Bug修复
通知公告
- 请大家尽快修复垂直越权漏洞,保障系统更加安全可靠。
- 可以通过更新源码直接修复该漏洞;如果不更新源码,可以参考以下内容修改对应文件。
一、垂直越权漏洞修复
攻击者可利用该漏洞,通过低权限账户越权访问仅管理员才能使用的系统接口,因此对应接口需要增加权限校验。涉及接口如下:
- /system/user/2
- /system/user/authRole/1
- /system/config/list?pageNum=1&pageSize=10
- /system/role/list?pageNum=1&pageSize=10
- /system/post/list?pageNum=1&pageSize=10
- /system/dept/100
- /system/user/list?pageNum=1&pageSize=10
1. 开源版本修复
- springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysDeptController.java文件
/**
 * Returns the detail of one department by id.
 *
 * Requires {@code system:dept:query}. Accounts carrying the {@code visitor}
 * role are rejected with 403, and the department must lie inside the caller's
 * data scope ({@code deptService.checkDeptDataScope}) before it is loaded.
 *
 * @param deptId department id taken from the path
 * @return the department wrapped in a success result, or a 403 error result
 */
@ApiOperation("根据部门编号获取详细信息")
@PreAuthorize("@ss.hasPermi('system:dept:query')")
@GetMapping(value = "/{deptId}")
public AjaxResult getInfo(@PathVariable Long deptId)
{
    LoginUser loginUser = SecurityUtils.getLoginUser();
    boolean isVisitor = loginUser.getUser().getRoles().stream()
            .map(role -> role.getRoleKey())
            .anyMatch(key -> "visitor".equals(key));
    if (isVisitor) {
        return AjaxResult.error(403, "游客无权限访问部门信息!");
    }
    try {
        deptService.checkDeptDataScope(deptId);
    } catch (ServiceException e) {
        return AjaxResult.error(403, e.getMessage());
    }
    return AjaxResult.success(deptService.selectDeptById(deptId));
}
- springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysUserController.java文件
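/**
 * Returns the detail of one user by id, together with the role and post
 * option lists the edit form needs.
 *
 * Accounts carrying the {@code visitor} role are rejected with 403. When a
 * user id is given, it must lie inside the caller's data scope
 * ({@code userService.checkUserDataScope}). Callers other than the super
 * administrator never see the super-administrator role in any list.
 *
 * @param userId user id from the path; absent when the form is opened for a new user
 * @return success result holding {@code roles} and {@code posts}, plus
 *         {@code data}, {@code postIds} and {@code roleIds} when a user id was
 *         given; or an error result
 */
@PreAuthorize("@ss.hasPermi('system:user:query')")
@GetMapping(value = { "/", "/{userId}" })
public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
{
    AjaxResult ajax = AjaxResult.success();
    LoginUser loginUser = SecurityUtils.getLoginUser();
    SysUser currentUser = loginUser.getUser();
    Long currentUserId = currentUser.getUserId();
    boolean callerIsAdmin = SysUser.isAdmin(currentUserId);
    boolean isVisitor = currentUser.getRoles().stream()
            .map(SysRole::getRoleKey)
            .anyMatch("visitor"::equals);
    if (isVisitor) {
        return AjaxResult.error(403, "游客无权限访问用户信息!");
    }
    if (StringUtils.isNotNull(userId))
    {
        try {
            userService.checkUserDataScope(userId);
        } catch (ServiceException e) {
            return AjaxResult.error(403, e.getMessage());
        }
        SysUser sysUser = userService.selectUserById(userId);
        // The data-scope check lets the super administrator through without
        // loading the target, so an unknown id arrives here as null; answer
        // with an error instead of failing on sysUser.getRoles().
        if (sysUser == null) {
            return AjaxResult.error("用户不存在!");
        }
        // Non-super-administrators never see the super-administrator role.
        if (!callerIsAdmin) {
            sysUser.setRoles(withoutAdminRole(sysUser.getRoles()));
        }
        ajax.put(AjaxResult.DATA_TAG, sysUser);
        ajax.put("postIds", postService.selectPostListByUserId(userId));
        List<Long> roleIds = sysUser.getRoles().stream()
                .map(SysRole::getRoleId)
                .collect(Collectors.toList());
        ajax.put("roleIds", roleIds);
    }
    // Role options: the super-administrator role is hidden from everyone else.
    List<SysRole> roles = roleService.selectRoleAll();
    ajax.put("roles", callerIsAdmin ? roles : withoutAdminRole(roles));
    // Post options: the super administrator gets every post, everyone else
    // only the posts of their own account.
    ajax.put("posts", callerIsAdmin
            ? postService.selectPostAll()
            : postService.selectPostListByUserId(currentUserId));
    return ajax;
}

/**
 * Drops the super-administrator role from a role list.
 *
 * @param roles roles to filter
 * @return a new list without roles for which {@code isAdmin()} is true
 */
private static List<SysRole> withoutAdminRole(List<SysRole> roles)
{
    return roles.stream()
            .filter(r -> !r.isAdmin())
            .collect(Collectors.toList());
}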
/**
 * Returns a user together with the roles granted to that user.
 *
 * Accounts carrying the {@code visitor} role are rejected with 403, and the
 * target user must lie inside the caller's data scope. The
 * super-administrator role is hidden from callers that are not the super
 * administrator.
 *
 * @param userId user id from the path
 * @return success result holding {@code user} and {@code roles}, or a 403 error result
 */
@PreAuthorize("@ss.hasPermi('system:user:query')")
@GetMapping("/authRole/{userId}")
public AjaxResult authRole(@PathVariable("userId") Long userId)
{
    SysUser currentUser = SecurityUtils.getLoginUser().getUser();
    boolean isVisitor = currentUser.getRoles().stream()
            .map(SysRole::getRoleKey)
            .anyMatch("visitor"::equals);
    if (isVisitor) {
        return AjaxResult.error(403, "游客无权限访问用户授权角色信息!");
    }
    try {
        userService.checkUserDataScope(userId);
    } catch (ServiceException e) {
        return AjaxResult.error(403, e.getMessage());
    }
    SysUser user = userService.selectUserById(userId);
    List<SysRole> grantedRoles = roleService.selectRolesByUserId(userId);
    if (!SysUser.isAdmin(currentUser.getUserId())) {
        // Only the super administrator may see the super-administrator role.
        grantedRoles = grantedRoles.stream()
                .filter(r -> !r.isAdmin())
                .collect(Collectors.toList());
    }
    AjaxResult ajax = AjaxResult.success();
    ajax.put("user", user);
    ajax.put("roles", grantedRoles);
    return ajax;
}
- springboot/fastbee-service/fastbee-system-service/src/main/java/com/fastbee/system/service/impl/SysDeptServiceImpl.java 文件
/**
 * Verifies that the current user may access the given department.
 *
 * The super administrator always passes. Otherwise the department must be
 * among those returned by {@code selectDeptList} (called through the AOP
 * proxy so the aspects on that method still apply), and it must exist. The
 * existence check runs after the scope check, so an out-of-scope id reveals
 * nothing about whether the department exists.
 *
 * @param deptId department id
 * @throws ServiceException when the caller has no access or the department is missing
 */
@Override
public void checkDeptDataScope(Long deptId)
{
    if (SysUser.isAdmin(SecurityUtils.getUserId())) {
        return;
    }
    List<SysDept> visibleDepts = SpringUtils.getAopProxy(this).selectDeptList(new SysDept());
    if (CollectionUtils.isEmpty(visibleDepts)) {
        throw new ServiceException("没有权限访问部门数据!");
    }
    boolean inScope = false;
    for (SysDept visible : visibleDepts) {
        if (visible.getDeptId().equals(deptId)) {
            inScope = true;
            break;
        }
    }
    if (!inScope) {
        throw new ServiceException("没有权限访问该部门数据!");
    }
    if (this.selectDeptById(deptId) == null) {
        throw new ServiceException("部门不存在!");
    }
}
- springboot/fastbee-service/fastbee-system-service/src/main/java/com/fastbee/system/service/impl/SysPostServiceImpl.java 文件
/**
 * Lists the posts matching the given filter.
 *
 * Accounts carrying the {@code visitor} role get an empty list without a
 * query. A {@code null} or empty mapper result is normalised to an empty list.
 *
 * @param post filter fields
 * @return matching posts, never {@code null}
 */
@Override
public List<SysPost> selectPostList(SysPost post)
{
    boolean isVisitor = SecurityUtils.getLoginUser().getUser().getRoles().stream()
            .map(role -> role.getRoleKey())
            .anyMatch(key -> "visitor".equals(key));
    if (isVisitor) {
        return Collections.emptyList();
    }
    List<SysPost> postList = postMapper.selectPostList(post);
    if (CollectionUtils.isEmpty(postList)) {
        return Collections.emptyList();
    }
    return postList;
}
- springboot/fastbee-service/fastbee-system-service/src/main/java/com/fastbee/system/service/impl/SysRoleServiceImpl.java 文件
/**
 * Lists the roles matching the given filter, within the caller's data scope.
 *
 * Accounts carrying the {@code visitor} role get an empty list without a
 * query. Callers other than the super administrator never see the
 * super-administrator role.
 *
 * @param role filter fields
 * @return matching roles, never {@code null}
 */
@Override
@DataScope(deptAlias = "d")
public List<SysRole> selectRoleList(SysRole role)
{
    SysUser currentUser = SecurityUtils.getLoginUser().getUser();
    boolean isVisitor = currentUser.getRoles().stream()
            .map(SysRole::getRoleKey)
            .anyMatch("visitor"::equals);
    if (isVisitor) {
        return Collections.emptyList();
    }
    List<SysRole> roleList = roleMapper.selectRoleList(role);
    if (CollectionUtils.isEmpty(roleList)) {
        return Collections.emptyList();
    }
    if (SysUser.isAdmin(currentUser.getUserId())) {
        return roleList;
    }
    return roleList.stream()
            .filter(r -> !r.isAdmin())
            .collect(Collectors.toList());
}
- springboot/fastbee-service/fastbee-system-service/src/main/java/com/fastbee/system/service/impl/SysUserServiceImpl.java 文件
/**
 * Lists the users matching the given filter, within the caller's data scope.
 *
 * For anyone but the super administrator the filter's {@code deptId} and
 * {@code userId} are overwritten with the caller's own values before the
 * query runs, which narrows the result to the caller's own account
 * (presumably; the mapper applies the filter). Note that this mutates the
 * {@code user} argument.
 *
 * @param user filter fields; modified in place for non-super-administrators
 * @return matching users
 */
@Override
@DataScope(deptAlias = "d", userAlias = "u")
public List<SysUser> selectUserList(SysUser user)
{
    SysUser currentUser = SecurityUtils.getLoginUser().getUser();
    Long currentUserId = currentUser.getUserId();
    if (!SecurityUtils.isAdmin(currentUserId)) {
        user.setDeptId(currentUser.getDeptId());
        user.setUserId(currentUserId);
    }
    return userMapper.selectUserList(user);
}
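/**
 * Verifies that the current user may access the given user.
 *
 * The super administrator always passes. Otherwise the target must be among
 * the users returned by {@code selectUserList} (called through the AOP proxy
 * so the aspects on that method still apply), and the super-administrator
 * account itself is never accessible to other users. The scope check runs
 * first, so a caller without access triggers no lookup of the target and
 * learns nothing about it.
 *
 * @param userId id of the user being accessed
 * @throws ServiceException when the caller has no access to that user
 */
@Override
public void checkUserDataScope(Long userId)
{
    Long currentUserId = SecurityUtils.getUserId();
    if (SysUser.isAdmin(currentUserId)) {
        return;
    }
    List<SysUser> accessibleUsers = SpringUtils.getAopProxy(this).selectUserList(new SysUser());
    boolean hasPermission = accessibleUsers != null && accessibleUsers.stream()
            .anyMatch(u -> u.getUserId().equals(userId));
    if (!hasPermission) {
        throw new ServiceException("没有权限访问用户数据!");
    }
    // Defence in depth: even inside the caller's scope, the super
    // administrator account stays off limits to everyone else.
    SysUser targetUser = this.selectUserById(userId);
    if (targetUser != null && SysUser.isAdmin(targetUser.getUserId())) {
        throw new ServiceException("禁止访问超级管理员信息!");
    }
}
2. 商业版本修复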
提示
如果有演示账号fastbee,需要把fastbee账号的游客角色数据权限更改为仅本人数据权限
情况一:如果还有代码仓库授权还未到期,则直接更新主分支代码即可
情况二:代码仓库授权已过期,如果版本是 v2.7.0 及以后,可参考以下代码修改
- com.fastbee.common.extend.utils.SecurityUtils#getDataScope 方法
/**
 * Resolves the effective data scope of the current user.
 *
 * The super administrator gets {@code DATA_SCOPE_DEPT_AND_CHILD}. Any other
 * user gets the widest scope found among their roles, checked in the order
 * department-and-children, department; {@code DATA_SCOPE_SELF} is the fallback.
 *
 * @return one of the {@code DataScopeAspect.DATA_SCOPE_*} constants
 */
public static String getDataScope() {
    SysUser user = SecurityUtils.getLoginUser().getUser();
    if (user.isAdmin()) {
        return DataScopeAspect.DATA_SCOPE_DEPT_AND_CHILD;
    }
    List<String> roleScopes = user.getRoles().stream()
            .map(SysRole::getDataScope)
            .collect(Collectors.toList());
    // Widest scope wins; the order of this array is the precedence.
    String[] byPrecedence = {
            DataScopeAspect.DATA_SCOPE_DEPT_AND_CHILD,
            DataScopeAspect.DATA_SCOPE_DEPT
    };
    for (String candidate : byPrecedence) {
        if (roleScopes.contains(candidate)) {
            return candidate;
        }
    }
    return DataScopeAspect.DATA_SCOPE_SELF;
}
- com.fastbee.system.service.impl.SysDeptServiceImpl#checkDeptDataScope 方法
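/**
 * Verifies that the current user may access the given department.
 *
 * The super administrator always passes. Otherwise the department must be
 * visible through {@code selectDeptList} (called through the AOP proxy so the
 * aspects on that method still apply), the caller must belong to a
 * department, and the caller's data scope decides: with
 * {@code DATA_SCOPE_SELF} or {@code DATA_SCOPE_DEPT} only the caller's own
 * department is allowed; with {@code DATA_SCOPE_DEPT_AND_CHILD} the caller's
 * department must be the target itself or one of its ancestors.
 *
 * @param deptId department id
 * @throws ServiceException when the caller has no access to that department
 */
@Override
public void checkDeptDataScope(Long deptId)
{
    SysUser curUser = getLoginUser().getUser();
    if (SysUser.isAdmin(curUser.getUserId())) {
        return;
    }
    SysDept query = new SysDept();
    query.setDeptId(deptId);
    List<SysDept> depts = SpringUtils.getAopProxy(this).selectDeptList(query);
    if (StringUtils.isEmpty(depts))
    {
        throw new ServiceException("没有权限访问部门数据!");
    }
    Long ownDeptId = curUser.getDeptId();
    if (null == ownDeptId) {
        throw new ServiceException("没有权限访问部门数据!");
    }
    // The caller's own department is allowed under every scope.
    if (ownDeptId.equals(deptId)) {
        return;
    }
    String dataScope = getDataScope();
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(dataScope) || DataScopeAspect.DATA_SCOPE_DEPT.equals(dataScope)) {
        throw new ServiceException("没有权限访问部门数据!");
    }
    if (DataScopeAspect.DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)
            && !isAncestorDept(depts.get(0).getAncestors(), ownDeptId)) {
        throw new ServiceException("没有权限访问部门数据!");
    }
}

/**
 * Tells whether {@code deptId} appears as a whole element of a comma-separated
 * ancestors list such as {@code 0,100,101}.
 *
 * A plain {@code String.contains} on the digits would accept id 10 for the
 * ancestor 100 (or 210), so both sides are compared with their delimiters
 * attached.
 *
 * @param ancestors comma-separated ancestor department ids, may be {@code null}
 * @param deptId department id to look for
 * @return {@code true} only when the id is one of the listed ancestors
 */
private static boolean isAncestorDept(String ancestors, Long deptId)
{
    return ancestors != null && ("," + ancestors + ",").contains("," + deptId + ",");
}
- com.fastbee.controller.system.SysDeptController#list 方法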
/**
 * Lists departments matching the given filter.
 *
 * When the filter names a department, that department must lie inside the
 * caller's data scope before the query runs.
 *
 * @param dept filter fields, may be {@code null}
 * @return success result holding the matching departments
 */
@ApiOperation("获取机构列表")
@PreAuthorize("@ss.hasPermi('system:dept:list')")
@GetMapping("/list")
public AjaxResult list(SysDept dept)
{
    boolean filtersByDept = Objects.nonNull(dept) && null != dept.getDeptId();
    if (filtersByDept) {
        deptService.checkDeptDataScope(dept.getDeptId());
    }
    return success(deptService.selectDeptList(dept));
}
- com.fastbee.controller.system.SysDeptController#getInfo 方法
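/**
 * Returns the detail of one department by id, enriched with the name and
 * phone number of its manager account when one is set.
 *
 * The department must lie inside the caller's data scope.
 *
 * @param deptId department id taken from the path
 * @return success result holding the department (or {@code null} when not found)
 */
@ApiOperation("根据机构编号获取详细信息")
@PreAuthorize("@ss.hasPermi('system:dept:query')")
@GetMapping(value = "/{deptId}")
public AjaxResult getInfo(@PathVariable Long deptId)
{
    deptService.checkDeptDataScope(deptId);
    SysDept sysDept = deptService.selectDeptById(deptId);
    if (null != sysDept && null != sysDept.getDeptUserId()) {
        SysUser manager = sysUserService.selectUserById(sysDept.getDeptUserId());
        // dept_user_id may reference a user that no longer exists; skip the
        // enrichment instead of failing the whole request on a null user.
        if (null != manager) {
            sysDept.setUserName(manager.getUserName());
            sysDept.setPhone(manager.getPhonenumber());
        }
    }
    return success(sysDept);
}
- com.fastbee.controller.system.SysDeptController#getRole 方法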
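/**
 * Lists the roles bound to a department.
 *
 * Guarded by the same {@code system:dept:query} permission as
 * {@link #getInfo}; the other endpoints of this controller all carry a
 * {@code @PreAuthorize}, and this one returns department data as well. The
 * department must also lie inside the caller's data scope. Callers with
 * {@code DATA_SCOPE_SELF} only see the roles they hold themselves.
 *
 * @param deptId department id
 * @return success result holding {@code roles} and {@code roleIds}
 */
@PreAuthorize("@ss.hasPermi('system:dept:query')")
@GetMapping("/getRole")
public AjaxResult getRole(Long deptId) {
    deptService.checkDeptDataScope(deptId);
    List<SysRole> deptRoles = deptService.getRole(deptId);
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(getDataScope())) {
        List<Long> ownRoleIds = getLoginUser().getUser().getRoles().stream()
                .map(SysRole::getRoleId)
                .collect(Collectors.toList());
        deptRoles = deptRoles.stream()
                .filter(r -> ownRoleIds.contains(r.getRoleId()))
                .collect(Collectors.toList());
    }
    AjaxResult ajax = AjaxResult.success();
    ajax.put("roles", deptRoles);
    ajax.put("roleIds", deptRoles.stream().map(SysRole::getRoleId).collect(Collectors.toList()));
    return ajax;
}
- com.fastbee.system.service.impl.SysUserServiceImpl#checkUserDataScope 方法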
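/**
 * Verifies that the current user may access the given user.
 *
 * The super administrator always passes. The target must exist. A target
 * without a department is visible only to itself. Otherwise the caller's data
 * scope decides: {@code DATA_SCOPE_SELF} allows only the caller's own
 * account; {@code DATA_SCOPE_DEPT} allows the caller's own department;
 * {@code DATA_SCOPE_DEPT_AND_CHILD} allows the caller's department and its
 * descendants. Inside the caller's own department the department's manager
 * account is additionally reserved for callers holding the {@code manager}
 * role.
 *
 * @param userId id of the user being accessed
 * @throws ServiceException when the caller has no access to that user
 */
@Override
public void checkUserDataScope(Long userId) {
    SysUser curUser = getLoginUser().getUser();
    if (SysUser.isAdmin(curUser.getUserId())) {
        return;
    }
    SysUser user = SpringUtils.getAopProxy(this).selectUserById(userId);
    if (ObjectUtil.isNull(user)) {
        throw new ServiceException("没有权限访问用户数据!");
    }
    boolean isSelf = curUser.getUserId().equals(userId);
    if (null == user.getDeptId()) {
        if (!isSelf) {
            throw new ServiceException("没有权限访问用户数据!");
        }
        return;
    }
    String dataScope = getDataScope();
    // Compared from the target's side, which is known non-null here.
    boolean sameDept = user.getDeptId().equals(curUser.getDeptId());
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(dataScope)) {
        if (!isSelf) {
            throw new ServiceException("没有权限访问用户数据!");
        }
    } else if (DataScopeAspect.DATA_SCOPE_DEPT.equals(dataScope)) {
        if (!sameDept) {
            throw new ServiceException("没有权限访问用户数据!");
        }
        rejectDeptManagerUnlessManager(curUser, user, userId);
    } else if (DataScopeAspect.DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope)) {
        if (sameDept) {
            rejectDeptManagerUnlessManager(curUser, user, userId);
        } else {
            SysDept targetDept = user.getDept();
            String ancestors = targetDept == null ? null : targetDept.getAncestors();
            if (!isAncestorDept(ancestors, curUser.getDeptId())) {
                throw new ServiceException("没有权限访问用户数据!");
            }
        }
    }
}

/**
 * Rejects access to a department's manager account (its {@code deptUserId})
 * unless the caller holds the {@code manager} role.
 *
 * @param curUser the caller
 * @param target  the user being accessed
 * @param userId  id of the user being accessed
 * @throws ServiceException when the target is the department manager and the caller is not a manager
 */
private static void rejectDeptManagerUnlessManager(SysUser curUser, SysUser target, Long userId) {
    boolean callerIsManager = curUser.getRoles().stream()
            .map(SysRole::getRoleKey)
            .anyMatch("manager"::equals);
    if (callerIsManager) {
        return;
    }
    SysDept dept = target.getDept();
    // Compare from the non-null side: the dept or its manager id may be unset.
    if (dept != null && userId.equals(dept.getDeptUserId())) {
        throw new ServiceException("没有权限访问用户数据!");
    }
}

/**
 * Tells whether {@code deptId} appears as a whole element of a comma-separated
 * ancestors list such as {@code 0,100,101}.
 *
 * A plain {@code String.contains} on the digits would accept id 10 for the
 * ancestor 100 (or 210), so both sides are compared with their delimiters
 * attached.
 *
 * @param ancestors comma-separated ancestor department ids, may be {@code null}
 * @param deptId department id to look for
 * @return {@code true} only when the id is one of the listed ancestors
 */
private static boolean isAncestorDept(String ancestors, Long deptId) {
    return ancestors != null && ("," + ancestors + ",").contains("," + deptId + ",");
}
- com.fastbee.controller.system.SysUserController#list 方法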
/**
 * Pages the users matching the given filter.
 *
 * When the filter names a department, that department must lie inside the
 * caller's data scope, and a caller with {@code DATA_SCOPE_SELF} is narrowed
 * to their own user id.
 *
 * @param user filter fields; {@code userId} may be overwritten for self-scoped callers
 * @return the requested page as a table response
 */
@ApiOperation("获取用户分页列表")
@PreAuthorize("@ss.hasPermi('system:user:list')")
@GetMapping("/list")
public TableDataInfo list(SysUser user)
{
    Long requestedDeptId = user.getDeptId();
    if (null != requestedDeptId) {
        deptService.checkDeptDataScope(requestedDeptId);
        if (DataScopeAspect.DATA_SCOPE_SELF.equals(getDataScope())) {
            user.setUserId(getUserId());
        }
    }
    Page<SysUser> page = sysUserService.selectUserList(user);
    return getDataTable(page.getRecords(), page.getTotal());
}
- com.fastbee.controller.system.SysUserController#export 方法
/**
 * Exports the users matching the given filter as an Excel file.
 *
 * Applies the same scope narrowing as {@code list}: a named department must
 * lie inside the caller's data scope, and a {@code DATA_SCOPE_SELF} caller is
 * narrowed to their own user id.
 *
 * @param response servlet response the workbook is written to
 * @param user     filter fields; {@code userId} may be overwritten for self-scoped callers
 */
@ApiOperation("导出用户列表")
@Log(title = "用户管理", businessType = BusinessType.EXPORT)
@PreAuthorize("@ss.hasPermi('system:user:export')")
@PostMapping("/export")
public void export(HttpServletResponse response, SysUser user)
{
    Long requestedDeptId = user.getDeptId();
    if (null != requestedDeptId) {
        deptService.checkDeptDataScope(requestedDeptId);
        if (DataScopeAspect.DATA_SCOPE_SELF.equals(getDataScope())) {
            user.setUserId(getUserId());
        }
    }
    Page<SysUser> page = sysUserService.selectUserList(user);
    new ExcelUtil<SysUser>(SysUser.class).exportExcel(response, page.getRecords(), "用户数据");
}
- com.fastbee.controller.system.SysUserController#authRole 方法
/**
 * Returns a user together with the roles granted to that user.
 *
 * The target must lie inside the caller's data scope. The super-administrator
 * role is listed only when the target itself is the super administrator.
 *
 * @param userId user id from the path
 * @return success result holding {@code user} and {@code roles}
 */
@ApiOperation("根据用户编号获取授权角色")
@PreAuthorize("@ss.hasPermi('system:user:query')")
@GetMapping("/authRole/{userId}")
public AjaxResult authRole(@PathVariable("userId") Long userId)
{
    sysUserService.checkUserDataScope(userId);
    SysUser user = sysUserService.selectUserById(userId);
    List<SysRole> roles = roleService.selectRolesByUserId(userId);
    if (!SysUser.isAdmin(userId)) {
        roles = roles.stream()
                .filter(r -> !r.isAdmin())
                .collect(Collectors.toList());
    }
    AjaxResult ajax = AjaxResult.success();
    ajax.put("user", user);
    ajax.put("roles", roles);
    return ajax;
}
- com.fastbee.controller.system.SysUserController#insertAuthRole 方法
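/**
 * Grants roles to a user.
 *
 * The target must lie inside the caller's data scope, the caller must belong
 * to a department, the target must exist, and every requested role must be
 * one of the roles bound to the target's department; otherwise nothing is
 * granted.
 *
 * @param userId  user receiving the roles
 * @param roleIds role ids to grant
 * @return success, or an error result naming the failed precondition
 */
@ApiOperation("为用户授权角色")
@PreAuthorize("@ss.hasPermi('system:user:edit')")
@Log(title = "用户管理", businessType = BusinessType.GRANT)
@PutMapping("/authRole")
public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
{
    sysUserService.checkUserDataScope(userId);
    Long deptId = getLoginUser().getDeptId();
    if (null == deptId) {
        return error("没有权限操作!");
    }
    SysUser sysUser = sysUserService.selectSysUserById(userId);
    if (Objects.isNull(sysUser)) {
        return error("未查询到用户信息");
    }
    List<Long> deptRoleIds = sysRoleDeptMapper.selectByDeptId(sysUser.getDeptId());
    // All requested roles must belong to the target's department. The check
    // is containsAll rather than "did removeAll change the list": the latter
    // is satisfied as soon as a single id matches, so ids from outside the
    // department would be accepted alongside one valid id.
    if (roleIds == null || roleIds.length == 0
            || deptRoleIds == null || !deptRoleIds.containsAll(Arrays.asList(roleIds))) {
        return error("请检查角色id");
    }
    sysUserService.insertUserAuth(userId, roleIds);
    return success();
}
- com.fastbee.controller.system.SysUserController#deptTree 方法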
/**
 * Returns the department tree for the user-management page.
 *
 * When the filter names a department, that department must lie inside the
 * caller's data scope before the tree is built.
 *
 * @param dept filter fields, may be {@code null}
 * @return success result holding the department tree
 */
@ApiOperation("获取部门树列表")
@PreAuthorize("@ss.hasPermi('system:dept:list')")
@GetMapping("/deptTree")
public AjaxResult deptTree(SysDept dept)
{
    boolean filtersByDept = Objects.nonNull(dept) && null != dept.getDeptId();
    if (filtersByDept) {
        deptService.checkDeptDataScope(dept.getDeptId());
    }
    return success(deptService.selectDeptTreeList(dept));
}
- com.fastbee.controller.system.SysUserController#listTerminal 方法
/**
 * Pages the terminal users matching the given filter.
 *
 * Only the super administrator receives data; every other caller gets an
 * empty table response without a query.
 *
 * @param user filter fields
 * @return the requested page as a table response, or an empty response
 */
@ApiOperation("获取用户分页列表")
@PreAuthorize("@ss.hasPermi('system:user:list')")
@GetMapping("/listTerminal")
public TableDataInfo listTerminal(SysUser user)
{
    boolean callerIsAdmin = SysUser.isAdmin(SecurityUtils.getUserId());
    if (!callerIsAdmin) {
        return new TableDataInfo();
    }
    Page<SysUser> page = sysUserService.listTerminal(user);
    return getDataTable(page.getRecords(), page.getTotal());
}
- com.fastbee.system.service.impl.SysUserServiceImpl#selectByDeptId 方法
/**
 * Lists the users of the caller's department, excluding the department's
 * manager account (as stated by the method's purpose).
 *
 * Columns are limited to user id, dept id, user name and nick name. With
 * {@code DATA_SCOPE_SELF} the query is narrowed to {@code user.getUserId()};
 * otherwise to the caller's department id.
 *
 * @param user filter carrying the user id used by the self-scope branch
 * @return a single page holding every matching row (page size Integer.MAX_VALUE)
 */
@Override
public Page<SysUser> selectByDeptId(SysUser user) {
    Long deptId = SecurityUtils.getDeptId();
    MPJLambdaWrapper<SysUser> wrapper = JoinWrappers.lambda(SysUser.class);
    // select
    wrapper.select(SysUser::getUserId, SysUser::getDeptId, SysUser::getUserName,
            SysUser::getNickName);
    // join
    wrapper.innerJoin(SysDept.class, SysDept::getDeptId, SysUser::getDeptId);
    // where
    String dataScope = getDataScope();
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(dataScope)) {
        // NOTE(review): the id comes from the request parameter, not from the
        // logged-in user; for a self scope the caller's own id
        // (SecurityUtils.getUserId()) looks intended — confirm.
        wrapper.eq(SysUser::getUserId, user.getUserId());
    } else {
        wrapper.eq(SysUser::getDeptId, deptId);
        // NOTE(review): this compares sys_user.dept_id with sys_dept.dept_user_id.
        // To exclude the department manager, as the Javadoc says, the left side
        // would be SysUser::getUserId — confirm the intended column.
        wrapper.ne(SysUser::getDeptId, SysDept::getDeptUserId);
    }
    return baseMapper.selectPage(new Page<>(1, Integer.MAX_VALUE), wrapper);
}
- com.fastbee.system.service.impl.SysRoleServiceImpl#checkRoleDataScope 方法
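/**
 * Verifies that the current user may access the given role.
 *
 * The super administrator always passes, and so does a role the caller holds.
 * Callers without a department, or with {@code DATA_SCOPE_SELF}, get nothing
 * beyond their own roles. Any other role must be bound to a department: with
 * {@code DATA_SCOPE_DEPT} that must be the caller's own department, with
 * {@code DATA_SCOPE_DEPT_AND_CHILD} the caller's department or one of its
 * descendants.
 *
 * @param roleId role id
 * @throws ServiceException when the caller has no access to that role
 */
@Override
public void checkRoleDataScope(Long roleId) {
    SysUser curUser = getLoginUser().getUser();
    if (SysUser.isAdmin(curUser.getUserId())) {
        return;
    }
    boolean ownRole = curUser.getRoles().stream()
            .map(SysRole::getRoleId)
            .anyMatch(id -> Objects.equals(id, roleId));
    if (ownRole) {
        return;
    }
    Long ownDeptId = curUser.getDeptId();
    if (null == ownDeptId) {
        throw new ServiceException("没有权限访问角色数据!");
    }
    String dataScope = getDataScope();
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(dataScope)) {
        // Self scope only covers the caller's own roles, handled above.
        throw new ServiceException("没有权限访问角色数据!");
    }
    boolean deptScope = DataScopeAspect.DATA_SCOPE_DEPT.equals(dataScope);
    boolean deptAndChildScope = DataScopeAspect.DATA_SCOPE_DEPT_AND_CHILD.equals(dataScope);
    if (!deptScope && !deptAndChildScope) {
        return;
    }
    LambdaQueryWrapper<SysRoleDept> queryWrapper = new LambdaQueryWrapper<>();
    queryWrapper.eq(SysRoleDept::getRoleId, roleId);
    List<SysRoleDept> sysRoleDepts = roleDeptMapper.selectList(queryWrapper);
    // A role bound to no department cannot be placed in any scope: deny it
    // instead of letting get(0) fail on the empty list.
    if (sysRoleDepts == null || sysRoleDepts.isEmpty() || Objects.isNull(sysRoleDepts.get(0))) {
        throw new ServiceException("没有权限访问角色数据!");
    }
    Long bindDeptId = sysRoleDepts.get(0).getDeptId();
    if (ownDeptId.equals(bindDeptId)) {
        return;
    }
    if (deptScope) {
        throw new ServiceException("没有权限访问角色数据!");
    }
    SysDept bindDept = sysDeptMapper.selectDeptById(bindDeptId);
    if (bindDept == null || !isAncestorDept(bindDept.getAncestors(), ownDeptId)) {
        throw new ServiceException("没有权限访问角色数据!");
    }
}

/**
 * Tells whether {@code deptId} appears as a whole element of a comma-separated
 * ancestors list such as {@code 0,100,101}.
 *
 * A plain {@code String.contains} on the digits would accept id 10 for the
 * ancestor 100 (or 210), so both sides are compared with their delimiters
 * attached.
 *
 * @param ancestors comma-separated ancestor department ids, may be {@code null}
 * @param deptId department id to look for
 * @return {@code true} only when the id is one of the listed ancestors
 */
private static boolean isAncestorDept(String ancestors, Long deptId) {
    return ancestors != null && ("," + ancestors + ",").contains("," + deptId + ",");
}
- com.fastbee.system.service.impl.SysRoleServiceImpl#selectRoleList 方法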
/**
 * Pages roles by condition, scoped to the caller.
 *
 * With {@code DATA_SCOPE_SELF} only the caller's own roles are paged and each
 * row is tagged with the caller's department. Otherwise the departments
 * returned by {@code deptService.selectDeptList} (filtered by
 * {@code role.getDeptId()}) decide which role-department bindings, and so
 * which roles, are paged; each row is tagged with its department, with
 * {@code canEditRole} and with {@code manager}.
 *
 * @param role filter fields plus page number and size
 * @return the requested page; an empty page when no department or binding is visible
 */
@Override
// @DataScope(deptAlias = "d")
public Page<SysRole> selectRoleList(SysRole role) {
    LoginUser loginUser = getLoginUser();
    Long userId = loginUser.getUserId();
    Long userDeptId = loginUser.getDeptId();
    String dataScope = getDataScope();
    Page<SysRole> rolePage;
    if (DataScopeAspect.DATA_SCOPE_SELF.equals(dataScope)) {
        List<Long> roleIdList = loginUser.getUser().getRoles().stream().map(SysRole::getRoleId).collect(Collectors.toList());
        rolePage = roleMapper.selectRoleByIds(new Page<>(role.getPageNum(), role.getPageSize()), roleIdList, role.getRoleName(), role.getStatus());
        if (0 == rolePage.getTotal()) {
            return rolePage;
        }
        List<SysRole> sysRoleList = rolePage.getRecords();
        SysDept dept = loginUser.getUser().getDept();
        for (SysRole sysRole : sysRoleList) {
            // Self-scoped rows are attributed to the caller's own department.
            if (Objects.nonNull(dept)) {
                sysRole.setDeptId(dept.getDeptId());
                sysRole.setDeptName(dept.getDeptName());
            }
            sysRole.setManager("manager".equals(sysRole.getRoleKey()));
        }
        return rolePage;
    } else {
        SysDept sysDept = new SysDept();
        sysDept.setDeptId(role.getDeptId());
        List<SysDept> sysDeptList = deptService.selectDeptList(sysDept);
        if (CollectionUtils.isNotEmpty(sysDeptList)) {
            Map<Long, String> deptMap = sysDeptList.stream().collect(Collectors.toMap(SysDept::getDeptId, SysDept::getDeptName));
            List<Long> deptIdList = sysDeptList.stream().map(SysDept::getDeptId).collect(Collectors.toList());
            List<SysRoleDeptVO> sysRoleDeptVOList = roleDeptMapper.selectRoleDeptByDeptIds(deptIdList);
            // NOTE(review): Collectors.toMap throws IllegalStateException when one
            // role is bound to several of the visible departments — confirm the
            // binding is one-to-one.
            Map<Long, SysRoleDeptVO> roleDeptMap = sysRoleDeptVOList.stream().collect(Collectors.toMap(SysRoleDeptVO::getRoleId, Function.identity()));
            if (CollectionUtils.isEmpty(sysRoleDeptVOList)) {
                return new Page<>();
            }
            List<Long> roleIdList = sysRoleDeptVOList.stream().map(SysRoleDeptVO::getRoleId).collect(Collectors.toList());
            if (CollectionUtils.isEmpty(roleIdList)) {
                return new Page<>();
            }
            rolePage = roleMapper.selectRoleByIds(new Page<>(role.getPageNum(), role.getPageSize()), roleIdList, role.getRoleName(), role.getStatus());
            List<SysRole> sysRoleList = rolePage.getRecords();
            for (SysRole sysRole : sysRoleList) {
                // Every paged role id came from roleIdList, so this lookup is
                // expected to hit (assuming selectRoleByIds returns only those ids).
                SysRoleDeptVO sysRoleDeptVO = roleDeptMap.get(sysRole.getRoleId());
                Long deptId1 = sysRoleDeptVO.getDeptId();
                String deptName = deptMap.get(deptId1);
                sysRole.setDeptId(deptId1);
                sysRole.setDeptName(deptName);
                // A non-super-admin may not edit the "manager" role of their own department.
                // NOTE(review): userDeptId.equals(...) throws if the caller has no
                // department — confirm callers on this path always have one.
                sysRole.setCanEditRole(!(userDeptId.equals(deptId1) && "manager".equals(sysRole.getRoleKey()) && !isAdmin(userId)));
                if (isAdmin(sysRoleDeptVO.getDeptUserId())) {
                    // Departments managed by the super administrator also treat the
                    // built-in registration/sharing roles as manager roles.
                    sysRole.setManager("terminalRegister".equals(sysRole.getRoleKey()) || "scadaShare".equals(sysRole.getRoleKey())
                            || "manager".equals(sysRole.getRoleKey()) || "webRegister".equals(sysRole.getRoleKey()));
                } else {
                    sysRole.setManager("manager".equals(sysRole.getRoleKey()));
                }
            }
            return rolePage;
        } else {
            return new Page<>();
        }
    }
}
- com.fastbee.controller.system.SysRoleController#list 方法
/**
 * Pages the roles matching the given filter, ordered by {@code roleSort}.
 *
 * When the filter names a department, that department must lie inside the
 * caller's data scope before the query runs.
 *
 * @param role     filter fields; page number and size are written into it
 * @param pageNum  1-based page number
 * @param pageSize rows per page
 * @return the sorted page as a table response
 */
@ApiOperation("获取角色分页列表")
@PreAuthorize("@ss.hasPermi('system:role:list')")
@GetMapping("/list")
public TableDataInfo list(SysRole role, Integer pageNum, Integer pageSize)
{
    Long requestedDeptId = role.getDeptId();
    if (null != requestedDeptId) {
        deptService.checkDeptDataScope(requestedDeptId);
    }
    role.setPageNum(pageNum);
    role.setPageSize(pageSize);
    Page<SysRole> rolePage = sysRoleService.selectRoleList(role);
    List<SysRole> rows = rolePage.getRecords();
    rows.sort(Comparator.comparingInt(SysRole::getRoleSort));
    TableDataInfo table = new TableDataInfo();
    table.setCode(HttpStatus.SUCCESS);
    table.setMsg(MessageUtils.message("query.success"));
    table.setRows(rows);
    table.setTotal(rolePage.getTotal());
    return table;
}
- com.fastbee.controller.system.SysRoleController#export 方法
/**
 * Exports the roles matching the given filter as an Excel file.
 *
 * When the filter names a department, that department must lie inside the
 * caller's data scope before the query runs.
 *
 * @param response servlet response the workbook is written to
 * @param role     filter fields
 */
@ApiOperation("导出角色列表")
@Log(title = "角色管理", businessType = BusinessType.EXPORT)
@PreAuthorize("@ss.hasPermi('system:role:export')")
@PostMapping("/export")
public void export(HttpServletResponse response, SysRole role)
{
    Long requestedDeptId = role.getDeptId();
    if (null != requestedDeptId) {
        deptService.checkDeptDataScope(requestedDeptId);
    }
    Page<SysRole> rolePage = sysRoleService.selectRoleList(role);
    new ExcelUtil<SysRole>(SysRole.class).exportExcel(response, rolePage.getRecords(), "角色数据");
}
- com.fastbee.controller.system.SysRoleController#optionselect 方法
/**
 * Lists roles for a selection box.
 *
 * Fetches the first page of up to 99 roles through the scoped
 * {@code selectRoleList}, with no other filter.
 *
 * @return success result holding the roles
 */
@ApiOperation("获取角色选择框列表")
@PreAuthorize("@ss.hasPermi('system:role:query')")
@GetMapping("/optionselect")
public AjaxResult optionselect()
{
    SysRole firstPageOfRoles = new SysRole();
    firstPageOfRoles.setPageNum(1);
    firstPageOfRoles.setPageSize(99);
    return success(sysRoleService.selectRoleList(firstPageOfRoles).getRecords());
}
- com.fastbee.controller.system.SysRoleController#allocatedList 方法
/**
 * Pages the users already assigned to a role.
 *
 * When the filter names a role, that role must lie inside the caller's data
 * scope before the query runs.
 *
 * @param user filter fields including the role id
 * @return the requested page as a table response
 */
@ApiOperation("查询已分配用户角色列表")
@PreAuthorize("@ss.hasPermi('system:role:list')")
@GetMapping("/authUser/allocatedList")
public TableDataInfo allocatedList(SysUser user)
{
    Long requestedRoleId = user.getRoleId();
    if (null != requestedRoleId) {
        sysRoleService.checkRoleDataScope(requestedRoleId);
    }
    Page<SysUser> page = userService.selectAllocatedList(user);
    return getDataTable(page.getRecords(), page.getTotal());
}
- com.fastbee.controller.system.SysRoleController#unallocatedList 方法
/**
 * Pages the users not yet assigned to a role.
 *
 * When the filter names a role, that role must lie inside the caller's data
 * scope before the query runs.
 *
 * @param user filter fields including the role id
 * @return the requested page as a table response
 */
@ApiOperation("查询未分配用户角色列表")
@PreAuthorize("@ss.hasPermi('system:role:list')")
@GetMapping("/authUser/unallocatedList")
public TableDataInfo unallocatedList(SysUser user)
{
    Long requestedRoleId = user.getRoleId();
    if (null != requestedRoleId) {
        sysRoleService.checkRoleDataScope(requestedRoleId);
    }
    Page<SysUser> page = userService.selectUnallocatedList(user);
    return getDataTable(page.getRecords(), page.getTotal());
}
- com.fastbee.controller.system.SysRoleController#cancelAuthUser 方法
/**
 * Revokes a role from one user.
 *
 * When the request names a role, that role must lie inside the caller's data
 * scope before the revocation.
 *
 * @param userRole user/role pair to unlink
 * @return success when a row was affected, otherwise an error result
 */
@ApiOperation("取消授权用户")
@PreAuthorize("@ss.hasPermi('system:role:edit')")
@Log(title = "角色管理", businessType = BusinessType.GRANT)
@PutMapping("/authUser/cancel")
public AjaxResult cancelAuthUser(@RequestBody SysUserRole userRole)
{
    Long requestedRoleId = userRole.getRoleId();
    if (null != requestedRoleId) {
        sysRoleService.checkRoleDataScope(requestedRoleId);
    }
    int affected = sysRoleService.deleteAuthUser(userRole);
    return toAjax(affected);
}
- com.fastbee.controller.system.SysRoleController#cancelAuthUserAll 方法
/**
 * Revokes a role from several users at once.
 *
 * When a role id is given, that role must lie inside the caller's data scope
 * before the revocation.
 *
 * @param roleId  role to revoke
 * @param userIds users losing the role
 * @return success when a row was affected, otherwise an error result
 */
@ApiOperation("批量取消授权用户")
@PreAuthorize("@ss.hasPermi('system:role:edit')")
@Log(title = "角色管理", businessType = BusinessType.GRANT)
@PutMapping("/authUser/cancelAll")
public AjaxResult cancelAuthUserAll(Long roleId, Long[] userIds)
{
    if (null != roleId) {
        sysRoleService.checkRoleDataScope(roleId);
    }
    int affected = sysRoleService.deleteAuthUsers(roleId, userIds);
    return toAjax(affected);
}
- com.fastbee.controller.system.SysRoleController#deptTree 方法
/**
 * Returns the department tree together with the departments checked for a role.
 *
 * The role must lie inside the caller's data scope.
 *
 * @param roleId role id from the path
 * @return success result holding {@code checkedKeys} and {@code depts}
 */
@ApiOperation("获取对应角色部门树列表")
@PreAuthorize("@ss.hasPermi('system:role:query')")
@GetMapping(value = "/deptTree/{roleId}")
public AjaxResult deptTree(@PathVariable("roleId") Long roleId)
{
    sysRoleService.checkRoleDataScope(roleId);
    AjaxResult ajax = AjaxResult.success();
    ajax.put("checkedKeys", deptService.selectDeptListByRoleId(roleId));
    ajax.put("depts", deptService.selectDeptTreeList(new SysDept()));
    return ajax;
}