漏洞修复

bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/domain/BaseEntity.java

@@ -4,13 +4,15 @@ import java.io.Serializable;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
+
 import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonInclude;
 
 /**
  * Entity基类
- * 
+ *
  * @author bonus
  */
 public class BaseEntity implements Serializable
@@ -38,10 +40,57 @@ public class BaseEntity implements Serializable
     /** 备注 */
     private String remark;
 
+    public Long getNewUserId() {
+        return newUserId;
+    }
+
+    public void setNewUserId(Long newUserId) {
+        this.newUserId = newUserId;
+    }
+
+    public String getMissionSource() {
+        return missionSource;
+    }
+
+    private Long newUserId;//新的用户id
+
+    private   Set<Long> newrole ;//数据权限加了角色id
+
+    private Long newdeptId;//数据权限加了部门id
+
+    private String missionSource;//权限字符
+
+
+
+    public String getMissionSource(String missionSource) {
+        return missionSource;
+    }
+
+    public void setMissionSource(String missionSource) {
+        this.missionSource = missionSource;
+    }
+
+    public Long getNewdeptId() {
+        return newdeptId;
+    }
+
+    public void setNewdeptId(Long newdeptId) {
+        this.newdeptId = newdeptId;
+    }
+
+    public Set<Long> getNewrole() {
+        return newrole;
+    }
+
+    public void setNewrole(Set<Long> newrole) {
+        this.newrole = newrole;
+    }
+
     /** 请求参数 */
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     private Map<String, Object> params;
 
+
     public String getSearchValue()
     {
         return searchValue;

bonus-modules/bonus-system/src/main/java/com/bonus/system/controller/SysLogController.java

@@ -1,7 +1,6 @@
 package com.bonus.system.controller;
 
 import com.bonus.common.core.domain.R;
-//import com.bonus.common.core.utils.WordUtils;
 import com.bonus.common.core.utils.WordUtils;
 import com.bonus.common.core.web.controller.BaseController;
 import com.bonus.common.core.web.domain.AjaxResult;

bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysDeptServiceImpl.java

@@ -4,6 +4,10 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.stream.Collectors;
+
+import com.bonus.common.core.web.domain.BaseEntity;
+import com.bonus.system.utils.CommonDataPermissionInfo;
+import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import com.bonus.common.core.constant.UserConstants;
@@ -23,7 +27,7 @@ import com.bonus.system.service.ISysDeptService;
 
 /**
  * 部门管理 服务实现
- * 
+ *
  * @author bonus
  */
 @Service
@@ -37,7 +41,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 查询部门管理数据
-     * 
+     *
      * @param dept 部门信息
      * @return 部门信息集合
      */
@@ -45,12 +49,18 @@ public class SysDeptServiceImpl implements ISysDeptService
     @DataScope(deptAlias = "d")
     public List<SysDept> selectDeptList(SysDept dept)
     {
+        try {
+            BaseEntity entity = CommonDataPermissionInfo.backMissionInfo(dept.getParams().get("dataScope").toString());
+            BeanUtils.copyProperties(entity, dept);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
         return deptMapper.selectDeptList(dept);
     }
 
