fix: 修复公共链接获取多余用户信息漏洞问题

backend/src/main/java/io/dataease/auth/api/dto/CurrentUserDto.java

@@ -17,4 +17,9 @@ public class CurrentUserDto extends SysUserEntity implements Serializable {
 
     @ApiModelProperty("权限集合")
     private List<String> permissions;
+
+    public CurrentUserDto(String username, String nickName) {
+        super.setUsername(username);
+        super.setNickName(nickName);
+    }
 }

backend/src/main/java/io/dataease/auth/service/impl/ShiroServiceImpl.java

@@ -129,7 +129,7 @@ public class ShiroServiceImpl implements ShiroService {
         filterChainDefinitionMap.put("/panel/group/exportDetails", ANON);
         filterChainDefinitionMap.put("/dataset/field/linkMultFieldValues", "link");
         filterChainDefinitionMap.put("/dataset/field/linkMappingFieldValues", "link");
-        filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo/**", ANON);
+        filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo", ANON);
 
         filterChainDefinitionMap.put("/**", "authc");
 

backend/src/main/java/io/dataease/controller/sys/SystemInfoController.java

@@ -1,14 +1,20 @@
 package io.dataease.controller.sys;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import io.dataease.auth.filter.F2CLinkFilter;
 import io.dataease.dto.UserLoginInfoDTO;
 import io.dataease.service.SystemInfoService;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 import springfox.documentation.annotations.ApiIgnore;
 
 import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 @ApiIgnore
@@ -23,8 +29,17 @@ public class SystemInfoController {
         return systemInfoService.getUserLoginInfo(null);
     }
 
-    @GetMapping("proxyUserLoginInfo/{userId}")
-    public UserLoginInfoDTO proxyUserLoginInfo(@PathVariable String userId) throws IOException {
-        return systemInfoService.getUserLoginInfo(userId);
+    @GetMapping("proxyUserLoginInfo")
+    public UserLoginInfoDTO proxyUserLoginInfo() throws IOException {
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes())
+                .getRequest();
+        String linkToken = request.getHeader(F2CLinkFilter.LINK_TOKEN_KEY);
+        if (StringUtils.isNotEmpty(linkToken)) {
+            DecodedJWT jwt = JWT.decode(linkToken);
+            return systemInfoService.getUserLoginInfo(jwt.getClaim("userId").asLong());
+        } else {
+            return null;
+        }
+        
     }
 }

backend/src/main/java/io/dataease/dto/UserLoginInfoDTO.java

@@ -22,4 +22,9 @@ public class UserLoginInfoDTO {
         this.userInfo = userInfo;
         this.ip = ip;
     }
+
+    public UserLoginInfoDTO(String username, String nickname, String ip) {
+        this.userInfo = new CurrentUserDto(username, nickname);
+        this.ip = ip;
+    }
 }

backend/src/main/java/io/dataease/service/SystemInfoService.java

@@ -2,12 +2,10 @@ package io.dataease.service;
 
 import io.dataease.auth.api.dto.CurrentUserDto;
 import io.dataease.commons.utils.AuthUtils;
-import io.dataease.commons.utils.BeanUtils;
 import io.dataease.commons.utils.IPUtils;
 import io.dataease.dto.UserLoginInfoDTO;
 import io.dataease.plugins.common.base.domain.SysUser;
 import io.dataease.plugins.common.base.mapper.SysUserMapper;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
@@ -18,14 +16,18 @@ public class SystemInfoService {
     @Resource
     private SysUserMapper sysUserMapper;
 
-    public UserLoginInfoDTO getUserLoginInfo(String userId) {
-        if (StringUtils.isNotEmpty(userId)) {
-            SysUser userInfo = sysUserMapper.selectByPrimaryKey(Long.parseLong(userId));
-            CurrentUserDto userDto = new CurrentUserDto();
-            BeanUtils.copyBean(userDto, userInfo);
-            return new UserLoginInfoDTO(userDto, IPUtils.get());
+    public UserLoginInfoDTO getUserLoginInfo(Long userId) {
+        if (userId != null) {
+            SysUser userInfo = sysUserMapper.selectByPrimaryKey(userId);
+            return new UserLoginInfoDTO(userInfo.getUsername(), userInfo.getNickName(), IPUtils.get());
+        }
+        CurrentUserDto userDto = AuthUtils.getUser();
+        if (userDto != null) {
+            return new UserLoginInfoDTO(userDto.getUsername(), userDto.getNickName(), IPUtils.get());
+        } else {
+            return new UserLoginInfoDTO(null, null, IPUtils.get());
         }
-        return new UserLoginInfoDTO(AuthUtils.getUser(), IPUtils.get());
     }
 
+
 }

frontend/src/api/systemInfo/userLogin.js

@@ -8,9 +8,9 @@ export function userLoginInfo() {
   })
 }
 
-export function proxyUserLoginInfo(userId) {
+export function proxyUserLoginInfo() {
   return request({
-    url: '/systemInfo/proxyUserLoginInfo/' + userId,
+    url: '/systemInfo/proxyUserLoginInfo',
     method: 'get',
     loading: false
   })

frontend/src/components/canvas/components/editor/Preview.vue

@@ -485,7 +485,7 @@ export default {
           activeWatermark(this.panelInfo.watermarkInfo.settingContent, this.userInfo, waterDomId, this.canvasId, this.panelInfo.watermarkOpen)
         } else {
           const method = this.userId ? proxyUserLoginInfo : userLoginInfo
-          method(this.userId).then(res => {
+          method().then(res => {
             this.userInfo = res.data
             activeWatermark(this.panelInfo.watermarkInfo.settingContent, this.userInfo, waterDomId, this.canvasId, this.panelInfo.watermarkOpen)
           })