
fix:二级等保【高危】接口权限越权

lihao16 4 週間 前
コミット
831930f3c8

+ 7 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/RescueConfigController.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.controller;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.inspur.idm.media.po.RescueConfig;
 import com.inspur.idm.media.service.rescueconfig.IRescueConfigService;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.rescueconfig.RescueConfigDTO;
 import com.inspur.idm.media.vo.rescueconfig.RescueConfigQuery;
 import com.inspur.idm.media.vo.rescueconfig.RescueConfigVO;
@@ -42,6 +43,9 @@ public class RescueConfigController {
   @GetMapping()
   @PreAuthorize("hasPermission('rescueConfig','list')")
   public BasePageListObj<RescueConfigVO> queryRescueConfigList(RescueConfigQuery query) {
+    if(!(MyUserUtil.isSuperAdmin())) {
+      return new BasePageListObj(null, 0L);
+    }
     IPage<RescueConfigVO> page = rescueConfigService.getRescueConfigVOList(query);
     BasePageListObj<RescueConfigVO> listObj = new BasePageListObj<>(page.getRecords(), page.getTotal());
     listObj.setPageNum(page.getCurrent());
@@ -73,6 +77,9 @@ public class RescueConfigController {
   @GetMapping("{id}")
   @PreAuthorize("hasPermission('rescueConfig','detail')")
   public RescueConfigVO getRescueConfigById(@PathVariable String id) {
+    if(!(MyUserUtil.isSuperAdmin())) {
+      return null;
+    }
     RescueConfigVO vo = rescueConfigService.getRescueConfigById(id);
     return vo;
   }
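Review bot: Both added guards turn an authorization failure into a successful response: `queryRescueConfigList` answers with an empty page and `getRescueConfigById` with `null`, each under HTTP 200, so a caller without the right cannot tell "forbidden" from "no data" and nothing in the access logs records a denied request. Making the denial explicit, either by throwing the permission error this same commit uses in ServiceAuthFilter, `throw new CodeException(AdminError.REPAIR_NO_PERMISSION, new Object[0]);` (AdminError would need importing here), or by expressing the super-admin requirement in the existing `@PreAuthorize` expression so Spring Security rejects the call before the body runs, keeps one enforcement point instead of per-method returns. `new BasePageListObj(null, 0L)` is also a raw type with a null record list; `new BasePageListObj<>(…empty list…, 0L)` keeps the generic and spares callers a null check. The same empty-200 pattern is repeated in EleDeviceBlackController, AuthRoleController and AuthUserController in this commit. `queryRescueConfigList`'s body continues past the first hunk.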

+ 6 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/device/EleDeviceBlackController.java

@@ -147,6 +147,9 @@ public class EleDeviceBlackController {
     @GetMapping("eleDeviceBlackConfig")
     @PreAuthorize("hasPermission('eleDeviceBlack','list')")
     public BasePageListObj<EleDeviceBlackConfigVO> queryEleDeviceConfigList(EleDeviceBlackConfigQuery query) {
+        if(!(MyUserUtil.isSuperAdmin())) {
+            return new BasePageListObj(null, 0L);
+        }
         MyUserUtil.addDataAuth(query);
         Page<EleDeviceBlackConfigVO> page = eleDeviceBlackService.getEleDeviceConfigList(query);
         return new BasePageListObj<>(page.getResult(), page.getTotal());
@@ -155,6 +158,9 @@ public class EleDeviceBlackController {
     @ApiOperation("黑匣子运行配置明细")
     @GetMapping("eleDeviceBlackConfig/{deviceId}")
     public BaseObj<EleDeviceBlackConfigVO> getEleDeviceDetail(@PathVariable String deviceId) {
+        if(!(MyUserUtil.isSuperAdmin())) {
+            return new BaseObj<>(null);
+        }
         EleDeviceBlackVO eleDeviceBlackVO = eleDeviceBlackService.getEleDeviceInfoById(deviceId);
         if (eleDeviceBlackVO == null || StringUtils.isBlank(eleDeviceBlackVO.getElevatorId())) {
             throw new CodeException(AdminError.BLACK_NOT_BINDED);
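Review bot: `getEleDeviceDetail` carries no `@PreAuthorize` in the visible lines, while its sibling `queryEleDeviceConfigList` is guarded by `hasPermission('eleDeviceBlack','list')`, so the in-body `MyUserUtil.isSuperAdmin()` check that returns `new BaseObj<>(null)` is the only access control on the detail endpoint, and it responds 200 with a null payload rather than rejecting. If the annotation is merely outside the hunk this is fine; otherwise declaring the permission on the method (the `'detail'` action RescueConfigController uses would be the analogue, if such a key exists for `eleDeviceBlack`) puts the check where the rest of the controller enforces it. Returning `null` inside `BaseObj` also collides with the "not bound" path two lines below, which signals failure by throwing `CodeException(AdminError.BLACK_NOT_BINDED)`; the denied case deserves the same explicit error. `getEleDeviceDetail`'s body continues past the hunk.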

+ 31 - 8
elevator-admin/src/main/java/com/inspur/idm/platform/filter/ServiceAuthFilter.java

@@ -5,28 +5,51 @@
 
 package com.inspur.idm.platform.filter;
 
-import com.inspur.idm.platform.comm.BaseCodeError;
+import com.inspur.idm.media.comm.AdminError;
+import com.inspur.idm.media.util.MyUserUtil;
+import com.inspur.idm.platform.comm.BasePageListObj;
 import com.inspur.idm.platform.comm.CodeException;
-import com.inspur.idm.platform.utils.ServerAuthUtils;
-/*import com.inspur.pub.AuthenticateUtil;*/
-import java.io.IOException;
-import java.io.PrintWriter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.filter.OncePerRequestFilter;
+
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.filter.OncePerRequestFilter;
+import java.io.IOException;
+import java.io.PrintWriter;
 
 public class ServiceAuthFilter extends OncePerRequestFilter {
     private static final Logger log = LoggerFactory.getLogger(ServiceAuthFilter.class);
     private static final long SERVER_START_TIME = System.currentTimeMillis();
 
+    public static final String AUTHORITYS_PATH = "/sys/authoritys";
+
+    public static final String ORGANS_PATH = "/sys/organs";
+
+    public static final String LOGS_PATH = "/sys/logs";
+
+    public static final String CONFIGS_PATH = "/pub/configs";
+
+    public static final String DICTS_PATH = "/sys/dicts-manage";
+
     public ServiceAuthFilter() {
     }
 
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        if (request.getServletPath().endsWith(AUTHORITYS_PATH) || request.getServletPath().endsWith(ORGANS_PATH)
+                || request.getServletPath().endsWith(LOGS_PATH) || request.getServletPath().endsWith(CONFIGS_PATH)
+                || request.getServletPath().endsWith(DICTS_PATH)) {
+            if(!(MyUserUtil.isSuperAdmin())) {
+                response.setCharacterEncoding("utf-8");
+                response.setContentType("application/json;charset=utf-8");
+                PrintWriter write = response.getWriter();
+                String msg = this.buildMessage(new CodeException(AdminError.REPAIR_NO_PERMISSION, new Object[0]));
+                write.print(msg);
+                write.flush();
+            }
+        }
         filterChain.doFilter(request, response);
 //        String path = request.getServletPath();
 //        if (!"/service/info".equalsIgnoreCase(path) && !"/auth.html".equalsIgnoreCase(path)) {
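Review bot: The denial branch in `doFilterInternal` writes the error JSON but never returns, so `filterChain.doFilter(request, response)` on the following line still executes for a non-super-admin: the protected controller runs anyway and its output is appended to the already-written body, while the status stays 200. Add `response.setStatus(HttpServletResponse.SC_FORBIDDEN);` before `response.getWriter()` is obtained and `return;` immediately after `write.flush();`. The `endsWith` comparisons also match only the exact suffix, so a request whose path extends one of these constants (an id segment or a trailing slash after `/sys/organs`, for example) is not gated here; matching on the path prefix, or listing the sub-resource patterns as well, would make the filter's coverage match its intent. `BasePageListObj` is imported but unused in this file. `doFilterInternal` continues past the hunk.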

+ 5 - 0
elevator-admin/src/main/java/com/inspur/idm/sys/controller/AuthRoleController.java

@@ -1,6 +1,8 @@
 package com.inspur.idm.sys.controller;
 
 import com.github.pagehelper.Page;
+import com.inspur.idm.media.comm.RoleCode;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.platform.aop.ControllerLog;
 import com.inspur.idm.platform.comm.BaseCodeError;
 import com.inspur.idm.platform.comm.BaseObj;
@@ -57,6 +59,9 @@ public class AuthRoleController {
     @GetMapping({"sys/roles"})
     @PreAuthorize("hasPermission('role','management')")
     public BasePageListObj<RoleVO> queryRoleList(RoleQuery query) {
+        if(!(MyUserUtil.isSuperAdmin())) {
+            return new BasePageListObj(null, 0L);
+        }
         return this.queryRoleList((String)null, query);
     }
 

+ 7 - 2
elevator-admin/src/main/java/com/inspur/idm/sys/controller/AuthUserController.java

@@ -8,6 +8,7 @@ package com.inspur.idm.sys.controller;
 import com.github.pagehelper.Page;
 import com.inspur.idm.media.comm.CommConstant;
 import com.inspur.idm.media.service.ElevatorInfoService;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.util.PasswordValidUtil;
 import com.inspur.idm.media.vo.elevator.ElevatorInfoVO;
 import com.inspur.idm.platform.aop.ControllerLog;
@@ -126,8 +127,9 @@ public class AuthUserController {
     @PreAuthorize("hasPermission('user','management')")
     public BasePageListObj<AuthUserVO> queryCompanyUsersList(AuthUserQuery query) {
         if(!authUserService.isSuperAdmin()){
-            String companyId = authUserService.getCurrentUser().getCompanyId();
-            query.setCompanyId(companyId);
+            /*String companyId = authUserService.getCurrentUser().getCompanyId();
+            query.setCompanyId(companyId);*/
+            return new BasePageListObj<>(new ArrayList<>(), 0);
         }
         return this.queryAuthUserList((String)null, query);
     }
@@ -209,6 +211,9 @@ public class AuthUserController {
     @GetMapping({"sys/users/{userId}"})
     @PreAuthorize("hasPermission('user','management')")
     public AuthUserVO getAuthUserById(@PathVariable String userId) {
+        if(!(MyUserUtil.isSuperAdmin())) {
+            return null;
+        }
         return this.getAuthUserById((String)null, userId);
     }
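Review bot: `queryCompanyUsersList` in the first hunk decides the same question as `getAuthUserById` in the second through two different helpers, `authUserService.isSuperAdmin()` versus `MyUserUtil.isSuperAdmin()`, so the two endpoints can disagree if those implementations ever diverge; use one source for both. The first hunk also keeps the replaced company-scoping logic as a block comment (`/*String companyId = …*/`) next to the new `return`; delete it rather than leave dead code that suggests the scoping still happens. The two empty results are built differently as well, `new BasePageListObj<>(new ArrayList<>(), 0)` here against `new BasePageListObj(null, 0L)` elsewhere in the commit; settling on the typed, empty-list form avoids the raw type and the null record list.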