用户访问控制时校验数据权限，防止越权

2022-01-27 12:05:04 +08:00
parent 8007b22b85
commit 612c4293d1
5 changed files with 15 additions and 3 deletions
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
@@ -361,6 +361,7 @@ public class SysRoleServiceImpl implements ISysRoleService
        for (Long roleId : roleIds)
        {
            checkRoleAllowed(new SysRole(roleId));
+            checkRoleDataScope(roleId);
            SysRole role = selectRoleById(roleId);
            if (countUserRoleByRoleId(roleId) > 0)
            {
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -482,6 +482,7 @@ public class SysUserServiceImpl implements ISysUserService
        for (Long userId : userIds)
        {
            checkUserAllowed(new SysUser(userId));
+            checkUserDataScope(userId);
        }
        // 删除用户与角色关联
        userRoleMapper.deleteUserRole(userIds);