提交
57b67590
编写于
12月 11, 2021
作者:
Z
zc
feat: JWT内容增加deptId,修复部门数据权限sql漏洞
JWT内容增加deptId,修复部门数据权限sql漏洞
上级
3c052f57
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
23 addition
and
22 deletion
+23
-22
youlai-admin/admin-api/src/main/java/com/youlai/admin/dto/UserAuthDTO.java
...n-api/src/main/java/com/youlai/admin/dto/UserAuthDTO.java
+5
-0
youlai-admin/admin-boot/src/main/java/com/youlai/admin/service/impl/SysDeptServiceImpl.java
...ava/com/youlai/admin/service/impl/SysDeptServiceImpl.java
+2
-3
youlai-admin/admin-boot/src/main/resources/mapper/SysUserMapper.xml
...in/admin-boot/src/main/resources/mapper/SysUserMapper.xml
+2
-1
youlai-auth/src/main/java/com/youlai/auth/security/config/AuthorizationServerConfig.java
...oulai/auth/security/config/AuthorizationServerConfig.java
+1
-0
youlai-auth/src/main/java/com/youlai/auth/security/core/userdetails/user/SysUserDetails.java
...i/auth/security/core/userdetails/user/SysUserDetails.java
+2
-0
youlai-common/common-mybatis/src/main/java/com/youlai/common/mybatis/handler/DataPermissionHandlerImpl.java
...lai/common/mybatis/handler/DataPermissionHandlerImpl.java
+11
-18
youlai-admin/admin-api/src/main/java/com/youlai/admin/dto/UserAuthDTO.java
@@ -38,6 +38,11 @@ public class UserAuthDTO {
*/
private
List
<
String
>
roles
;
/**
* 部门ID
*/
private
Long
deptId
;
}
youlai-admin/admin-boot/src/main/java/com/youlai/admin/service/impl/SysDeptServiceImpl.java
@@ -120,9 +120,8 @@ public class SysDeptServiceImpl extends ServiceImpl<SysDeptMapper, SysDept> impl
.
eq
(
SysDept:
:
getStatus
,
GlobalConstants
.
STATUS_YES
)
.
orderByAsc
(
SysDept:
:
getSort
)
);
Long
userId
=
JwtUtils
.
getUserId
();
SysUser
user
=
iSysUserService
.
getById
(
userId
);
List
<
TreeSelectVO
>
deptSelectList
=
recursionTreeSelectList
(
user
.
getDeptId
(),
deptList
);
List
<
TreeSelectVO
>
deptSelectList
=
recursionTreeSelectList
(
JwtUtils
.
getJwtPayload
().
getLong
(
"deptId"
),
deptList
);
return
deptSelectList
;
}
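Review bot: `JwtUtils.getJwtPayload().getLong("deptId")` in the new `recursionTreeSelectList(...)` call yields null for any token minted before this deployment, and for a user whose `dept_id` is null, so the DB-backed lookup's handling of that case is silently replaced by passing null as the tree root. Whether `recursionTreeSelectList` tolerates a null root is not visible here; a guard such as `Long deptId = JwtUtils.getJwtPayload().getLong("deptId"); if (deptId == null) { return Collections.emptyList(); }` (or whatever the previous path returned for a user without a department) would make the fallback explicit. Note also that the department now comes from the token rather than the database, so a user moved to another department keeps the old tree until the token is re-issued. The enclosing method starts before this hunk.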
youlai-admin/admin-boot/src/main/resources/mapper/SysUserMapper.xml
@@ -37,13 +37,14 @@
<result
property=
"username"
column=
"username"
jdbcType=
"VARCHAR"
/>
<result
property=
"password"
column=
"password"
jdbcType=
"VARCHAR"
/>
<result
property=
"status"
column=
"status"
jdbcType=
"BOOLEAN"
/>
<result
property=
"deptId"
column=
"deptId"
jdbcType=
"BIGINT"
></result>
<collection
property=
"roles"
ofType=
"string"
javaType=
"list"
>
<result
column=
"roleCode"
></result>
</collection>
</resultMap>
<select
id=
"getByUsername"
resultMap=
"UserAuthMap"
>
select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t3.code roleCode
select t1.id userId, t1.username, t1.nickname, t1.password, t1.status, t
1.dept_id deptId,t
3.code roleCode
from sys_user t1,
sys_user_role t2,
sys_role t3
youlai-auth/src/main/java/com/youlai/auth/security/config/AuthorizationServerConfig.java
@@ -173,6 +173,7 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap
SysUserDetails
sysUserDetails
=
(
SysUserDetails
)
principal
;
additionalInfo
.
put
(
"userId"
,
sysUserDetails
.
getUserId
());
additionalInfo
.
put
(
"username"
,
sysUserDetails
.
getUsername
());
additionalInfo
.
put
(
"deptId"
,
sysUserDetails
.
getDeptId
());
if
(
StrUtil
.
isNotBlank
(
sysUserDetails
.
getAuthenticationMethod
()))
{
additionalInfo
.
put
(
"authenticationMethod"
,
sysUserDetails
.
getAuthenticationMethod
());
}
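Review bot: `additionalInfo.put("deptId", sysUserDetails.getDeptId())` is unconditional, unlike the `authenticationMethod` claim a few lines below which is only emitted when present, so a user with no department produces a `deptId: null` claim that every consumer must special-case. Since this claim now drives the row-level filter in `DataPermissionHandlerImpl` (same commit), the department is frozen for the token's lifetime and is only as trustworthy as the signature check performed wherever the token is consumed, which is outside this hunk. Consider `if (sysUserDetails.getDeptId() != null) { additionalInfo.put("deptId", sysUserDetails.getDeptId()); }` together with a comment such as `// deptId is read by DataPermissionHandlerImpl for data-scope filtering; a changed department takes effect only when the token is re-issued`. The enclosing method starts before this hunk.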
youlai-auth/src/main/java/com/youlai/auth/security/core/userdetails/user/SysUserDetails.java
@@ -27,6 +27,7 @@ public class SysUserDetails implements UserDetails {
*/
private
Long
userId
;
private
String
authenticationMethod
;
private
Long
deptId
;
/**
* 默认字段
@@ -42,6 +43,7 @@ public class SysUserDetails implements UserDetails {
public
SysUserDetails
(
UserAuthDTO
user
)
{
this
.
setUserId
(
user
.
getUserId
());
this
.
setUsername
(
user
.
getUsername
());
this
.
setDeptId
(
user
.
getDeptId
());
this
.
setPassword
(
PasswordEncoderTypeEnum
.
BCRYPT
.
getPrefix
()
+
user
.
getPassword
());
this
.
setEnabled
(
GlobalConstants
.
STATUS_YES
.
equals
(
user
.
getStatus
()));
if
(
CollectionUtil
.
isNotEmpty
(
user
.
getRoles
()))
{
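Review bot: The new `deptId` field has no Javadoc while the neighbouring `userId` does; because this value is copied into the JWT claims by `AuthorizationServerConfig` in the same commit, its role deserves a line such as `/** Department ID of the user; emitted as the "deptId" JWT claim that drives data-scope filtering. */`. Nullability is worth stating too (`UserAuthDTO.getDeptId()` presumably can be null for a user without a department), so the token-building code knows to guard it. The constructor body continues past this hunk.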
youlai-common/common-mybatis/src/main/java/com/youlai/common/mybatis/handler/DataPermissionHandlerImpl.java
@@ -50,14 +50,13 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
for
(
Method
method
:
methods
)
{
InterceptorIgnore
annotation
=
method
.
getAnnotation
(
InterceptorIgnore
.
class
);
if
(
ObjectUtils
.
isNotEmpty
(
annotation
)
&&
(
method
.
getName
().
equals
(
methodName
)
||
(
method
.
getName
()
+
"_COUNT"
).
equals
(
methodName
)))
{
// 获取当前的用户
Long
userId
=
JwtUtils
.
getUserId
();
// 获取当前的用户角色
List
<
String
>
roles
=
JwtUtils
.
getRoles
();
if
(
!
roles
.
isEmpty
()
&&
roles
.
contains
(
GlobalConstants
.
ROOT_ROLE_CODE
))
{
// 如果是超级管理员则放行
return
where
;
}
else
{
return
dataScopeFilter
(
userId
,
annotation
.
dataPermission
(),
where
);
return
dataScopeFilter
(
annotation
.
dataPermission
(),
where
);
}
}
}
@@ -70,16 +69,15 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
/**
* 构建过滤条件
*
* @param userId 当前登录用户id
* @param where 当前查询条件
* @return 构建后查询条件
*/
public
static
Expression
dataScopeFilter
(
Long
userId
,
String
dataPermission
,
Expression
where
)
{
public
static
Expression
dataScopeFilter
(
String
dataPermission
,
Expression
where
)
{
Expression
expression
=
null
;
if
(
dataPermission
.
equals
(
"1"
)){
return
where
;
}
else
{
EqualsTo
equalsTo
=
new
EqualsTo
(
new
Column
(
"id"
),
getDeptId
(
userId
));
EqualsTo
equalsTo
=
new
EqualsTo
(
new
Column
(
"id"
),
getDeptId
());
expression
=
ObjectUtils
.
isNotEmpty
(
expression
)
?
new
AndExpression
(
expression
,
equalsTo
)
:
equalsTo
;
LikeExpression
likeExpression
=
new
LikeExpression
();
Function
left
=
new
Function
();
@@ -88,24 +86,19 @@ public class DataPermissionHandlerImpl implements DataPermissionHandler {
likeExpression
.
setLeftExpression
(
left
);
Function
right
=
new
Function
();
right
.
setName
(
"concat"
);
right
.
setParameters
(
new
ExpressionList
().
addExpressions
(
new
StringValue
(
"%
"
),
getDeptId
(
userId
),
new
StringValue
(
"%
"
)));
right
.
setParameters
(
new
ExpressionList
().
addExpressions
(
new
StringValue
(
"%
,"
),
getDeptId
(),
new
StringValue
(
"%,
"
)));
likeExpression
.
setRightExpression
(
right
);
expression
=
ObjectUtils
.
isNotEmpty
(
expression
)
?
new
OrExpression
(
expression
,
likeExpression
)
:
expression
;
}
return
ObjectUtils
.
isNotEmpty
(
where
)
?
new
AndExpression
(
where
,
new
Parenthesis
(
expression
))
:
expression
;
}
private
static
Expression
getDeptId
(
Long
userId
){
SubSelect
subSelect
=
new
SubSelect
();
PlainSelect
select
=
new
PlainSelect
();
select
.
setSelectItems
(
Collections
.
singletonList
(
new
SelectExpressionItem
(
new
Column
(
"dept_id"
))));
select
.
setFromItem
(
new
Table
(
"sys_user"
));
EqualsTo
equalsTo
=
new
EqualsTo
();
equalsTo
.
setLeftExpression
(
new
Column
(
"id"
));
equalsTo
.
setRightExpression
(
new
LongValue
(
userId
));
select
.
setWhere
(
equalsTo
);
subSelect
.
setSelectBody
(
select
);
return
subSelect
;
/**
* 当前用户的部门id
* @return
*/
private
static
Expression
getDeptId
(){
return
new
LongValue
(
JwtUtils
.
getJwtPayload
().
getLong
(
"deptId"
));
}
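Review bot: `getDeptId()` unboxes `JwtUtils.getJwtPayload().getLong("deptId")` straight into `new LongValue(...)`, so a token without the claim (issued before this change, or for a user with no department) fails with a NullPointerException from inside the MyBatis interceptor instead of an explicit authorization error; that is fail-closed, but it should be a deliberate check, sketched below. Two caveats belong in the method's Javadoc: the department is now fixed for the token's lifetime (a reassigned user keeps the old scope until re-issue), and the value must stay a numeric `LongValue`, since rendering the claim as a `StringValue` would turn a forged claim into SQL injection, and the whole filter rests on the JWT signature being verified before `JwtUtils` reads the payload, which is not visible here. Separately, the page renders the closing `concat` delimiter as `"%,"`; if the literal in the source is not `",%"`, the tree-path match is wrong and worth a look.
```java
/**
 * Department id of the current user, read from the JWT "deptId" claim.
 * The claim is fixed for the token's lifetime: a user moved to another
 * department keeps the old data scope until the token is re-issued.
 */
private static Expression getDeptId() {
    Long deptId = JwtUtils.getJwtPayload().getLong("deptId");
    if (deptId == null) {
        // Fail closed with a clear message rather than an NPE from LongValue(long);
        // use the project's own exception type if one exists.
        throw new IllegalStateException("JWT has no deptId claim; cannot apply data-scope filter");
    }
    // Keep this a numeric LongValue: a StringValue here would be an injection point.
    return new LongValue(deptId);
}
```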