漏洞修复

bonus-modules/bonus-system/src/main/resources/mapper/system/SysDeptMapper.xml

@@ -43,7 +43,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
 			AND status = #{status}
 		</if>
 		<!-- 数据范围过滤 -->
-		${params.dataScope}
+		<include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>
 		order by d.parent_id, d.order_num
     </select>
 

bonus-modules/bonus-system/src/main/resources/mapper/system/SysUserMapper.xml

@@ -116,8 +116,8 @@
             AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE find_in_set(#{deptId},
             ancestors) ))
         </if>
-        <!-- 数据范围过滤 -->
+        <include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>
-        ${params.dataScope}
+
     </select>
 
     <select id="selectAllocatedList" parameterType="SysUser" resultMap="SysUserResult">
@@ -134,7 +134,7 @@
             AND u.phonenumber like concat('%', #{phonenumber}, '%')
         </if>
         <!-- 数据范围过滤 -->
-        ${params.dataScope}
+        <include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>
     </select>
 
     <select id="selectUnallocatedList" parameterType="SysUser" resultMap="SysUserResult">
@@ -153,7 +153,7 @@
             AND u.phonenumber like concat('%', #{phonenumber}, '%')
         </if>
         <!-- 数据范围过滤 -->
-        ${params.dataScope}
+        <include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>
     </select>
 
     <select id="selectUserByUserName" parameterType="String" resultMap="SysUserResult">