fix: 用户列表接口sql-inject

2023-09-11 09:18:39 +08:00 · 2023-09-11 09:18:39 +08:00 · d4d6cc23a1
commit d4d6cc23a1
parent 80c4385c5d
2 changed files with 13 additions and 4 deletions
--- a/core/backend/src/main/java/io/dataease/ext/ExtSysUserMapper.xml
+++ b/core/backend/src/main/java/io/dataease/ext/ExtSysUserMapper.xml
@ -73,6 +73,18 @@
            </foreach>
        </if>

+        <choose>
+            <when test="orders!=null and orders.size > 0">
+                order by
+                <foreach collection="orders" item="item" open='' separator=',' close=''>
+                    ${item}
+                </foreach>
+            </when>
+            <otherwise>
+                order by u.update_time desc
+            </otherwise>
+        </choose>
+

    </select>

--- a/core/frontend/src/views/system/user/index.vue
+++ b/core/frontend/src/views/system/user/index.vue
@ -572,11 +572,8 @@ export default {
      })
    },
    search() {
-      /* const param = {
-        orders: formatOrders(this.orderConditions),
-        conditions: [...this.cacheCondition]
-      } */
      const param = buildParam(this.cacheCondition, this.nickName)
+      param.orders = formatOrders(this.orderConditions)

      const { currentPage, pageSize } = this.paginationConfig
      userLists(currentPage, pageSize, param).then((response) => {