fix: 行列权限接口sql-inject
@@ -8,8 +8,6 @@ import io.dataease.commons.constants.ResourceAuthLevel;
|
||||
import io.dataease.commons.utils.PageUtils;
|
||||
import io.dataease.commons.utils.Pager;
|
||||
import io.dataease.i18n.Translator;
|
||||
import io.dataease.plugins.common.entity.XpackConditionEntity;
|
||||
import io.dataease.plugins.common.entity.XpackGridRequest;
|
||||
import io.dataease.plugins.config.SpringContextUtil;
|
||||
import io.dataease.plugins.xpack.auth.dto.request.DataSetColumnPermissionsDTO;
|
||||
import io.dataease.plugins.xpack.auth.dto.request.DatasetColumnPermissions;
|
||||
@@ -19,8 +17,9 @@ import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.util.CollectionUtils;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import springfox.documentation.annotations.ApiIgnore;
|
||||
import java.util.ArrayList;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@ApiIgnore
|
||||
@RestController
|
||||
@RequestMapping("plugin/dataset/columnPermissions")
|
||||
@@ -36,15 +35,15 @@ public class ColumnPermissionsController {
|
||||
request.setAuthTargetId(datasetColumnPermissions.getAuthTargetId());
|
||||
request.setDatasetId(datasetColumnPermissions.getDatasetId());
|
||||
List<DataSetColumnPermissionsDTO> columnPermissionsDTOS = columnPermissionService.searchPermissions(request);
|
||||
if(StringUtils.isEmpty(datasetColumnPermissions.getId())){
|
||||
if(!CollectionUtils.isEmpty(columnPermissionsDTOS)){
|
||||
if (StringUtils.isEmpty(datasetColumnPermissions.getId())) {
|
||||
if (!CollectionUtils.isEmpty(columnPermissionsDTOS)) {
|
||||
throw new Exception(Translator.get("i18n_cp_exist"));
|
||||
}
|
||||
}else {
|
||||
if(!CollectionUtils.isEmpty(columnPermissionsDTOS) && columnPermissionsDTOS.size() > 1){
|
||||
} else {
|
||||
if (!CollectionUtils.isEmpty(columnPermissionsDTOS) && columnPermissionsDTOS.size() > 1) {
|
||||
throw new Exception(Translator.get("i18n_cp_exist"));
|
||||
}
|
||||
if(columnPermissionsDTOS.size() == 1 && !columnPermissionsDTOS.get(0).getId().equalsIgnoreCase(datasetColumnPermissions.getId())){
|
||||
if (columnPermissionsDTOS.size() == 1 && !columnPermissionsDTOS.get(0).getId().equalsIgnoreCase(datasetColumnPermissions.getId())) {
|
||||
throw new Exception(Translator.get("i18n_cp_exist"));
|
||||
}
|
||||
}
|
||||
@@ -56,7 +55,7 @@ public class ColumnPermissionsController {
|
||||
@PostMapping("/list")
|
||||
public List<DataSetColumnPermissionsDTO> searchPermissions(@RequestBody DataSetColumnPermissionsDTO request) {
|
||||
ColumnPermissionService columnPermissionService = SpringContextUtil.getBean(ColumnPermissionService.class);
|
||||
return columnPermissionService.searchPermissions(request);
|
||||
return columnPermissionService.searchPermissions(request);
|
||||
}
|
||||
|
||||
@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
@@ -70,17 +69,11 @@ public class ColumnPermissionsController {
|
||||
@DePermission(type = DePermissionType.DATASET, level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
@ApiOperation("分页查询")
|
||||
@PostMapping("/pageList/{datasetId}/{goPage}/{pageSize}")
|
||||
public Pager<List<DataSetColumnPermissionsDTO>> rowPermissions(@PathVariable String datasetId, @PathVariable int goPage, @PathVariable int pageSize, @RequestBody XpackGridRequest request) {
|
||||
public Pager<List<DataSetColumnPermissionsDTO>> rowPermissions(@PathVariable String datasetId, @PathVariable int goPage, @PathVariable int pageSize) {
|
||||
Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
|
||||
ColumnPermissionService columnPermissionService = SpringContextUtil.getBean(ColumnPermissionService.class);
|
||||
List<XpackConditionEntity> conditionEntities = request.getConditions() == null ? new ArrayList<>() : request.getConditions();
|
||||
XpackConditionEntity entity = new XpackConditionEntity();
|
||||
entity.setField("dataset_column_permissions.dataset_id");
|
||||
entity.setOperator("eq");
|
||||
entity.setValue(datasetId);
|
||||
conditionEntities.add(entity);
|
||||
request.setConditions(conditionEntities);
|
||||
return PageUtils.setPageInfo(page, columnPermissionService.queryPermissions(request));
|
||||
|
||||
return PageUtils.setPageInfo(page, columnPermissionService.queryPermissions(datasetId));
|
||||
}
|
||||
|
||||
@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
|
||||
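Review bot: The new `rowPermissions` signature at the `/pageList/{datasetId}/{goPage}/{pageSize}` mapping keeps `@DePermission(type = DePermissionType.DATASET, level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)` without `value = "datasetId"`, while the neighbouring endpoints in this file and the same endpoint in the RowPermissionsController hunk all carry `value = "datasetId"`. If `value` is what the permission check uses to resolve which dataset is being accessed, this endpoint is not being checked against the path variable at all, so the annotation should read `@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)`. The fix now passes only the path variable to `columnPermissionService.queryPermissions(datasetId)`; whether the service binds that value as a parameter rather than concatenating it is decided outside this diff and is worth confirming, since the injection is what the commit sets out to close. A one-line comment above the call would record why the request body was dropped: `// Filter conditions are fixed server-side; client-supplied field/operator values must not reach the query.`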
@@ -8,21 +8,18 @@ import io.dataease.commons.constants.ResourceAuthLevel;
|
||||
import io.dataease.commons.utils.PageUtils;
|
||||
import io.dataease.commons.utils.Pager;
|
||||
import io.dataease.i18n.Translator;
|
||||
import io.dataease.plugins.common.entity.XpackConditionEntity;
|
||||
import io.dataease.plugins.common.entity.XpackGridRequest;
|
||||
import io.dataease.plugins.config.SpringContextUtil;
|
||||
import io.dataease.plugins.xpack.auth.dto.request.DataSetRowPermissionsDTO;
|
||||
import io.dataease.plugins.xpack.auth.dto.request.DatasetRowPermissions;
|
||||
import io.dataease.plugins.xpack.auth.service.RowPermissionService;
|
||||
import io.swagger.annotations.ApiOperation;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.shiro.authz.annotation.RequiresPermissions;
|
||||
import org.springframework.util.CollectionUtils;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import springfox.documentation.annotations.ApiIgnore;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@ApiIgnore
|
||||
@RestController
|
||||
@RequestMapping("plugin/dataset/rowPermissions")
|
||||
@@ -39,15 +36,15 @@ public class RowPermissionsController {
|
||||
request.setAuthTargetId(datasetRowPermissions.getAuthTargetId());
|
||||
request.setDatasetFieldId(datasetRowPermissions.getDatasetFieldId());
|
||||
List<DataSetRowPermissionsDTO> rowPermissionsDTOS = rowPermissionService.searchRowPermissions(request);
|
||||
if(StringUtils.isEmpty(datasetRowPermissions.getId())){
|
||||
if(!CollectionUtils.isEmpty(rowPermissionsDTOS)){
|
||||
if (StringUtils.isEmpty(datasetRowPermissions.getId())) {
|
||||
if (!CollectionUtils.isEmpty(rowPermissionsDTOS)) {
|
||||
throw new Exception(Translator.get("i18n_rp_exist"));
|
||||
}
|
||||
}else {
|
||||
if(!CollectionUtils.isEmpty(rowPermissionsDTOS) && rowPermissionsDTOS.size() > 1){
|
||||
} else {
|
||||
if (!CollectionUtils.isEmpty(rowPermissionsDTOS) && rowPermissionsDTOS.size() > 1) {
|
||||
throw new Exception(Translator.get("i18n_rp_exist"));
|
||||
}
|
||||
if(rowPermissionsDTOS.size() == 1 && !rowPermissionsDTOS.get(0).getId().equalsIgnoreCase(datasetRowPermissions.getId())){
|
||||
if (rowPermissionsDTOS.size() == 1 && !rowPermissionsDTOS.get(0).getId().equalsIgnoreCase(datasetRowPermissions.getId())) {
|
||||
throw new Exception(Translator.get("i18n_rp_exist"));
|
||||
}
|
||||
}
|
||||
@@ -59,7 +56,7 @@ public class RowPermissionsController {
|
||||
@PostMapping("/list")
|
||||
public List<DataSetRowPermissionsDTO> rowPermissions(@RequestBody DataSetRowPermissionsDTO request) {
|
||||
RowPermissionService rowPermissionService = SpringContextUtil.getBean(RowPermissionService.class);
|
||||
return rowPermissionService.searchRowPermissions(request);
|
||||
return rowPermissionService.searchRowPermissions(request);
|
||||
}
|
||||
|
||||
@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
@@ -73,17 +70,11 @@ public class RowPermissionsController {
|
||||
@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
@ApiOperation("分页查询")
|
||||
@PostMapping("/pageList/{datasetId}/{goPage}/{pageSize}")
|
||||
public Pager<List<DataSetRowPermissionsDTO>> rowPermissions(@PathVariable String datasetId, @PathVariable int goPage, @PathVariable int pageSize, @RequestBody XpackGridRequest request) {
|
||||
public Pager<List<DataSetRowPermissionsDTO>> rowPermissions(@PathVariable String datasetId, @PathVariable int goPage, @PathVariable int pageSize) {
|
||||
Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
|
||||
RowPermissionService rowPermissionService = SpringContextUtil.getBean(RowPermissionService.class);
|
||||
List<XpackConditionEntity> conditionEntities = request.getConditions() == null ? new ArrayList<>() : request.getConditions();
|
||||
XpackConditionEntity entity = new XpackConditionEntity();
|
||||
entity.setField("dataset_row_permissions.dataset_id");
|
||||
entity.setOperator("eq");
|
||||
entity.setValue(datasetId);
|
||||
conditionEntities.add(entity);
|
||||
request.setConditions(conditionEntities);
|
||||
return PageUtils.setPageInfo(page, rowPermissionService.queryRowPermissions(request));
|
||||
|
||||
return PageUtils.setPageInfo(page, rowPermissionService.queryRowPermissions(datasetId));
|
||||
}
|
||||
|
||||
@DePermission(type = DePermissionType.DATASET, value = "datasetId", level = ResourceAuthLevel.DATASET_LEVEL_MANAGE)
|
||||
|
||||
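Review bot: The rewritten `rowPermissions` at `/pageList/{datasetId}/{goPage}/{pageSize}` drops the `@RequestBody XpackGridRequest request` parameter but stays a `@PostMapping`, so a caller that still posts grid conditions now receives an unfiltered, dataset-wide page with no error, and nothing in the hunk documents that contract change. Add a Javadoc on the method stating that the dataset id from the path is the only filter and that any posted body is ignored, e.g. `/** Pages the row permissions of {@code datasetId}; posted grid conditions are intentionally ignored (client-controlled conditions previously reached the SQL). */`. The `@ApiOperation("分页查询")` description could carry the same note for API consumers. Whether `rowPermissionService.queryRowPermissions(datasetId)` binds the id as a query parameter is not visible here and should be checked in the service.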
@@ -20,7 +20,6 @@ import io.dataease.commons.utils.Pager;
|
||||
import io.dataease.controller.sys.response.DeptNodeResponse;
|
||||
import io.dataease.dto.SysLogDTO;
|
||||
import io.dataease.listener.util.CacheUtils;
|
||||
import io.dataease.plugins.common.entity.XpackGridRequest;
|
||||
import io.dataease.plugins.config.SpringContextUtil;
|
||||
import io.dataease.plugins.xpack.dept.dto.request.*;
|
||||
import io.dataease.plugins.xpack.dept.dto.response.DeptUserItemDTO;
|
||||
@@ -33,7 +32,6 @@ import io.swagger.annotations.ApiImplicitParams;
|
||||
import io.swagger.annotations.ApiOperation;
|
||||
import org.apache.shiro.authz.annotation.RequiresPermissions;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.cache.annotation.CacheEvict;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import springfox.documentation.annotations.ApiIgnore;
|
||||
|
||||
|
||||
@@ -14,8 +14,6 @@ import io.dataease.commons.utils.*;
|
||||
import io.dataease.i18n.Translator;
|
||||
import io.dataease.plugins.common.entity.GlobalTaskEntity;
|
||||
import io.dataease.plugins.common.entity.GlobalTaskInstance;
|
||||
import io.dataease.plugins.common.entity.XpackConditionEntity;
|
||||
import io.dataease.plugins.common.entity.XpackGridRequest;
|
||||
import io.dataease.plugins.config.SpringContextUtil;
|
||||
import io.dataease.plugins.xpack.email.dto.request.*;
|
||||
import io.dataease.plugins.xpack.email.dto.response.XpackTaskEntity;
|
||||
|
||||