漏洞修复

2024-10-28 10:55:53 +08:00 · 2024-10-28 10:55:53 +08:00 · 68662e56e1
parent 2173dbfb42
commit 68662e56e1
13 changed files with 119 additions and 19 deletions
--- a/bonus-common/bonus-common-datascope/src/main/java/com/bonus/common/datascope/utils/CommonDataPermissionInfo.java
+++ b/bonus-common/bonus-common-datascope/src/main/java/com/bonus/common/datascope/utils/CommonDataPermissionInfo.java
@ -1,4 +1,4 @@
-package com.bonus.system.utils;
+package com.bonus.common.datascope.utils;
 import com.bonus.common.core.web.domain.BaseEntity;
 import com.bonus.common.security.utils.SecurityUtils;
--- a/bonus-common/bonus-common-redis/src/main/java/com/bonus/common/redis/service/RedisService.java
+++ b/bonus-common/bonus-common-redis/src/main/java/com/bonus/common/redis/service/RedisService.java
@ -267,4 +267,10 @@ public class RedisService
    {
        return redisTemplate.keys(pattern);
    }
    //添加分布式锁
    public <T> Boolean setNxCacheObject(final String key, final T value,long lt,TimeUnit tu)
    {
        return redisTemplate.opsForValue().setIfAbsent(key,value,lt,tu);
    }
 }
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/annotation/PreventRepeatSubmit.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/annotation/PreventRepeatSubmit.java
@ -5,6 +5,7 @@ import java.lang.annotation.*;
 /**
 * 自定义注解防止表单重复提交
 *
 * @author 10752
 */
@Inherited
@Target({ElementType.METHOD, ElementType.TYPE})
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/annotation/RequiresPermissionsOrInnerAuth.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/annotation/RequiresPermissionsOrInnerAuth.java
@ -14,3 +14,4 @@ public @interface RequiresPermissionsOrInnerAuth {
    InnerAuth innerAuth() default @InnerAuth();
    RequiresPermissions requiresPermissions() default @RequiresPermissions();
 }
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/aspect/PreventRepeatSubmitAspect.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/aspect/PreventRepeatSubmitAspect.java
@ -1,11 +1,13 @@
 package com.bonus.common.security.aspect;
 import com.alibaba.fastjson2.JSON;
 import com.bonus.common.core.exception.RepeatCommitException;
 import com.bonus.common.redis.service.RedisService;
 import com.bonus.common.security.annotation.PreventRepeatSubmit;
 import com.bonus.common.security.enums.HttpCodeEnum;
 import com.bonus.common.security.exception.BusinessException;
 import lombok.extern.slf4j.Slf4j;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Pointcut;
 import org.aspectj.lang.reflect.MethodSignature;
@ -30,9 +32,9 @@ public class PreventRepeatSubmitAspect {
    // 定义一个切入点，待测试使用
    @Pointcut("@annotation(com.bonus.common.security.annotation.PreventRepeatSubmit)")
    public void preventRepeatSubmit() {
-
+        log.debug("进入preventRepeatSubmit切面");
    }
-
+    @Around("preventRepeatSubmit()")
    public Object checkPrs(ProceedingJoinPoint pjp) throws Throwable {
        log.debug("进入preventRepeatSubmit切面");
        //得到request对象
@ -56,10 +58,12 @@ public class PreventRepeatSubmitAspect {
        int interval = preventRepeatSubmit.interval();
        log.debug("获取到preventRepeatSubmit的有效期时间"+interval);
        //redis分布式锁
-        Boolean aBoolean = redisCache.setCacheObject(cacheRepeatKey, 1, (long) preventRepeatSubmit.interval(), TimeUnit.SECONDS);
+       // Boolean aBoolean = redisCache.setCacheObject(cacheRepeatKey, 1, preventRepeatSubmit.interval(), TimeUnit.SECONDS);
        Boolean aBoolean = redisCache.setNxCacheObject(cacheRepeatKey, 1, preventRepeatSubmit.interval(), TimeUnit.SECONDS);
        //aBoolean为true则证明没有重复提交
        if(!aBoolean){
-            throw new RepeatCommitException("重复提交，请稍后重试");
