2024年9月6日 将查询全部用户接口添加权限,减少更多的报错消息,添加sql过滤器,

This commit is contained in:
bai 2024-09-06 23:22:08 +08:00
parent 2f94427bd2
commit d7e9cead84
3 changed files with 24 additions and 21 deletions


@ -89,7 +89,8 @@ public class JeecgBootExceptionHandler {
return Result.error(errorInfoEnum.getError());
}
//update-end---author:zyf ---date:20220411 for处理Sentinel限流自定义异常
return Result.error("操作失败,"+e.getMessage());
// return Result.error("操作失败"+e.getMessage());
return Result.error("操作失败");
}
/**
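Review bot: The commented-out `// return Result.error("操作失败"+e.getMessage());` kept next to the new live return should be deleted rather than left in place; the old message is preserved in history, and dead code beside a live return invites someone to re-enable it. Dropping `e.getMessage()` from the client-facing result is the right direction, since raw exception text from the backend often discloses internals, but this hunk does not show the exception being recorded anywhere — if the handler does not already log `e` with its stack trace earlier in the method, log it with the handler's logger (the SLF4J `error(String, Throwable)` overload) immediately before `return Result.error("操作失败");`, otherwise operators lose the detail the client no longer sees. A one-line comment above the return, such as `// generic message only: exception details are logged, never returned to the client`, would record the intent for the next maintainer. The enclosing handler method starts outside the hunk.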


@ -21,7 +21,7 @@ public class SqlInjectionUtil {
* 上线修改值 20200501同步修改前端的盐值
*/
private final static String TABLE_DICT_SIGN_SALT = "20200501";
private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()|information_schema";
/**
* 正则 user() 匹配更严谨
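Review bot: `XSS_STR` is a substring denylist with no documentation of how it is consumed, and the appended `information_schema` token makes that gap concrete: whether the consumer splits on `|` into literal tokens or treats the string as a regex alternation, and whether it normalizes case before comparing, cannot be seen in this hunk, and the comment on the line below (`正则 user() 匹配更严谨`) indicates at least one token is additionally handled by a regex. I would add a Javadoc above the constant, e.g. `/** '|'-separated SQL keyword denylist (presumably split and matched by the filter methods in this class); defense in depth only — statements must still be parameterized. */`, so the next person appending a token knows the matching rules. Since SQL keywords and the `information_schema` schema name are case-insensitive in most databases, confirm that the consumer lowercases its input before the compare; if it does not, the new token only covers one spelling. The constant's surrounding class continues outside the hunk.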


@ -109,6 +109,7 @@ public class SysUserController {
* @param req
* @return
*/
@RequiresPermissions("system:user:listAll")
@PermissionData(pageComponent = "system/UserList")
@RequestMapping(value = "/list", method = RequestMethod.GET)
public Result<IPage<SysUser>> queryPageList(SysUser user,@RequestParam(name="pageNo", defaultValue="1") Integer pageNo,
@ -140,7 +141,7 @@ public class SysUserController {
* @param req
* @return
*/
//@RequiresPermissions("system:user:listAll")
@RequiresPermissions("system:user:listAll")
@RequestMapping(value = "/listAll", method = RequestMethod.GET)
public Result<IPage<SysUser>> queryAllPageList(SysUser user, @RequestParam(name = "pageNo", defaultValue = "1") Integer pageNo,
@RequestParam(name = "pageSize", defaultValue = "10") Integer pageSize, HttpServletRequest req) {
@ -148,7 +149,7 @@ public class SysUserController {
return sysUserService.queryPageList(req, queryWrapper, pageSize, pageNo);
}
//@RequiresPermissions("system:user:add")
@RequiresPermissions("system:user:add")
@RequestMapping(value = "/add", method = RequestMethod.POST)
public Result<SysUser> add(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>();
@ -178,7 +179,7 @@ public class SysUserController {
return result;
}
//@RequiresPermissions("system:user:edit")
@RequiresPermissions("system:user:edit")
@RequestMapping(value = "/edit", method = {RequestMethod.PUT,RequestMethod.POST})
public Result<SysUser> edit(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>();
@ -216,7 +217,7 @@ public class SysUserController {
/**
* 删除用户
*/
//@RequiresPermissions("system:user:delete")
@RequiresPermissions("system:user:delete")
@RequestMapping(value = "/delete", method = RequestMethod.DELETE)
public Result<?> delete(@RequestParam(name="id",required=true) String id) {
baseCommonService.addLog("删除用户id " +id ,CommonConstant.LOG_TYPE_2, 3);
@ -227,7 +228,7 @@ public class SysUserController {
/**
* 批量删除用户
*/
//@RequiresPermissions("system:user:deleteBatch")
@RequiresPermissions("system:user:deleteBatch")
@RequestMapping(value = "/deleteBatch", method = RequestMethod.DELETE)
public Result<?> deleteBatch(@RequestParam(name="ids",required=true) String ids) {
baseCommonService.addLog("批量删除用户, ids " +ids ,CommonConstant.LOG_TYPE_2, 3);
@ -240,7 +241,7 @@ public class SysUserController {
* @param jsonObject
* @return
*/
//@RequiresPermissions("system:user:frozenBatch")
@RequiresPermissions("system:user:frozenBatch")
@RequestMapping(value = "/frozenBatch", method = RequestMethod.PUT)
public Result<SysUser> frozenBatch(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>();
@ -263,7 +264,7 @@ public class SysUserController {
}
//@RequiresPermissions("system:user:queryById")
@RequiresPermissions("system:user:queryById")
@RequestMapping(value = "/queryById", method = RequestMethod.GET)
public Result<SysUser> queryById(@RequestParam(name = "id", required = true) String id) {
Result<SysUser> result = new Result<SysUser>();
@ -277,7 +278,7 @@ public class SysUserController {
return result;
}
//@RequiresPermissions("system:user:queryUserRole")
@RequiresPermissions("system:user:queryUserRole")
@RequestMapping(value = "/queryUserRole", method = RequestMethod.GET)
public Result<List<String>> queryUserRole(@RequestParam(name = "userid", required = true) String userid) {
Result<List<String>> result = new Result<>();
@ -326,6 +327,7 @@ public class SysUserController {
* @param sysUser
* @return
*/
@RequiresPermissions("system:user:checkOnlyUser")
@RequestMapping(value = "/checkOnlyUser", method = RequestMethod.GET)
public Result<Boolean> checkOnlyUser(SysUser sysUser) {
Result<Boolean> result = new Result<>();
@ -353,7 +355,7 @@ public class SysUserController {
/**
* 修改密码
*/
//@RequiresPermissions("system:user:changepwd")
@RequiresPermissions("system:user:changepwd")
@RequestMapping(value = "/changePassword", method = RequestMethod.PUT)
public Result<?> changePassword(@RequestBody SysUser sysUser) {
SysUser u = this.sysUserService.getOne(new LambdaQueryWrapper<SysUser>().eq(SysUser::getUsername, sysUser.getUsername()));
@ -476,7 +478,7 @@ public class SysUserController {
* @param request
* @param sysUser
*/
//@RequiresPermissions("system:user:export")
@RequiresPermissions("system:user:export")
@RequestMapping(value = "/exportXls")
public ModelAndView exportXls(SysUser sysUser,HttpServletRequest request) {
// Step.1 组装查询条件
@ -509,7 +511,7 @@ public class SysUserController {
* @param response
* @return
*/
//@RequiresPermissions("system:user:import")
@RequiresPermissions("system:user:import")
@RequestMapping(value = "/importExcel", method = RequestMethod.POST)
public Result<?> importExcel(HttpServletRequest request, HttpServletResponse response)throws IOException {
MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
@ -664,7 +666,7 @@ public class SysUserController {
* @param
* @return
*/
//@RequiresPermissions("system:user:addUserRole")
@RequiresPermissions("system:user:addUserRole")
@RequestMapping(value = "/addSysUserRole", method = RequestMethod.POST)
public Result<String> addSysUserRole(@RequestBody SysUserRoleVO sysUserRoleVO) {
Result<String> result = new Result<String>();
@ -695,7 +697,7 @@ public class SysUserController {
* @param
* @return
*/
//@RequiresPermissions("system:user:deleteRole")
@RequiresPermissions("system:user:deleteRole")
@RequestMapping(value = "/deleteUserRole", method = RequestMethod.DELETE)
public Result<SysUserRole> deleteUserRole(@RequestParam(name="roleId") String roleId,
@RequestParam(name="userId",required=true) String userId
@ -719,7 +721,7 @@ public class SysUserController {
* @param
* @return
*/
//@RequiresPermissions("system:user:deleteRoleBatch")
@RequiresPermissions("system:user:deleteRoleBatch")
@RequestMapping(value = "/deleteUserRoleBatch", method = RequestMethod.DELETE)
public Result<SysUserRole> deleteUserRoleBatch(
@RequestParam(name="roleId") String roleId,
@ -850,7 +852,7 @@ public class SysUserController {
/**
* 给指定部门添加对应的用户
*/
//@RequiresPermissions("system:user:editDepartWithUser")
@RequiresPermissions("system:user:editDepartWithUser")
@RequestMapping(value = "/editSysDepartWithUser", method = RequestMethod.POST)
public Result<String> editSysDepartWithUser(@RequestBody SysDepartUsersVO sysDepartUsersVO) {
Result<String> result = new Result<String>();
@ -879,7 +881,7 @@ public class SysUserController {
/**
* 删除指定机构的用户关系
*/
//@RequiresPermissions("system:user:deleteUserInDepart")
@RequiresPermissions("system:user:deleteUserInDepart")
@RequestMapping(value = "/deleteUserInDepart", method = RequestMethod.DELETE)
public Result<SysUserDepart> deleteUserInDepart(@RequestParam(name="depId") String depId,
@RequestParam(name="userId",required=true) String userId
@ -911,7 +913,7 @@ public class SysUserController {
/**
* 批量删除指定机构的用户关系
*/
//@RequiresPermissions("system:user:deleteUserInDepartBatch")
@RequiresPermissions("system:user:deleteUserInDepartBatch")
@RequestMapping(value = "/deleteUserInDepartBatch", method = RequestMethod.DELETE)
public Result<SysUserDepart> deleteUserInDepartBatch(
@RequestParam(name="depId") String depId,
@ -1286,7 +1288,7 @@ public class SysUserController {
* @param userIds 被删除的用户ID多个id用半角逗号分割
* @return
*/
//@RequiresPermissions("system:user:deleteRecycleBin")
@RequiresPermissions("system:user:deleteRecycleBin")
@RequestMapping(value = "/deleteRecycleBin", method = RequestMethod.DELETE)
public Result deleteRecycleBin(@RequestParam("userIds") String userIds) {
if (StringUtils.isNotBlank(userIds)) {
@ -1663,7 +1665,7 @@ public class SysUserController {
* @return
*/
@PostMapping("/login/setting/userEdit")
//@RequiresPermissions("system:user:setting:edit")
@RequiresPermissions("system:user:setting:edit")
public Result<String> userEdit(@RequestBody SysUser sysUser, HttpServletRequest request) {
String username = JwtUtil.getUserNameByToken(request);
SysUser user = sysUserService.getById(sysUser.getId());
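Review bot: The permission code `system:user:setting:edit` added on `/login/setting/userEdit` gates what appears to be a self-service profile edit — `userEdit` resolves the caller from the JWT at `String username = JwtUtil.getUserNameByToken(request);` — so unless every role is granted that code, ordinary users lose the ability to edit their own profile; the same question applies to `system:user:checkOnlyUser` added on `/checkOnlyUser`, which looks like a form-side uniqueness check rather than an administrator action. The annotation also does not establish that the record loaded by `sysUserService.getById(sysUser.getId())` belongs to the token's user; if the rest of the method (outside the hunk) does not compare the loaded user with `username`, the permission check alone does not prevent editing another account, and that comparison deserves a comment stating it is the ownership check. Every newly active code must presumably exist in the seeded permission data or these endpoints return 403 for everyone, and `system:user:listAll` now guards both `/list` and `/listAll`, which should be a deliberate choice noted in a comment above `queryPageList`, e.g. `// intentionally shares the listAll permission with /listAll`. `userEdit`'s body continues outside the hunk.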