fix: 分享收藏接口sql-inject
This commit is contained in:
parent
f5f3214271
commit
5dd5c3b31b
@ -31,8 +31,7 @@ public interface ShareApi {
|
||||
|
||||
@ApiOperation("查询分享给我")
|
||||
@PostMapping("/treeList")
|
||||
@SqlInjectValidator(value = {"s.create_time"})
|
||||
List<PanelShareDto> treeList(BaseGridRequest request);
|
||||
List<PanelShareDto> treeList();
|
||||
|
||||
@ApiOperation("查询我分享的")
|
||||
@PostMapping("/shareOut")
|
||||
|
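Review bot: The new no-argument `treeList()` is still mapped with `@PostMapping("/treeList")`, so a client that keeps sending the old `BaseGridRequest` body will presumably have its conditions and ordering silently ignored rather than rejected, and nothing in the interface says so. Stating that in the operation annotation would surface it in the generated API docs, e.g. `@ApiOperation(value = "查询分享给我", notes = "Ordering is fixed server-side (create_time desc); request bodies are not accepted.")`. If the `BaseGridRequest` and `SqlInjectValidator` imports of ShareApi are now unreferenced, they should be dropped as was done for StoreApi in this commit; the import section of ShareApi is outside the hunk.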
@ -2,15 +2,12 @@ package io.dataease.controller.panel.api;
|
||||
|
||||
import com.github.xiaoymin.knife4j.annotations.ApiSupport;
|
||||
import io.dataease.auth.annotation.DePermission;
|
||||
import io.dataease.auth.annotation.SqlInjectValidator;
|
||||
import io.dataease.commons.constants.DePermissionType;
|
||||
import io.dataease.controller.sys.base.BaseGridRequest;
|
||||
import io.dataease.dto.panel.PanelStoreDto;
|
||||
import io.swagger.annotations.Api;
|
||||
import io.swagger.annotations.ApiOperation;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
|
||||
import java.util.List;
|
||||
@ -32,8 +29,7 @@ public interface StoreApi {
|
||||
|
||||
@ApiOperation("查询收藏")
|
||||
@PostMapping("/list")
|
||||
@SqlInjectValidator(value = {"s.create_time"})
|
||||
List<PanelStoreDto> list(@RequestBody BaseGridRequest request);
|
||||
List<PanelStoreDto> list();
|
||||
|
||||
|
||||
@ApiOperation("移除收藏")
|
||||
|
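Review bot: The `import org.springframework.web.bind.annotation.RequestBody;` line in the import hunk may now be unused, since the only `@RequestBody` visible in this section was on the removed `list(@RequestBody BaseGridRequest request)` signature; I cannot see the rest of the interface, so keep it only if another method still uses it. The new `list()` endpoint, like `treeList()` in ShareApi, no longer documents that filtering and ordering are fixed server-side; a note on `@ApiOperation("查询收藏")` would make the changed contract visible to API consumers.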
@ -1,14 +1,13 @@
|
||||
package io.dataease.controller.panel.server;
|
||||
|
||||
import io.dataease.plugins.common.base.domain.PanelShare;
|
||||
import io.dataease.controller.panel.api.ShareApi;
|
||||
import io.dataease.controller.request.panel.PanelShareFineDto;
|
||||
import io.dataease.controller.request.panel.PanelShareRemoveRequest;
|
||||
import io.dataease.controller.request.panel.PanelShareSearchRequest;
|
||||
import io.dataease.controller.sys.base.BaseGridRequest;
|
||||
import io.dataease.dto.panel.PanelShareDto;
|
||||
import io.dataease.dto.panel.PanelShareOutDTO;
|
||||
import io.dataease.dto.panel.PanelSharePo;
|
||||
import io.dataease.plugins.common.base.domain.PanelShare;
|
||||
import io.dataease.service.panel.ShareService;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
@ -24,8 +23,8 @@ public class ShareServer implements ShareApi {
|
||||
private ShareService shareService;
|
||||
|
||||
@Override
|
||||
public List<PanelShareDto> treeList(@RequestBody BaseGridRequest request) {
|
||||
return shareService.queryTree(request);
|
||||
public List<PanelShareDto> treeList() {
|
||||
return shareService.queryTree();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -1,7 +1,6 @@
|
||||
package io.dataease.controller.panel.server;
|
||||
|
||||
import io.dataease.controller.panel.api.StoreApi;
|
||||
import io.dataease.controller.sys.base.BaseGridRequest;
|
||||
import io.dataease.dto.panel.PanelStoreDto;
|
||||
import io.dataease.service.panel.StoreService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -21,8 +20,8 @@ public class StoreServer implements StoreApi {
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<PanelStoreDto> list(BaseGridRequest request) {
|
||||
return storeService.query(request);
|
||||
public List<PanelStoreDto> list() {
|
||||
return storeService.query();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -2,10 +2,11 @@ package io.dataease.ext;
|
||||
|
||||
import io.dataease.ext.query.GridExample;
|
||||
import io.dataease.dto.panel.PanelStoreDto;
|
||||
import org.apache.ibatis.annotations.Param;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
public interface ExtPanelStoreMapper {
|
||||
|
||||
List<PanelStoreDto> query(GridExample example);
|
||||
List<PanelStoreDto> query(@Param("uid") Long uid);
|
||||
}
|
||||
|
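Review bot: `List<PanelStoreDto> query(@Param("uid") Long uid);` has no Javadoc, and since the mapper XML now hard-codes the filter and ordering the Java contract is the only place a caller can learn them. A one-liner such as `/** Panels stored by the given user, newest first; {@code uid} is bound as a parameter, never interpolated. */` would document both the result and the security property this commit establishes. If `GridExample` is no longer referenced in this interface, its import should be gone from the new side as well.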
@ -2,7 +2,7 @@
|
||||
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
|
||||
<mapper namespace="io.dataease.ext.ExtPanelStoreMapper">
|
||||
|
||||
<resultMap id="panelStoreMap" type="io.dataease.dto.panel.PanelStoreDto" >
|
||||
<resultMap id="panelStoreMap" type="io.dataease.dto.panel.PanelStoreDto">
|
||||
<id column="store_id" property="storeId"></id>
|
||||
<result column="panel_group_id" property="panelGroupId"></result>
|
||||
<result column="name" property="name"></result>
|
||||
@ -10,26 +10,14 @@
|
||||
</resultMap>
|
||||
|
||||
|
||||
|
||||
|
||||
<select id="query" parameterType="io.dataease.ext.query.GridExample" resultMap="panelStoreMap">
|
||||
select s.store_id,s.panel_group_id, g.name ,g.status
|
||||
from panel_store s
|
||||
inner join panel_group g on g.id = s.panel_group_id
|
||||
<if test="_parameter != null">
|
||||
<include refid="io.dataease.ext.query.GridSql.gridCondition" />
|
||||
</if>
|
||||
<if test="orderByClause != null">
|
||||
order by ${orderByClause}
|
||||
</if>
|
||||
<if test="orderByClause == null">
|
||||
order by s.create_time desc
|
||||
</if>
|
||||
select s.store_id, s.panel_group_id, g.name, g.status
|
||||
from panel_store s
|
||||
inner join panel_group g on g.id = s.panel_group_id
|
||||
where s.user_id = #{uid}
|
||||
order by s.create_time desc
|
||||
|
||||
</select>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</mapper>
|
||||
|
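Review bot: `<select id="query" parameterType="io.dataease.ext.query.GridExample" resultMap="panelStoreMap">` at the top of the hunk still declares the old parameter type, while the mapper method now passes `@Param("uid") Long uid`; if that line is unchanged context, drop the `parameterType` attribute (or set it to `java.lang.Long`) so the statement no longer advertises the removed grid flow. The new body is otherwise right for the purpose of the commit: `where s.user_id = #{uid}` binds the value as a parameter and the fixed `order by s.create_time desc` replaces the interpolated `${orderByClause}`, so no caller-controlled text reaches the SQL any more. A short XML comment above the select, `<!-- filter and ordering are fixed; do not reintroduce ${} interpolation here -->`, would help keep it that way.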
@ -338,7 +338,7 @@ public class ShareService {
|
||||
return extPanelShareMapper.queryOut(username);
|
||||
}
|
||||
|
||||
public List<PanelShareDto> queryTree(BaseGridRequest request) {
|
||||
public List<PanelShareDto> queryTree() {
|
||||
CurrentUserDto user = AuthUtils.getUser();
|
||||
Long userId = user.getUserId();
|
||||
Long deptId = user.getDeptId();
|
||||
|
@ -1,18 +1,14 @@
|
||||
package io.dataease.service.panel;
|
||||
|
||||
import io.dataease.ext.ExtPanelStoreMapper;
|
||||
import io.dataease.ext.query.GridExample;
|
||||
import io.dataease.commons.utils.AuthUtils;
|
||||
import io.dataease.controller.sys.base.BaseGridRequest;
|
||||
import io.dataease.controller.sys.base.ConditionEntity;
|
||||
import io.dataease.dto.panel.PanelStoreDto;
|
||||
import io.dataease.ext.ExtPanelStoreMapper;
|
||||
import io.dataease.plugins.common.base.domain.PanelStore;
|
||||
import io.dataease.plugins.common.base.domain.PanelStoreExample;
|
||||
import io.dataease.plugins.common.base.mapper.PanelStoreMapper;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@Service
|
||||
@ -40,17 +36,9 @@ public class StoreService {
|
||||
panelStoreMapper.deleteByExample(panelStoreExample);
|
||||
}
|
||||
|
||||
public List<PanelStoreDto> query(BaseGridRequest request) {
|
||||
public List<PanelStoreDto> query() {
|
||||
Long userId = AuthUtils.getUser().getUserId();
|
||||
ConditionEntity condition = new ConditionEntity();
|
||||
condition.setField("s.user_id");
|
||||
condition.setOperator("eq");
|
||||
condition.setValue(userId);
|
||||
request.setConditions(new ArrayList<ConditionEntity>() {{
|
||||
add(condition);
|
||||
}});
|
||||
GridExample example = request.convertExample();
|
||||
return extPanelStoreMapper.query(example);
|
||||
return extPanelStoreMapper.query(userId);
|
||||
}
|
||||
|
||||
public Long count(String panelId) {
|
||||
|
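Review bot: `Long userId = AuthUtils.getUser().getUserId();` in the new `query()` dereferences the current user without a check; if `AuthUtils.getUser()` can return null for an unauthenticated caller (not visible here), the method fails with a NullPointerException instead of a clear error, and `queryTree()` in ShareService follows the same pattern. A guard such as `Objects.requireNonNull(AuthUtils.getUser(), "no authenticated user")` would make the failure explicit. The method also lost its parameter and with it any hint of what it returns; a Javadoc like `/** Panels stored by the current user, newest first. Filtering and ordering are fixed in ExtPanelStoreMapper.xml so that no request input is interpolated into SQL. */` documents the new contract. `count(String panelId)` at the end of the hunk is cut off.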