+            log.debug("重复提交，请稍后重试");
            throw new BusinessException(HttpCodeEnum.REPEATE_ERROR);
        }
        return pjp.proceed();
    }
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/enums/DataCodeEnum.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/enums/DataCodeEnum.java
@ -0,0 +1,26 @@
 package com.bonus.common.security.enums;
 import lombok.Getter;
 /**
 * @author : 阮世耀
 * @version : 1.0
 * @PackagePath: com.bonus.common.biz.enums
 * @CreateTime: 2024-10-15  10:28
 * @Description: 数据状态枚举类
 */
@Getter
 public enum DataCodeEnum {
    NORMAL(0, "正常"),
    DELETED(2, "已删除");
    private final int code;
    private final String msg;
    DataCodeEnum(int code, String msg) {
        this.code = code;
        this.msg = msg;
    }
 }
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/enums/HttpCodeEnum.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/enums/HttpCodeEnum.java
@ -0,0 +1,39 @@
 package com.bonus.common.security.enums;
 import lombok.Getter;
 /**
 * @author bonus
 */
@Getter
 public enum HttpCodeEnum {
    // 成功
    SUCCESS(200, "操作成功"),
    // 登录
    NEED_LOGIN(401, "需要登录后操作"),
    NO_OPERATOR_AUTH(403, "无权限操作"),
    SYSTEM_ERROR(500, "出现错误"),
    USERNAME_EXIST(501, "用户名已存在"),
    PHONENUMBER_EXIST(502, "手机号已存在"),
    EMAIL_EXIST(503, "邮箱已存在"),
    REQUIRE_USERNAME(504, "必需填写用户名"),
    CONTENT_NOT_NULL(506, "评论内容不能为空"),
    FILE_TYPE_ERROR(507, "文件类型错误"),
    USERNAME_NOT_NULL(508, "用户名不能为空"),
    NICKNAME_NOT_NULL(509, "昵称不能为空"),
    PASSWORD_NOT_NULL(510, "密码不能为空"),
    EMAIL_NOT_NULL(511, "邮箱不能为空"),
    NICKNAME_EXIST(512, "昵称已存在"),
    LOGIN_ERROR(505, "用户名或密码错误"),
    REPEATE_ERROR(600, "不允许重复提交，请稍候再试");
    private final int code;
    private final String msg;
    HttpCodeEnum(int code, String errorMessage) {
        this.code = code;
        this.msg = errorMessage;
    }
 }
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/exception/BusinessException.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/exception/BusinessException.java
@ -0,0 +1,26 @@
 package com.bonus.common.security.exception;
 import com.bonus.common.security.enums.HttpCodeEnum;
 public class BusinessException extends RuntimeException {
    private int code;
    //使用枚举构造
    public BusinessException(HttpCodeEnum httpCodeEnum){
        super(httpCodeEnum.getMsg());
        this.code=httpCodeEnum.getCode();
    }
    //使用自定义消息体
    public BusinessException(HttpCodeEnum httpCodeEnum, String msg){
        super(msg);
        this.code=httpCodeEnum.getCode();
    }
    //根据异常构造
    public BusinessException(HttpCodeEnum httpCodeEnum, Throwable msg){
        super(msg);
        this.code=httpCodeEnum.getCode();
    }
 }
--- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java
+++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysUserController.java
@ -8,19 +8,14 @@ import com.bonus.common.core.web.domain.AjaxResult;
 import com.bonus.common.core.web.page.TableDataInfo;
 import com.bonus.common.log.annotation.SysLog;
 import com.bonus.common.log.enums.OperaType;
-import com.bonus.common.security.annotation.InnerAuth;
+import com.bonus.common.security.annotation.*;
 import com.bonus.common.security.annotation.RequiresPermissions;
 import com.bonus.common.security.annotation.RequiresPermissionsOrInnerAuth;
 import com.bonus.common.security.utils.SecurityUtils;
 import com.bonus.system.api.RemoteFileService;
 import com.bonus.system.api.domain.SysDept;
 import com.bonus.system.api.domain.SysFile;
 import com.bonus.system.api.domain.SysRole;
 import com.bonus.system.api.domain.SysUser;
 import com.bonus.system.api.model.LoginUser;
 import com.bonus.system.domain.UserPasswordHistory;
