🔒 安全问题处理

2021-12-10 09:40:56 +08:00 · 2021-12-10 09:40:56 +08:00 · 67f7615a18
commit 67f7615a18
parent fa9d9dd92c
5 changed files with 35 additions and 13 deletions
--- a/src/main/java/com/rymcu/forest/jwt/aop/RestAuthTokenInterceptor.java
+++ b/src/main/java/com/rymcu/forest/jwt/aop/RestAuthTokenInterceptor.java
@ -4,6 +4,7 @@ package com.rymcu.forest.jwt.aop;
 import com.rymcu.forest.jwt.def.JwtConstants;
 import com.rymcu.forest.jwt.model.TokenModel;
 import com.rymcu.forest.jwt.service.TokenManager;
+import com.rymcu.forest.mapper.UserMapper;
 import com.rymcu.forest.web.api.exception.BaseApiException;
 import com.rymcu.forest.web.api.exception.ErrorCode;
 import io.jsonwebtoken.Claims;
@ -14,6 +15,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;

+import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.Objects;
@ -28,6 +30,8 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {

 	@Autowired
 	private TokenManager manager;
+	@Resource
+	private UserMapper userMapper;

 	@Override
 	public void afterCompletion(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, Object obj, Exception exception) throws Exception {
@ -36,7 +40,6 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {

 	@Override
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object obj) throws Exception {
-		
 		//从header中得到token
 		String authHeader = request.getHeader(JwtConstants.AUTHORIZATION);
 		if(StringUtils.isBlank(authHeader)){
@ -63,6 +66,19 @@ public class RestAuthTokenInterceptor implements HandlerInterceptor {
            request.setAttribute(JwtConstants.CURRENT_TOKEN_CLAIMS, claims);
 			//如果token验证成功，将token对应的用户id存在request中，便于之后注入
 			request.setAttribute(JwtConstants.CURRENT_USER_NAME, model.getUsername());
+			// 判断是否为后台接口或财政划转接口
+			String adminApi = "/admin";
+			String transactionApi = "/transaction";
+			String uri = request.getRequestURI();
+			if (uri.contains(adminApi) || uri.contains(transactionApi)) {
+				// 判断管理员权限
+				boolean hasPermission = userMapper.hasAdminPermission(model.getUsername());
+				if (hasPermission) {
+					return true;
+				} else {
+					throw new BaseApiException(ErrorCode.ACCESS_DENIED);
+				}
+			}
 			return true;
 		} else {
 			throw new BaseApiException(ErrorCode.TOKEN_);
--- a/src/main/java/com/rymcu/forest/mapper/UserMapper.java
+++ b/src/main/java/com/rymcu/forest/mapper/UserMapper.java
@ -95,13 +95,11 @@ public interface UserMapper extends Mapper<User> {
     * @param nickname
     * @param avatarType
     * @param avatarUrl
-     * @param email
-     * @param phone
     * @param signature
     * @param sex
     * @return
     */
-    Integer updateUserInfo(@Param("idUser") Integer idUser, @Param("nickname") String nickname, @Param("avatarType") String avatarType, @Param("avatarUrl") String avatarUrl, @Param("email") String email, @Param("phone") String phone, @Param("signature") String signature, @Param("sex") String sex);
+    Integer updateUserInfo(@Param("idUser") Integer idUser, @Param("nickname") String nickname, @Param("avatarType") String avatarType, @Param("avatarUrl") String avatarUrl, @Param("signature") String signature, @Param("sex") String sex);

    /**
     * 验证昵称是否重复
@ -153,4 +151,11 @@ public interface UserMapper extends Mapper<User> {
     * @return
     */
    Integer updateLastOnlineTimeByEmail(@Param("email") String email);
+
+    /**
+     * 判断用户是否拥有管理员权限
+     * @param email
+     * @return
+     */
+    boolean hasAdminPermission(@Param("email") String email);
 }
--- a/src/main/java/com/rymcu/forest/service/impl/UserServiceImpl.java
+++ b/src/main/java/com/rymcu/forest/service/impl/UserServiceImpl.java
@ -199,8 +199,7 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
            user.setAvatarUrl(avatarUrl);
            user.setAvatarType("0");
        }
-        Integer result = userMapper.updateUserInfo(user.getIdUser(), user.getNickname(), user.getAvatarType(),user.getAvatarUrl(),
-                user.getEmail(),user.getPhone(),user.getSignature(), user.getSex());
+        Integer result = userMapper.updateUserInfo(user.getIdUser(), user.getNickname(), user.getAvatarType(),user.getAvatarUrl(),user.getSignature(), user.getSex());
        UserIndexUtil.addIndex(UserLucene.builder()
                .idUser(user.getIdUser())
                .nickname(user.getNickname())
@ -263,7 +262,7 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
        String email = changeEmailDTO.getEmail();
        String code = changeEmailDTO.getCode();
        String vCode = redisService.get(email);
-        if(StringUtils.isNotBlank(vCode)){
+        if(StringUtils.isNotBlank(vCode) && StringUtils.isNotBlank(code)){
            if(vCode.equals(code)){
                userMapper.updateEmail(idUser, email);
                map.put("message","更新成功！");
--- a/src/main/java/com/rymcu/forest/web/api/exception/ErrorCode.java
+++ b/src/main/java/com/rymcu/forest/web/api/exception/ErrorCode.java
@ -2,10 +2,11 @@ package com.rymcu.forest.web.api.exception;

 public enum ErrorCode {

-    UNAUTHORIZED(401, "请求要求用户的身份认证"),//未认证（签名错误）
+    UNAUTHORIZED(401, "请求要求用户的身份认证"),
    INVALID_TOKEN(402, "TOKEN验证失败，无效的TOKEN！"),
    TOKEN_(402, "TOKEN验证失败，无效的TOKEN！"),
-    NOT_FOUND(404, "此接口不存在"),//接口不存在
+    ACCESS_DENIED(403, "服务器拒绝请求！"),
+    NOT_FOUND(404, "此接口不存在"),
    INTERNAL_SERVER_ERROR(500, "服务内部异常");

    private int code;
--- a/src/main/java/mapper/UserMapper.xml
+++ b/src/main/java/mapper/UserMapper.xml
@ -63,10 +63,7 @@
        update forest_user set status = #{status} where id = #{idUser}
    </update>
    <update id="updateUserInfo">
-        update forest_user set nickname = #{nickname},email = #{email},signature = #{signature},avatar_type = #{avatarType},avatar_url = #{avatarUrl},sex = #{sex}
-        <if test="phone != null and phone != ''">
-            ,phone = #{phone}
-        </if>
+        update forest_user set nickname = #{nickname},signature = #{signature},avatar_type = #{avatarType},avatar_url = #{avatarUrl},sex = #{sex}
        where id = #{idUser}
    </update>
    <update id="updateLastLoginTime">
@ -115,5 +112,9 @@
        </where>
        order by last_online_time desc
    </select>
+    <select id="hasAdminPermission" resultType="java.lang.Boolean">
+        select if(count(fur.id_role) = 0, false, true) from forest_user_role fur join forest_user fu on fur.id_user = fu.id
+        where fu.email = #{email} and exists(select id_role from forest_role fr where instr(fr.input_code, 'admin') > 0 and fr.id = fur.id_role)
+    </select>

 </mapper>