fix 修复用户相关更新操作会越权的问题

2025-11-04 16:23:42 +08:00 · 2023-03-10 21:15:54 +08:00
parent f8c98a1f48
commit cdb509a4fa
5 changed files with 84 additions and 43 deletions
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
@@ -83,7 +83,6 @@ public class SysProfileController extends BaseController {
    @PutMapping("/updatePwd")
    public R<Void> updatePwd(String oldPassword, String newPassword) {
        SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
-        String userName = user.getUserName();
        String password = user.getPassword();
        if (!BCrypt.checkpw(oldPassword, password)) {
            return R.fail("修改密码失败，旧密码错误");
@@ -92,7 +91,7 @@ public class SysProfileController extends BaseController {
            return R.fail("新密码不能与旧密码相同");
        }

-        if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) {
+        if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
            return R.ok();
        }
        return R.fail("修改密码异常，请联系管理员");
@@ -113,7 +112,7 @@ public class SysProfileController extends BaseController {
            }
            SysOssVo oss = sysOssService.upload(avatarfile);
            String avatar = oss.getUrl();
-            if (userService.updateUserAvatar(LoginHelper.getUsername(), oss.getOssId())) {
+            if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
                AvatarVo avatarVo = new AvatarVo();
                avatarVo.setImgUrl(avatar);
                return R.ok(avatarVo);
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java
@@ -182,7 +182,7 @@ public class SysUserController extends BaseController {
        userService.checkUserAllowed(user);
        userService.checkUserDataScope(user.getUserId());
        user.setPassword(BCrypt.hashpw(user.getPassword()));
-        return toAjax(userService.resetPwd(user));
+        return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
    }

    /**
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java
@@ -106,4 +106,18 @@ public interface SysUserMapper extends BaseMapperPlus<SysUserMapper, SysUser, Sy
     */
    SysUserVo selectUserById(Long userId);

+    @Override
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "dept_id"),
+        @DataColumn(key = "userName", value = "user_id")
+    })
+    int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
+
+    @Override
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "dept_id"),
+        @DataColumn(key = "userName", value = "user_id")
+    })
+    int updateById(@Param(Constants.ENTITY) SysUser user);
+
 }
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -170,28 +170,20 @@ public interface ISysUserService {
    /**
     * 修改用户头像
     *
-     * @param userName 用户名
+     * @param userId 用户ID
     * @param avatar   头像地址
     * @return 结果
     */
-    boolean updateUserAvatar(String userName, Long avatar);
+    boolean updateUserAvatar(Long userId, Long avatar);

    /**
     * 重置用户密码
     *
-     * @param user 用户信息
-     * @return 结果
-     */
-    int resetPwd(SysUserBo user);
-
-    /**
-     * 重置用户密码
-     *
-     * @param userName 用户名
+     * @param userId 用户ID
     * @param password 密码
     * @return 结果
     */
-    int resetUserPwd(String userName, String password);
+    int resetUserPwd(Long userId, String password);

    /**
     * 通过用户ID删除用户
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -36,8 +36,10 @@ import org.springframework.cache.annotation.Cacheable;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;

+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;

 /**
 * 用户 业务层处理
@@ -317,7 +319,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
        // 新增用户与岗位管理
        insertUserPost(user);
        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
-        return baseMapper.updateById(sysUser);
+        //防止错误更新后导致的数据误删除
+        int flag = baseMapper.updateById(sysUser);
+        if (flag <= 0){
+            throw new ServiceException("修改用户"+user.getUserName()+"信息失败");
+        }
+        return flag;
    }

    /**
@@ -342,8 +349,10 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     */
    @Override
    public int updateUserStatus(SysUserBo user) {
-        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
-        return baseMapper.updateById(sysUser);
+        return baseMapper.update(null,
+            new LambdaUpdateWrapper<SysUser>()
+                .set(SysUser::getStatus, user.getStatus())
+                .eq(SysUser::getUserId, user.getUserId()));
    }

