fix&todo: ClassCopyException补丁优化，张：roleChangeUser部分存在漏洞

2024-01-20 00:38:12 +08:00 · 2024-01-20 00:38:12 +08:00 · 92e6c2b0a7
commit 92e6c2b0a7
parent 23e888138d
6 changed files with 16 additions and 18 deletions
--- a/src/main/java/com/jsl/oa/controllers/UserController.java
+++ b/src/main/java/com/jsl/oa/controllers/UserController.java
@ -1,6 +1,5 @@
 package com.jsl.oa.controllers;

-import com.jsl.oa.exception.ClassCopyException;
 import com.jsl.oa.model.voData.UserAddVo;
 import com.jsl.oa.model.voData.UserAllCurrentVO;
 import com.jsl.oa.model.voData.UserEditProfileVO;
@ -166,7 +165,7 @@ public class UserController {


    @PutMapping("/user/edit")
-    public BaseResponse userEdit(@RequestBody @Validated UserEditVo userEditVo, BindingResult bindingResult, HttpServletRequest request) throws ClassCopyException {
+    public BaseResponse userEdit(@RequestBody @Validated UserEditVo userEditVo, BindingResult bindingResult, HttpServletRequest request) {
        // 判断是否有参数错误
        if (bindingResult.hasErrors()) {
            return ResultUtil.error(ErrorCode.REQUEST_BODY_ERROR, Processing.getValidatedErrorList(bindingResult));
@ -176,7 +175,7 @@ public class UserController {


    @GetMapping("/user/profile/get")
-    public BaseResponse userProfileGet(HttpServletRequest request) throws ClassCopyException {
+    public BaseResponse userProfileGet(HttpServletRequest request) {
        return userService.userProfileGet(request);
    }
 }
--- a/src/main/java/com/jsl/oa/exception/ClassCopyException.java
+++ b/src/main/java/com/jsl/oa/exception/ClassCopyException.java
@ -1,10 +1,9 @@
 package com.jsl.oa.exception;

 import com.jsl.oa.utils.ErrorCode;
-import org.jetbrains.annotations.NotNull;

-public class ClassCopyException extends IllegalAccessException {
-    public ClassCopyException(@NotNull ErrorCode errorCode) {
-        super(errorCode.getOutput() + "|" + errorCode.getMessage());
+public class ClassCopyException extends BusinessException {
+    public ClassCopyException() {
+        super(ErrorCode.CLASS_COPY_EXCEPTION);
    }
 }
--- a/src/main/java/com/jsl/oa/services/UserService.java
+++ b/src/main/java/com/jsl/oa/services/UserService.java
@ -1,6 +1,5 @@
 package com.jsl.oa.services;

-import com.jsl.oa.exception.ClassCopyException;
 import com.jsl.oa.model.doData.UserDO;
 import com.jsl.oa.model.voData.UserAddVo;
 import com.jsl.oa.model.voData.UserAllCurrentVO;
@ -87,10 +86,10 @@ public interface UserService {

    BaseResponse userAdd(UserAddVo userAddVo, HttpServletRequest request);

-    BaseResponse userEdit(UserEditVo userEditVo, HttpServletRequest request) throws ClassCopyException;
+    BaseResponse userEdit(UserEditVo userEditVo, HttpServletRequest request);


-    BaseResponse userProfileGet(HttpServletRequest request) throws ClassCopyException;
+    BaseResponse userProfileGet(HttpServletRequest request);


 }
--- a/src/main/java/com/jsl/oa/services/impl/RoleServiceImpl.java
+++ b/src/main/java/com/jsl/oa/services/impl/RoleServiceImpl.java
@ -42,7 +42,10 @@ public class RoleServiceImpl implements RoleService {
    @Override
    public BaseResponse roleChangeUser(HttpServletRequest request, Long uid, Long rid) {
        if (Processing.checkUserIsAdmin(request, roleDAO.roleMapper)) {
-            if(!roleDAO.roleChangeUser(uid, rid)){
+            // TODO: 2023-01-20|List:10002-未判断用户是否存在
+            // TODO: 2023-01-20|List:10003-保险起见，默认用户主键为 1 的用户为超级管理员
+            //  （不可以修改自己权限组，避免修改后不存在管理员，无管理组）
+            if (!roleDAO.roleChangeUser(uid, rid)) {
                return ResultUtil.error(ErrorCode.DATABASE_UPDATE_ERROR);
            }
            return ResultUtil.success();
@ -84,8 +87,7 @@ public class RoleServiceImpl implements RoleService {
        // 判断是否存在该 Role
        if (getRole != null) {
            // 替换 Role 信息
-            getRole.setRoleName(roleEditVO.getName())
-                    .setDisplayName(roleEditVO.getDisplayName());
+            getRole.setRoleName(roleEditVO.getName()).setDisplayName(roleEditVO.getDisplayName());
            // 更新 Role 信息
            if (roleDAO.roleEdit(getRole)) {
                return ResultUtil.success();
--- a/src/main/java/com/jsl/oa/services/impl/UserServiceImpl.java
+++ b/src/main/java/com/jsl/oa/services/impl/UserServiceImpl.java
@ -1,7 +1,6 @@
 package com.jsl.oa.services.impl;

 import com.jsl.oa.dao.UserDAO;
-import com.jsl.oa.exception.ClassCopyException;
 import com.jsl.oa.mapper.RoleMapper;
 import com.jsl.oa.model.doData.RoleUserDO;
 import com.jsl.oa.model.doData.UserCurrentDO;
@ -165,7 +164,7 @@ public class UserServiceImpl implements UserService {


    @Override
-    public BaseResponse userEdit(UserEditVo userEditVo, HttpServletRequest request) throws ClassCopyException {
+    public BaseResponse userEdit(UserEditVo userEditVo, HttpServletRequest request)  {
        //检测用户是否为管理员
        BaseResponse checkManagerResult = isManager(request);
        if (checkManagerResult.getCode() != 200) {
@ -188,7 +187,7 @@ public class UserServiceImpl implements UserService {
    }

    @Override
-    public BaseResponse userProfileGet(HttpServletRequest request) throws ClassCopyException {
+    public BaseResponse userProfileGet(HttpServletRequest request) {
        // 获取用户Id
        UserDO userDO = userDAO.getUserById(Processing.getAuthHeaderToUserId(request));
        UserProfile userProfile = new UserProfile();
--- a/src/main/java/com/jsl/oa/utils/Processing.java
+++ b/src/main/java/com/jsl/oa/utils/Processing.java
@ -219,8 +219,8 @@ public class Processing {

                targetField.set(target, value);
            }
-        } catch (IllegalAccessException e) {
-            throw new ClassCopyException(ErrorCode.CLASS_COPY_EXCEPTION);
+        } catch (IllegalAccessException ignored) {
+            throw new ClassCopyException();
        }
        return null;
    }