
 package org.dromara.system.controller.system;
 
 import cn.dev33.satoken.annotation.SaCheckPermission;
-import cn.dev33.satoken.exception.NotLoginException;
-import cn.dev33.satoken.stp.StpUtil;
-import cn.hutool.core.collection.CollUtil;
-import org.dromara.common.core.constant.GlobalConstants;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 import org.dromara.common.core.domain.R;
-import org.dromara.common.core.domain.model.LoginUser;
-import org.dromara.common.core.utils.StringUtils;
 import org.dromara.common.excel.utils.ExcelUtil;
 import org.dromara.common.log.annotation.Log;
 import org.dromara.common.log.enums.BusinessType;
 import org.dromara.common.mybatis.core.page.PageQuery;
 import org.dromara.common.mybatis.core.page.TableDataInfo;
-import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.common.web.core.BaseController;
 import org.dromara.system.domain.SysUserRole;
 import org.dromara.system.domain.bo.SysDeptBo;
@@ -25,8 +20,6 @@ import org.dromara.system.domain.vo.SysUserVo;
 import org.dromara.system.service.ISysDeptService;
 import org.dromara.system.service.ISysRoleService;
 import org.dromara.system.service.ISysUserService;
-import jakarta.servlet.http.HttpServletResponse;
-import lombok.RequiredArgsConstructor;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
@@ -102,7 +95,7 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping
     public R<Void> edit(@Validated @RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         if (!roleService.checkRoleNameUnique(role)) {
             return R.fail("修改角色'" + role.getRoleName() + "'失败,角色名称已存在");
@@ -124,7 +117,7 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping("/dataScope")
     public R<Void> dataScope(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         return toAjax(roleService.authDataScope(role));
     }
@@ -136,7 +129,7 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping("/changeStatus")
     public R<Void> changeStatus(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role.getRoleId());
+        roleService.checkRoleAllowed(role);
         roleService.checkRoleDataScope(role.getRoleId());
         return toAjax(roleService.updateRoleStatus(role.getRoleId(), role.getStatus()));
     }
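Review bot: The new create-time check inside checkRoleAllowed(SysRoleBo) (the branch that fires when roleId is null and the key is a built-in admin key) only protects the create path if the controller's create endpoint actually calls it, and this section updates only edit, dataScope and changeStatus. If `add` does not already call `roleService.checkRoleAllowed(role);` before its `checkRoleNameUnique` check, a new role carrying the super-admin or tenant-admin role key would still be accepted on this controller. The create method is outside the hunks shown, so this needs confirming against the full file. Note also that changeStatus forwards a body from which only roleId and status are consumed, so the service-side key comparison should be prepared for a body without roleKey.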

+ 2 - 2
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/ISysRoleService.java

@@ -85,9 +85,9 @@ public interface ISysRoleService {
     /**
      * 校验角色是否允许操作
      *
-     * @param roleId 角色ID
+     * @param role 角色信息
      */
-    void checkRoleAllowed(Long roleId);
+    void checkRoleAllowed(SysRoleBo role);
 
     /**
      * 校验角色是否有数据权限
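Review bot: The reworked Javadoc on checkRoleAllowed states what the method validates but not how it reports a rejection, even though the only outcome of a failed check is an exception; callers of the interface have no way to know they must handle ServiceException. The implementation throws it in three cases (the role id is the super-admin role, a built-in admin role key is used on create, a built-in admin role key is changed on update), so the contract should say so: `@throws ServiceException if the role is the super-admin role, if a built-in admin role key is used for a new role, or if a built-in admin role's key is being changed`.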

+ 24 - 6
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/system/service/impl/SysRoleServiceImpl.java

@@ -2,6 +2,7 @@ package org.dromara.system.service.impl;
 
 import cn.dev33.satoken.exception.NotLoginException;
 import cn.dev33.satoken.stp.StpUtil;
+import cn.hutool.core.bean.BeanUtil;
 import cn.hutool.core.collection.CollUtil;
 import cn.hutool.core.util.ObjectUtil;
 import com.baomidou.mybatisplus.core.conditions.Wrapper;
@@ -10,6 +11,8 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
+import lombok.RequiredArgsConstructor;
+import org.dromara.common.core.constant.TenantConstants;
 import org.dromara.common.core.constant.UserConstants;
 import org.dromara.common.core.domain.model.LoginUser;
 import org.dromara.common.core.exception.ServiceException;
@@ -30,7 +33,6 @@ import org.dromara.system.mapper.SysRoleMapper;
 import org.dromara.system.mapper.SysRoleMenuMapper;
 import org.dromara.system.mapper.SysUserRoleMapper;
 import org.dromara.system.service.ISysRoleService;
-import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -183,13 +185,29 @@ public class SysRoleServiceImpl implements ISysRoleService {
     /**
      * 校验角色是否允许操作
      *
-     * @param roleId 角色ID
+     * @param role 角色信息
      */
     @Override
-    public void checkRoleAllowed(Long roleId) {
-        if (ObjectUtil.isNotNull(roleId) && LoginHelper.isSuperAdmin(roleId)) {
+    public void checkRoleAllowed(SysRoleBo role) {
+        if (ObjectUtil.isNotNull(role.getRoleId()) && LoginHelper.isSuperAdmin(role.getRoleId())) {
             throw new ServiceException("不允许操作超级管理员角色");
         }
+        // 新增不允许使用 管理员标识符
+        if (ObjectUtil.isNull(role.getRoleId())
+            && StringUtils.equalsAny(role.getRoleKey(),
+            TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+            throw new ServiceException("不允许使用系统内置管理员角色标识符!");
+        }
+        // 修改不允许修改 管理员标识符
+        if (ObjectUtil.isNotNull(role.getRoleId())) {
+            SysRole sysRole = baseMapper.selectById(role.getRoleId());
+            // 如果标识符不相等 判断为修改了管理员标识符
+            if (!StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
+                && StringUtils.equalsAny(sysRole.getRoleKey(),
+                TenantConstants.SUPER_ADMIN_ROLE_KEY, TenantConstants.TENANT_ADMIN_ROLE_KEY)) {
+                throw new ServiceException("不允许修改系统内置管理员角色标识符!");
+            }
+        }
     }
 
     /**
@@ -357,9 +375,9 @@ public class SysRoleServiceImpl implements ISysRoleService {
     @Transactional(rollbackFor = Exception.class)
     public int deleteRoleByIds(Long[] roleIds) {
         for (Long roleId : roleIds) {
-            checkRoleAllowed(roleId);
-            checkRoleDataScope(roleId);
             SysRole role = baseMapper.selectById(roleId);
+            checkRoleAllowed(BeanUtil.toBean(role, SysRoleBo.class));
+            checkRoleDataScope(roleId);
             if (countUserRoleByRoleId(roleId) > 0) {
                 throw new ServiceException(String.format("%1$s已分配,不能删除", role.getRoleName()));
             }
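Review bot: In the update branch of checkRoleAllowed, `baseMapper.selectById(role.getRoleId())` can return null (an id that does not exist, or one filtered out for the current tenant) and the very next condition dereferences it via `sysRole.getRoleKey()`, so a forged roleId ends in a NullPointerException rather than the intended ServiceException; guard the lookup, e.g. `if (ObjectUtil.isNull(sysRole)) { throw new ServiceException("角色不存在"); }`. The same comparison also treats an omitted incoming roleKey as a change: a body carrying only roleId and status (as changeStatus in the controller consumes) makes `StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())` false and would reject a status change on a built-in admin role as a key modification, which looks unintended — if null is meant as "unchanged", add `role.getRoleKey() != null &&` to that condition. In the deleteRoleByIds hunk the moved call now passes `BeanUtil.toBean(role, SysRoleBo.class)` before `role` is null-checked, which reaches the same dereference path for a missing id; that method continues past the hunk, so whether a null result is handled there cannot be seen here.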