fix 修复 CVE-2026-2819 工作流接口通过业务id可以越级删除问题

ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java

@@ -193,6 +193,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (FlowInstance instance : flowInstances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         return insService.remove(StreamUtils.toList(flowInstances, FlowInstance::getId));
     }
 
@@ -210,6 +217,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (Instance instance : instances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         // 获取定义信息
         Map<Long, Definition> definitionMap = StreamUtils.toMap(
             defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),
@@ -244,6 +258,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (Instance instance : instances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         // 获取定义信息
         Map<Long, Definition> definitionMap = StreamUtils.toMap(
             defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),