From 334c85ed6175c550881e6c96f926c950a1e10f41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?=
 <15040126243@163.com>
Date: Wed, 18 Mar 2026 11:35:51 +0800
Subject: [PATCH] =?UTF-8?q?fix=20=E4=BF=AE=E5=A4=8D=20CVE-2026-2819=20?=
 =?UTF-8?q?=E5=B7=A5=E4=BD=9C=E6=B5=81=E6=8E=A5=E5=8F=A3=E9=80=9A=E8=BF=87?=
 =?UTF-8?q?=E4=B8=9A=E5=8A=A1id=E5=8F=AF=E4=BB=A5=E8=B6=8A=E7=BA=A7?=
 =?UTF-8?q?=E5=88=A0=E9=99=A4=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../service/impl/FlwInstanceServiceImpl.java  | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java b/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java
index 897d8a6e2..71e9be636 100644
--- a/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java
+++ b/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java
@@ -193,6 +193,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (FlowInstance instance : flowInstances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         return insService.remove(StreamUtils.toList(flowInstances, FlowInstance::getId));
     }
 
@@ -210,6 +217,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (Instance instance : instances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         // 获取定义信息
         Map<Long, Definition> definitionMap = StreamUtils.toMap(
             defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),
@@ -244,6 +258,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
             log.warn("未找到对应的流程实例信息，无法执行删除操作。");
             return false;
         }
+        String userId = LoginHelper.getUserIdStr();
+        for (Instance instance : instances) {
+            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
         // 获取定义信息
         Map<Long, Definition> definitionMap = StreamUtils.toMap(
             defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),