修正rolechangeUser漏洞,新增获取推荐用户接口
This commit is contained in:
parent
2d9c974fa7
commit
07cf979b42
|
@ -93,3 +93,21 @@ id为主键(不管),团队成员信息定义value:organize_user_info,
|
|||
6. `created_at`: 创建时间
|
||||
7. `updated_at`: 修改时间
|
||||
8. `autohr`: 填写作者
|
||||
|
||||
|
||||
## 新闻信息展示
|
||||
1. `order`: 展示顺序,可选值[asc|desc]
|
||||
2. `data`: 数据内容
|
||||
1. `display_order`:展示顺序
|
||||
2. `title`: 新闻标题
|
||||
3. `content`: 新闻内容
|
||||
4. `tags`: 标签
|
||||
5. `likes`: 点赞数
|
||||
6. `comments`: 评论数
|
||||
7. `status`: 新闻状态
|
||||
8. `is_active`: 是否展示[true|false]
|
||||
9. `created_at` : 创建时间
|
||||
10. `updated_at` : 更新时间
|
||||
11. `author`: 作者名称
|
||||
|
||||
|
||||
|
|
|
@ -44,4 +44,6 @@ public class MailConfiguration {
|
|||
|
||||
return mailSender;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -73,4 +73,10 @@ public class InfoController {
|
|||
log.info("请求接口[PUT]: /info/header-image/edit-setting");
|
||||
return infoService.editSettingHeaderImage(request, showType);
|
||||
}
|
||||
|
||||
@GetMapping("info/header-user/get")
|
||||
public BaseResponse infoGetHeaderUser(@RequestParam String order,@RequestParam String orderBy,HttpServletRequest request){
|
||||
log.info("请求接口[GET]: /info/header-user/get");
|
||||
return infoService.getHeaderUser(request,order,orderBy);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,4 +31,9 @@ public class PermissionController {
|
|||
} else return permissionService.permissionUser(request,uid);
|
||||
}
|
||||
|
||||
@GetMapping("/permission/get")
|
||||
public BaseResponse permissionGet(HttpServletRequest request){
|
||||
return permissionService.permissionGet(request);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -142,6 +142,13 @@ public class RoleController {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* @Description: TODO 改变用户角色权限信息
|
||||
* @Date: 2024/1/20
|
||||
* @Param request:
|
||||
* @Param uid: 用户id
|
||||
* @Param rid: 角色id
|
||||
**/
|
||||
@PutMapping("role/user/change")
|
||||
public BaseResponse roleChangeUser(HttpServletRequest request, @RequestParam Long uid, @RequestParam Long rid) {
|
||||
log.info("请求接口[POST]: /role/user/change");
|
||||
|
@ -151,4 +158,10 @@ public class RoleController {
|
|||
}
|
||||
return roleService.roleChangeUser(request, uid, rid);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
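Review bot: The log line at the top of roleChangeUser reports `[POST]` while the handler is mapped with `@PutMapping`, so request logs for this endpoint will point operators at the wrong verb; change it to `log.info("请求接口[PUT]: /role/user/change");`. The Javadoc above it still carries the template's `TODO` marker in `@Description`, which reads as unfinished work — drop the word or state what actually remains to be done. The body of roleChangeUser continues outside the visible hunks; the lines between the log call and the `return roleService.roleChangeUser(...)` are not shown here.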
|
||||
|
|
|
@ -178,4 +178,7 @@ public class UserController {
|
|||
public BaseResponse userProfileGet(HttpServletRequest request) {
|
||||
return userService.userProfileGet(request);
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -236,4 +236,9 @@ public class UserDAO {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
public List<UserDO> getRecommendUser(){
|
||||
return userMapper.getRecommendUser();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
package com.jsl.oa.mapper;
|
||||
|
||||
import com.jsl.oa.model.doData.PermissionDO;
|
||||
import org.apache.ibatis.annotations.Insert;
|
||||
import org.apache.ibatis.annotations.Mapper;
|
||||
import org.apache.ibatis.annotations.Select;
|
||||
|
@ -16,4 +17,7 @@ public interface PermissionMapper {
|
|||
"from organize_oa.oa_role_permissions where rid=" +
|
||||
"(select rid from organize_oa.oa_role_user where uid=#{uid}) )")
|
||||
List<String> permissionUser(Long uid);
|
||||
|
||||
@Select("SELECT * FROM organize_oa.oa_permissions where id=#{id}")
|
||||
PermissionDO permissionGetById(Long id);
|
||||
}
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
package com.jsl.oa.mapper;
|
||||
|
||||
import com.jsl.oa.dao.UserDAO;
|
||||
import com.jsl.oa.model.doData.RoleDO;
|
||||
import com.jsl.oa.model.doData.RoleUserDO;
|
||||
import com.jsl.oa.model.doData.UserCurrentDO;
|
||||
|
@ -79,6 +80,8 @@ public interface UserMapper {
|
|||
@Select("SELECT * FROM organize_oa.oa_role WHERE id = #{roleId}")
|
||||
RoleDO getRoleById(Long roleId);
|
||||
|
||||
@Select("SELECT * FROM organize_oa.oa_user WHERE recommend = 1")
|
||||
List<UserDO> getRecommendUser();
|
||||
|
||||
|
||||
@Update("UPDATE organize_oa.oa_user " +
|
||||
|
@ -86,6 +89,7 @@ public interface UserMapper {
|
|||
"signature = #{signature}, sex = #{sex}, avatar = #{avatar}, nickname = #{nickname}, " +
|
||||
"description = #{description} " +
|
||||
"WHERE id = #{id}")
|
||||
|
||||
void updateUser(UserDO userDO);
|
||||
|
||||
}
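Review bot: `getRecommendUser` selects every column of `oa_user` with `SELECT *`, and the caller later copies the resulting `UserDO` reflectively into a response VO, so any sensitive column on that table (a password hash or similar, if one exists) is loaded and kept out of the response only by the VO happening not to declare a field of the same name. Prefer an explicit column list limited to what the profile VO exposes (id, username, address, phone and whatever else UserProfileVo declares), e.g. `@Select("SELECT id, username, address, phone FROM organize_oa.oa_user WHERE recommend = 1")`, so credentials never leave the mapper. The added `import com.jsl.oa.dao.UserDAO;` points the mapper layer at the DAO that depends on it and is not used by anything in the visible hunk; it should be removed.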
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
package com.jsl.oa.model.voData;
|
||||
|
||||
import lombok.Data;
|
||||
import java.util.List;
|
||||
|
||||
@Data
|
||||
public class PermissionContentVo {
|
||||
|
||||
private Long id;
|
||||
private Long pid;
|
||||
private String name;
|
||||
private String code;
|
||||
private Short type;
|
||||
private List<PermissionContentVo> children;
|
||||
|
||||
}
|
||||
|
||||
|
|
@ -1,14 +1,12 @@
|
|||
package com.jsl.oa.model.voData;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonInclude;
|
||||
import lombok.Data;
|
||||
import lombok.Value;
|
||||
import org.springframework.boot.context.properties.bind.DefaultValue;
|
||||
|
||||
|
||||
@Data
|
||||
public class UserProfile {
|
||||
public class UserProfileVo {
|
||||
|
||||
private Long id;
|
||||
private String username;
|
||||
private String address;
|
||||
private String phone;
|
|
@ -67,4 +67,6 @@ public interface InfoService {
|
|||
* @return {@link BaseResponse}
|
||||
*/
|
||||
BaseResponse editSettingHeaderImage(HttpServletRequest request, Boolean showType);
|
||||
|
||||
BaseResponse getHeaderUser(HttpServletRequest request, String order, String orderBy);
|
||||
}
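Review bot: The new `getHeaderUser` declaration has no Javadoc, while the neighbouring `editSettingHeaderImage` documents its parameters and return value. Since the interface is what callers read, add a block stating the contract, e.g. `/** Returns users flagged as recommended, sorted by order (asc|desc) and orderBy (userName|userId); admin only. */` with `@param` and `@return` lines in the file's existing style. The accepted values and the admin restriction are what InfoServiceImpl currently enforces, so keep the doc in sync if the implementation changes.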
|
||||
|
|
|
@ -9,4 +9,6 @@ public interface PermissionService {
|
|||
BaseResponse permissionAdd(HttpServletRequest request, Long rid, Long pid);
|
||||
|
||||
BaseResponse permissionUser(HttpServletRequest request, Long uid);
|
||||
|
||||
BaseResponse permissionGet(HttpServletRequest request);
|
||||
}
|
||||
|
|
|
@ -3,8 +3,10 @@ package com.jsl.oa.services.impl;
|
|||
import com.jsl.oa.dao.InfoDAO;
|
||||
import com.jsl.oa.dao.UserDAO;
|
||||
import com.jsl.oa.mapper.RoleMapper;
|
||||
import com.jsl.oa.model.doData.UserCurrentDO;
|
||||
import com.jsl.oa.model.doData.UserDO;
|
||||
import com.jsl.oa.model.doData.info.CarouselDO;
|
||||
import com.jsl.oa.model.voData.UserProfileVo;
|
||||
import com.jsl.oa.model.voData.business.info.CarouselVO;
|
||||
import com.jsl.oa.services.InfoService;
|
||||
import com.jsl.oa.utils.BaseResponse;
|
||||
|
@ -18,6 +20,7 @@ import org.springframework.stereotype.Service;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.sql.Timestamp;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@Slf4j
|
||||
@Service
|
||||
|
@ -138,4 +141,34 @@ public class InfoServiceImpl implements InfoService {
|
|||
return ResultUtil.error(ErrorCode.DATABASE_UPDATE_ERROR);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public BaseResponse getHeaderUser(HttpServletRequest request, String order, String orderBy) {
|
||||
// 用户权限校验
|
||||
if (!Processing.checkUserIsAdmin(request, roleMapper)) {
|
||||
return ResultUtil.error(ErrorCode.NOT_ADMIN);
|
||||
}
|
||||
// 检查参数是否错误
|
||||
if( !(order.equals("asc")||order.equals("desc")) || !(orderBy.equals("userName")||orderBy.equals("userId")) ){
|
||||
return ResultUtil.error(ErrorCode.PARAMETER_ERROR);
|
||||
}
|
||||
//获取用户信息
|
||||
List<UserDO> userDOS = userDAO.getRecommendUser();
|
||||
//进行排序
|
||||
userDOS = Processing.orderUser(userDOS,order,orderBy);
|
||||
//封装VO类
|
||||
List<UserProfileVo> userProfileVos = new ArrayList<>();
|
||||
for(UserDO userDO :userDOS){
|
||||
UserProfileVo userProfileVo = new UserProfileVo();
|
||||
Processing.copyProperties(userDO,userProfileVo);
|
||||
userProfileVo.setSex(Processing.getSex(userDO.getSex()));
|
||||
userProfileVos.add(userProfileVo);
|
||||
}
|
||||
|
||||
|
||||
return ResultUtil.success(userProfileVos);
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
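Review bot: getHeaderUser copies each full `UserDO` into a `UserProfileVo` with the reflective `Processing.copyProperties`, so every field the two classes share is emitted, and the VO already carries `address` and `phone`; whether the entity also holds credential fields is not visible here, but a reflective copy means any future same-named field leaks silently, so map the outbound fields explicitly (`userProfileVo.setId(...)`, `setUsername(...)`, and so on). The endpoint is gated on `checkUserIsAdmin`, yet its name suggests data for a page header shown to ordinary users; if the gate is later relaxed the phone and address fields must go at the same time, so a comment stating the intended audience would help: `// Admin-only: the VO includes phone/address, do not expose to regular users`. As a style point, `"asc".equals(order)` avoids the null risk of `order.equals("asc")` should the parameter ever become optional.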
|
||||
|
|
|
@ -39,4 +39,15 @@ public class PermissionServiceImpl implements PermissionService {
|
|||
}
|
||||
return ResultUtil.error(ErrorCode.USER_NOT_EXIST);
|
||||
}
|
||||
|
||||
// 开发中
|
||||
@Override
|
||||
public BaseResponse permissionGet(HttpServletRequest request) {
|
||||
if(!Processing.checkUserIsAdmin(request,roleMapper)){
|
||||
return ResultUtil.error(ErrorCode.NOT_ADMIN);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
}
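Review bot: permissionGet returns `null` after the admin check succeeds, and PermissionController hands that straight back to the client, so an admin calling `/permission/get` receives an empty 200 with no BaseResponse envelope, which is indistinguishable from a silently broken endpoint. Until the implementation lands, return an explicit failure through the project's envelope, e.g. a new `NOT_IMPLEMENTED` entry in ErrorCode used as `return ResultUtil.error(ErrorCode.NOT_IMPLEMENTED);`, and replace the bare `// 开发中` marker with `// TODO: not implemented yet; returns an explicit error until then` so the stub is tracked. Keeping the admin check ahead of the stub is right; it prevents the unfinished route from being exercised by non-admins.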
|
||||
|
|
|
@ -1,15 +1,13 @@
|
|||
package com.jsl.oa.services.impl;
|
||||
|
||||
import com.jsl.oa.dao.RoleDAO;
|
||||
import com.jsl.oa.dao.UserDAO;
|
||||
import com.jsl.oa.exception.ClassCopyException;
|
||||
import com.jsl.oa.model.doData.RoleDO;
|
||||
import com.jsl.oa.model.voData.RoleAddVo;
|
||||
import com.jsl.oa.model.voData.RoleEditVO;
|
||||
import com.jsl.oa.services.RoleService;
|
||||
import com.jsl.oa.utils.BaseResponse;
|
||||
import com.jsl.oa.utils.ErrorCode;
|
||||
import com.jsl.oa.utils.Processing;
|
||||
import com.jsl.oa.utils.ResultUtil;
|
||||
import com.jsl.oa.utils.*;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
|
@ -22,6 +20,7 @@ import java.util.regex.Pattern;
|
|||
public class RoleServiceImpl implements RoleService {
|
||||
|
||||
private final RoleDAO roleDAO;
|
||||
private final UserDAO userDAO;
|
||||
|
||||
@Override
|
||||
public BaseResponse roleAddUser(HttpServletRequest request, Long uid, Long rid) {
|
||||
|
@ -41,10 +40,18 @@ public class RoleServiceImpl implements RoleService {
|
|||
|
||||
@Override
|
||||
public BaseResponse roleChangeUser(HttpServletRequest request, Long uid, Long rid) {
|
||||
|
||||
//检测用户是否存在
|
||||
if(!userDAO.isExistUser(uid)){
|
||||
return ResultUtil.error(ErrorCode.USER_NOT_EXIST);
|
||||
}
|
||||
//检测要改变的用户权限是否为自己
|
||||
String token = request.getHeader("Authorization").replace("Bearer ", "");
|
||||
if(uid == JwtUtil.getUserId(token)){
|
||||
return ResultUtil.error(ErrorCode.USER_NOT_CHANGE_TO_THEMSELVES);
|
||||
}
|
||||
//检测用户权限是否为管理员
|
||||
if (Processing.checkUserIsAdmin(request, roleDAO.roleMapper)) {
|
||||
// TODO: 2023-01-20|List:10002-未判断用户是否存在
|
||||
// TODO: 2023-01-20|List:10003-保险起见,默认用户主键为 1 的用户为超级管理员
|
||||
// (不可以修改自己权限组,避免修改后不存在管理员,无管理组)
|
||||
if (!roleDAO.roleChangeUser(uid, rid)) {
|
||||
return ResultUtil.error(ErrorCode.DATABASE_UPDATE_ERROR);
|
||||
}
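Review bot: The self-modification guard at `if(uid == JwtUtil.getUserId(token))` compares a boxed `Long` with `==`; if `JwtUtil.getUserId` also returns a `Long` (its signature is not visible here) this is a reference comparison that only holds for cached values in -128..127, so for any user id above 127 an admin could still change their own role and the vulnerability the commit title claims to fix stays open. Compare by value and reuse the helper the rest of the code already uses for this: `if (uid.equals(Processing.getAuthHeaderToUserId(request)))`, which also drops the unguarded `request.getHeader("Authorization").replace(...)` that throws NullPointerException when the header is absent. The existence and self checks run before `checkUserIsAdmin`, so a non-admin caller gets USER_NOT_EXIST for unknown ids versus whatever the non-admin branch returns for known ones and can enumerate valid user ids; move the admin check to the top of the method. The stale `TODO ... 10002-未判断用户是否存在` comment is now wrong since the existence check exists and should be removed, and the wildcard `import com.jsl.oa.utils.*;` replacing explicit imports is a style regression. The method's tail, including what happens when the caller is not admin, is outside the hunk.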
|
||||
|
|
|
@ -190,10 +190,10 @@ public class UserServiceImpl implements UserService {
|
|||
public BaseResponse userProfileGet(HttpServletRequest request) {
|
||||
// 获取用户Id
|
||||
UserDO userDO = userDAO.getUserById(Processing.getAuthHeaderToUserId(request));
|
||||
UserProfile userProfile = new UserProfile();
|
||||
Processing.copyProperties(userDO, userProfile);
|
||||
userProfile.setSex(Processing.getSex(userDO.getSex()));
|
||||
return ResultUtil.success(userProfile);
|
||||
UserProfileVo userProfileVo = new UserProfileVo();
|
||||
Processing.copyProperties(userDO, userProfileVo);
|
||||
userProfileVo.setSex(Processing.getSex(userDO.getSex()));
|
||||
return ResultUtil.success(userProfileVo);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ public enum ErrorCode {
|
|||
USER_NOT_EXIST("UserNotExist", 40015, "用户不存在"),
|
||||
USER_ROLE_NOT_EXIST("UserRoleNotExist", 40016, "用户权限不存在"),
|
||||
USER_ROLE_NOT_MANAGER("UserRoleNotExist", 40017, "用户权限非管理员权限"),
|
||||
USER_NOT_CHANGE_TO_THEMSELVES("UserNotChangeToThemselves", 40018, "用户不能改变自己的权限"),
|
||||
UNAUTHORIZED("Unauthorized", 40100, "未授权"),
|
||||
TOKEN_EXPIRED("TokenExpired", 40101, "Token已过期"),
|
||||
VERIFICATION_INVALID("VerificationInvalid", 40102, "验证码无效"),
|
||||
|
|
|
@ -4,6 +4,8 @@ import com.jsl.oa.exception.ClassCopyException;
|
|||
import com.jsl.oa.mapper.RoleMapper;
|
||||
import com.jsl.oa.model.doData.RoleDO;
|
||||
import com.jsl.oa.model.doData.RoleUserDO;
|
||||
import com.jsl.oa.model.doData.UserDO;
|
||||
import com.jsl.oa.model.voData.UserProfileVo;
|
||||
import org.jetbrains.annotations.NotNull;
|
||||
import org.jetbrains.annotations.Nullable;
|
||||
import org.springframework.validation.BindingResult;
|
||||
|
@ -12,6 +14,8 @@ import org.springframework.validation.ObjectError;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.lang.reflect.Field;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Comparator;
|
||||
import java.util.List;
|
||||
import java.util.Random;
|
||||
|
||||
/**
|
||||
|
@ -163,7 +167,8 @@ public class Processing {
|
|||
public static @NotNull Boolean checkUserIsAdmin(HttpServletRequest request, @NotNull RoleMapper roleMapper) {
|
||||
RoleUserDO roleUserDO = roleMapper.getRoleUserByUid(Processing.getAuthHeaderToUserId(request));
|
||||
if (roleUserDO != null) {
|
||||
RoleDO roleDO = roleMapper.getRoleByRoleName("admin");
|
||||
//默认主键为1的用户为管理员
|
||||
RoleDO roleDO = roleMapper.getRoleById(Long.valueOf(1));
|
||||
return roleUserDO.getRid().equals(roleDO.getId());
|
||||
} else {
|
||||
return false;
|
||||
|
@ -225,10 +230,10 @@ public class Processing {
|
|||
return null;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @Description: TODO 将性别转为字符形式
|
||||
* @Date: 2024/1/18
|
||||
|
||||
**/
|
||||
public static String getSex(short sex){
|
||||
if(sex == 0){
|
||||
|
@ -244,4 +249,27 @@ public class Processing {
|
|||
}
|
||||
|
||||
|
||||
public static List<UserDO> orderUser(List<UserDO> userDOS,String order,String orderBy){
|
||||
|
||||
Comparator<UserDO> comparator = null;
|
||||
|
||||
if (order.equals("asc")) {
|
||||
if (orderBy.equals("userName")) {
|
||||
comparator = Comparator.comparing(UserDO::getUsername);
|
||||
} else if (orderBy.equals("userId")) {
|
||||
comparator = Comparator.comparingLong(UserDO::getId);
|
||||
}
|
||||
} else if (order.equals("desc")) {
|
||||
if (orderBy.equals("userName")) {
|
||||
comparator = Comparator.comparing(UserDO::getUsername).reversed();
|
||||
} else if (orderBy.equals("userId")) {
|
||||
comparator = Comparator.comparingLong(UserDO::getId).reversed();
|
||||
}
|
||||
}
|
||||
|
||||
userDOS.sort(comparator);
|
||||
return userDOS;
|
||||
}
|
||||
|
||||
|
||||
}
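Review bot: checkUserIsAdmin now decides admin status by `roleMapper.getRoleById(Long.valueOf(1))`, tying every authorisation check to the auto-increment key of one row; if the role table is ever re-seeded or the admin row recreated under a different id, every admin-gated endpoint silently opens or closes, and if the lookup returns null the `roleDO.getId()` call throws a NullPointerException that becomes a 500 on every protected route. Keep the lookup by a stable attribute (the removed `getRoleByRoleName("admin")`, or better a dedicated role code) and guard both lookups: `if (roleUserDO == null || roleDO == null) return false;`. In `orderUser`, an unrecognised order/orderBy pair leaves `comparator` null and `userDOS.sort(null)` falls back to natural ordering, which throws ClassCastException unless UserDO implements Comparable; throw `IllegalArgumentException` for unknown keys instead of relying on callers to validate first. `Comparator.comparing(UserDO::getUsername)` will also throw on a null username; `Comparator.comparing(UserDO::getUsername, Comparator.nullsLast(Comparator.naturalOrder()))` handles that. checkUserIsAdmin's tail is outside the visible hunk.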
|
||||
|
|