
fix:二级等保【高危】接口权限越权

lihao16 1 сар өмнө
parent
commit
46a8b3d8a2

+ 3 - 2
elevator-admin/src/main/java/com/inspur/idm/media/dao/WbContractDao.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.dao;
 import com.inspur.idm.media.po.contract.WbContract;
 import com.inspur.idm.media.vo.contract.WbContractQuery;
 import com.inspur.idm.media.vo.contract.WbContractVO;
+import org.apache.ibatis.annotations.Param;
 
 import java.util.List;
 
@@ -13,7 +14,7 @@ public interface WbContractDao {
 
     int insertSelective(WbContract record);
 
-    WbContract selectByPrimaryKey(String contractId);
+    WbContract selectByPrimaryKey(@Param("contractId") String contractId, @Param("limitUser") String limitUser);
 
     int updateByPrimaryKeySelective(WbContract record);
 
@@ -26,4 +27,4 @@ public interface WbContractDao {
     List<WbContractVO> selectTimeOut();
 
     int getWillExpireInAWeek();
-}
+}
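Review bot: The new `limitUser` parameter on `selectByPrimaryKey` carries the caller's data-authorization scope, but the interface says nothing about it, and in the companion mapper XML a null value switches the ownership filter off entirely (`<if test="limitUser != null">`), so any future caller that passes null for convenience reopens the object-level authorization gap this commit closes. Add Javadoc on the method, e.g. `@param limitUser id of the user whose data scope restricts the lookup; null disables the restriction and should only be supplied from the data-auth helper, never from request input`. The same documentation belongs on `WyContractDao.selectByPrimaryKey`, which gets the identical change in this commit.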

+ 3 - 2
elevator-admin/src/main/java/com/inspur/idm/media/dao/WyContractDao.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.dao;
 import com.inspur.idm.media.po.contract.WyContract;
 import com.inspur.idm.media.vo.contract.WyContractQuery;
 import com.inspur.idm.media.vo.contract.WyContractVO;
+import org.apache.ibatis.annotations.Param;
 
 import java.util.List;
 
@@ -13,7 +14,7 @@ public interface WyContractDao {
 
     int insertSelective(WyContract record);
 
-    WyContract selectByPrimaryKey(String contractId);
+    WyContract selectByPrimaryKey(@Param("contractId") String contractId, @Param("limitUser") String limitUser);
 
     int updateByPrimaryKeySelective(WyContract record);
 
@@ -26,4 +27,4 @@ public interface WyContractDao {
     List<WyContractVO> selectTimeOut();
 
     int getWillExpireInAWeek();
-}
+}

+ 4 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/contract/WbContractServiceImpl.java

@@ -10,6 +10,7 @@ import com.inspur.idm.media.po.contract.ContractScope;
 import com.inspur.idm.media.po.contract.WbContract;
 import com.inspur.idm.media.po.elevator.EleInfoBasic;
 import com.inspur.idm.media.po.estate.EleEstate;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.contract.WbContractDTO;
 import com.inspur.idm.media.vo.contract.WbContractQuery;
 import com.inspur.idm.media.vo.contract.WbContractVO;
@@ -43,7 +44,9 @@ public class WbContractServiceImpl implements WbContractService {
 
     @Override
     public WbContractVO getWbContractById(String contractId) {
-        WbContract po = WbContractDao.selectByPrimaryKey(contractId);
+        WbContractQuery query = new WbContractQuery();
+        MyUserUtil.addDataAuth(query);
+        WbContract po = WbContractDao.selectByPrimaryKey(contractId, query.getLimitUser());
         if(po == null){
             return null;
         }
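Review bot: The ownership check in `getWbContractById` now hinges entirely on `query.getLimitUser()` being non-null for every non-privileged caller; if `MyUserUtil.addDataAuth` leaves it null in any other situation (for example a request with no resolvable user), the mapper's `<if test="limitUser != null">` drops the filter and the lookup is unrestricted again, i.e. the check fails open. That contract is not visible in this hunk, so it is worth confirming and pinning with a comment above the call such as `// limitUser == null means "no data restriction" in the mapper; addDataAuth must only leave it null for super admins`. The same pattern is introduced in `WyContractServiceImpl.getWyContractById`. The method body continues past the end of the hunk.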

+ 7 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/contract/WyContractServiceImpl.java

@@ -6,10 +6,14 @@ import com.inspur.idm.media.comm.CommConstant;
 import com.inspur.idm.media.dao.ContractScopeDao;
 import com.inspur.idm.media.dao.EleEstateDao;
 import com.inspur.idm.media.dao.EleInfoBasicDao;
+import com.inspur.idm.media.dao.WbContractDao;
 import com.inspur.idm.media.po.contract.ContractScope;
+import com.inspur.idm.media.po.contract.WbContract;
 import com.inspur.idm.media.po.contract.WyContract;
 import com.inspur.idm.media.po.elevator.EleInfoBasic;
 import com.inspur.idm.media.po.estate.EleEstate;
+import com.inspur.idm.media.util.MyUserUtil;
+import com.inspur.idm.media.vo.contract.WbContractQuery;
 import com.inspur.idm.media.vo.contract.WyContractDTO;
 import com.inspur.idm.media.vo.contract.WyContractQuery;
 import com.inspur.idm.media.vo.contract.WyContractVO;
@@ -71,7 +75,9 @@ public class WyContractServiceImpl implements WyContractService {
 
     @Override
     public WyContractVO getWyContractById(String contractId) {
-        WyContract po = WyContractDao.selectByPrimaryKey(contractId);
+        WbContractQuery query = new WbContractQuery();
+        MyUserUtil.addDataAuth(query);
+        WyContract po = WyContractDao.selectByPrimaryKey(contractId, query.getLimitUser());
         if(po == null){
             return null;
         }
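Review bot: `getWyContractById` builds a `WbContractQuery`, the query type of the other contract kind, merely to obtain the scope for a `WyContract` lookup, and the import hunk at the top of this file adds `WbContractDao` and `WbContract` that nothing in the new code references. `WyContractQuery` is already imported in this file; if `MyUserUtil.addDataAuth` accepts it, change the line to `WyContractQuery query = new WyContractQuery();` and drop the three unused `Wb*` imports so the service does not pick up a cross-module dependency by accident. The method body continues past the end of the hunk.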

+ 6 - 0
elevator-admin/src/main/java/com/inspur/idm/sys/controller/AuthUserController.java

@@ -43,6 +43,8 @@ import javax.validation.constraints.NotBlank;
 import java.util.ArrayList;
 import java.util.List;
 
+import static com.inspur.idm.media.util.MyUserUtil.isSuperAdmin;
+
 @Api(
         tags = {"sys-user"},
         description = "用户管理"
@@ -69,6 +71,10 @@ public class AuthUserController {
     @GetMapping({"sys/users"})
     @PreAuthorize("hasPermission('user','management')")
     public BasePageListObj<AuthUserVO> queryAuthUserList(AuthUserQuery query) {
+        String currentUserId = UserUtils.getCurrentUserId();
+        if (!isSuperAdmin(currentUserId)) {
+            return new BasePageListObj(new ArrayList(), 0L);
+        }
         return this.queryAuthUserList((String)null, query);
     }
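Review bot: The added guard in `queryAuthUserList` returns an empty page to any caller who passes `@PreAuthorize("hasPermission('user','management')")` but is not a super admin, so a denied request is indistinguishable from a genuinely empty user list and leaves no access-denied signal for logging or audit; consider refusing explicitly instead (fold the super-admin condition into the `@PreAuthorize` expression, or throw the application's access-denied exception) rather than `return new BasePageListObj(new ArrayList(), 0L);`. If the empty-page behaviour is intentional, that line should at least keep the generic return type intact: `return new BasePageListObj<>(new ArrayList<>(), 0L);`. The overload `queryAuthUserList(String, AuthUserQuery)` that this delegates to is outside the hunk; if it is itself reachable from another endpoint it needs the same check.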
 

+ 17 - 11
elevator-admin/src/main/resources/mapper/media/WbContractDao.xml

@@ -22,30 +22,36 @@
   </resultMap>
   <sql id="Base_Column_List">
     contract_id, company_id,contract_files, contract_name, contract_no, contract_scope, create_by, create_time,
-    data_status, end_date, first_party, remark, second_party, start_date, third_party, 
+    data_status, end_date, first_party, remark, second_party, start_date, third_party,
     update_by, update_time
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="BaseResultMap">
-    select 
+    select
     <include refid="Base_Column_List" />
     from `wb_contract_info`
     where contract_id = #{contractId,jdbcType=VARCHAR}
+    <if test="limitUser != null">
+      and (create_by = #{limitUser} OR EXISTS (
+      SELECT a.relative_id FROM
+      ( SELECT relative_id FROM contract_scope WHERE contract_id = wb_contract_info.contract_id AND relative_type = 'elevator' ) a
+      INNER JOIN ( SELECT elevator_id FROM pf_user_elevator WHERE user_id = #{limitUser} ) b ON a.relative_id = b.elevator_id))
+    </if>
   </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `wb_contract_info`
     where contract_id = #{contractId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.contract.WbContract">
-    insert into `wb_contract_info` (contract_id, contract_files, contract_name, 
-      contract_no, create_by, create_time, 
-      data_status, end_date, first_party, 
-      remark, second_party, start_date, 
+    insert into `wb_contract_info` (contract_id, contract_files, contract_name,
+      contract_no, create_by, create_time,
+      data_status, end_date, first_party,
+      remark, second_party, start_date,
       third_party, update_by, update_time
       )
-    values (#{contractId,jdbcType=VARCHAR}, #{contractFiles,jdbcType=VARCHAR}, #{contractName,jdbcType=VARCHAR}, 
-      #{contractNo,jdbcType=VARCHAR}, #{createBy,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, 
-      #{dataStatus,jdbcType=INTEGER}, #{endDate,jdbcType=DATE}, #{firstParty,jdbcType=VARCHAR}, 
-      #{remark,jdbcType=VARCHAR}, #{secondParty,jdbcType=VARCHAR}, #{startDate,jdbcType=DATE}, 
+    values (#{contractId,jdbcType=VARCHAR}, #{contractFiles,jdbcType=VARCHAR}, #{contractName,jdbcType=VARCHAR},
+      #{contractNo,jdbcType=VARCHAR}, #{createBy,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP},
+      #{dataStatus,jdbcType=INTEGER}, #{endDate,jdbcType=DATE}, #{firstParty,jdbcType=VARCHAR},
+      #{remark,jdbcType=VARCHAR}, #{secondParty,jdbcType=VARCHAR}, #{startDate,jdbcType=DATE},
       #{thirdParty,jdbcType=VARCHAR}, #{updateBy,jdbcType=VARCHAR}, #{updateTime,jdbcType=TIMESTAMP}
       )
   </insert>
@@ -317,4 +323,4 @@
     <include refid="Base_Column_List" />
     from `wb_contract_info` where end_date &lt; now()
   </select>
-</mapper>
+</mapper>
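Review bot: `selectByPrimaryKey` still declares `parameterType="java.lang.String"` although the mapper method now receives two `@Param` arguments (`contractId` and `limitUser`), so the declared type no longer describes the parameter object the `<if test="limitUser != null">` is evaluated against; drop the attribute or declare `parameterType="map"` so the statement reads as intended. Note also that the filter is bypassed only on null: an empty-string `limitUser` would keep the `and (create_by = #{limitUser} OR EXISTS (...))` clause and almost certainly match nothing (fails closed), whereas null removes it (fails open), and that asymmetry deserves a one-line comment above the `<if>`. The same applies to `selectByPrimaryKey` in `WyContractDao.xml` in this commit.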

+ 21 - 14
elevator-admin/src/main/resources/mapper/media/WyContractDao.xml

@@ -21,32 +21,39 @@
     <result column="update_time" jdbcType="TIMESTAMP" property="updateTime" />
   </resultMap>
   <sql id="Base_Column_List">
-    contract_id, company_id, contract_files, contract_name, contract_no, contract_scope, 
-    create_by, create_time, data_status, end_date, first_party, remark, second_party, 
+    contract_id, company_id, contract_files, contract_name, contract_no, contract_scope,
+    create_by, create_time, data_status, end_date, first_party, remark, second_party,
     start_date, third_party, update_by, update_time
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="BaseResultMap">
-    select 
+    select
     <include refid="Base_Column_List" />
     from `wy_contract_info`
     where contract_id = #{contractId,jdbcType=VARCHAR}
+    <if test="limitUser != null">
+      and (create_by = #{limitUser} OR EXISTS (
+      SELECT a.relative_id FROM
+      ( SELECT relative_id FROM contract_scope WHERE contract_id = wy_contract_info.contract_id AND relative_type = 'estate' ) a
+      INNER JOIN ( SELECT DISTINCT estate_id FROM ele_info_usage WHERE elevator_id IN
+      (SELECT elevator_id FROM pf_user_elevator WHERE user_id = #{limitUser}) ) b ON a.relative_id = b.estate_id))
+    </if>
   </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `wy_contract_info`
     where contract_id = #{contractId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.contract.WyContract">
-    insert into `wy_contract_info` (contract_id, company_id, contract_files, 
-      contract_name, contract_no, contract_scope, 
-      create_by, create_time, data_status, 
-      end_date, first_party, remark, 
-      second_party, start_date, third_party, 
+    insert into `wy_contract_info` (contract_id, company_id, contract_files,
+      contract_name, contract_no, contract_scope,
+      create_by, create_time, data_status,
+      end_date, first_party, remark,
+      second_party, start_date, third_party,
       update_by, update_time)
-    values (#{contractId,jdbcType=VARCHAR}, #{companyId,jdbcType=VARCHAR}, #{contractFiles,jdbcType=VARCHAR}, 
-      #{contractName,jdbcType=VARCHAR}, #{contractNo,jdbcType=VARCHAR}, #{contractScope,jdbcType=VARCHAR}, 
-      #{createBy,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, #{dataStatus,jdbcType=INTEGER}, 
-      #{endDate,jdbcType=DATE}, #{firstParty,jdbcType=VARCHAR}, #{remark,jdbcType=VARCHAR}, 
-      #{secondParty,jdbcType=VARCHAR}, #{startDate,jdbcType=DATE}, #{thirdParty,jdbcType=VARCHAR}, 
+    values (#{contractId,jdbcType=VARCHAR}, #{companyId,jdbcType=VARCHAR}, #{contractFiles,jdbcType=VARCHAR},
+      #{contractName,jdbcType=VARCHAR}, #{contractNo,jdbcType=VARCHAR}, #{contractScope,jdbcType=VARCHAR},
+      #{createBy,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, #{dataStatus,jdbcType=INTEGER},
+      #{endDate,jdbcType=DATE}, #{firstParty,jdbcType=VARCHAR}, #{remark,jdbcType=VARCHAR},
+      #{secondParty,jdbcType=VARCHAR}, #{startDate,jdbcType=DATE}, #{thirdParty,jdbcType=VARCHAR},
       #{updateBy,jdbcType=VARCHAR}, #{updateTime,jdbcType=TIMESTAMP})
   </insert>
   <insert id="insertSelective" parameterType="com.inspur.idm.media.po.contract.WyContract">
@@ -320,4 +327,4 @@
     <include refid="Base_Column_List" />
     from `wy_contract_info` where end_date &lt; now()
   </select>
-</mapper>
+</mapper>