caojiahao/dev_caojiahao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improved Broken Access Control check of goods

Browse Source
This commit is contained in:
paulGao 2021-09-16 17:02:20 +08:00
parent 31a16b77df
commit 6ef7a98d81
1 changed files with 56 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java
View File

@ -2,6 +2,7 @@ package cn.lili.modules.goods.serviceimpl;
import cn.hutool.core.date.DateTime; import cn.hutool.core.date.DateTime;
import cn.hutool.core.date.DateUtil; import cn.hutool.core.date.DateUtil;
import cn.hutool.core.text.CharSequenceUtil;
import cn.hutool.core.util.NumberUtil; import cn.hutool.core.util.NumberUtil;
import cn.hutool.json.JSONUtil; import cn.hutool.json.JSONUtil;
import cn.lili.cache.Cache; import cn.lili.cache.Cache;
@ -264,8 +265,9 @@ public class GoodsServiceImpl extends ServiceImpl<GoodsMapper, Goods> implements
if (goodsAuthEnum != null) { if (goodsAuthEnum != null) {
queryWrapper.eq(Goods::getIsAuth, goodsAuthEnum.name()); queryWrapper.eq(Goods::getIsAuth, goodsAuthEnum.name());
} }
queryWrapper.eq(StringUtils.equals(UserContext.getCurrentUser().getRole().name(), UserEnums.STORE.name()), AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
Goods::getStoreId, UserContext.getCurrentUser().getStoreId()); queryWrapper.eq(CharSequenceUtil.equals(currentUser.getRole().name(), UserEnums.STORE.name()),
Goods::getStoreId, currentUser.getStoreId());
return this.count(queryWrapper); return this.count(queryWrapper);
} }
@ -287,21 +289,15 @@ public class GoodsServiceImpl extends ServiceImpl<GoodsMapper, Goods> implements
return true; return true;
} }
LambdaUpdateWrapper<Goods> updateWrapper = Wrappers.lambdaUpdate(); LambdaUpdateWrapper<Goods> updateWrapper = this.getUpdateWrapperByStoreAuthority();
LambdaQueryWrapper<Goods> queryWrapper = new LambdaQueryWrapper<Goods>().in(Goods::getId, goodsIds);
updateWrapper.set(Goods::getMarketEnable, goodsStatusEnum.name()); updateWrapper.set(Goods::getMarketEnable, goodsStatusEnum.name());
updateWrapper.set(Goods::getUnderMessage, underReason); updateWrapper.set(Goods::getUnderMessage, underReason);
AuthUser currentUser = UserContext.getCurrentUser();
if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) {
throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
} else if (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() != null) {
updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId());
queryWrapper.eq(Goods::getStoreId, currentUser.getStoreId());
}
updateWrapper.in(Goods::getId, goodsIds); updateWrapper.in(Goods::getId, goodsIds);
result = this.update(updateWrapper); result = this.update(updateWrapper);
//修改规格商品 //修改规格商品
LambdaQueryWrapper<Goods> queryWrapper = this.getQueryWrapperByStoreAuthority();
queryWrapper.in(Goods::getId, goodsIds);
List<Goods> goodsList = this.list(queryWrapper); List<Goods> goodsList = this.list(queryWrapper);
for (Goods goods : goodsList) { for (Goods goods : goodsList) {
goodsSkuService.updateGoodsSkuStatus(goods); goodsSkuService.updateGoodsSkuStatus(goods);
@ -312,20 +308,16 @@ public class GoodsServiceImpl extends ServiceImpl<GoodsMapper, Goods> implements
@Override @Override
public Boolean deleteGoods(List<String> goodsIds) { public Boolean deleteGoods(List<String> goodsIds) {
AuthUser currentUser = UserContext.getCurrentUser(); LambdaUpdateWrapper<Goods> updateWrapper = this.getUpdateWrapperByStoreAuthority();
if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) {
throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
}
LambdaUpdateWrapper<Goods> updateWrapper = Wrappers.lambdaUpdate();
updateWrapper.set(Goods::getMarketEnable, GoodsStatusEnum.DOWN.name()); updateWrapper.set(Goods::getMarketEnable, GoodsStatusEnum.DOWN.name());
updateWrapper.set(Goods::getDeleteFlag, true); updateWrapper.set(Goods::getDeleteFlag, true);
updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId());
updateWrapper.in(Goods::getId, goodsIds); updateWrapper.in(Goods::getId, goodsIds);
this.update(updateWrapper); this.update(updateWrapper);
//修改规格商品 //修改规格商品
List<Goods> goodsList = this.list(new LambdaQueryWrapper<Goods>().in(Goods::getId, goodsIds).eq(Goods::getStoreId, currentUser.getStoreId())); LambdaQueryWrapper<Goods> queryWrapper = this.getQueryWrapperByStoreAuthority();
queryWrapper.in(Goods::getId, goodsIds);
List<Goods> goodsList = this.list(queryWrapper);
for (Goods goods : goodsList) { for (Goods goods : goodsList) {
//修改SKU状态 //修改SKU状态
goodsSkuService.updateGoodsSkuStatus(goods); goodsSkuService.updateGoodsSkuStatus(goods);
@ -341,16 +333,13 @@ public class GoodsServiceImpl extends ServiceImpl<GoodsMapper, Goods> implements
@Override @Override
public Boolean freight(List<String> goodsIds, String templateId) { public Boolean freight(List<String> goodsIds, String templateId) {
AuthUser currentUser = UserContext.getCurrentUser(); AuthUser authUser = this.checkStoreAuthority();
if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) {
throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
}
FreightTemplate freightTemplate = freightTemplateService.getById(templateId); FreightTemplate freightTemplate = freightTemplateService.getById(templateId);
if (freightTemplate == null) { if (freightTemplate == null) {
throw new ServiceException(ResultCode.FREIGHT_TEMPLATE_NOT_EXIST); throw new ServiceException(ResultCode.FREIGHT_TEMPLATE_NOT_EXIST);
} }
if (!freightTemplate.getStoreId().equals(currentUser.getStoreId())) { if (authUser != null && !freightTemplate.getStoreId().equals(authUser.getStoreId())) {
throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
} }
LambdaUpdateWrapper<Goods> lambdaUpdateWrapper = Wrappers.lambdaUpdate(); LambdaUpdateWrapper<Goods> lambdaUpdateWrapper = Wrappers.lambdaUpdate();
@ -474,4 +463,47 @@ public class GoodsServiceImpl extends ServiceImpl<GoodsMapper, Goods> implements
return goods; return goods;
} }
/**
* 检查当前登录的店铺
*
* @return 当前登录的店铺
*/
private AuthUser checkStoreAuthority() {
AuthUser currentUser = UserContext.getCurrentUser();
if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) {
throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
} else if (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() != null) {
return currentUser;
}
return null;
}
/**
* 获取UpdateWrapper检查用户越权
*
* @return updateWrapper
*/
private LambdaUpdateWrapper<Goods> getUpdateWrapperByStoreAuthority() {
LambdaUpdateWrapper<Goods> updateWrapper = new LambdaUpdateWrapper<>();
AuthUser authUser = this.checkStoreAuthority();
if (authUser != null) {
updateWrapper.eq(Goods::getStoreId, authUser.getStoreId());
}
return updateWrapper;
}
/**
* 获取QueryWrapper检查用户越权
*
* @return queryWrapper
*/
private LambdaQueryWrapper<Goods> getQueryWrapperByStoreAuthority() {
LambdaQueryWrapper<Goods> queryWrapper = new LambdaQueryWrapper<>();
AuthUser authUser = this.checkStoreAuthority();
if (authUser != null) {
queryWrapper.eq(Goods::getStoreId, authUser.getStoreId());
}
return queryWrapper;
}
} }