fix(总体、控制层): 修复错误内容

- 对权限登出的 Redis 进行处理 - 修复接口漏洞
2024-04-17 11:10:15 +08:00 · 2024-04-17 11:10:15 +08:00 · 3e67b5b94c
commit 3e67b5b94c
parent 0a788005a6
6 changed files with 22 additions and 5 deletions
--- a/src/main/java/com/jsl/oa/aspect/CheckUserPermissionAspect.java
+++ b/src/main/java/com/jsl/oa/aspect/CheckUserPermissionAspect.java
@ -3,11 +3,14 @@ package com.jsl.oa.aspect;
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
 import com.jsl.oa.annotations.NeedPermission;
+import com.jsl.oa.common.constant.BusinessConstants;
 import com.jsl.oa.dao.RoleDAO;
 import com.jsl.oa.exception.library.NotLoginException;
 import com.jsl.oa.exception.library.PermissionDeniedException;
+import com.jsl.oa.exception.library.TokenNotFoundedException;
 import com.jsl.oa.model.dodata.RoleDO;
 import com.jsl.oa.utils.Processing;
+import com.jsl.oa.utils.redis.TokenRedisUtil;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.aspectj.lang.ProceedingJoinPoint;
@ -37,6 +40,7 @@ public class CheckUserPermissionAspect {

    private final RoleDAO roleDAO;
    private final Gson gson;
+    private final TokenRedisUtil<String> tokenRedisUtil;

    /**
     * 检查权限
@ -58,6 +62,9 @@ public class CheckUserPermissionAspect {
            if (getUserId == null) {
                throw new NotLoginException("用户信息不存在");
            }
+            if (tokenRedisUtil.getData(BusinessConstants.BUSINESS_LOGIN, getUserId.toString()) == null) {
+                throw new TokenNotFoundedException("用户未登录");
+            }
            // 获取方法签名
            MethodSignature signature = (MethodSignature) pjp.getSignature();
            NeedPermission checkAccountPermission = signature.getMethod().getAnnotation(NeedPermission.class);
--- a/src/main/java/com/jsl/oa/config/startup/PermissionList.java
+++ b/src/main/java/com/jsl/oa/config/startup/PermissionList.java
@ -19,19 +19,16 @@ public class PermissionList {


    public PermissionList() {
-        permissionList.add(new PermissionVO("auth:logout", "账户登出"));
        permissionList.add(new PermissionVO("auth:change_password", "修改密码"));
        permissionList.add(new PermissionVO("info:get_header_image", "获取头部图片"));
        permissionList.add(new PermissionVO("info:edit_header_image", "编辑头部图片"));
        permissionList.add(new PermissionVO("info:delete_header_image", "删除头部图片"));

-        permissionPrincipal.add(new PermissionVO("auth:logout", "账户登出"));
        permissionPrincipal.add(new PermissionVO("auth:change_password", "修改密码"));
        permissionPrincipal.add(new PermissionVO("info:get_header_image", "获取头部图片"));
        permissionPrincipal.add(new PermissionVO("info:edit_header_image", "编辑头部图片"));
        permissionPrincipal.add(new PermissionVO("info:delete_header_image", "删除头部图片"));

-        permissionDeveloper.add(new PermissionVO("auth:logout", "账户登出"));
        permissionDeveloper.add(new PermissionVO("auth:change_password", "修改密码"));
        permissionDeveloper.add(new PermissionVO("info:get_header_image", "获取头部图片"));
        permissionDeveloper.add(new PermissionVO("info:edit_header_image", "编辑头部图片"));
--- a/src/main/java/com/jsl/oa/controllers/AuthController.java
+++ b/src/main/java/com/jsl/oa/controllers/AuthController.java
@ -147,7 +147,6 @@ public class AuthController {
     * @since v1.1.0
     */
    @GetMapping("/auth/logout")
-    @NeedPermission("auth:logout")
    public BaseResponse authLogout(HttpServletRequest request) {
        return authService.authLogout(request);
    }
--- a/src/main/java/com/jsl/oa/exception/ProcessException.java
+++ b/src/main/java/com/jsl/oa/exception/ProcessException.java
@ -1,6 +1,7 @@
 package com.jsl.oa.exception;

 import com.jsl.oa.exception.library.PermissionDeniedException;
+import com.jsl.oa.exception.library.TokenNotFoundedException;
 import com.jsl.oa.utils.BaseResponse;
 import com.jsl.oa.utils.ErrorCode;
 import com.jsl.oa.utils.ResultUtil;
@ -110,4 +111,10 @@ public class ProcessException {
        log.warn("[EXCEPTION] 无权限操作，需要权限: {}", e.getNeedPermission());
        return ResultUtil.error("需要权限: " + e.getNeedPermission(), ErrorCode.PERMISSION_NOT_EXIST);
    }
+
+    @ExceptionHandler(value = TokenNotFoundedException.class)
+    public BaseResponse businessTokenNotFoundedException(TokenNotFoundedException e) {
+        log.warn("[EXCEPTION] {}", e.getMessage());
+        return ResultUtil.error(e.getMessage(), ErrorCode.TOKEN_NOT_EXIST);
+    }
 }
--- a/src/main/java/com/jsl/oa/exception/library/TokenNotFoundedException.java
+++ b/src/main/java/com/jsl/oa/exception/library/TokenNotFoundedException.java
@ -0,0 +1,7 @@
+package com.jsl.oa.exception.library;
+
+public class TokenNotFoundedException extends RuntimeException {
+    public TokenNotFoundedException(String message) {
+        super(message);
+    }
+}
--- a/src/main/java/com/jsl/oa/services/impl/AuthServiceImpl.java
+++ b/src/main/java/com/jsl/oa/services/impl/AuthServiceImpl.java
@ -213,7 +213,7 @@ public class AuthServiceImpl implements AuthService {
        if (tokenRedisUtil.delData(BusinessConstants.BUSINESS_LOGIN, userDO.getId().toString())) {
            return ResultUtil.success("登出成功");
        } else {
-            return ResultUtil.error(ErrorCode.DATABASE_DELETE_ERROR);
+            return ResultUtil.error(ErrorCode.TOKEN_NOT_EXIST);
        }
    }