     /**
      * 查询部门树结构信息
-     * 
+     *
      * @param dept 部门信息
      * @return 部门树信息集合
      */
@@ -63,7 +73,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 构建前端所需要树结构
-     * 
+     *
      * @param depts 部门列表
      * @return 树结构列表
      */
@@ -90,7 +100,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 构建前端所需要下拉树结构
-     * 
+     *
      * @param depts 部门列表
      * @return 下拉树结构列表
      */
@@ -103,7 +113,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 根据角色ID查询部门树信息
-     * 
+     *
      * @param roleId 角色ID
      * @return 选中部门列表
      */
@@ -116,7 +126,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 根据部门ID查询信息
-     * 
+     *
      * @param deptId 部门ID
      * @return 部门信息
      */
@@ -128,7 +138,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 根据ID查询所有子部门（正常状态）
-     * 
+     *
      * @param deptId 部门ID
      * @return 子部门数
      */
@@ -140,7 +150,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 是否存在子节点
-     * 
+     *
      * @param deptId 部门ID
      * @return 结果
      */
@@ -153,7 +163,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 查询部门是否存在用户
-     * 
+     *
      * @param deptId 部门ID
      * @return 结果 true 存在 false 不存在
      */
@@ -166,7 +176,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 校验部门名称是否唯一
-     * 
+     *
      * @param dept 部门信息
      * @return 结果
      */
@@ -184,7 +194,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 校验部门是否有数据权限
-     * 
+     *
      * @param deptId 部门id
      */
     @Override
@@ -204,7 +214,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 新增保存部门信息
-     * 
+     *
      * @param dept 部门信息
      * @return 结果
      */
@@ -223,7 +233,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 修改保存部门信息
-     * 
+     *
      * @param dept 部门信息
      * @return 结果
      */
@@ -251,7 +261,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 修改该部门的父级部门状态
-     * 
+     *
      * @param dept 当前部门
      */
     private void updateParentDeptStatusNormal(SysDept dept)
@@ -263,7 +273,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 修改子元素关系
-     * 
+     *
      * @param deptId 被修改的部门ID
      * @param newAncestors 新的父ID集合
      * @param oldAncestors 旧的父ID集合
@@ -283,7 +293,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 
     /**
      * 删除部门管理信息
-     * 
+     *
      * @param deptId 部门ID
      * @return 结果
      */

bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysRoleServiceImpl.java

@@ -5,6 +5,10 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+
+import com.bonus.common.core.web.domain.BaseEntity;
+import com.bonus.system.utils.CommonDataPermissionInfo;
+import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -27,7 +31,7 @@ import com.bonus.system.service.ISysRoleService;
 
 /**
  * 角色 业务层处理
- * 
+ *
  * @author bonus
  */
 @Service
@@ -47,7 +51,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 根据条件分页查询角色数据
-     * 
+     *
      * @param role 角色信息
      * @return 角色数据集合信息
      */
@@ -55,12 +59,18 @@ public class SysRoleServiceImpl implements ISysRoleService
     @DataScope(deptAlias = "d")
     public List<SysRole> selectRoleList(SysRole role)
     {
+        try {
+            BaseEntity entity = CommonDataPermissionInfo.backMissionInfo(role.getParams().get("dataScope").toString());
+            BeanUtils.copyProperties(entity, role);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
         return roleMapper.selectRoleList(role);
     }
 
     /**
      * 根据用户ID查询角色
-     * 
+     *
      * @param userId 用户ID
      * @return 角色列表
      */
@@ -85,7 +95,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 根据用户ID查询权限
-     * 
+     *
      * @param userId 用户ID
      * @return 权限列表
      */
@@ -106,7 +116,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 查询所有角色
-     * 
+     *
      * @return 角色列表
      */
     @Override
@@ -117,7 +127,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 根据用户ID获取角色选择框列表
-     * 
+     *
      * @param userId 用户ID
      * @return 选中角色ID列表
      */
@@ -129,7 +139,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 通过角色ID查询角色
-     * 
+     *
      * @param roleId 角色ID
      * @return 角色对象信息
      */
@@ -141,7 +151,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 校验角色名称是否唯一
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -159,7 +169,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 校验角色权限是否唯一
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -177,7 +187,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 校验角色是否允许操作
-     * 
+     *
      * @param role 角色信息
      */
     @Override
@@ -191,7 +201,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 校验角色是否有数据权限
-     * 
+     *
      * @param roleIds 角色id
      */
     @Override
@@ -214,7 +224,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 通过角色ID查询角色使用数量
-     * 
+     *
      * @param roleId 角色ID
      * @return 结果
      */
@@ -226,7 +236,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 新增保存角色信息
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -241,7 +251,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 修改保存角色信息
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -258,7 +268,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 修改角色状态
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -270,7 +280,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 修改数据权限信息
-     * 
+     *
      * @param role 角色信息
      * @return 结果
      */
@@ -288,7 +298,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 新增角色菜单信息
-     * 
+     *
      * @param role 角色对象
      */
     public int insertRoleMenu(SysRole role)
@@ -336,7 +346,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 通过角色ID删除角色
-     * 
+     *
      * @param roleId 角色ID
      * @return 结果
      */
@@ -353,7 +363,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 批量删除角色信息
-     * 
+     *
      * @param roleIds 需要删除的角色ID
      * @return 结果
      */
@@ -380,7 +390,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 取消授权用户角色
-     * 
+     *
      * @param userRole 用户和角色关联信息
      * @return 结果
      */
@@ -392,7 +402,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 批量取消授权用户角色
-     * 
+     *
      * @param roleId 角色ID
      * @param userIds 需要取消授权的用户数据ID
      * @return 结果
@@ -405,7 +415,7 @@ public class SysRoleServiceImpl implements ISysRoleService
 
