Merge branch '修复目录遍历和个人信息修改越权的问题' into 'develop'

修复目录遍历和个人信息修改越权的问题

See merge request o2oa/o2oa!869

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/person/ActionEdit.java

@@ -38,9 +38,7 @@ class ActionEdit extends BaseAction {
 			/** 从内存中pick出来的无法作为实体保存 */
 			person = emc.find(person.getId(), Person.class);
 			Wi.copier.copy(wi, person);
-			this.checkName(business, person.getName(), person.getId());
 			this.checkMobile(business, person.getMobile(), person.getId());
-			this.checkEmployee(business, person.getEmployee(), person.getId());
 			this.checkMail(business, person.getMail(), person.getId());
 			/** 不能更新person的superior 和 controllerList */
 			emc.beginTransaction(Person.class);
@@ -61,17 +59,13 @@ class ActionEdit extends BaseAction {
 
 		private static final long serialVersionUID = 1571810726944802231L;
 
-//		static WrapCopier<Wi, Person> copier = WrapCopierFactory.wi(Wi.class, Person.class, null,
-//				ListTools.toList(JpaObject.FieldsUnmodify, "icon", "iconMdpi", "iconLdpi", "pinyin", "pinyinInitial",
-//						"password", "passwordExpiredTime", "lastLoginTime", "lastLoginAddress", "lastLoginClient",
-//						"superior", "controllerList"));
-
 		static WrapCopier<Wi, Person> copier = WrapCopierFactory.wi(Wi.class, Person.class, null,
 				ListTools.toList(JpaObject.FieldsUnmodify, Person.icon_FIELDNAME, Person.iconMdpi_FIELDNAME,
 						Person.iconLdpi_FIELDNAME, Person.pinyin_FIELDNAME, Person.pinyinInitial_FIELDNAME,
 						Person.password_FIELDNAME, Person.passwordExpiredTime_FIELDNAME, Person.lastLoginTime_FIELDNAME,
 						Person.lastLoginAddress_FIELDNAME, Person.lastLoginClient_FIELDNAME, Person.superior_FIELDNAME,
-						Person.controllerList_FIELDNAME, Person.ipAddress_FIELDNAME));
+						Person.controllerList_FIELDNAME, Person.ipAddress_FIELDNAME, Person.name_FIELDNAME,
+						Person.unique_FIELDNAME, Person.employee_FIELDNAME));
 	}
 
 	public static class Wo extends WoId {

o2server/x_organization_assemble_personal/src/main/java/com/x/organization/assemble/personal/jaxrs/person/BaseAction.java

@@ -120,7 +120,7 @@ abstract class BaseAction extends StandardJaxrsAction {
 
 	protected void checkEmployee(Business business, String employee, String excludeId) throws Exception {
 		if (StringUtils.isNotEmpty(employee)) {
-			if (StringUtils.isEmpty(employee) || (!StringTools.isSimply(employee))) {
+			if (!StringTools.isSimply(employee)) {
 				throw new ExceptionInvalidEmployee(employee);
 			}
 			if (StringUtils.isNotEmpty(business.person().getWithEmployee(employee, excludeId))) {
@@ -140,4 +140,4 @@ abstract class BaseAction extends StandardJaxrsAction {
 		}
 	}
 
-}
\ No newline at end of file
+}

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/config/ActionOpen.java

@@ -6,6 +6,7 @@ import java.util.Date;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.io.FileUtils;
 
 import com.google.gson.JsonElement;
@@ -19,8 +20,12 @@ import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.DefaultCharset;
 import org.apache.commons.lang3.StringUtils;
 
+/**
+ * 获取配置文件
+ * @author sword
+ */
 public class ActionOpen extends BaseAction {
-	private static Logger logger = LoggerFactory.getLogger(ActionOpen.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(ActionOpen.class);
 
 	ActionResult<Wo> execute(HttpServletRequest request, EffectivePerson effectivePerson,JsonElement jsonElement) throws Exception {
 		ActionResult<Wo> result = new ActionResult<>();
@@ -30,8 +35,8 @@ public class ActionOpen extends BaseAction {
 		if (StringUtils.isBlank(fileName)) {
 			throw new ExceptionNameEmpty();
 		}
-		if(fileName.indexOf(SLASH) > -1){
-			throw new Exception("名称不能包含'/'!");
+		if(!StringTools.isFileName(fileName)){
+			throw new ExceptionIllegalFileName(fileName);
 		}
 
 		File file = new File(Config.base(),"config/"+fileName);

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/config/ActionOpenRuntimeConfig.java

@@ -9,10 +9,10 @@ import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.DefaultCharset;
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 
-import javax.servlet.http.HttpServletRequest;
 import java.io.File;
 
 /**
@@ -20,7 +20,7 @@ import java.io.File;
  * @author sword
  */
 public class ActionOpenRuntimeConfig extends BaseAction {
-	private static Logger logger = LoggerFactory.getLogger(ActionOpenRuntimeConfig.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(ActionOpenRuntimeConfig.class);
 
