2024年9月6日 将查询全部用户接口添加权限,减少更多的报错消息,添加sql过滤器,

This commit is contained in:
bai 2024-09-06 23:22:08 +08:00
parent 2f94427bd2
commit d7e9cead84
3 changed files with 24 additions and 21 deletions


@ -89,7 +89,8 @@ public class JeecgBootExceptionHandler {
return Result.error(errorInfoEnum.getError()); return Result.error(errorInfoEnum.getError());
} }
//update-end---author:zyf ---date:20220411 for处理Sentinel限流自定义异常 //update-end---author:zyf ---date:20220411 for处理Sentinel限流自定义异常
return Result.error("操作失败,"+e.getMessage()); // return Result.error("操作失败"+e.getMessage());
return Result.error("操作失败");
} }
/** /**
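Review bot: The old `return Result.error("操作失败,"+e.getMessage());` survives as a commented-out line directly above the new `return Result.error("操作失败");`; delete the dead line rather than keeping it, since commented-out code in a catch-all handler invites someone to re-enable the message leak later. Dropping `e.getMessage()` from the client response is the right call for a generic handler (exception text can expose SQL, class names or file paths), but the exception must still be logged server-side before the return, e.g. `log.error(e.getMessage(), e);`, or the detail is lost entirely; the start of the handler method is outside this hunk, so confirm such a log call exists there. A brief comment on the new line, `// generic message only: exception details must not reach the client`, would record why the message is intentionally vague.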


@ -21,7 +21,7 @@ public class SqlInjectionUtil {
* 上线修改值 20200501同步修改前端的盐值 * 上线修改值 20200501同步修改前端的盐值
*/ */
private final static String TABLE_DICT_SIGN_SALT = "20200501"; private final static String TABLE_DICT_SIGN_SALT = "20200501";
private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()"; private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()|information_schema";
/** /**
* 正则 user() 匹配更严谨 * 正则 user() 匹配更严谨
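Review bot: The new `information_schema` token appended to `XSS_STR` is only effective if the input is lower-cased before the list is matched; the neighbouring tokens are all lower-case too, but that normalization happens in the caller, outside this hunk, and should be confirmed and then recorded on the constant, e.g. `/** Pipe-separated SQL keyword deny-list; callers must lower-case input before matching. */`. The constant's name says XSS while its content is a SQL keyword list, and a long undocumented `String` literal is easy to extend incorrectly (the `|+|` entry, for instance, matches any plus sign), so a `List<String>` built with `List.of(...)` would make each token visible and reviewable. Note also that adding a token rejects every value containing it, so any legitimate parameter holding `information_schema` now fails; that is a behavioural change worth mentioning in the commit message. A deny-list like this is a defense-in-depth check only; the parameterized queries that the callers use remain the actual protection.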


@ -109,6 +109,7 @@ public class SysUserController {
* @param req * @param req
* @return * @return
*/ */
@RequiresPermissions("system:user:listAll")
@PermissionData(pageComponent = "system/UserList") @PermissionData(pageComponent = "system/UserList")
@RequestMapping(value = "/list", method = RequestMethod.GET) @RequestMapping(value = "/list", method = RequestMethod.GET)
public Result<IPage<SysUser>> queryPageList(SysUser user,@RequestParam(name="pageNo", defaultValue="1") Integer pageNo, public Result<IPage<SysUser>> queryPageList(SysUser user,@RequestParam(name="pageNo", defaultValue="1") Integer pageNo,
@ -140,7 +141,7 @@ public class SysUserController {
* @param req * @param req
* @return * @return
*/ */
//@RequiresPermissions("system:user:listAll") @RequiresPermissions("system:user:listAll")
@RequestMapping(value = "/listAll", method = RequestMethod.GET) @RequestMapping(value = "/listAll", method = RequestMethod.GET)
public Result<IPage<SysUser>> queryAllPageList(SysUser user, @RequestParam(name = "pageNo", defaultValue = "1") Integer pageNo, public Result<IPage<SysUser>> queryAllPageList(SysUser user, @RequestParam(name = "pageNo", defaultValue = "1") Integer pageNo,
@RequestParam(name = "pageSize", defaultValue = "10") Integer pageSize, HttpServletRequest req) { @RequestParam(name = "pageSize", defaultValue = "10") Integer pageSize, HttpServletRequest req) {
@ -148,7 +149,7 @@ public class SysUserController {
return sysUserService.queryPageList(req, queryWrapper, pageSize, pageNo); return sysUserService.queryPageList(req, queryWrapper, pageSize, pageNo);
} }
//@RequiresPermissions("system:user:add") @RequiresPermissions("system:user:add")
@RequestMapping(value = "/add", method = RequestMethod.POST) @RequestMapping(value = "/add", method = RequestMethod.POST)
public Result<SysUser> add(@RequestBody JSONObject jsonObject) { public Result<SysUser> add(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>(); Result<SysUser> result = new Result<SysUser>();
@ -178,7 +179,7 @@ public class SysUserController {
return result; return result;
} }
//@RequiresPermissions("system:user:edit") @RequiresPermissions("system:user:edit")
@RequestMapping(value = "/edit", method = {RequestMethod.PUT,RequestMethod.POST}) @RequestMapping(value = "/edit", method = {RequestMethod.PUT,RequestMethod.POST})
public Result<SysUser> edit(@RequestBody JSONObject jsonObject) { public Result<SysUser> edit(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>(); Result<SysUser> result = new Result<SysUser>();
@ -216,7 +217,7 @@ public class SysUserController {
/** /**
* 删除用户 * 删除用户
*/ */
//@RequiresPermissions("system:user:delete") @RequiresPermissions("system:user:delete")
@RequestMapping(value = "/delete", method = RequestMethod.DELETE) @RequestMapping(value = "/delete", method = RequestMethod.DELETE)
public Result<?> delete(@RequestParam(name="id",required=true) String id) { public Result<?> delete(@RequestParam(name="id",required=true) String id) {
baseCommonService.addLog("删除用户id " +id ,CommonConstant.LOG_TYPE_2, 3); baseCommonService.addLog("删除用户id " +id ,CommonConstant.LOG_TYPE_2, 3);
@ -227,7 +228,7 @@ public class SysUserController {
/** /**
* 批量删除用户 * 批量删除用户
*/ */
//@RequiresPermissions("system:user:deleteBatch") @RequiresPermissions("system:user:deleteBatch")
@RequestMapping(value = "/deleteBatch", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteBatch", method = RequestMethod.DELETE)
public Result<?> deleteBatch(@RequestParam(name="ids",required=true) String ids) { public Result<?> deleteBatch(@RequestParam(name="ids",required=true) String ids) {
baseCommonService.addLog("批量删除用户, ids " +ids ,CommonConstant.LOG_TYPE_2, 3); baseCommonService.addLog("批量删除用户, ids " +ids ,CommonConstant.LOG_TYPE_2, 3);
@ -240,7 +241,7 @@ public class SysUserController {
* @param jsonObject * @param jsonObject
* @return * @return
*/ */
//@RequiresPermissions("system:user:frozenBatch") @RequiresPermissions("system:user:frozenBatch")
@RequestMapping(value = "/frozenBatch", method = RequestMethod.PUT) @RequestMapping(value = "/frozenBatch", method = RequestMethod.PUT)
public Result<SysUser> frozenBatch(@RequestBody JSONObject jsonObject) { public Result<SysUser> frozenBatch(@RequestBody JSONObject jsonObject) {
Result<SysUser> result = new Result<SysUser>(); Result<SysUser> result = new Result<SysUser>();
@ -263,7 +264,7 @@ public class SysUserController {
} }
//@RequiresPermissions("system:user:queryById") @RequiresPermissions("system:user:queryById")
@RequestMapping(value = "/queryById", method = RequestMethod.GET) @RequestMapping(value = "/queryById", method = RequestMethod.GET)
public Result<SysUser> queryById(@RequestParam(name = "id", required = true) String id) { public Result<SysUser> queryById(@RequestParam(name = "id", required = true) String id) {
Result<SysUser> result = new Result<SysUser>(); Result<SysUser> result = new Result<SysUser>();
@ -277,7 +278,7 @@ public class SysUserController {
return result; return result;
} }
//@RequiresPermissions("system:user:queryUserRole") @RequiresPermissions("system:user:queryUserRole")
@RequestMapping(value = "/queryUserRole", method = RequestMethod.GET) @RequestMapping(value = "/queryUserRole", method = RequestMethod.GET)
public Result<List<String>> queryUserRole(@RequestParam(name = "userid", required = true) String userid) { public Result<List<String>> queryUserRole(@RequestParam(name = "userid", required = true) String userid) {
Result<List<String>> result = new Result<>(); Result<List<String>> result = new Result<>();
@ -326,6 +327,7 @@ public class SysUserController {
* @param sysUser * @param sysUser
* @return * @return
*/ */
@RequiresPermissions("system:user:checkOnlyUser")
@RequestMapping(value = "/checkOnlyUser", method = RequestMethod.GET) @RequestMapping(value = "/checkOnlyUser", method = RequestMethod.GET)
public Result<Boolean> checkOnlyUser(SysUser sysUser) { public Result<Boolean> checkOnlyUser(SysUser sysUser) {
Result<Boolean> result = new Result<>(); Result<Boolean> result = new Result<>();
@ -353,7 +355,7 @@ public class SysUserController {
/** /**
* 修改密码 * 修改密码
*/ */
//@RequiresPermissions("system:user:changepwd") @RequiresPermissions("system:user:changepwd")
@RequestMapping(value = "/changePassword", method = RequestMethod.PUT) @RequestMapping(value = "/changePassword", method = RequestMethod.PUT)
public Result<?> changePassword(@RequestBody SysUser sysUser) { public Result<?> changePassword(@RequestBody SysUser sysUser) {
SysUser u = this.sysUserService.getOne(new LambdaQueryWrapper<SysUser>().eq(SysUser::getUsername, sysUser.getUsername())); SysUser u = this.sysUserService.getOne(new LambdaQueryWrapper<SysUser>().eq(SysUser::getUsername, sysUser.getUsername()));
@ -476,7 +478,7 @@ public class SysUserController {
* @param request * @param request
* @param sysUser * @param sysUser
*/ */
//@RequiresPermissions("system:user:export") @RequiresPermissions("system:user:export")
@RequestMapping(value = "/exportXls") @RequestMapping(value = "/exportXls")
public ModelAndView exportXls(SysUser sysUser,HttpServletRequest request) { public ModelAndView exportXls(SysUser sysUser,HttpServletRequest request) {
// Step.1 组装查询条件 // Step.1 组装查询条件
@ -509,7 +511,7 @@ public class SysUserController {
* @param response * @param response
* @return * @return
*/ */
//@RequiresPermissions("system:user:import") @RequiresPermissions("system:user:import")
@RequestMapping(value = "/importExcel", method = RequestMethod.POST) @RequestMapping(value = "/importExcel", method = RequestMethod.POST)
public Result<?> importExcel(HttpServletRequest request, HttpServletResponse response)throws IOException { public Result<?> importExcel(HttpServletRequest request, HttpServletResponse response)throws IOException {
MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
@ -664,7 +666,7 @@ public class SysUserController {
* @param * @param
* @return * @return
*/ */
//@RequiresPermissions("system:user:addUserRole") @RequiresPermissions("system:user:addUserRole")
@RequestMapping(value = "/addSysUserRole", method = RequestMethod.POST) @RequestMapping(value = "/addSysUserRole", method = RequestMethod.POST)
public Result<String> addSysUserRole(@RequestBody SysUserRoleVO sysUserRoleVO) { public Result<String> addSysUserRole(@RequestBody SysUserRoleVO sysUserRoleVO) {
Result<String> result = new Result<String>(); Result<String> result = new Result<String>();
@ -695,7 +697,7 @@ public class SysUserController {
* @param * @param
* @return * @return
*/ */
//@RequiresPermissions("system:user:deleteRole") @RequiresPermissions("system:user:deleteRole")
@RequestMapping(value = "/deleteUserRole", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteUserRole", method = RequestMethod.DELETE)
public Result<SysUserRole> deleteUserRole(@RequestParam(name="roleId") String roleId, public Result<SysUserRole> deleteUserRole(@RequestParam(name="roleId") String roleId,
@RequestParam(name="userId",required=true) String userId @RequestParam(name="userId",required=true) String userId
@ -719,7 +721,7 @@ public class SysUserController {
* @param * @param
* @return * @return
*/ */
//@RequiresPermissions("system:user:deleteRoleBatch") @RequiresPermissions("system:user:deleteRoleBatch")
@RequestMapping(value = "/deleteUserRoleBatch", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteUserRoleBatch", method = RequestMethod.DELETE)
public Result<SysUserRole> deleteUserRoleBatch( public Result<SysUserRole> deleteUserRoleBatch(
@RequestParam(name="roleId") String roleId, @RequestParam(name="roleId") String roleId,
@ -850,7 +852,7 @@ public class SysUserController {
/** /**
* 给指定部门添加对应的用户 * 给指定部门添加对应的用户
*/ */
//@RequiresPermissions("system:user:editDepartWithUser") @RequiresPermissions("system:user:editDepartWithUser")
@RequestMapping(value = "/editSysDepartWithUser", method = RequestMethod.POST) @RequestMapping(value = "/editSysDepartWithUser", method = RequestMethod.POST)
public Result<String> editSysDepartWithUser(@RequestBody SysDepartUsersVO sysDepartUsersVO) { public Result<String> editSysDepartWithUser(@RequestBody SysDepartUsersVO sysDepartUsersVO) {
Result<String> result = new Result<String>(); Result<String> result = new Result<String>();
@ -879,7 +881,7 @@ public class SysUserController {
/** /**
* 删除指定机构的用户关系 * 删除指定机构的用户关系
*/ */
//@RequiresPermissions("system:user:deleteUserInDepart") @RequiresPermissions("system:user:deleteUserInDepart")
@RequestMapping(value = "/deleteUserInDepart", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteUserInDepart", method = RequestMethod.DELETE)
public Result<SysUserDepart> deleteUserInDepart(@RequestParam(name="depId") String depId, public Result<SysUserDepart> deleteUserInDepart(@RequestParam(name="depId") String depId,
@RequestParam(name="userId",required=true) String userId @RequestParam(name="userId",required=true) String userId
@ -911,7 +913,7 @@ public class SysUserController {
/** /**
* 批量删除指定机构的用户关系 * 批量删除指定机构的用户关系
*/ */
//@RequiresPermissions("system:user:deleteUserInDepartBatch") @RequiresPermissions("system:user:deleteUserInDepartBatch")
@RequestMapping(value = "/deleteUserInDepartBatch", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteUserInDepartBatch", method = RequestMethod.DELETE)
public Result<SysUserDepart> deleteUserInDepartBatch( public Result<SysUserDepart> deleteUserInDepartBatch(
@RequestParam(name="depId") String depId, @RequestParam(name="depId") String depId,
@ -1286,7 +1288,7 @@ public class SysUserController {
* @param userIds 被删除的用户ID多个id用半角逗号分割 * @param userIds 被删除的用户ID多个id用半角逗号分割
* @return * @return
*/ */
//@RequiresPermissions("system:user:deleteRecycleBin") @RequiresPermissions("system:user:deleteRecycleBin")
@RequestMapping(value = "/deleteRecycleBin", method = RequestMethod.DELETE) @RequestMapping(value = "/deleteRecycleBin", method = RequestMethod.DELETE)
public Result deleteRecycleBin(@RequestParam("userIds") String userIds) { public Result deleteRecycleBin(@RequestParam("userIds") String userIds) {
if (StringUtils.isNotBlank(userIds)) { if (StringUtils.isNotBlank(userIds)) {
@ -1663,7 +1665,7 @@ public class SysUserController {
* @return * @return
*/ */
@PostMapping("/login/setting/userEdit") @PostMapping("/login/setting/userEdit")
//@RequiresPermissions("system:user:setting:edit") @RequiresPermissions("system:user:setting:edit")
public Result<String> userEdit(@RequestBody SysUser sysUser, HttpServletRequest request) { public Result<String> userEdit(@RequestBody SysUser sysUser, HttpServletRequest request) {
String username = JwtUtil.getUserNameByToken(request); String username = JwtUtil.getUserNameByToken(request);
SysUser user = sysUserService.getById(sysUser.getId()); SysUser user = sysUserService.getById(sysUser.getId());
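Review bot: The new `@RequiresPermissions("system:user:listAll")` on `queryPageList` (`/list`) reuses the same permission code that `queryAllPageList` (`/listAll`) now enforces, so the two endpoints can no longer be granted separately; if the paged, `@PermissionData`-scoped list is meant to be available more widely than the unscoped all-users list, `/list` should carry its own code, e.g. `@RequiresPermissions("system:user:list")`, and the role-permission data needs a matching entry before deployment or every caller is locked out. The same concern applies to the newly gated `checkOnlyUser` (`/checkOnlyUser`), which is a uniqueness check that forms may call on behalf of users who hold no user-management permission; confirm whether its callers all have `system:user:checkOnlyUser` before shipping. The uncommented annotations on the remaining hunks (`/add`, `/edit`, `/delete`, `/changePassword`, `/exportXls`, `/importExcel`, `/login/setting/userEdit` and the role/depart endpoints) only take effect if Shiro annotation processing is enabled for this controller, which cannot be seen from the hunk and is worth verifying with a request that lacks the permission. Each method body in this section starts or ends outside its hunk.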