
fix:二级等保【高危】接口权限越权

lihao16 1 miesiąc temu
rodzic
commit
e7f3c98084

+ 3 - 1
elevator-admin/src/main/java/com/inspur/idm/media/dao/EleBrandDao.java

@@ -25,4 +25,6 @@ public interface EleBrandDao {
     int getElevatorBrandCount(@Param("brandId") String brandId);
 
     int getPartBrandCount(@Param("brandId") String brandId);
-}
+
+    EleBrand selectByPrimaryKeyV2(@Param("brandId") String brandId, @Param("limitCompany") String limitCompany);
+}
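Review bot: The new `selectByPrimaryKeyV2` declaration carries no Javadoc, and the `V2` suffix says nothing about how it differs from `selectByPrimaryKey` declared above it, which is exactly the distinction a later maintainer must not get wrong. The mapper in EleBrandDao.xml applies the `create_company` filter only when `limitCompany` is non-null, so that contract belongs on the interface: `/** Looks up a brand by id, restricted to rows whose create_company equals {@code limitCompany}; a null limitCompany applies no ownership restriction. */`. The same applies to `selectByPrimaryKeyV2` in EleEstateDao.java (where the filter is keyed on `limitUser`) and in ElePartTypeDao.java. The rest of the interface lies outside the hunk.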

+ 4 - 1
elevator-admin/src/main/java/com/inspur/idm/media/dao/EleEstateDao.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.dao;
 import com.inspur.idm.media.po.estate.EleEstate;
 import com.inspur.idm.media.vo.estate.EleEstateQuery;
 import com.inspur.idm.media.vo.estate.EleEstateVO;
+import org.apache.ibatis.annotations.Param;
 
 import java.util.List;
 
@@ -15,6 +16,8 @@ public interface EleEstateDao {
 
     EleEstate selectByPrimaryKey(String estateId);
 
+    EleEstate selectByPrimaryKeyV2(@Param("estateId") String estateId, @Param("limitUser")String limitUser);
+
     int updateByPrimaryKeySelective(EleEstate record);
 
     int updateByPrimaryKey(EleEstate record);
@@ -22,4 +25,4 @@ public interface EleEstateDao {
     List<EleEstateVO> selectByQuery(EleEstateQuery query);
 
     List<EleEstateVO> selectByCityLevel4(String cityId);
-}
+}
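Review bot: `@Param("limitUser")String limitUser` in the new `selectByPrimaryKeyV2` declaration lacks the space after the annotation that every other parameter in this commit has; it should read `@Param("limitUser") String limitUser`. The matching call in EleEstateServiceImpl, `selectByPrimaryKeyV2(estateId,query.getLimitUser())`, has the same missing space after the comma, while the three sibling services are spaced normally.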

+ 3 - 2
elevator-admin/src/main/java/com/inspur/idm/media/dao/ElePartDao.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.dao;
 import com.inspur.idm.media.po.part.ElePart;
 import com.inspur.idm.media.vo.part.ElePartQuery;
 import com.inspur.idm.media.vo.part.ElePartVO;
+import org.apache.ibatis.annotations.Param;
 
 import java.util.List;
 
@@ -13,11 +14,11 @@ public interface ElePartDao {
 
     int insertSelective(ElePart record);
 
-    ElePart selectByPrimaryKey(String partId);
+    ElePart selectByPrimaryKey(@Param("partId") String partId, @Param("limitCompany") String limitCompany);
 
     int updateByPrimaryKeySelective(ElePart record);
 
     int updateByPrimaryKey(ElePart record);
 
     List<ElePartVO> selectByQuery(ElePartQuery query);
-}
+}
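Review bot: `selectByPrimaryKey` changes its signature in place from one parameter to two, whereas the sibling DAOs in this commit keep the original and add a separate `selectByPrimaryKeyV2`; any other caller of the single-argument form outside this diff (an update or delete path, for instance) would no longer compile, and the hunk does not show whether such callers exist. Keeping `ElePart selectByPrimaryKey(String partId);` and adding `ElePart selectByPrimaryKeyV2(@Param("partId") String partId, @Param("limitCompany") String limitCompany);` with a matching statement id in ElePartDao.xml would make the four DAOs consistent and keep the change additive. With two `@Param` arguments MyBatis passes a parameter map, so the `parameterType="java.lang.String"` left on the scoped statement in ElePartDao.xml is misleading and is best dropped.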

+ 3 - 1
elevator-admin/src/main/java/com/inspur/idm/media/dao/ElePartTypeDao.java

@@ -16,6 +16,8 @@ public interface ElePartTypeDao {
 
     ElePartType selectByPrimaryKey(String partTypeId);
 
+    ElePartType selectByPrimaryKeyV2(@Param("partTypeId") String partTypeId, @Param("limitCompany") String limitCompany);
+
     int updateByPrimaryKeySelective(ElePartType record);
 
     int updateByPrimaryKeyWithBLOBs(ElePartType record);
@@ -27,4 +29,4 @@ public interface ElePartTypeDao {
     int getElePartCountByType(@Param("partTypeId") String partTypeId);
 
     List<String> selectPartTypeIdsByParent(@Param("partTypeId") String partTypeId);
-}
+}

+ 5 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/EleBrandServiceImpl.java

@@ -4,6 +4,7 @@ import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import com.inspur.idm.media.dao.EleBrandDao;
 import com.inspur.idm.media.po.brand.EleBrand;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.brand.EleBrandVO;
 import com.inspur.idm.media.vo.brand.EleBrandQuery;
 import com.inspur.idm.media.vo.brand.EleBrandDTO;
@@ -28,7 +29,10 @@ public class EleBrandServiceImpl implements EleBrandService {
 
     @Override
     public EleBrandVO getEleBrandById(String brandId) {
-        EleBrand po = eleBrandDao.selectByPrimaryKey(brandId);
+        EleBrandQuery query = new EleBrandQuery();
+        MyUserUtil.addDataAuth(query);
+        EleBrand po = eleBrandDao.selectByPrimaryKeyV2(brandId, query.getLimitCompany());
+        // EleBrand po = eleBrandDao.selectByPrimaryKey(brandId);
         if(po == null){
             return null;
         }
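Review bot: The commented-out call left under the new lookup, `// EleBrand po = eleBrandDao.selectByPrimaryKey(brandId);`, is dead code from the fix and should be deleted rather than kept as a reminder; version control keeps the history. The scoped lookup returns null both when no brand with that id exists and when the brand belongs to another company, so the caller cannot tell the two apart — that is the right behaviour if the endpoint should not confirm that an id exists, but it deserves a one-line comment so nobody "fixes" it later: `// null covers both a missing id and a brand outside the caller's company; do not distinguish the two`. The same pattern appears in EleEstateServiceImpl, ElePartServiceImpl and ElePartTypeServiceImpl. `getEleBrandById` continues past the hunk.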

+ 4 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/EleEstateServiceImpl.java

@@ -6,6 +6,7 @@ import com.inspur.idm.media.dao.EleBuildingEquipmentDao;
 import com.inspur.idm.media.dao.EleCompanyDao;
 import com.inspur.idm.media.po.company.EleCompany;
 import com.inspur.idm.media.po.estate.EleEstate;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.estate.EleEstateDTO;
 import com.inspur.idm.media.vo.estate.EleEstateQuery;
 import com.inspur.idm.media.vo.estate.EleEstateVO;
@@ -41,7 +42,9 @@ public class EleEstateServiceImpl implements EleEstateService {
 
     @Override
     public EleEstateVO getEleEstateById(String estateId) {
-        EleEstate po = EleEstateDao.selectByPrimaryKey(estateId);
+        EleEstateQuery query = new EleEstateQuery();
+        MyUserUtil.addDataAuth(query);
+        EleEstate po = EleEstateDao.selectByPrimaryKeyV2(estateId,query.getLimitUser());
         if(po == null){
             return null;
         }

+ 4 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/ElePartServiceImpl.java

@@ -8,6 +8,7 @@ import com.inspur.idm.media.dao.ElePartTypeDao;
 import com.inspur.idm.media.po.brand.EleBrand;
 import com.inspur.idm.media.po.company.EleCompany;
 import com.inspur.idm.media.po.part.ElePartType;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.part.ElePartVO;
 import com.inspur.idm.media.vo.part.ElePartQuery;
 import com.inspur.idm.media.vo.part.ElePartDTO;
@@ -43,7 +44,9 @@ public class ElePartServiceImpl implements ElePartService {
 
     @Override
     public ElePartVO getElePartById(String partId) {
-        ElePart po = ElePartDao.selectByPrimaryKey(partId);
+        ElePartQuery query = new ElePartQuery();
+        MyUserUtil.addDataAuth(query);
+        ElePart po = ElePartDao.selectByPrimaryKey(partId, query.getLimitCompany());
         if(po == null){
             return null;
         }

+ 4 - 1
elevator-admin/src/main/java/com/inspur/idm/media/service/ElePartTypeServiceImpl.java

@@ -3,6 +3,7 @@ package com.inspur.idm.media.service;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import com.inspur.idm.media.po.part.ElePartType;
+import com.inspur.idm.media.util.MyUserUtil;
 import com.inspur.idm.media.vo.part.ElePartTypeDTO;
 import com.inspur.idm.media.vo.part.ElePartTypeQuery;
 import com.inspur.idm.media.vo.part.ElePartTypeVO;
@@ -43,7 +44,9 @@ public class ElePartTypeServiceImpl implements ElePartTypeService {
 
     @Override
     public ElePartTypeVO getElePartTypeById(String partTypeId) {
-        ElePartType po = ElePartTypeDao.selectByPrimaryKey(partTypeId);
+        ElePartTypeQuery query = new ElePartTypeQuery();
+        MyUserUtil.addDataAuth(query);
+        ElePartType po = ElePartTypeDao.selectByPrimaryKeyV2(partTypeId, query.getLimitCompany());
         if(po == null){
             return null;
         }

+ 16 - 7
elevator-admin/src/main/resources/mapper/media/EleBrandDao.xml

@@ -13,25 +13,34 @@
     <result column="create_company" jdbcType="VARCHAR" property="createCompany" />
   </resultMap>
   <sql id="Base_Column_List">
-    brand_id, brand_intro, brand_logo, brand_name, brand_name_english, brand_type, data_status, 
+    brand_id, brand_intro, brand_logo, brand_name, brand_name_english, brand_type, data_status,
     description, create_company
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="BaseResultMap">
-    select 
+    select
     <include refid="Base_Column_List" />
     from `ele_brand`
     where brand_id = #{brandId,jdbcType=VARCHAR}
   </select>
+  <select id="selectByPrimaryKeyV2" parameterType="java.lang.String" resultMap="BaseResultMap">
+    select
+    <include refid="Base_Column_List" />
+    from `ele_brand`
+    where brand_id = #{brandId,jdbcType=VARCHAR}
+    <if test="limitCompany!= null">
+      and create_company = #{limitCompany}
+    </if>
+  </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `ele_brand`
     where brand_id = #{brandId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.brand.EleBrand">
-    insert into `ele_brand` (brand_id, brand_intro, brand_logo, 
-      brand_name, brand_name_english, brand_type, 
+    insert into `ele_brand` (brand_id, brand_intro, brand_logo,
+      brand_name, brand_name_english, brand_type,
       data_status, description)
-    values (#{brandId,jdbcType=VARCHAR}, #{brandIntro,jdbcType=VARCHAR}, #{brandLogo,jdbcType=VARCHAR}, 
-      #{brandName,jdbcType=VARCHAR}, #{brandNameEnglish,jdbcType=VARCHAR}, #{brandType,jdbcType=VARCHAR}, 
+    values (#{brandId,jdbcType=VARCHAR}, #{brandIntro,jdbcType=VARCHAR}, #{brandLogo,jdbcType=VARCHAR},
+      #{brandName,jdbcType=VARCHAR}, #{brandNameEnglish,jdbcType=VARCHAR}, #{brandType,jdbcType=VARCHAR},
       #{dataStatus,jdbcType=INTEGER}, #{description,jdbcType=VARCHAR})
   </insert>
   <insert id="insertSelective" parameterType="com.inspur.idm.media.po.brand.EleBrand">
@@ -182,4 +191,4 @@
   </select>
 
 
-</mapper>
+</mapper>
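Review bot: The ownership filter in `selectByPrimaryKeyV2` is wrapped in `<if test="limitCompany!= null">`, so whenever `MyUserUtil.addDataAuth` leaves `limitCompany` unset the statement silently degrades to the unscoped `selectByPrimaryKey` it was introduced to replace; nothing in this diff shows which principals receive a null value, so this is either an intended administrator bypass or a fail-open hole, and the mapper should say which: `<!-- null limitCompany = no ownership restriction; confirm addDataAuth sets it for every non-administrator -->`. If unrestricted access is not a supported case, drop the `<if>` and make `and create_company = #{limitCompany}` unconditional so a missing scope fails closed. The `deleteByPrimaryKey` statement visible just below the new select still has no `create_company` condition; whether its service caller applies an equivalent check is outside this diff. `parameterType="java.lang.String"` on a statement that now receives two named parameters is misleading and is best removed. The same `<if>` guard appears in ElePartDao.xml, ElePartTypeDao.xml and, keyed on `limitUser`, EleEstateDao.xml.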

+ 24 - 14
elevator-admin/src/main/resources/mapper/media/EleEstateDao.xml

@@ -23,32 +23,42 @@
     <result column="create_by" jdbcType="VARCHAR" property="createBy" />
   </resultMap>
   <sql id="Base_Column_List">
-    estate_id, address, building_count, capture_interval, city_id, coordinates, create_time, 
-    data_status, enable_capture, estate_code, estate_company_id, estate_name, estate_photo_file_url, 
+    estate_id, address, building_count, capture_interval, city_id, coordinates, create_time,
+    data_status, enable_capture, estate_code, estate_company_id, estate_name, estate_photo_file_url,
     estate_type, home_count, short_msg_alert, `years`, bc_status, create_by
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="BaseResultMap">
-    select 
+    select
+    <include refid="Base_Column_List" />
+    from `ele_estate`
+    where estate_id = #{estateId,jdbcType=VARCHAR}
+  </select>
+  <select id="selectByPrimaryKeyV2" parameterType="java.lang.String" resultMap="BaseResultMap">
+    select
     <include refid="Base_Column_List" />
     from `ele_estate`
     where estate_id = #{estateId,jdbcType=VARCHAR}
+    <if test="limitUser != null">
+      and (create_by = #{limitUser} or estate_id in (select estate_id from ele_info_usage where elevator_id in
+      (select elevator_id from pf_user_elevator where user_id = #{limitUser})))
+    </if>
   </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `ele_estate`
     where estate_id = #{estateId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.estate.EleEstate">
-    insert into `ele_estate` (estate_id, address, building_count, 
-      capture_interval, city_id, coordinates, 
-      create_time, data_status, enable_capture, 
-      estate_code, estate_company_id, estate_name, 
-      estate_photo_file_url, estate_type, home_count, 
+    insert into `ele_estate` (estate_id, address, building_count,
+      capture_interval, city_id, coordinates,
+      create_time, data_status, enable_capture,
+      estate_code, estate_company_id, estate_name,
+      estate_photo_file_url, estate_type, home_count,
       short_msg_alert, `years`)
-    values (#{estateId,jdbcType=VARCHAR}, #{address,jdbcType=VARCHAR}, #{buildingCount,jdbcType=INTEGER}, 
-      #{captureInterval,jdbcType=INTEGER}, #{cityId,jdbcType=VARCHAR}, #{coordinates,jdbcType=VARCHAR}, 
-      #{createTime,jdbcType=TIMESTAMP}, #{dataStatus,jdbcType=INTEGER}, #{enableCapture,jdbcType=INTEGER}, 
-      #{estateCode,jdbcType=VARCHAR}, #{estateCompanyId,jdbcType=VARCHAR}, #{estateName,jdbcType=VARCHAR}, 
-      #{estatePhotoFileUrl,jdbcType=VARCHAR}, #{estateType,jdbcType=INTEGER}, #{homeCount,jdbcType=INTEGER}, 
+    values (#{estateId,jdbcType=VARCHAR}, #{address,jdbcType=VARCHAR}, #{buildingCount,jdbcType=INTEGER},
+      #{captureInterval,jdbcType=INTEGER}, #{cityId,jdbcType=VARCHAR}, #{coordinates,jdbcType=VARCHAR},
+      #{createTime,jdbcType=TIMESTAMP}, #{dataStatus,jdbcType=INTEGER}, #{enableCapture,jdbcType=INTEGER},
+      #{estateCode,jdbcType=VARCHAR}, #{estateCompanyId,jdbcType=VARCHAR}, #{estateName,jdbcType=VARCHAR},
+      #{estatePhotoFileUrl,jdbcType=VARCHAR}, #{estateType,jdbcType=INTEGER}, #{homeCount,jdbcType=INTEGER},
       #{shortMsgAlert,jdbcType=INTEGER}, #{years,jdbcType=VARCHAR})
   </insert>
   <insert id="insertSelective" parameterType="com.inspur.idm.media.po.estate.EleEstate">
@@ -300,4 +310,4 @@
   <select id="selectByCityLevel4" resultType="com.inspur.idm.media.vo.estate.EleEstateVO">
     select * from `ele_estate` where city_id  = #{cityId}
   </select>
-</mapper>
+</mapper>
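Review bot: Estate visibility in `selectByPrimaryKeyV2` is scoped per user (`create_by = #{limitUser}` or an elevator assignment through `ele_info_usage` and `pf_user_elevator`), whereas every other entity in this commit is scoped per company through `create_company`, and nothing in the mapper explains the asymmetry. A comment above the `<if>` would keep the next reader from "harmonising" it: `<!-- estates are visible to their creator or to users assigned one of the estate's elevators; they are not company-scoped like brands and parts -->` — confirm that wording against the actual access rules, which I can only infer from the SQL. The new statement also duplicates the whole body of `selectByPrimaryKey` apart from the `<if>`; moving the shared `select ... from ele_estate where estate_id = ...` into a `<sql>` fragment included from both would keep the two from drifting.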

+ 12 - 9
elevator-admin/src/main/resources/mapper/media/ElePartDao.xml

@@ -16,27 +16,30 @@
     <result column="create_company" jdbcType="VARCHAR" property="createCompany" />
   </resultMap>
   <sql id="Base_Column_List">
-    part_id, brand_id, create_time, data_status, description, manufact_company_id, parent_id, 
+    part_id, brand_id, create_time, data_status, description, manufact_company_id, parent_id,
     part_model, part_name, part_type_id, validity, create_company
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="BaseResultMap">
-    select 
+    select
     <include refid="Base_Column_List" />
     from `ele_part`
     where part_id = #{partId,jdbcType=VARCHAR}
+    <if test="limitCompany!= null">
+      and ele_part.create_company = #{limitCompany}
+    </if>
   </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `ele_part`
     where part_id = #{partId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.part.ElePart">
-    insert into `ele_part` (part_id, brand_id, create_time, 
-      data_status, description, manufact_company_id, 
-      parent_id, part_model, part_name, 
+    insert into `ele_part` (part_id, brand_id, create_time,
+      data_status, description, manufact_company_id,
+      parent_id, part_model, part_name,
       part_type_id, validity)
-    values (#{partId,jdbcType=VARCHAR}, #{brandId,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, 
-      #{dataStatus,jdbcType=INTEGER}, #{description,jdbcType=VARCHAR}, #{manufactCompanyId,jdbcType=VARCHAR}, 
-      #{parentId,jdbcType=VARCHAR}, #{partModel,jdbcType=VARCHAR}, #{partName,jdbcType=VARCHAR}, 
+    values (#{partId,jdbcType=VARCHAR}, #{brandId,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP},
+      #{dataStatus,jdbcType=INTEGER}, #{description,jdbcType=VARCHAR}, #{manufactCompanyId,jdbcType=VARCHAR},
+      #{parentId,jdbcType=VARCHAR}, #{partModel,jdbcType=VARCHAR}, #{partName,jdbcType=VARCHAR},
       #{partTypeId,jdbcType=VARCHAR}, #{validity,jdbcType=INTEGER})
   </insert>
   <insert id="insertSelective" parameterType="com.inspur.idm.media.po.part.ElePart">
@@ -220,4 +223,4 @@
       </otherwise>
     </choose>
   </select>
-</mapper>
+</mapper>

+ 17 - 6
elevator-admin/src/main/resources/mapper/media/ElePartTypeDao.xml

@@ -21,23 +21,34 @@
     path_code
   </sql>
   <select id="selectByPrimaryKey" parameterType="java.lang.String" resultMap="ResultMapWithBLOBs">
-    select 
+    select
+    <include refid="Base_Column_List" />
+    ,
+    <include refid="Blob_Column_List" />
+    from `ele_part_type`
+    where part_type_id = #{partTypeId,jdbcType=VARCHAR}
+  </select>
+  <select id="selectByPrimaryKeyV2" parameterType="java.lang.String" resultMap="ResultMapWithBLOBs">
+    select
     <include refid="Base_Column_List" />
     ,
     <include refid="Blob_Column_List" />
     from `ele_part_type`
     where part_type_id = #{partTypeId,jdbcType=VARCHAR}
+    <if test="limitCompany!= null">
+      and create_company = #{limitCompany}
+    </if>
   </select>
   <delete id="deleteByPrimaryKey" parameterType="java.lang.String">
     delete from `ele_part_type`
     where part_type_id = #{partTypeId,jdbcType=VARCHAR}
   </delete>
   <insert id="insert" parameterType="com.inspur.idm.media.po.part.ElePartType">
-    insert into `ele_part_type` (part_type_id, create_time, importancy, 
-      `level`, parent_id, part_type_name, 
+    insert into `ele_part_type` (part_type_id, create_time, importancy,
+      `level`, parent_id, part_type_name,
       part_type_name_english, path_code)
-    values (#{partTypeId,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, #{importancy,jdbcType=VARCHAR}, 
-      #{level,jdbcType=INTEGER}, #{parentId,jdbcType=VARCHAR}, #{partTypeName,jdbcType=VARCHAR}, 
+    values (#{partTypeId,jdbcType=VARCHAR}, #{createTime,jdbcType=TIMESTAMP}, #{importancy,jdbcType=VARCHAR},
+      #{level,jdbcType=INTEGER}, #{parentId,jdbcType=VARCHAR}, #{partTypeName,jdbcType=VARCHAR},
       #{partTypeNameEnglish,jdbcType=VARCHAR}, #{pathCode,jdbcType=LONGVARCHAR})
   </insert>
   <insert id="insertSelective" parameterType="com.inspur.idm.media.po.part.ElePartType">
@@ -198,4 +209,4 @@
       path_code like concat('%',#{partTypeId,jdbcType=VARCHAR},'-%')
     </where>
   </select>
-</mapper>
+</mapper>