Merge pull request #4715 from dataease/pr@dev@fix_link-leak
fix: 修复公共链接获取多余用户信息漏洞问题
This commit is contained in:
commit
fb0fe9e57c
@ -17,4 +17,9 @@ public class CurrentUserDto extends SysUserEntity implements Serializable {
|
||||
|
||||
@ApiModelProperty("权限集合")
|
||||
private List<String> permissions;
|
||||
|
||||
public CurrentUserDto(String username, String nickName) {
|
||||
super.setUsername(username);
|
||||
super.setNickName(nickName);
|
||||
}
|
||||
}
|
||||
|
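Review bot: The new two-argument constructor `public CurrentUserDto(String username, String nickName)` carries no comment saying that it deliberately sets only username and nickName, so a later edit could add further setters and reintroduce the over-exposure this commit's title describes. Suggest a Javadoc on it such as `/** Minimal DTO for public-link responses: only username and nickName are populated on purpose; do not copy other SysUserEntity fields here. */`. The class body continues outside the hunk.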
@ -129,7 +129,7 @@ public class ShiroServiceImpl implements ShiroService {
|
||||
filterChainDefinitionMap.put("/panel/group/exportDetails", ANON);
|
||||
filterChainDefinitionMap.put("/dataset/field/linkMultFieldValues", "link");
|
||||
filterChainDefinitionMap.put("/dataset/field/linkMappingFieldValues", "link");
|
||||
filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo/**", ANON);
|
||||
filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo", ANON);
|
||||
|
||||
filterChainDefinitionMap.put("/**", "authc");
|
||||
|
||||
|
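Review bot: The route stays anonymous after the pattern change on `filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo", ANON);`, so the only gate on the endpoint is the link-token header that the controller reads and decodes itself. The neighbouring link endpoints `/dataset/field/linkMultFieldValues` and `/dataset/field/linkMappingFieldValues` are mapped to the `"link"` filter instead; if that filter validates the link token, mapping this route the same way, `filterChainDefinitionMap.put("/systemInfo/proxyUserLoginInfo", "link");`, would enforce the check before the controller runs. The enclosing method starts and ends outside the hunk.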
@ -1,14 +1,20 @@
|
||||
package io.dataease.controller.sys;
|
||||
|
||||
import com.auth0.jwt.JWT;
|
||||
import com.auth0.jwt.interfaces.DecodedJWT;
|
||||
import io.dataease.auth.filter.F2CLinkFilter;
|
||||
import io.dataease.dto.UserLoginInfoDTO;
|
||||
import io.dataease.service.SystemInfoService;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.context.request.RequestContextHolder;
|
||||
import org.springframework.web.context.request.ServletRequestAttributes;
|
||||
import springfox.documentation.annotations.ApiIgnore;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
@ApiIgnore
|
||||
@ -23,8 +29,17 @@ public class SystemInfoController {
|
||||
return systemInfoService.getUserLoginInfo(null);
|
||||
}
|
||||
|
||||
@GetMapping("proxyUserLoginInfo/{userId}")
|
||||
public UserLoginInfoDTO proxyUserLoginInfo(@PathVariable String userId) throws IOException {
|
||||
return systemInfoService.getUserLoginInfo(userId);
|
||||
@GetMapping("proxyUserLoginInfo")
|
||||
public UserLoginInfoDTO proxyUserLoginInfo() throws IOException {
|
||||
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes())
|
||||
.getRequest();
|
||||
String linkToken = request.getHeader(F2CLinkFilter.LINK_TOKEN_KEY);
|
||||
if (StringUtils.isNotEmpty(linkToken)) {
|
||||
DecodedJWT jwt = JWT.decode(linkToken);
|
||||
return systemInfoService.getUserLoginInfo(jwt.getClaim("userId").asLong());
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
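Review bot: `JWT.decode(linkToken)` in proxyUserLoginInfo() only parses the token and does not verify its signature, so the `userId` claim handed to `systemInfoService.getUserLoginInfo` comes from an unauthenticated request header on a route the filter chain marks ANON. The claim should be read only after the token has been verified with the same key and verifier the link filter uses (F2CLinkFilter is already imported; its verification entry point is not visible in this hunk), and a failed verification should yield the same null result as the missing-header branch rather than a user record. `JWT.decode` also throws on a malformed header value, which would surface as a server error here; catching `com.auth0.jwt.exceptions.JWTDecodeException` and returning null keeps the two failure paths consistent. The class body continues outside the hunk.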
@ -22,4 +22,9 @@ public class UserLoginInfoDTO {
|
||||
this.userInfo = userInfo;
|
||||
this.ip = ip;
|
||||
}
|
||||
|
||||
public UserLoginInfoDTO(String username, String nickname, String ip) {
|
||||
this.userInfo = new CurrentUserDto(username, nickname);
|
||||
this.ip = ip;
|
||||
}
|
||||
}
|
||||
|
@ -2,12 +2,10 @@ package io.dataease.service;
|
||||
|
||||
import io.dataease.auth.api.dto.CurrentUserDto;
|
||||
import io.dataease.commons.utils.AuthUtils;
|
||||
import io.dataease.commons.utils.BeanUtils;
|
||||
import io.dataease.commons.utils.IPUtils;
|
||||
import io.dataease.dto.UserLoginInfoDTO;
|
||||
import io.dataease.plugins.common.base.domain.SysUser;
|
||||
import io.dataease.plugins.common.base.mapper.SysUserMapper;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
@ -18,14 +16,18 @@ public class SystemInfoService {
|
||||
@Resource
|
||||
private SysUserMapper sysUserMapper;
|
||||
|
||||
public UserLoginInfoDTO getUserLoginInfo(String userId) {
|
||||
if (StringUtils.isNotEmpty(userId)) {
|
||||
SysUser userInfo = sysUserMapper.selectByPrimaryKey(Long.parseLong(userId));
|
||||
CurrentUserDto userDto = new CurrentUserDto();
|
||||
BeanUtils.copyBean(userDto, userInfo);
|
||||
return new UserLoginInfoDTO(userDto, IPUtils.get());
|
||||
public UserLoginInfoDTO getUserLoginInfo(Long userId) {
|
||||
if (userId != null) {
|
||||
SysUser userInfo = sysUserMapper.selectByPrimaryKey(userId);
|
||||
return new UserLoginInfoDTO(userInfo.getUsername(), userInfo.getNickName(), IPUtils.get());
|
||||
}
|
||||
CurrentUserDto userDto = AuthUtils.getUser();
|
||||
if (userDto != null) {
|
||||
return new UserLoginInfoDTO(userDto.getUsername(), userDto.getNickName(), IPUtils.get());
|
||||
} else {
|
||||
return new UserLoginInfoDTO(null, null, IPUtils.get());
|
||||
}
|
||||
return new UserLoginInfoDTO(AuthUtils.getUser(), IPUtils.get());
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
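Review bot: `sysUserMapper.selectByPrimaryKey(userId)` can return null for an unknown id, and the new line `return new UserLoginInfoDTO(userInfo.getUsername(), userInfo.getNickName(), IPUtils.get());` then throws a NullPointerException; since the id now arrives as a token claim from the caller, this path is reachable. Guard it before the return, e.g. `if (userInfo == null) { return new UserLoginInfoDTO(null, null, IPUtils.get()); }`. A one-line Javadoc on getUserLoginInfo stating that it intentionally exposes only username and nickname would also help keep later edits from widening the response again. The class continues outside the hunk.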
@ -8,9 +8,9 @@ export function userLoginInfo() {
|
||||
})
|
||||
}
|
||||
|
||||
export function proxyUserLoginInfo(userId) {
|
||||
export function proxyUserLoginInfo() {
|
||||
return request({
|
||||
url: '/systemInfo/proxyUserLoginInfo/' + userId,
|
||||
url: '/systemInfo/proxyUserLoginInfo',
|
||||
method: 'get',
|
||||
loading: false
|
||||
})
|
||||
|
@ -485,7 +485,7 @@ export default {
|
||||
activeWatermark(this.panelInfo.watermarkInfo.settingContent, this.userInfo, waterDomId, this.canvasId, this.panelInfo.watermarkOpen)
|
||||
} else {
|
||||
const method = this.userId ? proxyUserLoginInfo : userLoginInfo
|
||||
method(this.userId).then(res => {
|
||||
method().then(res => {
|
||||
this.userInfo = res.data
|
||||
activeWatermark(this.panelInfo.watermarkInfo.settingContent, this.userInfo, waterDomId, this.canvasId, this.panelInfo.watermarkOpen)
|
||||
})
|
||||
|
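Review bot: After the change to `method().then(res => {`, `this.userId` no longer reaches the server and only selects which endpoint is called, so the proxy path presumably relies on the request layer attaching the link-token header; that is not visible in this hunk. A short comment on the line above, `// userId only selects the endpoint; the server resolves the user from the link token header`, would make the dependency explicit for the next reader. The enclosing function starts and ends outside the hunk.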