漏洞修复
This commit is contained in:
parent
2173dbfb42
commit
68662e56e1
|
|
@ -1,4 +1,4 @@
|
|||
package com.bonus.system.utils;
|
||||
package com.bonus.common.datascope.utils;
|
||||
|
||||
import com.bonus.common.core.web.domain.BaseEntity;
|
||||
import com.bonus.common.security.utils.SecurityUtils;
|
||||
|
|
@ -15,7 +15,7 @@ import org.springframework.stereotype.Component;
|
|||
|
||||
/**
|
||||
* spring redis 工具类
|
||||
*
|
||||
*
|
||||
* @author bonus
|
||||
**/
|
||||
@SuppressWarnings(value = { "unchecked", "rawtypes" })
|
||||
|
|
@ -267,4 +267,10 @@ public class RedisService
|
|||
{
|
||||
return redisTemplate.keys(pattern);
|
||||
}
|
||||
|
||||
//添加分布式锁
|
||||
public <T> Boolean setNxCacheObject(final String key, final T value,long lt,TimeUnit tu)
|
||||
{
|
||||
return redisTemplate.opsForValue().setIfAbsent(key,value,lt,tu);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import java.lang.annotation.*;
|
|||
/**
|
||||
* 自定义注解防止表单重复提交
|
||||
*
|
||||
* @author 10752
|
||||
*/
|
||||
@Inherited
|
||||
@Target({ElementType.METHOD, ElementType.TYPE})
|
||||
|
|
|
|||
|
|
@ -14,3 +14,4 @@ public @interface RequiresPermissionsOrInnerAuth {
|
|||
InnerAuth innerAuth() default @InnerAuth();
|
||||
RequiresPermissions requiresPermissions() default @RequiresPermissions();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,11 +1,13 @@
|
|||
package com.bonus.common.security.aspect;
|
||||
|
||||
import com.alibaba.fastjson2.JSON;
|
||||
import com.bonus.common.core.exception.RepeatCommitException;
|
||||
import com.bonus.common.redis.service.RedisService;
|
||||
import com.bonus.common.security.annotation.PreventRepeatSubmit;
|
||||
import com.bonus.common.security.enums.HttpCodeEnum;
|
||||
import com.bonus.common.security.exception.BusinessException;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.aspectj.lang.ProceedingJoinPoint;
|
||||
import org.aspectj.lang.annotation.Around;
|
||||
import org.aspectj.lang.annotation.Aspect;
|
||||
import org.aspectj.lang.annotation.Pointcut;
|
||||
import org.aspectj.lang.reflect.MethodSignature;
|
||||
|
|
@ -30,9 +32,9 @@ public class PreventRepeatSubmitAspect {
|
|||
// 定义一个切入点,待测试使用
|
||||
@Pointcut("@annotation(com.bonus.common.security.annotation.PreventRepeatSubmit)")
|
||||
public void preventRepeatSubmit() {
|
||||
|
||||
log.debug("进入preventRepeatSubmit切面");
|
||||
}
|
||||
|
||||
@Around("preventRepeatSubmit()")
|
||||
public Object checkPrs(ProceedingJoinPoint pjp) throws Throwable {
|
||||
log.debug("进入preventRepeatSubmit切面");
|
||||
//得到request对象
|
||||
|
|
@ -56,10 +58,12 @@ public class PreventRepeatSubmitAspect {
|
|||
int interval = preventRepeatSubmit.interval();
|
||||
log.debug("获取到preventRepeatSubmit的有效期时间"+interval);
|
||||
//redis分布式锁
|
||||
Boolean aBoolean = redisCache.setCacheObject(cacheRepeatKey, 1, (long) preventRepeatSubmit.interval(), TimeUnit.SECONDS);
|
||||
// Boolean aBoolean = redisCache.setCacheObject(cacheRepeatKey, 1, preventRepeatSubmit.interval(), TimeUnit.SECONDS);
|
||||
Boolean aBoolean = redisCache.setNxCacheObject(cacheRepeatKey, 1, preventRepeatSubmit.interval(), TimeUnit.SECONDS);
|
||||
//aBoolean为true则证明没有重复提交
|
||||
if(!aBoolean){
|
||||
throw new RepeatCommitException("重复提交,请稍后重试");
|
||||
log.debug("重复提交,请稍后重试");
|
||||
throw new BusinessException(HttpCodeEnum.REPEATE_ERROR);
|
||||
}
|
||||
return pjp.proceed();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
package com.bonus.common.security.enums;
|
||||
|
||||
import lombok.Getter;
|
||||
