fix 修复 CVE-2026-2819 工作流接口通过业务id可以越级删除问题

2026-03-19 03:58:50 +08:00 · 2026-03-18 11:40:35 +08:00
parent 334c85ed61
commit a71541a227
1 changed files with 39 additions and 56 deletions
--- a/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java
+++ b/ruoyi-modules/ruoyi-workflow/src/main/java/org/dromara/workflow/service/impl/FlwInstanceServiceImpl.java
@@ -193,13 +193,8 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
            log.warn("未找到对应的流程实例信息，无法执行删除操作。");
            return false;
        }
-        String userId = LoginHelper.getUserIdStr();
-        for (FlowInstance instance : flowInstances) {
-            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
-                continue;
-            }
-            throw new ServiceException("权限不足，无法删除流程实例信息!");
-        }
+        // 发送事件
+        processDeleteHandler(flowInstances);
        return insService.remove(StreamUtils.toList(flowInstances, FlowInstance::getId));
    }

@@ -212,34 +207,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
    @Transactional(rollbackFor = Exception.class)
    public boolean deleteByInstanceIds(List<Long> instanceIds) {
        // 获取实例信息
-        List<Instance> instances = insService.getByIds(instanceIds);
-        if (CollUtil.isEmpty(instances)) {
+        List<FlowInstance> flowInstances = flowInstanceMapper.selectByIds(instanceIds);
+        if (CollUtil.isEmpty(flowInstances)) {
            log.warn("未找到对应的流程实例信息，无法执行删除操作。");
            return false;
        }
-        String userId = LoginHelper.getUserIdStr();
-        for (Instance instance : instances) {
-            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
-                continue;
-            }
-            throw new ServiceException("权限不足，无法删除流程实例信息!");
-        }
-        // 获取定义信息
-        Map<Long, Definition> definitionMap = StreamUtils.toMap(
-            defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),
-            Definition::getId,
-            Function.identity()
-        );
-
-        // 逐一触发删除事件
-        instances.forEach(instance -> {
-            Definition definition = definitionMap.get(instance.getDefinitionId());
-            if (ObjectUtil.isNull(definition)) {
-                log.warn("实例 ID: {} 对应的流程定义信息未找到，跳过删除事件触发。", instance.getId());
-                return;
-            }
-            flowProcessEventHandler.processDeleteHandler(definition.getFlowCode(), instance.getBusinessId());
-        });
+        // 发送事件
+        processDeleteHandler(flowInstances);
        // 删除实例
        return insService.remove(instanceIds);
    }
@@ -253,33 +227,13 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
    @Transactional(rollbackFor = Exception.class)
    public boolean deleteHisByInstanceIds(List<Long> instanceIds) {
        // 获取实例信息
-        List<Instance> instances = insService.getByIds(instanceIds);
-        if (CollUtil.isEmpty(instances)) {
+        List<FlowInstance> flowInstances = flowInstanceMapper.selectByIds(instanceIds);
+        if (CollUtil.isEmpty(flowInstances)) {
            log.warn("未找到对应的流程实例信息，无法执行删除操作。");
            return false;
        }
-        String userId = LoginHelper.getUserIdStr();
-        for (Instance instance : instances) {
-            if (LoginHelper.isSuperAdmin() || instance.getCreateBy().equals(userId)) {
-                continue;
-            }
-            throw new ServiceException("权限不足，无法删除流程实例信息!");
-        }
-        // 获取定义信息
-        Map<Long, Definition> definitionMap = StreamUtils.toMap(
-            defService.getByIds(StreamUtils.toList(instances, Instance::getDefinitionId)),
-            Definition::getId,
-            Function.identity()
-        );
-        // 逐一触发删除事件
-        instances.forEach(instance -> {
-            Definition definition = definitionMap.get(instance.getDefinitionId());
-            if (ObjectUtil.isNull(definition)) {
-                log.warn("实例 ID: {} 对应的流程定义信息未找到，跳过删除事件触发。", instance.getId());
-                return;
-            }
-            flowProcessEventHandler.processDeleteHandler(definition.getFlowCode(), instance.getBusinessId());
-        });
+        // 发送事件
+        processDeleteHandler(flowInstances);
        List<FlowTask> flowTaskList = flwTaskService.selectByInstIds(instanceIds);
        if (CollUtil.isNotEmpty(flowTaskList)) {
            FlowEngine.userService().deleteByTaskIds(StreamUtils.toList(flowTaskList, FlowTask::getId));
@@ -290,6 +244,35 @@ public class FlwInstanceServiceImpl implements IFlwInstanceService {
        return true;
    }

+
+    private void processDeleteHandler(List<FlowInstance> flowInstances) {
+
+        String userId = LoginHelper.getUserIdStr();
+        for (FlowInstance flowInstance : flowInstances) {
+            //如果创建人与当前登陆人一致或者当前登陆人为管理员才能删除
+            if (LoginHelper.isSuperAdmin() || flowInstance.getCreateBy().equals(userId)) {
+                continue;
+            }
+            throw new ServiceException("权限不足，无法删除流程实例信息!");
+        }
+        // 获取定义信息
+        Map<Long, Definition> definitionMap = StreamUtils.toMap(
+            defService.getByIds(StreamUtils.toList(flowInstances, Instance::getDefinitionId)),
+            Definition::getId,
+            Function.identity()
+        );
+
+        // 逐一触发删除事件
+        flowInstances.forEach(instance -> {
+            Definition definition = definitionMap.get(instance.getDefinitionId());
+            if (ObjectUtil.isNull(definition)) {
+                log.warn("实例 ID: {} 对应的流程定义信息未找到，跳过删除事件触发。", instance.getId());
+                return;
+            }
+            flowProcessEventHandler.processDeleteHandler(definition.getFlowCode(), instance.getBusinessId());
+        });
+    }
+
    /**
     * 撤销流程
     *