github/dataease
github/dataease
3
0
Fork 1
mirror of https://github.com/dataease/dataease.git synced 2025-02-25 12:03:05 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #5216 from dataease/pr@dev@fix_msg_read_api

Browse Source 
fix(消息管理): 消息批量已读api存在IDOR安全漏洞
This commit is contained in:
fit2cloud-chenyw 2023-05-15 15:59:58 +08:00 committed by GitHub
commit 131bd11c9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
backend/src/main/java/io/dataease/ext/ExtSysMsgMapper.java
View File

@ -19,9 +19,10 @@ public interface ExtSysMsgMapper {
"<foreach collection='msgIds' item='msgId' open='(' separator=',' close=')' >", "<foreach collection='msgIds' item='msgId' open='(' separator=',' close=')' >",
" #{msgId}", " #{msgId}",
"</foreach>", "</foreach>",
" and user_id = #{uid}",
"</script>" "</script>"
}) })
int batchStatus(@Param("msgIds") List<Long> msgIds, @Param("time") Long time); int batchStatus(@Param("msgIds") List<Long> msgIds, @Param("time") Long time, @Param("uid") Long uid);
@Delete({ @Delete({
"<script>", "<script>",

6
backend/src/main/java/io/dataease/service/message/SysMsgService.java
View File

@ -1,16 +1,16 @@
package io.dataease.service.message; package io.dataease.service.message;
import io.dataease.commons.utils.LogUtil;
import io.dataease.ext.ExtSysMsgMapper;
import io.dataease.commons.constants.SysMsgConstants; import io.dataease.commons.constants.SysMsgConstants;
import io.dataease.commons.utils.AuthUtils; import io.dataease.commons.utils.AuthUtils;
import io.dataease.commons.utils.CommonBeanFactory; import io.dataease.commons.utils.CommonBeanFactory;
import io.dataease.commons.utils.LogUtil;
import io.dataease.controller.sys.request.BatchSettingRequest; import io.dataease.controller.sys.request.BatchSettingRequest;
import io.dataease.controller.sys.request.MsgRequest; import io.dataease.controller.sys.request.MsgRequest;
import io.dataease.controller.sys.request.MsgSettingRequest; import io.dataease.controller.sys.request.MsgSettingRequest;
import io.dataease.controller.sys.response.MsgGridDto; import io.dataease.controller.sys.response.MsgGridDto;
import io.dataease.controller.sys.response.SettingTreeNode; import io.dataease.controller.sys.response.SettingTreeNode;
import io.dataease.controller.sys.response.SubscribeNode; import io.dataease.controller.sys.response.SubscribeNode;
import io.dataease.ext.ExtSysMsgMapper;
import io.dataease.plugins.common.base.domain.*; import io.dataease.plugins.common.base.domain.*;
import io.dataease.plugins.common.base.mapper.SysMsgChannelMapper; import io.dataease.plugins.common.base.mapper.SysMsgChannelMapper;
import io.dataease.plugins.common.base.mapper.SysMsgMapper; import io.dataease.plugins.common.base.mapper.SysMsgMapper;
@ -105,7 +105,7 @@ public class SysMsgService {
} }
public void setBatchRead(List<Long> msgIds) { public void setBatchRead(List<Long> msgIds) {
extSysMsgMapper.batchStatus(msgIds, System.currentTimeMillis()); extSysMsgMapper.batchStatus(msgIds, System.currentTimeMillis(), AuthUtils.getUser().getUserId());
} }
public void batchDelete(List<Long> msgIds) { public void batchDelete(List<Long> msgIds) {