|
||||
/**
|
||||
* @author : 阮世耀
|
||||
* @version : 1.0
|
||||
* @PackagePath: com.bonus.common.biz.enums
|
||||
* @CreateTime: 2024-10-15 10:28
|
||||
* @Description: 数据状态枚举类
|
||||
*/
|
||||
@Getter
|
||||
public enum DataCodeEnum {
|
||||
|
||||
NORMAL(0, "正常"),
|
||||
DELETED(2, "已删除");
|
||||
|
||||
private final int code;
|
||||
private final String msg;
|
||||
|
||||
DataCodeEnum(int code, String msg) {
|
||||
this.code = code;
|
||||
this.msg = msg;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
package com.bonus.common.security.enums;
|
||||
|
||||
import lombok.Getter;
|
||||
|
||||
/**
|
||||
* @author bonus
|
||||
*/
|
||||
|
||||
@Getter
|
||||
public enum HttpCodeEnum {
|
||||
// 成功
|
||||
SUCCESS(200, "操作成功"),
|
||||
// 登录
|
||||
NEED_LOGIN(401, "需要登录后操作"),
|
||||
NO_OPERATOR_AUTH(403, "无权限操作"),
|
||||
SYSTEM_ERROR(500, "出现错误"),
|
||||
USERNAME_EXIST(501, "用户名已存在"),
|
||||
PHONENUMBER_EXIST(502, "手机号已存在"),
|
||||
EMAIL_EXIST(503, "邮箱已存在"),
|
||||
REQUIRE_USERNAME(504, "必需填写用户名"),
|
||||
CONTENT_NOT_NULL(506, "评论内容不能为空"),
|
||||
FILE_TYPE_ERROR(507, "文件类型错误"),
|
||||
USERNAME_NOT_NULL(508, "用户名不能为空"),
|
||||
NICKNAME_NOT_NULL(509, "昵称不能为空"),
|
||||
PASSWORD_NOT_NULL(510, "密码不能为空"),
|
||||
EMAIL_NOT_NULL(511, "邮箱不能为空"),
|
||||
NICKNAME_EXIST(512, "昵称已存在"),
|
||||
LOGIN_ERROR(505, "用户名或密码错误"),
|
||||
REPEATE_ERROR(600, "不允许重复提交,请稍候再试");
|
||||
|
||||
private final int code;
|
||||
private final String msg;
|
||||
|
||||
HttpCodeEnum(int code, String errorMessage) {
|
||||
this.code = code;
|
||||
this.msg = errorMessage;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
package com.bonus.common.security.exception;
|
||||
|
||||
|
||||
import com.bonus.common.security.enums.HttpCodeEnum;
|
||||
|
||||
public class BusinessException extends RuntimeException {
|
||||
|
||||
private int code;
|
||||
//使用枚举构造
|
||||
public BusinessException(HttpCodeEnum httpCodeEnum){
|
||||
super(httpCodeEnum.getMsg());
|
||||
this.code=httpCodeEnum.getCode();
|
||||
}
|
||||
//使用自定义消息体
|
||||
public BusinessException(HttpCodeEnum httpCodeEnum, String msg){
|
||||
super(msg);
|
||||
this.code=httpCodeEnum.getCode();
|
||||
}
|
||||
|
||||
//根据异常构造
|
||||
public BusinessException(HttpCodeEnum httpCodeEnum, Throwable msg){
|
||||
super(msg);
|
||||
this.code=httpCodeEnum.getCode();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -30,7 +30,7 @@ import com.bonus.system.service.ISysDeptService;
|
|||
|
||||
/**
|
||||
* 部门信息
|
||||
*
|
||||
*
|
||||
* @author bonus
|
||||
*/
|
||||
@RestController
|
||||
|
|
|
|||
|
|
@ -8,19 +8,14 @@ import com.bonus.common.core.web.domain.AjaxResult;
|
|||
import com.bonus.common.core.web.page.TableDataInfo;
|
||||
import com.bonus.common.log.annotation.SysLog;
|
||||
import com.bonus.common.log.enums.OperaType;
|
||||
import com.bonus.common.security.annotation.InnerAuth;
|
||||
import com.bonus.common.security.annotation.RequiresPermissions;
|
||||
import com.bonus.common.security.annotation.RequiresPermissionsOrInnerAuth;
|
||||
import com.bonus.common.security.annotation.*;
|
||||
import com.bonus.common.security.utils.SecurityUtils;
|
||||
import com.bonus.system.api.RemoteFileService;
|
||||
import com.bonus.system.api.domain.SysDept;
|
||||
import com.bonus.system.api.domain.SysFile;
|
||||
import com.bonus.system.api.domain.SysRole;
|
||||
import com.bonus.system.api.domain.SysUser;
|
||||
import com.bonus.system.api.model.LoginUser;
|
||||
import com.bonus.system.domain.UserPasswordHistory;
|
||||
