From 4095a1b6ee3ed943a228bca40304fe8dd6afb0ad Mon Sep 17 00:00:00 2001
From: Ricky <hk_ricky@163.com>
Date: 星期二, 27 七月 2021 10:08:04 +0800
Subject: [PATCH] !275 fix Issue #I42GRW 任意账户越权漏洞 Merge pull request !275 from lagXkjy/master
---
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java | 41 ++++++++++++++++++++++++++++++++++++-----
1 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
index 946df4d..692bd5c 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
@@ -127,11 +127,13 @@
{
return AjaxResult.error("新增用户'" + user.getUserName() + "'失败,登录账号已存在");
}
- else if (UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
+ else if (StringUtils.isNotEmpty(user.getPhonenumber())
+ && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{
return AjaxResult.error("新增用户'" + user.getUserName() + "'失败,手机号码已存在");
}
- else if (UserConstants.NOT_UNIQUE.equals(userService.checkEmailUnique(user)))
+ else if (StringUtils.isNotEmpty(user.getEmail())
+ && UserConstants.NOT_UNIQUE.equals(userService.checkEmailUnique(user)))
{
return AjaxResult.error("新增用户'" + user.getUserName() + "'失败,邮箱账号已存在");
}
@@ -149,11 +151,13 @@
public AjaxResult edit(@Validated @RequestBody SysUser user)
{
userService.checkUserAllowed(user);
- if (UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
+ if (StringUtils.isNotEmpty(user.getPhonenumber())
+ && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,手机号码已存在");
}
- else if (UserConstants.NOT_UNIQUE.equals(userService.checkEmailUnique(user)))
+ else if (StringUtils.isNotEmpty(user.getEmail())
+ && UserConstants.NOT_UNIQUE.equals(userService.checkEmailUnique(user)))
{
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
}
@@ -175,7 +179,7 @@
/**
* 重置密码
*/
- @PreAuthorize("@ss.hasPermi('system:user:edit')")
+ @PreAuthorize("@ss.hasPermi('system:user:resetPwd')")
@Log(title = "用户管理", businessType = BusinessType.UPDATE)
@PutMapping("/resetPwd")
public AjaxResult resetPwd(@RequestBody SysUser user)
@@ -198,4 +202,31 @@
user.setUpdateBy(SecurityUtils.getUsername());
return toAjax(userService.updateUserStatus(user));
}
+
+ /**
+ * 根据用户编号获取授权角色
+ */
+ @PreAuthorize("@ss.hasPermi('system:user:query')")
+ @GetMapping("/authRole/{userId}")
+ public AjaxResult authRole(@PathVariable("userId") Long userId)
+ {
+ AjaxResult ajax = AjaxResult.success();
+ SysUser user = userService.selectUserById(userId);
+ List<SysRole> roles = roleService.selectRolesByUserId(userId);
+ ajax.put("user", user);
+ ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
+ return ajax;
+ }
+
+ /**
+ * 用户授权角色
+ */
+ @PreAuthorize("@ss.hasPermi('system:user:edit')")
+ @Log(title = "用户管理", businessType = BusinessType.GRANT)
+ @PutMapping("/authRole")
+ public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
+ {
+ userService.insertUserAuth(userId, roleIds);
+ return success();
+ }
}
--
Gitblit v1.9.2