update ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java.

addSave， editSave， insertAuthRole后台方法对用户的deptId 和roleId没有DataScope检查。当限制数据范围的角色使用用户管理模块，构造超越数据范围的deptId和roleId参数的话会越权设置。 Signed-off-by: zablo <zhiqiang-ge@163.com>
2024-01-23 07:04:29 +00:00 · 2024-01-23 07:04:29 +00:00 · 90b91ea737
parent 0ce40fc039
commit 90b91ea737
1 changed files with 16 additions and 0 deletions
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
@ -130,6 +130,12 @@ public class SysUserController extends BaseController
    @ResponseBody
    public AjaxResult addSave(@Validated SysUser user)
    {
         //检查部门数据权限，检测角色权限
        deptService.checkDeptDataScope(user.getDeptId());
        for (Long roleId :user.getRoleIds()){
            roleService.checkRoleDataScope(roleId); 
        }
        if (!userService.checkLoginNameUnique(user))
        {
            return error("新增用户'" + user.getLoginName() + "'失败，登录账号已存在");
@ -189,6 +195,13 @@ public class SysUserController extends BaseController
    {
        userService.checkUserAllowed(user);
        userService.checkUserDataScope(user.getUserId());
        //检查部门数据权限，检测角色权限
        deptService.checkDeptDataScope(user.getDeptId());
        for (Long roleId :user.getRoleIds()){
            roleService.checkRoleDataScope(roleId); 
        }
        if (!userService.checkLoginNameUnique(user))
        {
            return error("修改用户'" + user.getLoginName() + "'失败，登录账号已存在");
@ -259,6 +272,9 @@ public class SysUserController extends BaseController
    public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
    {
        userService.checkUserDataScope(userId);
        for (Long roleId :roleIds){
            roleService.checkRoleDataScope(roleId);
        }
        userService.insertUserAuth(userId, roleIds);
        AuthorizationUtils.clearAllCachedAuthorizationInfo();
        return success();