fix: 插件操作加入权限控制，解决普通用户或者API能越权上传卸载插件问题

backend/src/main/java/io/dataease/controller/sys/SysPluginController.java

@@ -10,6 +10,7 @@ import io.dataease.controller.sys.request.PluginStatus;
 import io.dataease.service.sys.PluginService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@@ -29,6 +30,7 @@ public class SysPluginController {
 
     @ApiOperation("查询已安装插件")
     @PostMapping("/pluginGrid/{goPage}/{pageSize}")
+    @RequiresPermissions("plugin:read")
     public Pager<List<MyPlugin>> pluginGrid(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody BaseGridRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, pluginService.query(request));
@@ -36,19 +38,21 @@ public class SysPluginController {
 
     @ApiOperation("安装插件")
     @PostMapping("upload")
+    @RequiresPermissions("plugin:upload")
     public Map<String, Object> localUpload(@RequestParam("file") MultipartFile file) throws Exception {
         return pluginService.localInstall(file);
     }
 
     @ApiOperation("卸载插件")
     @PostMapping("/uninstall/{pluginId}")
+    @RequiresPermissions("plugin:uninstall")
     public Boolean unInstall(@PathVariable Long pluginId) {
         return pluginService.uninstall(pluginId);
     }
 
-    @ApiOperation("切换插件状态")
-    @PostMapping("/changeStatus")
-    public Boolean changeStatus(@RequestBody PluginStatus pluginStatus) {
-        return pluginService.changeStatus(pluginStatus.getPluginId(), pluginStatus.getStatus());
-    }
+//    @ApiOperation("切换插件状态")
+//    @PostMapping("/changeStatus")
+//    public Boolean changeStatus(@RequestBody PluginStatus pluginStatus) {
+//        return pluginService.changeStatus(pluginStatus.getPluginId(), pluginStatus.getStatus());
+//    }
 }

backend/src/main/resources/db/migration/V36__1.11.2.sql

@@ -0,0 +1,2 @@
+INSERT INTO `sys_menu` (`menu_id`, `pid`, `sub_count`, `type`, `title`, `name`, `component`, `menu_sort`, `icon`, `path`, `i_frame`, `cache`, `hidden`, `permission`, `create_by`, `update_by`, `create_time`, `update_time`) VALUES (102, 101, 0, 2, '上传插件', NULL, NULL, 999, NULL, NULL, b'0', b'0', b'0', 'plugin:upload', NULL, NULL, 1614930862373, 1614930862373);
+INSERT INTO `sys_menu` (`menu_id`, `pid`, `sub_count`, `type`, `title`, `name`, `component`, `menu_sort`, `icon`, `path`, `i_frame`, `cache`, `hidden`, `permission`, `create_by`, `update_by`, `create_time`, `update_time`) VALUES (103, 101, 0, 2, '卸载插件', NULL, NULL, 999, NULL, NULL, b'0', b'0', b'0', 'plugin:uninstall', NULL, NULL, 1614930862373, 1614930862373);

frontend/src/views/system/plugin/index.vue

@@ -9,6 +9,7 @@
     >
       <template #toolbar>
         <el-upload
+          v-permission="['plugin:upload']"
           :action="baseUrl+'api/plugin/upload'"
           :multiple="false"
           :show-file-list="false"
@@ -54,7 +55,7 @@
 import LayoutContent from '@/components/business/LayoutContent'
 import ComplexTable from '@/components/business/complex-table'
 
-// import { checkPermission } from '@/utils/permission'
+import { checkPermission } from '@/utils/permission'
 import { formatCondition, formatQuickCondition } from '@/utils/index'
 import { pluginLists, uninstall } from '@/api/system/plugin'
 import { getToken } from '@/utils/auth'
@@ -72,6 +73,7 @@ export default {
         // }
         {
           label: this.$t('plugin.un_install'), icon: 'el-icon-delete', type: 'danger', click: this.del,
+          show: checkPermission(['plugin:uninstall']),
           disabled: this.btnDisabled
         }
       ],