 	ActionResult<Wo> execute(EffectivePerson effectivePerson,JsonElement jsonElement) throws Exception {
 		ActionResult<Wo> result = new ActionResult<>();
@@ -30,8 +30,8 @@ public class ActionOpenRuntimeConfig extends BaseAction {
 		if (StringUtils.isBlank(fileName)) {
 			throw new ExceptionNameEmpty();
 		}
-		if(fileName.indexOf(SLASH) > -1){
-			throw new Exception("名称不能包含'/'!");
+		if(!StringTools.isFileName(fileName)){
+			throw new ExceptionIllegalFileName(fileName);
 		}
 
 		File file = new File(Config.base(),"config/"+fileName);

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/config/ActionSave.java

@@ -13,6 +13,7 @@ import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.lang3.BooleanUtils;
 
 import com.google.gson.Gson;
@@ -35,9 +36,9 @@ import org.apache.commons.lang3.StringUtils;
  * @author sword
  */
 public class ActionSave extends BaseAction {
-	private static Logger logger = LoggerFactory.getLogger(ActionSave.class);
+	private static final Logger LOGGER = LoggerFactory.getLogger(ActionSave.class);
 
-	ActionResult<Wo> execute(HttpServletRequest request, EffectivePerson effectivePerson, JsonElement jsonElement)
+	ActionResult<Wo> execute(EffectivePerson effectivePerson, JsonElement jsonElement)
 			throws Exception {
 		ActionResult<Wo> result = new ActionResult<>();
 		Wi wi = this.convertToWrapIn(jsonElement, Wi.class);
@@ -48,8 +49,8 @@ public class ActionSave extends BaseAction {
 		if (StringUtils.isBlank(fileName)) {
 			throw new ExceptionNameEmpty();
 		}
-		if(fileName.indexOf(SLASH) > -1){
-			throw new IllegalAccessException("名称不能包含'/'!");
+		if(!StringTools.isFileName(fileName)){
+			throw new ExceptionIllegalFileName(fileName);
 		}
 
 		String data = wi.getFileContent();
@@ -80,7 +81,7 @@ public class ActionSave extends BaseAction {
 		try {
 			Thread.sleep(1000);
 		} catch (InterruptedException e) {
-			logger.error(e);
+			LOGGER.error(e);
 		}
 		this.configFlush(effectivePerson);
 
@@ -124,11 +125,11 @@ public class ActionSave extends BaseAction {
 					dos.write(bytes, 0, length);
 					dos.flush();
 				}
-				logger.info("同步文件{}到节点{}完成.......", syncFilePath, nodeName);
+				LOGGER.info("同步文件{}到节点{}完成.......", syncFilePath, nodeName);
 			}
 			syncFileFlag = true;
 		} catch (Exception ex) {
-			logger.warn("同步文件{}到节点{}异常：{}", syncFilePath, nodeName, ex.getMessage());
+			LOGGER.warn("同步文件{}到节点{}异常：{}", syncFilePath, nodeName, ex.getMessage());
 			syncFileFlag = false;
 		}
 		return syncFileFlag;

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/config/ConfigAction.java

@@ -318,7 +318,7 @@ public class ConfigAction extends StandardJaxrsAction {
 		ActionResult<ActionSave.Wo> result = new ActionResult<>();
 		EffectivePerson effectivePerson = this.effectivePerson(request);
 		try {
-			result = new ActionSave().execute(request, effectivePerson, jsonElement);
+			result = new ActionSave().execute(effectivePerson, jsonElement);
 		} catch (Exception e) {
 			LOGGER.error(e, effectivePerson, request, null);
 			result.error(e);

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/config/ExceptionIllegalFileName.java

+package com.x.program.center.jaxrs.config;
+
+import com.x.base.core.project.exception.LanguagePromptException;
+
+class ExceptionIllegalFileName extends LanguagePromptException {
+
+	private static final long serialVersionUID = -8324509965998709044L;
+
+	public ExceptionIllegalFileName(String name) {
+		super("无效的文件名称:{}.", name);
+	}
+
+}

o2server/x_program_center/src/main/java/com/x/program/center/jaxrs/module/ActionDispatchResource.java

@@ -2,6 +2,7 @@ package com.x.program.center.jaxrs.module;
 
 import java.io.File;
 
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -34,8 +35,9 @@ class ActionDispatchResource extends BaseAction {
 		if (StringUtils.isEmpty(file)) {
 			file = this.fileName(disposition);
 		}
-		if ((file.indexOf("/") > -1) || (!file.toLowerCase().endsWith(".zip") && StringUtils.isEmpty(filePath))
-				|| (bytes == null || bytes.length == 0)) {
+		boolean flag = (!StringTools.isFileName(file)) || (!file.toLowerCase().endsWith(".zip") && StringUtils.isEmpty(filePath))
+				|| (bytes == null || bytes.length == 0);
+		if (flag) {
 			throw new ExceptionIllegalFile(file);
 		}
 		if (StringUtils.isNotEmpty(filePath)) {