From 8ae04e7ee60f12d7a39eea9a877b25f9c5376fda Mon Sep 17 00:00:00 2001 From: paulGao Date: Thu, 16 Sep 2021 11:55:58 +0800 Subject: [PATCH 1/2] fix manager api calling updateGoodsMarketAble error fix manager api es generator get progress error info --- .../goods/serviceimpl/GoodsServiceImpl.java | 16 +++++++++------- .../serviceimpl/EsGoodsIndexServiceImpl.java | 1 - .../other/ElasticsearchController.java | 18 ++++++++++++++---- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java b/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java index 52fbce4a..1aabb3cf 100644 --- a/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java +++ b/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java 
@@ -282,25 +282,27 @@ public class GoodsServiceImpl extends ServiceImpl implements public Boolean updateGoodsMarketAble(List goodsIds, GoodsStatusEnum goodsStatusEnum, String underReason) { boolean result; - AuthUser currentUser = UserContext.getCurrentUser(); - if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { - throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); - } - //如果商品为空,直接返回 if (goodsIds == null || goodsIds.isEmpty()) { return true; } LambdaUpdateWrapper updateWrapper = Wrappers.lambdaUpdate(); + LambdaQueryWrapper queryWrapper = new LambdaQueryWrapper().in(Goods::getId, goodsIds); updateWrapper.set(Goods::getMarketEnable, goodsStatusEnum.name()); updateWrapper.set(Goods::getUnderMessage, underReason); - updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); + AuthUser currentUser = UserContext.getCurrentUser(); + if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { + throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); + } else if (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() != null) { + updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); + queryWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); + } updateWrapper.in(Goods::getId, goodsIds); result = this.update(updateWrapper); //修改规格商品 - List goodsList = this.list(new LambdaQueryWrapper().in(Goods::getId, goodsIds).eq(Goods::getStoreId, currentUser.getStoreId())); + List goodsList = this.list(queryWrapper); for (Goods goods : goodsList) { goodsSkuService.updateGoodsSkuStatus(goods); } diff --git a/framework/src/main/java/cn/lili/modules/search/serviceimpl/EsGoodsIndexServiceImpl.java b/framework/src/main/java/cn/lili/modules/search/serviceimpl/EsGoodsIndexServiceImpl.java index 743abc04..32b9c45c 100644 --- a/framework/src/main/java/cn/lili/modules/search/serviceimpl/EsGoodsIndexServiceImpl.java 
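Review bot: The new branch only distinguishes STORE from not-STORE, so any authenticated caller whose role is neither STORE nor the manager role reaches `updateWrapper.in(Goods::getId, goodsIds)` with no `storeId` filter and can change the market status of goods it does not own, if such a principal can reach this service method from another API module. An explicit allow-list closes that gap: `} else if (!UserEnums.MANAGER.equals(currentUser.getRole())) { throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); }` (assuming `MANAGER` is the administrator constant of `UserEnums`). The same STORE-or-anything shape is carried over into `checkStoreAuthority()` in the second patch, so once that refactor lands the gate belongs there instead. `updateGoodsMarketAble` continues past the end of the hunk.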
+++ b/framework/src/main/java/cn/lili/modules/search/serviceimpl/EsGoodsIndexServiceImpl.java @@ -199,7 +199,6 @@ public class EsGoodsIndexServiceImpl extends BaseElasticsearchService implements resultMap.put(KEY_FAIL, 0); resultMap.put(KEY_PROCESSED, 0); cache.put(CachePrefix.INIT_INDEX_PROCESS.getPrefix() + "", resultMap); - cache.put(CachePrefix.INIT_INDEX_FLAG.getPrefix(), true); if (!goodsIndexList.isEmpty()) { goodsIndexRepository.deleteAll(); for (EsGoodsIndex goodsIndex : goodsIndexList) { diff --git a/manager-api/src/main/java/cn/lili/controller/other/ElasticsearchController.java b/manager-api/src/main/java/cn/lili/controller/other/ElasticsearchController.java index 6d5c31ca..31ce2559 100644 --- a/manager-api/src/main/java/cn/lili/controller/other/ElasticsearchController.java +++ b/manager-api/src/main/java/cn/lili/controller/other/ElasticsearchController.java @@ -80,9 +80,15 @@ public class ElasticsearchController { public ResultMessage init() { Boolean flag = (Boolean) cache.get(CachePrefix.INIT_INDEX_FLAG.getPrefix()); + if (flag == null) { + cache.put(CachePrefix.INIT_INDEX_FLAG.getPrefix(), false); + } if (Boolean.TRUE.equals(flag)) { return ResultUtil.error(100000, "当前有任务在执行"); } + + cache.put(CachePrefix.INIT_INDEX_PROCESS.getPrefix(), null); + cache.put(CachePrefix.INIT_INDEX_FLAG.getPrefix(), true); ThreadUtil.execAsync(() -> { //查询商品信息 LambdaQueryWrapper queryWrapper = new LambdaQueryWrapper<>(); 
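Review bot: The guard in `init()` is a check-then-act on the cache: two requests that both read a non-true flag before either executes `cache.put(CachePrefix.INIT_INDEX_FLAG.getPrefix(), true)` will both launch the async rebuild, and the added `if (flag == null)` branch achieves nothing because the flag is overwritten with `true` a few lines later regardless. If the `Cache` abstraction offers an atomic set-if-absent or a lock, the flag should be claimed with it and the `flag == null` branch dropped; otherwise a local lock around the read/put pair is the minimum. Because this commit also removes the `INIT_INDEX_FLAG` write from `EsGoodsIndexServiceImpl`, it is worth confirming that the async body, which continues past the hunk, resets the flag to false on failure as well as on success, or a single failed run leaves the endpoint permanently answering `当前有任务在执行`. It is also worth checking that `cache.put(CachePrefix.INIT_INDEX_PROCESS.getPrefix(), null)` is accepted by the cache implementation in use rather than throwing.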
@@ -129,9 +135,13 @@ public class ElasticsearchController { @GetMapping("/progress") public ResultMessage> getProgress() { - Map map = (Map) cache.get(CachePrefix.INIT_INDEX_PROCESS.getPrefix()); - Boolean flag = (Boolean) cache.get(CachePrefix.INIT_INDEX_FLAG.getPrefix()); - map.put("flag", Boolean.TRUE.equals(flag) ? 1 : 0); - return ResultUtil.data(map); + try { + Map map = (Map) cache.get(CachePrefix.INIT_INDEX_PROCESS.getPrefix()); + Boolean flag = (Boolean) cache.get(CachePrefix.INIT_INDEX_FLAG.getPrefix()); + map.put("flag", Boolean.TRUE.equals(flag) ? 1 : 0); + return ResultUtil.data(map); + } catch (Exception e) { + return ResultUtil.data(null); + } } } From 6ef7a98d8131947905ee0302041a2cbec8c76054 Mon Sep 17 00:00:00 2001 From: paulGao Date: Thu, 16 Sep 2021 17:02:20 +0800 Subject: [PATCH 2/2] improved Broken Access Control check of goods --- .../goods/serviceimpl/GoodsServiceImpl.java | 80 +++++++++++++------ 1 file changed, 56 insertions(+), 24 deletions(-) diff --git a/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java b/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java index 1aabb3cf..c6a82272 100644 --- a/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java +++ b/framework/src/main/java/cn/lili/modules/goods/serviceimpl/GoodsServiceImpl.java @@ -2,6 +2,7 @@ package cn.lili.modules.goods.serviceimpl; import cn.hutool.core.date.DateTime; import cn.hutool.core.date.DateUtil; +import cn.hutool.core.text.CharSequenceUtil; import cn.hutool.core.util.NumberUtil; import cn.hutool.json.JSONUtil; import cn.lili.cache.Cache; 
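Review bot: The new `catch (Exception e)` in `getProgress()` turns the NullPointerException from an absent progress map into an empty success response, but it also swallows every other failure (cache backend unreachable, value of the wrong type) without a log line, so whoever polls `/progress` cannot tell "no run yet" from "cache broken". The only condition the commit is trying to handle is `map == null`, which a direct check covers: `if (map == null) { return ResultUtil.data(null); }` placed before `map.put("flag", ...)`, with the try/catch removed. The unchecked `(Map)` cast remains either way; if the cached value is not a `Map`, the previous 500 is arguably more honest than a silent null.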
@@ -264,8 +265,9 @@ public class GoodsServiceImpl extends ServiceImpl implements if (goodsAuthEnum != null) { queryWrapper.eq(Goods::getIsAuth, goodsAuthEnum.name()); } - queryWrapper.eq(StringUtils.equals(UserContext.getCurrentUser().getRole().name(), UserEnums.STORE.name()), - Goods::getStoreId, UserContext.getCurrentUser().getStoreId()); + AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser()); + queryWrapper.eq(CharSequenceUtil.equals(currentUser.getRole().name(), UserEnums.STORE.name()), + Goods::getStoreId, currentUser.getStoreId()); return this.count(queryWrapper); } @@ -287,21 +289,15 @@ public class GoodsServiceImpl extends ServiceImpl implements return true; } - LambdaUpdateWrapper updateWrapper = Wrappers.lambdaUpdate(); - LambdaQueryWrapper queryWrapper = new LambdaQueryWrapper().in(Goods::getId, goodsIds); + LambdaUpdateWrapper updateWrapper = this.getUpdateWrapperByStoreAuthority(); updateWrapper.set(Goods::getMarketEnable, goodsStatusEnum.name()); updateWrapper.set(Goods::getUnderMessage, underReason); - AuthUser currentUser = UserContext.getCurrentUser(); - if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { - throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); - } else if (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() != null) { - updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); - queryWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); - } updateWrapper.in(Goods::getId, goodsIds); result = this.update(updateWrapper); //修改规格商品 + LambdaQueryWrapper queryWrapper = this.getQueryWrapperByStoreAuthority(); + queryWrapper.in(Goods::getId, goodsIds); List goodsList = this.list(queryWrapper); for (Goods goods : goodsList) { goodsSkuService.updateGoodsSkuStatus(goods); 
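Review bot: `Objects.requireNonNull(UserContext.getCurrentUser())` makes an unauthenticated call fail with a bare NullPointerException (a generic 500) instead of the `ServiceException(ResultCode.USER_AUTHORITY_ERROR)` that every other method in this class throws for the same condition; the patch also adds no `java.util.Objects` import, so this compiles only if the file already imports it elsewhere. An explicit check keeps the error contract consistent: `AuthUser currentUser = UserContext.getCurrentUser();` followed by `if (currentUser == null) { throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); }`. The enclosing count method begins before the hunk.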
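Review bot: `getUpdateWrapperByStoreAuthority()` and `getQueryWrapperByStoreAuthority()` each call `checkStoreAuthority()`, so `updateGoodsMarketAble` now resolves and validates the current user twice per call and scopes the update and the follow-up query from two independent reads of `UserContext`; `deleteGoods` in the next hunk has the same shape. Resolving the user once at the top of the method, e.g. `AuthUser authUser = this.checkStoreAuthority();`, and passing it into both helpers would keep the two filters derived from a single value and make the scoping easier to audit. This is a point of style; behaviour is unchanged as long as `UserContext` is stable for the duration of the call. The method continues beyond the hunk.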
@@ -312,20 +308,16 @@ public class GoodsServiceImpl extends ServiceImpl implements @Override public Boolean deleteGoods(List goodsIds) { - AuthUser currentUser = UserContext.getCurrentUser(); - if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { - throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); - } - - LambdaUpdateWrapper updateWrapper = Wrappers.lambdaUpdate(); + LambdaUpdateWrapper updateWrapper = this.getUpdateWrapperByStoreAuthority(); updateWrapper.set(Goods::getMarketEnable, GoodsStatusEnum.DOWN.name()); updateWrapper.set(Goods::getDeleteFlag, true); - updateWrapper.eq(Goods::getStoreId, currentUser.getStoreId()); updateWrapper.in(Goods::getId, goodsIds); this.update(updateWrapper); //修改规格商品 - List goodsList = this.list(new LambdaQueryWrapper().in(Goods::getId, goodsIds).eq(Goods::getStoreId, currentUser.getStoreId())); + LambdaQueryWrapper queryWrapper = this.getQueryWrapperByStoreAuthority(); + queryWrapper.in(Goods::getId, goodsIds); + List goodsList = this.list(queryWrapper); for (Goods goods : goodsList) { //修改SKU状态 goodsSkuService.updateGoodsSkuStatus(goods); 
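Review bot: Unlike `updateGoodsMarketAble`, `deleteGoods` still has no guard for an empty or null `goodsIds` before `updateWrapper.in(Goods::getId, goodsIds)`: a null list throws a NullPointerException and, depending on the MyBatis-Plus version, an empty list either produces an `IN ()` SQL error or silently matches nothing. Adding the guard the sibling method uses keeps both consistent: `if (goodsIds == null || goodsIds.isEmpty()) { return true; }` as the first statement. `deleteGoods` continues past the hunk, so the return value the guard should mirror is not visible here.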
@@ -341,16 +333,13 @@ public class GoodsServiceImpl extends ServiceImpl implements @Override public Boolean freight(List goodsIds, String templateId) { - AuthUser currentUser = UserContext.getCurrentUser(); - if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { - throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); - } + AuthUser authUser = this.checkStoreAuthority(); FreightTemplate freightTemplate = freightTemplateService.getById(templateId); if (freightTemplate == null) { throw new ServiceException(ResultCode.FREIGHT_TEMPLATE_NOT_EXIST); } - if (!freightTemplate.getStoreId().equals(currentUser.getStoreId())) { + if (authUser != null && !freightTemplate.getStoreId().equals(authUser.getStoreId())) { throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); } LambdaUpdateWrapper lambdaUpdateWrapper = Wrappers.lambdaUpdate(); 
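Review bot: `freight` still builds its wrapper with `Wrappers.lambdaUpdate()` instead of the new `getUpdateWrapperByStoreAuthority()`, so unless the lines after the hunk add an `eq(Goods::getStoreId, ...)`, the update that assigns `templateId` to `goodsIds` is not scoped to the caller's store even though the template ownership check just above it is; a store account could then attach its own template to goods belonging to another store. Switching to `LambdaUpdateWrapper<Goods> lambdaUpdateWrapper = this.getUpdateWrapperByStoreAuthority();` makes the method consistent with `deleteGoods` and `updateGoodsMarketAble`. Separately, `freightTemplate.getStoreId().equals(authUser.getStoreId())` throws if a template row has no store id; `Objects.equals(freightTemplate.getStoreId(), authUser.getStoreId())` avoids that. The remainder of `freight` is outside the hunk.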
@@ -474,4 +463,47 @@ public class GoodsServiceImpl extends ServiceImpl implements return goods; } + /** + * 检查当前登录的店铺 + * + * @return 当前登录的店铺 + */ + private AuthUser checkStoreAuthority() { + AuthUser currentUser = UserContext.getCurrentUser(); + if (currentUser == null || (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() == null)) { + throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR); + } else if (currentUser.getRole().equals(UserEnums.STORE) && currentUser.getStoreId() != null) { + return currentUser; + } + return null; + } + + /** + * 获取UpdateWrapper(检查用户越权) + * + * @return updateWrapper + */ + private LambdaUpdateWrapper getUpdateWrapperByStoreAuthority() { + LambdaUpdateWrapper updateWrapper = new LambdaUpdateWrapper<>(); + AuthUser authUser = this.checkStoreAuthority(); + if (authUser != null) { + updateWrapper.eq(Goods::getStoreId, authUser.getStoreId()); + } + return updateWrapper; + } + + /** + * 获取QueryWrapper(检查用户越权) + * + * @return queryWrapper + */ + private LambdaQueryWrapper getQueryWrapperByStoreAuthority() { + LambdaQueryWrapper queryWrapper = new LambdaQueryWrapper<>(); + AuthUser authUser = this.checkStoreAuthority(); + if (authUser != null) { + queryWrapper.eq(Goods::getStoreId, authUser.getStoreId()); + } + return queryWrapper; + } + } \ No newline at end of file
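Review bot: `checkStoreAuthority()` returns `null` for every role other than STORE, and both wrapper helpers turn that null into "no store filter at all", yet neither Javadoc says so; a reader of `getUpdateWrapperByStoreAuthority()` cannot see that it is the unscoped path for non-store callers. The `@return` should spell it out, e.g. `@return the current user when the caller has the STORE role (its store id must be applied as a filter); {@code null} for any other role, meaning no store scoping is applied`, with a matching sentence on the two wrapper helpers. The `else if (... && currentUser.getStoreId() != null)` branch is redundant once the first condition has thrown, so `return UserEnums.STORE.equals(currentUser.getRole()) ? currentUser : null;` expresses the same result in one line. The file also lost its trailing newline in this change.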