     /**
      * 批量选择授权用户角色
-     * 
+     *
      * @param roleId 角色ID
      * @param userIds 需要授权的用户数据ID
      * @return 结果

bonus-modules/bonus-system/src/main/java/com/bonus/system/service/impl/SysUserServiceImpl.java

@@ -2,20 +2,17 @@ package com.bonus.system.service.impl;
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-import javax.annotation.Resource;
 import javax.validation.Validator;
 
-import com.bonus.common.core.constant.CacheConstants;
-import com.bonus.common.core.constant.Constants;
 import com.bonus.common.core.domain.R;
-import com.bonus.common.core.utils.VerificationCodeUtils;
 import com.bonus.common.core.utils.sms.SmsUtils;
-import com.bonus.common.redis.service.RedisService;
+import com.bonus.common.core.web.domain.BaseEntity;
+import com.bonus.system.utils.CommonDataPermissionInfo;
 import org.apache.poi.ss.formula.functions.T;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.mail.SimpleMailMessage;
@@ -95,7 +92,14 @@ public class SysUserServiceImpl implements ISysUserService {
     @Override
     @DataScope(deptAlias = "d", userAlias = "u")
     public List<SysUser> selectUserList(SysUser user) {
-        return userMapper.selectUserList(user);
+        try {
+            BaseEntity entity = CommonDataPermissionInfo.backMissionInfo(user.getParams().get("dataScope").toString());
+            BeanUtils.copyProperties(entity, user);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        List<SysUser> sysUsers = userMapper.selectUserList(user);
+        return sysUsers;
     }
 
     /**
@@ -107,6 +111,12 @@ public class SysUserServiceImpl implements ISysUserService {
     @Override
     @DataScope(deptAlias = "d", userAlias = "u")
     public List<SysUser> selectAllocatedList(SysUser user) {
+        try {
+            BaseEntity entity = CommonDataPermissionInfo.backMissionInfo(user.getParams().get("dataScope").toString());
+            BeanUtils.copyProperties(entity, user);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
         return userMapper.selectAllocatedList(user);
     }
 
@@ -119,6 +129,12 @@ public class SysUserServiceImpl implements ISysUserService {
     @Override
     @DataScope(deptAlias = "d", userAlias = "u")
     public List<SysUser> selectUnallocatedList(SysUser user) {
+        try {
+            BaseEntity entity = CommonDataPermissionInfo.backMissionInfo(user.getParams().get("dataScope").toString());
+            BeanUtils.copyProperties(entity, user);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
         return userMapper.selectUnallocatedList(user);
     }
 

bonus-modules/bonus-system/src/main/java/com/bonus/system/utils/CommonDataPermissionInfo.java

@@ -0,0 +1,50 @@
+package com.bonus.system.utils;
+
+import com.bonus.common.core.web.domain.BaseEntity;
+import com.bonus.common.security.utils.SecurityUtils;
+import com.bonus.system.api.domain.SysRole;
+import com.bonus.system.api.domain.SysUser;
+import com.bonus.system.api.model.LoginUser;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class CommonDataPermissionInfo {
+
+    public static BaseEntity backMissionInfo(String dataScope){
+        BaseEntity entity = new BaseEntity();
+        Set<Long> roleIds = new HashSet<>();
+        LoginUser loginUser = SecurityUtils.getLoginUser();
+        if (loginUser != null) {
+            SysUser sysUser = loginUser.getSysUser();
+            if (sysUser != null) {
+                Long deptId = sysUser.getDeptId();
+                entity.setNewUserId(sysUser.getUserId());
+                List<SysRole> roles = sysUser.getRoles();
+                if (roles != null) {
+                    entity.setNewdeptId(deptId);
+                    // 如果需要记录多个角色ID，可以使用Set或List
+                    for (SysRole role : roles) {
+                        roleIds.add(role.getRoleId());
+                        entity.setMissionSource(role.getDataScope());
+                        // 只在第一次迭代时设置dataScope，且dataScope不为空的情况下
+                        if (dataScope.isEmpty() && !"".equals(role.getDataScope())) {
+                            entity.setMissionSource(dataScope);
+                            break;
+                        }else if(roles.size()>1){
+                            entity.setMissionSource(4+"");
+                        }
+
+                        // 设置角色ID集合
+                        entity.setNewrole(roleIds);
+                    }
+
+                }
+            }
+        }
+
+        return entity;
+
+    }
+}

