
fix:二级等保【高危】接口权限越权

lihao16 4 周之前
父節點
當前提交
88a822d20c

+ 16 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/annualcheck/AnnualCheckRecordController.java

@@ -1,5 +1,6 @@
 package com.inspur.idm.media.controller.annualcheck;
 
+import cn.hutool.core.collection.CollectionUtil;
 import com.github.pagehelper.Page;
 import com.inspur.idm.media.comm.AdminError;
 import com.inspur.idm.media.comm.CommConstant;
@@ -25,6 +26,7 @@ import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * @author xyh
@@ -38,6 +40,9 @@ public class AnnualCheckRecordController {
     @Autowired
     private com.inspur.idm.media.service.annualcheck.AnnualCheckRecordService AnnualCheckRecordService;
 
+    @Autowired
+    private com.inspur.idm.media.dao.annualcheck.AnnualCheckRecordDao AnnualCheckRecordDao;
+
     @ApiOperation("年检记录查询")
     @GetMapping("annualCheckRecord")
     @PreAuthorize("hasPermission('AnnualCheckRecord','list')")
@@ -95,6 +100,17 @@ public class AnnualCheckRecordController {
     @GetMapping("annualCheckRecord/{recordId}/result")
     @PreAuthorize("hasPermission('AnnualCheckRecord','result')")
     public List<AnnualCheckResultVO> getAnnualCheckResult(@PathVariable String recordId) {
+        AnnualCheckRecordQuery query = new AnnualCheckRecordQuery();
+        query.setSyncToAdmin(1);
+        getQuery(query);
+        List<AnnualCheckRecordVO> recordVOList = AnnualCheckRecordDao.selectByQuery(query);
+        if (CollectionUtil.isEmpty(recordVOList)) {
+            return null;
+        }
+        List<String> recordIds = recordVOList.stream().map(AnnualCheckRecordVO::getRecordId).collect(Collectors.toList());
+        if (!recordIds.contains(recordId)) {
+            return null;
+        }
         List<AnnualCheckResultVO> vos = AnnualCheckRecordService.getAnnualCheckResult(recordId);
         //转树形结构
         AnnualCheckRecordService.toTree(vos);
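Review bot: Both new guards at the top of `getAnnualCheckResult` report an authorization failure the same way as a missing record — they `return null` — so a caller probing foreign `recordId` values receives an HTTP 200 with an empty body and nothing in logs or monitoring distinguishes a denied request from an empty result; failing explicitly, for example by throwing the project's `CodeException` with the access-denied `AdminError` constant (not visible in this hunk), keeps the denial observable. The membership test loads every record the caller may see via `AnnualCheckRecordDao.selectByQuery(query)` and streams all ids into a list just to test one id; if `AnnualCheckRecordQuery` can filter on the record id, set it on the query after `getQuery(query)` and test for a non-empty result instead of a full data-scope scan per request. The return value of `getQuery(query)` is discarded, so it presumably applies the caller's data scope in place; a comment such as `// getQuery applies the caller's data scope to the query in place` would make the intent clear. Autowiring `AnnualCheckRecordDao` straight into the controller bypasses the service layer that the rest of the method uses; the same check could live in `AnnualCheckRecordService.getAnnualCheckResult`. The method body continues outside the hunk.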

+ 4 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/report/EstateReportController.java

@@ -40,6 +40,10 @@ public class EstateReportController {
     @GetMapping("/getEstateReportDetail")
     @PreAuthorize("hasPermission('estateReport','detail')")
     public void getEstateReportDetail(ReportDTO reportDTO, HttpServletResponse response) throws Exception {
+        List<String> roleCode = formatNameService.getUserRoleCode(UserUtils.getCurrentUserId());
+        if(!(MyUserUtil.isSuperAdmin() || roleCode.contains(RoleCode.GOV_EXAMINE.getCode()))){
+            return;
+        }
         if ((reportDTO.getReportType()==0||reportDTO.getReportType()==1)&&StringUtils.isNotBlank(reportDTO.getReportTime())) {
             reportDTO.setReportTimeStart(StringUtils.substringBefore(reportDTO.getReportTime(), "~"));
             if (StringUtils.contains(reportDTO.getReportTime(), "~")) {
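Review bot: The new role guard in `getEstateReportDetail` exits with a bare `return;` from a `void` method that streams the report into `response`, so an unauthorized caller gets an HTTP 200 with an empty body rather than a denial; set the status first, `response.setStatus(HttpServletResponse.SC_FORBIDDEN); return;`, or throw so the framework's access-denied handling and audit logging see it. The same guard, with the same gap, is added to MaintenReportController.getMaintenReportDetail and SupervisionReportController.getSupervisionReportDetail. If `formatNameService.getUserRoleCode` can return null for a user without roles, `roleCode.contains(...)` throws a NullPointerException instead of denying; a null-safe check closes that path. The rule itself — super admin or `RoleCode.GOV_EXAMINE` — overlaps with what `@PreAuthorize("hasPermission('estateReport','detail')")` on the line above is meant to express; expressing it once in the permission evaluator avoids three hand-copied checks that can drift apart. The method continues outside the hunk.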

+ 4 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/report/MaintenReportController.java

@@ -41,6 +41,10 @@ public class MaintenReportController {
     @GetMapping("/getMaintenReportDetail")
     @PreAuthorize("hasPermission('maintenReport','detail')")
     public void getMaintenReportDetail(ReportDTO reportDTO, HttpServletResponse response) throws Exception {
+        List<String> roleCode = formatNameService.getUserRoleCode(UserUtils.getCurrentUserId());
+        if(!(MyUserUtil.isSuperAdmin() || roleCode.contains(RoleCode.GOV_EXAMINE.getCode()))){
+            return;
+        }
         handReportDTO(reportDTO);
         //设置响应格式等
         response.setContentType("application/pdf");

+ 4 - 0
elevator-admin/src/main/java/com/inspur/idm/media/controller/report/SupervisionReportController.java

@@ -48,6 +48,10 @@ public class SupervisionReportController {
     @GetMapping("/getSupervisionReportDetail")
     @PreAuthorize("hasPermission('supervisionReport','detail')")
     public void getSupervisionReportDetail(ReportDTO reportDTO, HttpServletResponse response) throws Exception {
+        List<String> roleCode = formatNameService.getUserRoleCode(UserUtils.getCurrentUserId());
+        if(!(MyUserUtil.isSuperAdmin() || roleCode.contains(RoleCode.GOV_EXAMINE.getCode()))){
+            return;
+        }
         handReportDTO(reportDTO);
         //设置响应格式等
         response.setContentType("application/pdf");

+ 14 - 0
elevator-admin/src/main/java/com/inspur/idm/media/service/fault/FaultInsureOrderServiceImpl.java

@@ -11,6 +11,7 @@ import com.inspur.idm.media.dao.fault.FaultInsureOrderProcessDao;
 import com.inspur.idm.media.po.company.EleCompany;
 import com.inspur.idm.media.po.fault.FaultInsureOrder;
 import com.inspur.idm.media.po.fault.FaultInsureOrderProcess;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.fault.FaultInsureOrderDetailVO;
 import com.inspur.idm.media.vo.fault.FaultInsureOrderQuery;
 import com.inspur.idm.media.vo.fault.FaultInsureOrderVO;
@@ -18,6 +19,7 @@ import com.inspur.idm.platform.comm.BaseCodeError;
 import com.inspur.idm.platform.comm.CodeException;
 import com.inspur.idm.sys.dao.NewAuthUserDao;
 import com.inspur.idm.sys.po.AuthUser;
+import io.jsonwebtoken.lang.Collections;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.BeanUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -25,6 +27,8 @@ import org.springframework.stereotype.Service;
 
 import java.time.LocalDate;
 import java.time.format.DateTimeFormatter;
+import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * @author zm
@@ -59,6 +63,16 @@ public class FaultInsureOrderServiceImpl implements FaultInsureOrderService {
 
     @Override
     public FaultInsureOrderDetailVO getFaultInsureOrderStatusByIdAndStatus(String insureOrderId, String insureOrderStatus) {
+        FaultInsureOrderQuery query = new FaultInsureOrderQuery();
+        MyUserUtil.addDataAuth(query);
+        List<FaultInsureOrderVO> orderVOList = faultInsureOrderDao.selectByQuery(query);
+        if (Collections.isEmpty(orderVOList)) {
+            return null;
+        }
+        List<String> insureOrderIdList = orderVOList.stream().map(FaultInsureOrderVO::getInsureOrderId).collect(Collectors.toList());
+        if (!insureOrderIdList.contains(insureOrderId)) {
+            return null;
+        }
         FaultInsureOrder po = faultInsureOrderDao.selectByPrimaryKey(insureOrderId);
         if (po == null) {
             return null;
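Review bot: `getFaultInsureOrderStatusByIdAndStatus` now decides whether `insureOrderId` is in scope by loading every order the caller may see through `faultInsureOrderDao.selectByQuery(query)` and streaming all ids into a list, a full data-scope scan on every detail call; if `FaultInsureOrderQuery` can carry the order id, set it alongside `MyUserUtil.addDataAuth(query)` and test for a non-empty result, otherwise load the row by key and compare its owner against the caller's scope. The empty check relies on `io.jsonwebtoken.lang.Collections`, an internal helper of the JWT library that is not a general collection API and may move or disappear on a jjwt upgrade; this commit already uses hutool `CollectionUtil.isEmpty` in other files, and `orderVOList == null || orderVOList.isEmpty()` needs no import at all. The same import is added in FaultRepairInfoServiceImpl, FaultRepairProcessInfoServiceImpl and FaultRepairScheduleServiceImpl, the latter two of which already import `org.apache.dubbo.common.utils.CollectionUtils`. Returning `null` for an out-of-scope id mirrors the existing `po == null` branch, but a comment such as `// data-scope check: ids outside the caller's scope are treated as not found` would record that this is deliberate. The method continues outside the hunk.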

+ 16 - 4
elevator-admin/src/main/java/com/inspur/idm/media/service/fault/FaultRepairInfoServiceImpl.java

@@ -21,10 +21,7 @@ import com.inspur.idm.media.service.rate.PubRateHelper;
 import com.inspur.idm.media.service.rate.RateConstant;
 import com.inspur.idm.media.service.rate.WorkRateDomain;
 import com.inspur.idm.media.util.MyUserUtil;
-import com.inspur.idm.media.vo.fault.FaultRepairInfoDTO;
-import com.inspur.idm.media.vo.fault.FaultRepairInfoQuery;
-import com.inspur.idm.media.vo.fault.FaultRepairInfoVO;
-import com.inspur.idm.media.vo.fault.FaultRepairProcessInfoVO;
+import com.inspur.idm.media.vo.fault.*;
 import com.inspur.idm.media.vo.msg.PubMsgDTO;
 import com.inspur.idm.media.vo.rate.WorkRateAppDTO;
 import com.inspur.idm.media.vo.rate.WorkRateDTO;
@@ -33,6 +30,7 @@ import com.inspur.idm.platform.comm.CodeException;
 import com.inspur.idm.platform.utils.UserUtils;
 import com.inspur.idm.sys.dao.NewAuthUserDao;
 import com.inspur.idm.sys.po.AuthUser;
+import io.jsonwebtoken.lang.Collections;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.BeanUtils;
@@ -42,6 +40,8 @@ import org.springframework.transaction.annotation.Transactional;
 
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import static com.inspur.idm.media.comm.AdminError.*;
 import static com.inspur.idm.platform.comm.BaseCodeError.NOT_EXISTS_ERROR;
@@ -213,6 +213,18 @@ public class FaultRepairInfoServiceImpl implements FaultRepairInfoService {
 
     @Override
     public FaultRepairInfoVO getFaultRepairInfoById(String faultId) {
+
+        FaultInsureOrderQuery query = new FaultInsureOrderQuery();
+        MyUserUtil.addDataAuth(query);
+        List<FaultInsureOrderVO> orderVOList = faultInsureOrderDao.selectByQuery(query);
+        if (Collections.isEmpty(orderVOList)) {
+            return null;
+        }
+        List<String> insureOrderIdList = orderVOList.stream().map(FaultInsureOrderVO::getFaultId).collect(Collectors.toList());
+        if (!insureOrderIdList.contains(faultId)) {
+            return null;
+        }
+
         FaultRepairInfo po = faultRepairInfoDao.selectByPrimaryKey(faultId);
         if(po == null){
             return null;
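Review bot: The scope check added to `getFaultRepairInfoById` is keyed on insure orders, not on repair records: it collects `FaultInsureOrderVO::getFaultId` from `faultInsureOrderDao.selectByQuery` and returns `null` when `faultId` is absent, so a fault that has no insurance order at all — if such repairs exist in this system — becomes unreadable even for a fully authorized caller. If that is intended, state it with `// only faults that have an in-scope insure order are visible`; otherwise apply `MyUserUtil.addDataAuth` to a `FaultRepairInfoQuery` against `faultRepairInfoDao` so the check matches the entity being returned. The identical pattern, with the same question, is added in FaultRepairProcessInfoServiceImpl.getFaultRepairProcessInfoById and FaultRepairScheduleServiceImpl.getFaultRepairScheduleById. Replacing the four explicit `com.inspur.idm.media.vo.fault` imports with a wildcard widens the import surface where this file previously listed its classes explicitly. The method continues outside the hunk.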

+ 16 - 3
elevator-admin/src/main/java/com/inspur/idm/media/service/fault/FaultRepairProcessInfoServiceImpl.java

@@ -12,9 +12,8 @@ import com.inspur.idm.media.service.msg.IPubMsgService;
 import com.inspur.idm.media.service.msg.MsgConstant;
 import com.inspur.idm.media.service.msg.PubMsgHelper;
 import com.inspur.idm.media.util.CoordinateTrans;
-import com.inspur.idm.media.vo.fault.FaultRepairInfoVO;
-import com.inspur.idm.media.vo.fault.FaultRepairProcessInfoDTO;
-import com.inspur.idm.media.vo.fault.FaultRepairProcessInfoVO;
+import com.inspur.idm.media.util.MyUserUtil;
+import com.inspur.idm.media.vo.fault.*;
 import com.inspur.idm.media.vo.fault.app.*;
 import com.inspur.idm.media.vo.msg.PubMsgDTO;
 import com.inspur.idm.platform.utils.UserUtils;
@@ -22,6 +21,7 @@ import com.inspur.idm.sys.dao.NewAuthUserDao;
 import com.inspur.idm.sys.po.AuthUser;
 import com.inspur.idm.sys.vo.user.AuthUserQuery;
 import com.inspur.idm.sys.vo.user.AuthUserVO;
+import io.jsonwebtoken.lang.Collections;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.dubbo.common.utils.CollectionUtils;
 import org.springframework.beans.BeanUtils;
@@ -32,6 +32,7 @@ import java.time.Duration;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * @author zy
@@ -88,6 +89,18 @@ public class FaultRepairProcessInfoServiceImpl implements FaultRepairProcessInfo
 
     @Override
     public FaultRepairProcessInfoVO getFaultRepairProcessInfoById(String faultId) {
+
+        FaultInsureOrderQuery query = new FaultInsureOrderQuery();
+        MyUserUtil.addDataAuth(query);
+        List<FaultInsureOrderVO> orderVOList = faultInsureOrderDao.selectByQuery(query);
+        if (Collections.isEmpty(orderVOList)) {
+            return null;
+        }
+        List<String> insureOrderIdList = orderVOList.stream().map(FaultInsureOrderVO::getFaultId).collect(Collectors.toList());
+        if (!insureOrderIdList.contains(faultId)) {
+            return null;
+        }
+
         FaultRepairProcessInfo po = faultRepairProcessInfoDao.selectByPrimaryKey(faultId);
         if(po == null){
             return null;

+ 21 - 2
elevator-admin/src/main/java/com/inspur/idm/media/service/fault/FaultRepairScheduleServiceImpl.java

@@ -16,6 +16,7 @@ import com.inspur.idm.media.po.part.ElePartType;
 import com.inspur.idm.media.service.msg.IPubMsgService;
 import com.inspur.idm.media.service.msg.MsgConstant;
 import com.inspur.idm.media.service.msg.PubMsgHelper;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.fault.*;
 import com.inspur.idm.media.vo.msg.PubMsgDTO;
 import com.inspur.idm.platform.utils.UUIDUtil;
@@ -24,6 +25,7 @@ import com.inspur.idm.sys.dao.NewAuthUserDao;
 import com.inspur.idm.sys.po.AuthUser;
 import com.inspur.idm.sys.vo.user.AuthUserQuery;
 import com.inspur.idm.sys.vo.user.AuthUserVO;
+import io.jsonwebtoken.lang.Collections;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.dubbo.common.utils.CollectionUtils;
@@ -93,6 +95,9 @@ public class FaultRepairScheduleServiceImpl implements FaultRepairScheduleServic
     @Autowired
     private EleFittingsPriceDao eleFittingsPriceDao;
 
+    @Autowired
+    private FaultInsureOrderDao faultInsureOrderDao;
+
     @Override
     public void deleteFaultRepairScheduleById(String faultId) {
         faultRepairScheduleDao.deleteByPrimaryKey(faultId);
@@ -100,6 +105,18 @@ public class FaultRepairScheduleServiceImpl implements FaultRepairScheduleServic
 
     @Override
     public FaultRepairScheduleVO getFaultRepairScheduleById(String faultId) {
+
+        FaultInsureOrderQuery query = new FaultInsureOrderQuery();
+        MyUserUtil.addDataAuth(query);
+        List<FaultInsureOrderVO> orderVOList = faultInsureOrderDao.selectByQuery(query);
+        if (Collections.isEmpty(orderVOList)) {
+            return null;
+        }
+        List<String> insureOrderIdList = orderVOList.stream().map(FaultInsureOrderVO::getFaultId).collect(Collectors.toList());
+        if (!insureOrderIdList.contains(faultId)) {
+            return null;
+        }
+
         FaultRepairSchedule po = faultRepairScheduleDao.selectByPrimaryKey(faultId);
         if(po == null){
             return null;
@@ -183,8 +200,10 @@ public class FaultRepairScheduleServiceImpl implements FaultRepairScheduleServic
             }
             if (StringUtils.isNotBlank(vo.getInsureAuditUserId())) {
                 AuthUser insureAuditUser = authUserDao.selectByPrimaryKey(vo.getInsureAuditUserId());
-                vo.setInsureUserName(insureAuditUser.getRealName());
-                vo.setInsureUserPhone(insureAuditUser.getPhone());
+                if (insureAuditUser != null) {
+                    vo.setInsureUserName(insureAuditUser.getRealName());
+                    vo.setInsureUserPhone(insureAuditUser.getPhone());
+                }
             }
         }
         return vo;
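Review bot: The scope pre-check at the top of `getFaultRepairScheduleById` is the third verbatim copy of the same eleven lines in this commit (FaultRepairInfoServiceImpl and FaultRepairProcessInfoServiceImpl carry the other two), each building a `FaultInsureOrderQuery`, calling `MyUserUtil.addDataAuth`, selecting every in-scope order and testing `contains(faultId)`; an authorization rule copied into three services drifts the first time one copy is corrected, so a single shared helper such as `boolean isFaultInCallerScope(String faultId)` is worth extracting. Neither `FaultInsureOrderDao` nor `java.util.stream.Collectors` is imported in the hunks shown, so presumably both were already imported in this file; worth confirming before merge. The null guard around `insureAuditUser` in the last hunk is a sound fix on its own. The methods touched here continue outside their hunks.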

+ 17 - 0
elevator-admin/src/main/java/com/inspur/idm/media/service/rate/WorkRateServiceImpl.java

@@ -1,5 +1,6 @@
 package com.inspur.idm.media.service.rate;
 
+import cn.hutool.core.collection.CollectionUtil;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import com.inspur.idm.media.comm.CommConstant;
@@ -9,6 +10,7 @@ import com.inspur.idm.media.po.company.EleCompany;
 import com.inspur.idm.media.po.rate.WorkRate;
 import com.inspur.idm.media.service.FileHelpService;
 import com.inspur.idm.media.service.FormatNameService;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.rate.*;
 import com.inspur.idm.platform.comm.BasePageListObj;
 import com.inspur.idm.platform.utils.UUIDUtil;
@@ -111,6 +113,21 @@ public class WorkRateServiceImpl implements WorkRateService{
                 query.setRateTimeEnd(query.getRateTime());
             }
         }
+        String companyId = query.getCompanyId();
+        if (StringUtils.isBlank(companyId)) {
+            return new Page<>();
+        }
+        CompanyRateQuery rateQuery = new CompanyRateQuery();
+        MyUserUtil.addDataAuth(rateQuery);
+        List<CompanyRateVO> companyRates = workRateDao.selectCompanyRateByQuery(rateQuery);
+        if (CollectionUtil.isEmpty(companyRates)) {
+            return new Page<>();
+        }
+        List<String> companyIds = companyRates.stream().map(CompanyRateVO::getCompanyId).collect(Collectors.toList());
+        if (!companyIds.contains(companyId)) {
+            return new Page<>();
+        }
+
         Page<WorkRateVO> page = PageHelper.startPage(query.getPageNum(), query.getPageSize()).doSelectPage(() -> {
             workRateDao.selectByQuery(query);
         });
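Review bot: The new guard makes `companyId` mandatory: a blank `query.getCompanyId()` now yields an empty `Page` before the paged select runs, so any caller that previously listed work rates across all companies in its data scope (a super-admin overview, for instance) silently gets no rows. If that is intended, say so with `// a company filter is required; cross-company listing is intentionally disabled`; if not, skip the membership test when the id is blank and rely on the data-scope filter alone. Deriving the allowed companies by loading every `CompanyRateVO` through `workRateDao.selectCompanyRateByQuery(rateQuery)` and streaming the ids is a full scan per page request; if `MyUserUtil.addDataAuth` can be applied to the `WorkRateQuery` itself, the DAO can enforce the scope in SQL and the three `return new Page<>()` exits collapse into one. The enclosing method starts before this hunk.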