import com.bonus.system.service.*;
|
||||
import io.swagger.annotations.ApiOperation;
|
||||
import org.apache.commons.lang3.ArrayUtils;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.validation.annotation.Validated;
|
||||
|
|
@ -30,7 +25,6 @@ import org.springframework.web.multipart.MultipartFile;
|
|||
import javax.annotation.Resource;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.rmi.Remote;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
|
@ -76,7 +70,8 @@ public class SysUserController extends BaseController {
|
|||
*/
|
||||
@RequiresPermissionsOrInnerAuth(innerAuth = @InnerAuth, requiresPermissions = @RequiresPermissions("system:user:list"))
|
||||
@GetMapping("/list")
|
||||
@SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
|
||||
@PreventRepeatSubmit
|
||||
// @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
|
||||
public TableDataInfo list(SysUser user) {
|
||||
try {
|
||||
startPage();
|
||||
|
|
@ -178,6 +173,7 @@ public class SysUserController extends BaseController {
|
|||
public AjaxResult getInfo() {
|
||||
try {
|
||||
SysUser user = userService.selectUserById(SecurityUtils.getUserId());
|
||||
user.setPassword(null);
|
||||
// 角色集合
|
||||
Set<String> roles = permissionService.getRolePermission(user);
|
||||
// 权限集合
|
||||
|
|
@ -207,6 +203,7 @@ public class SysUserController extends BaseController {
|
|||
ajax.put("posts", postService.selectPostAll());
|
||||
if (StringUtils.isNotNull(userId)) {
|
||||
SysUser sysUser = userService.selectUserById(userId);
|
||||
sysUser.setPassword(null);
|
||||
ajax.put(AjaxResult.DATA_TAG, sysUser);
|
||||
ajax.put("postIds", postService.selectPostListByUserId(userId));
|
||||
ajax.put("roleIds", sysUser.getRoles().stream().map(SysRole::getRoleId).collect(Collectors.toList()));
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ import java.util.List;
|
|||
import java.util.stream.Collectors;
|
||||
|
||||
import com.bonus.common.core.web.domain.BaseEntity;
|
||||
import com.bonus.system.utils.CommonDataPermissionInfo;
|
||||
import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
|
||||
import org.springframework.beans.BeanUtils;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ import java.util.List;
|
|||
import java.util.Set;
|
||||
|
||||
import com.bonus.common.core.web.domain.BaseEntity;
|
||||
import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
|
||||
import com.bonus.system.api.domain.SysUserRole;
|
||||
import com.bonus.system.utils.CommonDataPermissionInfo;
|
||||
import org.springframework.beans.BeanUtils;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import com.bonus.common.core.utils.bean.BeanValidators;
|
|||
import com.bonus.common.core.utils.sms.SmsUtils;
|
||||
import com.bonus.common.core.web.domain.BaseEntity;
|
||||
import com.bonus.common.datascope.annotation.DataScope;
|
||||
import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
|
||||
import com.bonus.common.security.config.VerificationCodeConfig;
|
||||
import com.bonus.common.security.utils.SecurityUtils;
|
||||
import com.bonus.system.api.domain.SysPost;
|
||||
|
|
@ -20,7 +21,6 @@ import com.bonus.system.mapper.*;
|
|||
import com.bonus.system.service.ISysConfigService;
|
||||
import com.bonus.system.service.ISysDeptService;
|
||||
import com.bonus.system.service.ISysUserService;
|
||||
import com.bonus.system.utils.CommonDataPermissionInfo;
|
||||
import org.apache.poi.ss.formula.functions.T;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
|
|
|||
Loading…
Reference in New Issue