用户访问控制时校验数据权限,防止越权
parent
8007b22b85
commit
612c4293d1
|
@ -125,16 +125,17 @@ public class SysDeptController extends BaseController
|
|||
@PutMapping
|
||||
public AjaxResult edit(@Validated @RequestBody SysDept dept)
|
||||
{
|
||||
Long deptId = dept.getDeptId();
|
||||
deptService.checkDeptDataScope(deptId);
|
||||
if (UserConstants.NOT_UNIQUE.equals(deptService.checkDeptNameUnique(dept)))
|
||||
{
|
||||
return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,部门名称已存在");
|
||||
}
|
||||
else if (dept.getParentId().equals(dept.getDeptId()))
|
||||
else if (dept.getParentId().equals(deptId))
|
||||
{
|
||||
return AjaxResult.error("修改部门'" + dept.getDeptName() + "'失败,上级部门不能是自己");
|
||||
}
|
||||
else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus())
|
||||
&& deptService.selectNormalChildrenDeptById(dept.getDeptId()) > 0)
|
||||
else if (StringUtils.equals(UserConstants.DEPT_DISABLE, dept.getStatus()) && deptService.selectNormalChildrenDeptById(deptId) > 0)
|
||||
{
|
||||
return AjaxResult.error("该部门包含未停用的子部门!");
|
||||
}
|
||||
|
@ -158,6 +159,7 @@ public class SysDeptController extends BaseController
|
|||
{
|
||||
return AjaxResult.error("部门存在用户,不允许删除");
|
||||
}
|
||||
deptService.checkDeptDataScope(deptId);
|
||||
return toAjax(deptService.deleteDeptById(deptId));
|
||||
}
|
||||
}
|
||||
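Review bot: In `edit`, only `deptId` is passed to `checkDeptDataScope`; the `parentId` from the same request body is compared with `deptId` but never scope-checked, so a caller can apparently re-parent an in-scope department under one outside their data scope. If that is not intended, add `deptService.checkDeptDataScope(dept.getParentId());` after the existing call, guarded for null and for whatever value marks a top-level department. In the delete hunk the scope check sits after the child/user checks, so "部门存在用户,不允许删除" is still returned for out-of-scope departments; moving `deptService.checkDeptDataScope(deptId);` to the first line of the method would avoid that. Both method bodies extend beyond the hunks and `checkDeptDataScope` itself is not shown, so this needs confirming against the service.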
|
|
|
@ -111,6 +111,7 @@ public class SysRoleController extends BaseController
|
|||
public AjaxResult edit(@Validated @RequestBody SysRole role)
|
||||
{
|
||||
roleService.checkRoleAllowed(role);
|
||||
roleService.checkRoleDataScope(role.getRoleId());
|
||||
if (UserConstants.NOT_UNIQUE.equals(roleService.checkRoleNameUnique(role)))
|
||||
{
|
||||
return AjaxResult.error("修改角色'" + role.getRoleName() + "'失败,角色名称已存在");
|
||||
|
@ -145,6 +146,7 @@ public class SysRoleController extends BaseController
|
|||
public AjaxResult dataScope(@RequestBody SysRole role)
|
||||
{
|
||||
roleService.checkRoleAllowed(role);
|
||||
roleService.checkRoleDataScope(role.getRoleId());
|
||||
return toAjax(roleService.authDataScope(role));
|
||||
}
|
||||
|
||||
|
@ -157,6 +159,7 @@ public class SysRoleController extends BaseController
|
|||
public AjaxResult changeStatus(@RequestBody SysRole role)
|
||||
{
|
||||
roleService.checkRoleAllowed(role);
|
||||
roleService.checkRoleDataScope(role.getRoleId());
|
||||
role.setUpdateBy(getUsername());
|
||||
return toAjax(roleService.updateRoleStatus(role));
|
||||
}
|
||||
|
@ -236,6 +239,7 @@ public class SysRoleController extends BaseController
|
|||
@PutMapping("/authUser/selectAll")
|
||||
public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds)
|
||||
{
|
||||
roleService.checkRoleDataScope(roleId);
|
||||
return toAjax(roleService.insertAuthUsers(roleId, userIds));
|
||||
}
|
||||
}
|
||||
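Review bot: `selectAuthUserAll` scope-checks `roleId` only; the `userIds` array goes straight to `insertAuthUsers`, so users outside the caller's data scope can apparently be bound to an in-scope role. The mirror case is `insertAuthRole` in SysUserController, where `userId` is checked and `roleIds` is not. If cross-scope grants are not intended, run each id through the matching check before the insert, e.g. `for (Long userId : userIds) { userService.checkUserDataScope(userId); }`, assuming a user service is available in this controller. The `edit`, `dataScope` and `changeStatus` hunks place the new check after `checkRoleAllowed`, which reads consistently.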
|
|
|
@ -148,6 +148,7 @@ public class SysUserController extends BaseController
|
|||
public AjaxResult edit(@Validated @RequestBody SysUser user)
|
||||
{
|
||||
userService.checkUserAllowed(user);
|
||||
userService.checkUserDataScope(user.getUserId());
|
||||
if (StringUtils.isNotEmpty(user.getPhonenumber())
|
||||
&& UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
|
||||
{
|
||||
|
@ -186,6 +187,7 @@ public class SysUserController extends BaseController
|
|||
public AjaxResult resetPwd(@RequestBody SysUser user)
|
||||
{
|
||||
userService.checkUserAllowed(user);
|
||||
userService.checkUserDataScope(user.getUserId());
|
||||
user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
|
||||
user.setUpdateBy(getUsername());
|
||||
return toAjax(userService.resetPwd(user));
|
||||
|
@ -200,6 +202,7 @@ public class SysUserController extends BaseController
|
|||
public AjaxResult changeStatus(@RequestBody SysUser user)
|
||||
{
|
||||
userService.checkUserAllowed(user);
|
||||
userService.checkUserDataScope(user.getUserId());
|
||||
user.setUpdateBy(getUsername());
|
||||
return toAjax(userService.updateUserStatus(user));
|
||||
}
|
||||
|
@ -227,6 +230,7 @@ public class SysUserController extends BaseController
|
|||
@PutMapping("/authRole")
|
||||
public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
|
||||
{
|
||||
userService.checkUserDataScope(userId);
|
||||
userService.insertUserAuth(userId, roleIds);
|
||||
return success();
|
||||
}
|
||||
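Review bot: `resetPwd` and `changeStatus` take `@RequestBody SysUser user` without `@Validated` (unlike `edit`), so `user.getUserId()` may be null when it reaches `checkUserDataScope`. The check's body is not in this diff, so confirm that a null id is rejected rather than treated as "no filter". An explicit guard ahead of the check makes the intent visible, e.g. `if (user.getUserId() == null) { return AjaxResult.error("userId is required"); }` (message text constructed here). `resetPwd` also passes `user.getPassword()` to `encryptPassword` with no visible null or length check; the method bodies continue outside the hunks.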
|
|
|
@ -361,6 +361,7 @@ public class SysRoleServiceImpl implements ISysRoleService
|
|||
for (Long roleId : roleIds)
|
||||
{
|
||||
checkRoleAllowed(new SysRole(roleId));
|
||||
checkRoleDataScope(roleId);
|
||||
SysRole role = selectRoleById(roleId);
|
||||
if (countUserRoleByRoleId(roleId) > 0)
|
||||
{
|
||||
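Review bot: The scope check for deletes is added here in the service loop, while for edit, status and grant operations it is added in the controllers, so any other caller of the service's update methods is not covered by it. The same split applies to the `userIds` loop in SysUserServiceImpl. Consider moving the check into the service methods themselves, or documenting on the interface that callers must invoke it first, e.g. `/** Callers must call checkRoleDataScope(roleId) before any update or delete. */`. The loop also issues one scope lookup per id ahead of `selectRoleById(roleId)`, which is presumably acceptable for small batches; the loop body runs past the end of the hunk.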
|
|
|
@ -482,6 +482,7 @@ public class SysUserServiceImpl implements ISysUserService
|
|||
for (Long userId : userIds)
|
||||
{
|
||||
checkUserAllowed(new SysUser(userId));
|
||||
checkUserDataScope(userId);
|
||||
}
|
||||
// 删除用户与角色关联
|
||||
userRoleMapper.deleteUserRole(userIds);
|
||||
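Review bot: The loop validates every id before `userRoleMapper.deleteUserRole(userIds)` runs, which only protects the batch if `checkUserDataScope` throws on failure, and that is not visible here. A short comment above the loop would record the intent, e.g. `// validate every id first; one out-of-scope id must abort the whole batch before anything is deleted`. The enclosing method starts and ends outside the hunk, so whether it is transactional cannot be told from these lines.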
|
|