abu/wzj-boot
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix 修复 用户篡改管理员角色标识符越权问题

Browse Source
This commit is contained in:
疯狂的狮子Li 2023-06-17 22:38:22 +08:00
parent 45eec24b7f
commit 1e69726d77
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ruoyi-common/src/main/java/com/ruoyi/common/constant/UserConstants.java
View File

@ -129,4 +129,9 @@ public interface UserConstants {
*/ */
Long ADMIN_ID = 1L; Long ADMIN_ID = 1L;
/**
* 管理员角色key
*/
String ADMIN_ROLE_KEY = "admin";
} }

18
ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
View File

@ -186,6 +186,20 @@ public class SysRoleServiceImpl implements ISysRoleService {
if (ObjectUtil.isNotNull(role.getRoleId()) && role.isAdmin()) { if (ObjectUtil.isNotNull(role.getRoleId()) && role.isAdmin()) {
throw new ServiceException("不允许操作超级管理员角色"); throw new ServiceException("不允许操作超级管理员角色");
} }
// 新增不允许使用 管理员标识符
if (ObjectUtil.isNull(role.getRoleId())
&& StringUtils.equals(role.getRoleKey(), UserConstants.ADMIN_ROLE_KEY)) {
throw new ServiceException("不允许使用系统内置管理员角色标识符!");
}
// 修改不允许修改 管理员标识符
if (ObjectUtil.isNotNull(role.getRoleId())) {
SysRole sysRole = baseMapper.selectById(role.getRoleId());
// 如果标识符不相等 判断为修改了管理员标识符
if (!StringUtils.equals(sysRole.getRoleKey(), role.getRoleKey())
&& StringUtils.equals(sysRole.getRoleKey(), UserConstants.ADMIN_ROLE_KEY)) {
throw new ServiceException("不允许修改系统内置管理员角色标识符!");
}
}
} }
/** /**
@ -342,9 +356,9 @@ public class SysRoleServiceImpl implements ISysRoleService {
@Transactional(rollbackFor = Exception.class) @Transactional(rollbackFor = Exception.class)
public int deleteRoleByIds(Long[] roleIds) { public int deleteRoleByIds(Long[] roleIds) {
for (Long roleId : roleIds) { for (Long roleId : roleIds) {
checkRoleAllowed(new SysRole(roleId));
checkRoleDataScope(roleId);
SysRole role = selectRoleById(roleId); SysRole role = selectRoleById(roleId);
checkRoleAllowed(role);
checkRoleDataScope(roleId);
if (countUserRoleByRoleId(roleId) > 0) { if (countUserRoleByRoleId(roleId) > 0) {
throw new ServiceException(String.format("%1$s已分配,不能删除", role.getRoleName())); throw new ServiceException(String.format("%1$s已分配,不能删除", role.getRoleName()));
} }