bonus-modules/bonus-system/src/main/resources/mapper/system/SysRoleMapper.xml

@@ -20,16 +20,16 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
 		<result property="updateTime"         column="update_time"           />
 		<result property="remark"             column="remark"                />
 	</resultMap>
-	
+
 	<sql id="selectRoleVo">
 	    select distinct r.role_id, r.role_name, r.role_key, r.role_sort, r.data_scope, r.menu_check_strictly, r.dept_check_strictly,
-            r.status, r.del_flag, r.create_time, r.remark 
+            r.status, r.del_flag, r.create_time, r.remark
         from sys_role r
 	        left join sys_user_role ur on ur.role_id = r.role_id
 	        left join sys_user u on u.user_id = ur.user_id
 	        left join sys_dept d on u.dept_id = d.dept_id
     </sql>
-    
+
     <select id="selectRoleList" parameterType="SysRole" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		where r.del_flag = '0'
@@ -52,19 +52,19 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
 			and date_format(r.create_time,'%y%m%d') &lt;= date_format(#{params.endTime},'%y%m%d')
 		</if>
 		<!-- 数据范围过滤 -->
-		${params.dataScope}
+		<include refid="com.bonus.system.mapper.DataScopeMapper.dataScopeFilter"/>
 		order by r.role_sort
 	</select>
-    
+
 	<select id="selectRolePermissionByUserId" parameterType="Long" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		WHERE r.del_flag = '0' and ur.user_id = #{userId}
 	</select>
-	
+
 	<select id="selectRoleAll" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 	</select>
-	
+
 	<select id="selectRoleListByUserId" parameterType="Long" resultType="Long">
 		select r.role_id
         from sys_role r
@@ -72,27 +72,27 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
 	        left join sys_user u on u.user_id = ur.user_id
 	    where u.user_id = #{userId}
 	</select>
-	
+
 	<select id="selectRoleById" parameterType="Long" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		where r.role_id = #{roleId}
 	</select>
-	
+
 	<select id="selectRolesByUserName" parameterType="String" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		WHERE r.del_flag = '0' and u.user_name = #{userName}
 	</select>
-	
+
 	<select id="checkRoleNameUnique" parameterType="String" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		 where r.role_name=#{roleName} and r.del_flag = '0' limit 1
 	</select>
-	
+
 	<select id="checkRoleKeyUnique" parameterType="String" resultMap="SysRoleResult">
 		<include refid="selectRoleVo"/>
 		 where r.role_key=#{roleKey} and r.del_flag = '0' limit 1
 	</select>
-	
+
  	<insert id="insertRole" parameterType="SysRole" useGeneratedKeys="true" keyProperty="roleId">
  		insert into sys_role(
  			<if test="roleId != null and roleId != 0">role_id,</if>
@@ -120,7 +120,7 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
  			sysdate()
  		)
 	</insert>
-	
+
 	<update id="updateRole" parameterType="SysRole">
  		update sys_role
  		<set>
@@ -137,16 +137,16 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
  		</set>
  		where role_id = #{roleId}
 	</update>
-	
+
 	<delete id="deleteRoleById" parameterType="Long">
  		update sys_role set del_flag = '2' where role_id = #{roleId}
  	</delete>
- 	
+
  	<delete id="deleteRoleByIds" parameterType="Long">
  	    update sys_role set del_flag = '2' where role_id in
  		<foreach collection="array" item="roleId" open="(" separator="," close=")">
  			#{roleId}
-        </foreach> 
+        </foreach>
  	</delete>
- 	
+
-</mapper> 
+</mapper>