diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java
index 8dfc6831..6dd57b95 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java
@@ -89,7 +89,8 @@ public class JeecgBootExceptionHandler {
             return Result.error(errorInfoEnum.getError());
         }
         //update-end---author:zyf ---date:20220411 for:处理Sentinel限流自定义异常
-        return Result.error("操作失败,"+e.getMessage());
+// return Result.error("操作失败"+e.getMessage());
+        return Result.error("操作失败");
     }
 
     /**
diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 604c6de4..500d3516 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -21,7 +21,7 @@ public class SqlInjectionUtil {
      * (上线修改值 20200501,同步修改前端的盐值)
      */
     private final static String TABLE_DICT_SIGN_SALT = "20200501";
-    private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
+    private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()|information_schema";
 
     /**
      * 正则 user() 匹配更严谨
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserController.java
index a1abee74..1fd6f437 100644
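Review bot: Dropping `e.getMessage()` from the client-facing fallback is the right call, because for an unclassified exception that text can carry SQL fragments, file paths or driver detail, but the detail must still reach the server log or the incident is undiagnosable; the logging call, if any, sits above this hunk, so please confirm an `log.error(e.getMessage(), e)` precedes the return. The commented-out `// return Result.error("操作失败"+e.getMessage());` line should be deleted rather than parked — history keeps it, and a dormant line like this is exactly what gets uncommented under debugging pressure and then shipped. A short comment on the surviving line, `// Never echo e.getMessage() to the client: unclassified exceptions may expose internals`, would stop the next maintainer from reinstating it. The enclosing handler method starts outside the hunk.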
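Review bot: Adding `information_schema` to `XSS_STR` blocks one metadata source but not the class: on MySQL the same table and column names are readable through `performance_schema`, the `mysql.innodb_table_stats`/`innodb_index_stats` tables and the `sys` views, none of which are in the list, so this is defence in depth and whatever caller consumes the string still needs identifier whitelisting or parameterised queries as the primary control. How the list is applied (case folding, substring versus token match) is outside the hunk, so I cannot tell whether `INFORMATION_SCHEMA` or `Information_Schema` is caught — worth a unit test alongside the existing `user()` regex case. The constant is also misnamed, it holds SQL keywords rather than XSS patterns; a comment such as `// SQL keyword denylist (despite the name, nothing to do with XSS); best effort only, never the sole control` would keep readers from assuming it covers script injection.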
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserController.java
@@ -109,6 +109,7 @@ public class SysUserController {
      * @param req
      * @return
      */
+    @RequiresPermissions("system:user:listAll")
     @PermissionData(pageComponent = "system/UserList")
     @RequestMapping(value = "/list", method = RequestMethod.GET)
     public Result> queryPageList(SysUser user,@RequestParam(name="pageNo", defaultValue="1") Integer pageNo,
@@ -140,7 +141,7 @@ public class SysUserController {
      * @param req
      * @return
      */
-    //@RequiresPermissions("system:user:listAll")
+    @RequiresPermissions("system:user:listAll")
     @RequestMapping(value = "/listAll", method = RequestMethod.GET)
     public Result> queryAllPageList(SysUser user, @RequestParam(name = "pageNo", defaultValue = "1") Integer pageNo,
                                                    @RequestParam(name = "pageSize", defaultValue = "10") Integer pageSize, HttpServletRequest req) {
@@ -148,7 +149,7 @@ public class SysUserController {
         return sysUserService.queryPageList(req, queryWrapper, pageSize, pageNo);
     }
 
-    //@RequiresPermissions("system:user:add")
+    @RequiresPermissions("system:user:add")
     @RequestMapping(value = "/add", method = RequestMethod.POST)
     public Result add(@RequestBody JSONObject jsonObject) {
         Result result = new Result();
@@ -178,7 +179,7 @@ public class SysUserController {
         return result;
     }
 
-    //@RequiresPermissions("system:user:edit")
+    @RequiresPermissions("system:user:edit")
     @RequestMapping(value = "/edit", method = {RequestMethod.PUT,RequestMethod.POST})
     public Result edit(@RequestBody JSONObject jsonObject) {
         Result result = new Result();
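Review bot: `/list` and `/listAll` now share the single permission code `system:user:listAll`, which collapses two different authorisation levels: `/list` is data-scoped through `@PermissionData(pageComponent = "system/UserList")`, while the `/listAll` hunk carries no such annotation. Anyone granted the code so they can see their scoped user list can therefore call the unscoped endpoint as well; unless `queryAllPageList` applies equivalent filtering in its body (which is outside the hunk), give the scoped endpoint its own code, `@RequiresPermissions("system:user:list")`, and reserve `system:user:listAll` for the wide one. The role and menu seed data must also gain every code introduced in this file, otherwise existing deployments lose access to these endpoints the moment the annotations become effective.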
@@ -216,7 +217,7 @@ public class SysUserController {
     /**
      * 删除用户
      */
-    //@RequiresPermissions("system:user:delete")
+    @RequiresPermissions("system:user:delete")
     @RequestMapping(value = "/delete", method = RequestMethod.DELETE)
     public Result delete(@RequestParam(name="id",required=true) String id) {
         baseCommonService.addLog("删除用户,id: " +id ,CommonConstant.LOG_TYPE_2, 3);
@@ -227,7 +228,7 @@ public class SysUserController {
     /**
      * 批量删除用户
      */
-    //@RequiresPermissions("system:user:deleteBatch")
+    @RequiresPermissions("system:user:deleteBatch")
     @RequestMapping(value = "/deleteBatch", method = RequestMethod.DELETE)
     public Result deleteBatch(@RequestParam(name="ids",required=true) String ids) {
         baseCommonService.addLog("批量删除用户, ids: " +ids ,CommonConstant.LOG_TYPE_2, 3);
@@ -240,7 +241,7 @@ public class SysUserController {
      * @param jsonObject
      * @return
      */
-    //@RequiresPermissions("system:user:frozenBatch")
+    @RequiresPermissions("system:user:frozenBatch")
     @RequestMapping(value = "/frozenBatch", method = RequestMethod.PUT)
     public Result frozenBatch(@RequestBody JSONObject jsonObject) {
         Result result = new Result();
@@ -263,7 +264,7 @@ public class SysUserController {
     }
 
 
-    //@RequiresPermissions("system:user:queryById")
+    @RequiresPermissions("system:user:queryById")
     @RequestMapping(value = "/queryById", method = RequestMethod.GET)
     public Result queryById(@RequestParam(name = "id", required = true) String id) {
         Result result = new Result();
@@ -277,7 +278,7 @@ public class SysUserController {
         return result;
     }
 
-    //@RequiresPermissions("system:user:queryUserRole")
+    @RequiresPermissions("system:user:queryUserRole")
     @RequestMapping(value = "/queryUserRole", method = RequestMethod.GET)
     public Result> queryUserRole(@RequestParam(name = "userid", required = true) String userid) {
         Result> result = new Result<>();
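Review bot: Uncommenting `@RequiresPermissions("system:user:delete")` only enforces anything if the annotation is picked up by a method-interceptor proxy (presumably Shiro's advisor, judging by the annotation name — its import and wiring are outside the hunk), so a bean invoked without the proxy, or an internal `this.delete(...)` call, bypasses it silently. Since these annotations sat commented out for a long time, the wiring has likely never been exercised for this controller; please add an integration test that a token lacking `system:user:delete` gets a 403 from `DELETE /delete` rather than the generic `操作失败` body, and that the audit line `baseCommonService.addLog("删除用户,id: " +id ...)` is not written for the rejected request. The same test shape covers the other endpoints re-gated in this file.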
@@ -326,6 +327,7 @@ public class SysUserController {
      * @param sysUser
      * @return
      */
+    @RequiresPermissions("system:user:checkOnlyUser")
     @RequestMapping(value = "/checkOnlyUser", method = RequestMethod.GET)
     public Result checkOnlyUser(SysUser sysUser) {
         Result result = new Result<>();
@@ -353,7 +355,7 @@ public class SysUserController {
     /**
      * 修改密码
      */
-    //@RequiresPermissions("system:user:changepwd")
+    @RequiresPermissions("system:user:changepwd")
     @RequestMapping(value = "/changePassword", method = RequestMethod.PUT)
     public Result changePassword(@RequestBody SysUser sysUser) {
         SysUser u = this.sysUserService.getOne(new LambdaQueryWrapper().eq(SysUser::getUsername, sysUser.getUsername()));
@@ -476,7 +478,7 @@ public class SysUserController {
      * @param request
      * @param sysUser
      */
-    //@RequiresPermissions("system:user:export")
+    @RequiresPermissions("system:user:export")
     @RequestMapping(value = "/exportXls")
     public ModelAndView exportXls(SysUser sysUser,HttpServletRequest request) {
         // Step.1 组装查询条件
@@ -509,7 +511,7 @@ public class SysUserController {
      * @param response
      * @return
      */
-    //@RequiresPermissions("system:user:import")
+    @RequiresPermissions("system:user:import")
     @RequestMapping(value = "/importExcel", method = RequestMethod.POST)
     public Result importExcel(HttpServletRequest request, HttpServletResponse response)throws IOException {
         MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
@@ -664,7 +666,7 @@ public class SysUserController {
      * @param
      * @return
      */
-    //@RequiresPermissions("system:user:addUserRole")
+    @RequiresPermissions("system:user:addUserRole")
     @RequestMapping(value = "/addSysUserRole", method = RequestMethod.POST)
     public Result addSysUserRole(@RequestBody SysUserRoleVO sysUserRoleVO) {
         Result result = new Result();
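Review bot: `changePassword` picks its target purely from the request body — `eq(SysUser::getUsername, sysUser.getUsername())` — so `system:user:changepwd` is an administrative reset capability: any principal holding it can set the password of any account. That is acceptable for the admin console, but the code must not be handed to a default role as if it were a self-service "change my password" right, and nothing in the hunk ties the target to the caller. Either document that on the method, `// Admin reset: target is the body username, caller is NOT restricted to its own account`, or, when the caller lacks an admin code, replace the body username with the one from the JWT as `userEdit` does further down in this file. The rest of the method, including any old-password or token verification, lies outside the hunk.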
@@ -695,7 +697,7 @@ public class SysUserController {
      * @param
      * @return
      */
-    //@RequiresPermissions("system:user:deleteRole")
+    @RequiresPermissions("system:user:deleteRole")
     @RequestMapping(value = "/deleteUserRole", method = RequestMethod.DELETE)
     public Result deleteUserRole(@RequestParam(name="roleId") String roleId,
                                  @RequestParam(name="userId",required=true) String userId
@@ -719,7 +721,7 @@ public class SysUserController {
      * @param
      * @return
      */
-    //@RequiresPermissions("system:user:deleteRoleBatch")
+    @RequiresPermissions("system:user:deleteRoleBatch")
     @RequestMapping(value = "/deleteUserRoleBatch", method = RequestMethod.DELETE)
     public Result deleteUserRoleBatch(
             @RequestParam(name="roleId") String roleId,
@@ -850,7 +852,7 @@ public class SysUserController {
     /**
      * 给指定部门添加对应的用户
      */
-    //@RequiresPermissions("system:user:editDepartWithUser")
+    @RequiresPermissions("system:user:editDepartWithUser")
     @RequestMapping(value = "/editSysDepartWithUser", method = RequestMethod.POST)
     public Result editSysDepartWithUser(@RequestBody SysDepartUsersVO sysDepartUsersVO) {
         Result result = new Result();
@@ -879,7 +881,7 @@ public class SysUserController {
     /**
      * 删除指定机构的用户关系
      */
-    //@RequiresPermissions("system:user:deleteUserInDepart")
+    @RequiresPermissions("system:user:deleteUserInDepart")
     @RequestMapping(value = "/deleteUserInDepart", method = RequestMethod.DELETE)
     public Result deleteUserInDepart(@RequestParam(name="depId") String depId,
                                      @RequestParam(name="userId",required=true) String userId
@@ -911,7 +913,7 @@ public class SysUserController {
     /**
      * 批量删除指定机构的用户关系
      */
-    //@RequiresPermissions("system:user:deleteUserInDepartBatch")
+    @RequiresPermissions("system:user:deleteUserInDepartBatch")
     @RequestMapping(value = "/deleteUserInDepartBatch", method = RequestMethod.DELETE)
     public Result deleteUserInDepartBatch(
             @RequestParam(name="depId") String depId,
@@ -1286,7 +1288,7 @@ public class SysUserController {
      * @param userIds 被删除的用户ID,多个id用半角逗号分割
      * @return
      */
-    //@RequiresPermissions("system:user:deleteRecycleBin")
+    @RequiresPermissions("system:user:deleteRecycleBin")
     @RequestMapping(value = "/deleteRecycleBin", method = RequestMethod.DELETE)
     public Result deleteRecycleBin(@RequestParam("userIds") String userIds) {
         if (StringUtils.isNotBlank(userIds)) {
@@ -1663,7 +1665,7 @@ public class SysUserController {
      * @return
      */
     @PostMapping("/login/setting/userEdit")
-    //@RequiresPermissions("system:user:setting:edit")
+    @RequiresPermissions("system:user:setting:edit")
     public Result userEdit(@RequestBody SysUser sysUser, HttpServletRequest request) {
         String username = JwtUtil.getUserNameByToken(request);
         SysUser user = sysUserService.getById(sysUser.getId());
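Review bot: `userEdit` identifies the caller from the token (`JwtUtil.getUserNameByToken(request)`) yet loads the record to modify from the body-supplied `sysUser.getId()`; the new `@RequiresPermissions("system:user:setting:edit")` decides who may call the endpoint, not whose record is edited, so the `username` versus `user.getUsername()` comparison has to live in the part of the method below the hunk — please confirm it is there, otherwise this stays an account-takeover path for anyone holding the code. A comment on the lookup line would make the contract explicit: `// Caller identity comes from the JWT; the body id must be rejected unless it resolves to that same user`. Because this is the `/login/setting/userEdit` self-service route, every authenticated role presumably needs `system:user:setting:edit` seeded, or ordinary users lose profile editing after this commit.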