 import com.bonus.system.service.*;
 import io.swagger.annotations.ApiOperation;
 import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.validation.annotation.Validated;
@ -30,7 +25,6 @@ import org.springframework.web.multipart.MultipartFile;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.rmi.Remote;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@ -76,7 +70,8 @@ public class SysUserController extends BaseController {
     */
    @RequiresPermissionsOrInnerAuth(innerAuth = @InnerAuth, requiresPermissions = @RequiresPermissions("system:user:list"))
    @GetMapping("/list")
-    @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
+    @PreventRepeatSubmit
    //  @SysLog(title = "用户管理", businessType = OperaType.QUERY, logType = 0, module = "系统管理->用户管理", details = "查询用户列表")
    public TableDataInfo list(SysUser user) {
        try {
            startPage();
@ -178,6 +173,7 @@ public class SysUserController extends BaseController {
    public AjaxResult getInfo() {
        try {
            SysUser user = userService.selectUserById(SecurityUtils.getUserId());
            user.setPassword(null);
            // 角色集合
            Set<String> roles = permissionService.getRolePermission(user);
            // 权限集合
@ -207,6 +203,7 @@ public class SysUserController extends BaseController {
            ajax.put("posts", postService.selectPostAll());
            if (StringUtils.isNotNull(userId)) {
                SysUser sysUser = userService.selectUserById(userId);
                sysUser.setPassword(null);
                ajax.put(AjaxResult.DATA_TAG, sysUser);
                ajax.put("postIds", postService.selectPostListByUserId(userId));
                ajax.put("roleIds", sysUser.getRoles().stream().map(SysRole::getRoleId).collect(Collectors.toList()));
--- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysDeptServiceImpl.java
+++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysDeptServiceImpl.java
@ -6,7 +6,7 @@ import java.util.List;
 import java.util.stream.Collectors;
 import com.bonus.common.core.web.domain.BaseEntity;
-import com.bonus.system.utils.CommonDataPermissionInfo;
+import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
--- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysRoleServiceImpl.java
+++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysRoleServiceImpl.java
@ -7,8 +7,8 @@ import java.util.List;
 import java.util.Set;
 import com.bonus.common.core.web.domain.BaseEntity;
 import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
 import com.bonus.system.api.domain.SysUserRole;
 import com.bonus.system.utils.CommonDataPermissionInfo;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
--- a/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysUserServiceImpl.java
+++ b/bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysUserServiceImpl.java
@ -9,6 +9,7 @@ import com.bonus.common.core.utils.bean.BeanValidators;
 import com.bonus.common.core.utils.sms.SmsUtils;
 import com.bonus.common.core.web.domain.BaseEntity;
 import com.bonus.common.datascope.annotation.DataScope;
 import com.bonus.common.datascope.utils.CommonDataPermissionInfo;
 import com.bonus.common.security.config.VerificationCodeConfig;
 import com.bonus.common.security.utils.SecurityUtils;
 import com.bonus.system.api.domain.SysPost;
@ -20,7 +21,6 @@ import com.bonus.system.mapper.*;
 import com.bonus.system.service.ISysConfigService;
 import com.bonus.system.service.ISysDeptService;
 import com.bonus.system.service.ISysUserService;
 import com.bonus.system.utils.CommonDataPermissionInfo;
 import org.apache.poi.ss.formula.functions.T;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;