    /**
@@ -354,50 +363,43 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     */
    @Override
    public int updateUserProfile(SysUserBo user) {
-        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
-        return baseMapper.updateById(sysUser);
+        return baseMapper.update(null,
+            new LambdaUpdateWrapper<SysUser>()
+                .set(ObjectUtil.isNotNull(user.getNickName()), SysUser::getNickName, user.getNickName())
+                .set(SysUser::getPhonenumber, user.getPhonenumber())
+                .set(SysUser::getEmail, user.getEmail())
+                .set(SysUser::getSex, user.getSex())
+                .eq(SysUser::getUserId, user.getUserId()));
    }

    /**
     * 修改用户头像
     *
-     * @param userName 用户名
+     * @param userId 用户ID
     * @param avatar   头像地址
     * @return 结果
     */
    @Override
-    public boolean updateUserAvatar(String userName, Long avatar) {
+    public boolean updateUserAvatar(Long userId, Long avatar) {
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(SysUser::getAvatar, avatar)
-                .eq(SysUser::getUserName, userName)) > 0;
+                .eq(SysUser::getUserId, userId)) > 0;
    }

    /**
     * 重置用户密码
     *
-     * @param user 用户信息
-     * @return 结果
-     */
-    @Override
-    public int resetPwd(SysUserBo user) {
-        SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
-        return baseMapper.updateById(sysUser);
-    }
-
-    /**
-     * 重置用户密码
-     *
-     * @param userName 用户名
+     * @param userId 用户ID
     * @param password 密码
     * @return 结果
     */
    @Override
-    public int resetUserPwd(String userName, String password) {
+    public int resetUserPwd(Long userId, String password) {
        return baseMapper.update(null,
            new LambdaUpdateWrapper<SysUser>()
                .set(SysUser::getPassword, password)
-                .eq(SysUser::getUserName, userName));
+                .eq(SysUser::getUserId, userId));
    }

    /**
@@ -417,8 +419,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
    public void insertUserPost(SysUserBo user) {
        Long[] posts = user.getPostIds();
        if (ArrayUtil.isNotEmpty(posts)) {
+            //判断是否具有此角色的岗位权限
+            List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
+            if (postList.isEmpty()){
+                throw new ServiceException("您不具有操作岗位的权限");
+            }
+            List<Long> postIdList = Arrays.asList(posts);
+            List<Long> canDoPostList = postIdList.stream()
+                .filter(postList::contains)
+                .collect(Collectors.toList());
+            if (canDoPostList.isEmpty()){
+                throw new ServiceException("您不具有操作当前岗位的权限");
+            }
            // 新增用户与岗位管理
-            List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> {
+            List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
                SysUserPost up = new SysUserPost();
                up.setUserId(user.getUserId());
                up.setPostId(postId);
@@ -436,8 +450,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     */
    public void insertUserRole(Long userId, Long[] roleIds) {
        if (ArrayUtil.isNotEmpty(roleIds)) {
+            //判断是否具有此角色的操作权限
+            List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
+            if (roleList.isEmpty()){
+                throw new ServiceException("您不具有操作角色的权限");
+            }
+            List<Long> roleIdList = Arrays.asList(roleIds);
+            List<Long> canDoRoleList = roleIdList.stream()
+                .filter(roleList::contains)
+                .collect(Collectors.toList());
+            if (canDoRoleList.isEmpty()){
+                throw new ServiceException("您不具有操作当前角色的权限");
+            }
            // 新增用户与角色管理
-            List<SysUserRole> list = StreamUtils.toList(List.of(roleIds), roleId -> {
+            List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
                SysUserRole ur = new SysUserRole();
                ur.setUserId(userId);
                ur.setRoleId(roleId);
@@ -460,7 +486,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
        userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
        // 删除用户与岗位表
        userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
-        return baseMapper.deleteById(userId);
+        // 防止更新失败导致的数据删除
+        int flag = baseMapper.deleteById(userId);
+        if (flag <= 0){
+            throw new ServiceException("删除用户发生异常");
+        }
+        return flag;
    }

    /**
@@ -481,7 +512,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
        userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids));
        // 删除用户与岗位表
        userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
-        return baseMapper.deleteBatchIds(ids);
+        // 防止更新失败导致的数据删除
+        int flag = baseMapper.deleteBatchIds(ids);
+        if (flag <= 0){
+            throw new ServiceException("删除用户发生异常");
+        }
+        return flag;
    }

    @Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId")