fix(system/user): 修复用户管理水平越权错误

Closes #IC9YO9
2025-09-11 06:57:12 +08:00 · 2025-05-25 10:13:13 +08:00
parent c242a9fafd
commit 4f38218628
2 changed files with 17 additions and 3 deletions
--- a/continew-common/src/main/java/top/continew/admin/common/config/mybatis/DataPermissionMapper.java
+++ b/continew-common/src/main/java/top/continew/admin/common/config/mybatis/DataPermissionMapper.java
@@ -40,8 +40,8 @@ public interface DataPermissionMapper<T> extends BaseMapper<T> {
     * @param queryWrapper 实体对象封装操作类（可以为 null）
     * @return 全部记录
     */
-    @Override
    @DataPermission
+    @Override
    List<T> selectList(@Param(Constants.WRAPPER) Wrapper<T> queryWrapper);

    /**
@@ -51,7 +51,18 @@ public interface DataPermissionMapper<T> extends BaseMapper<T> {
     * @param queryWrapper 实体对象封装操作类（可以为 null）
     * @return 全部记录（并翻页）
     */
-    @Override
    @DataPermission
+    @Override
    List<T> selectList(IPage<T> page, @Param(Constants.WRAPPER) Wrapper<T> queryWrapper);
+
+    /**
+     * 根据 ID 删除
+     *
+     * @param obj     主键ID或实体
+     * @param useFill 是否填充
+     * @return 删除个数
+     */
+    @DataPermission
+    @Override
+    int deleteById(Object obj, boolean useFill);
 }
--- a/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
+++ b/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
@@ -203,6 +203,9 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
            .select(UserDO::getNickname, UserDO::getIsSystem)
            .in(UserDO::getId, ids)
            .list();
+        List<Long> idList = list.stream().map(UserDO::getId).toList();
+        Collection<Long> subtractIds = CollUtil.subtract(ids, idList);
+        CheckUtils.throwIfNotEmpty(subtractIds, "所选用户 [{}] 不存在", CollUtil.join(subtractIds, StringConstants.COMMA));
        Optional<UserDO> isSystemData = list.stream().filter(UserDO::getIsSystem).findFirst();
        CheckUtils.throwIf(isSystemData::isPresent, "所选用户 [{}] 是系统内置用户，不允许删除", isSystemData.orElseGet(UserDO::new)
            .getNickname());
@@ -392,7 +395,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
    public String updateAvatar(MultipartFile avatarFile, Long id) throws IOException {
        String avatarImageType = FileNameUtil.extName(avatarFile.getOriginalFilename());
        CheckUtils.throwIf(!StrUtil.equalsAnyIgnoreCase(avatarImageType, avatarSupportSuffix), "头像仅支持 {} 格式的图片", String
-            .join(StringConstants.CHINESE_COMMA, avatarSupportSuffix));
+            .join(StringConstants.COMMA, avatarSupportSuffix));
        // 上传新头像
        UserDO user = super.getById(id);
        FileInfo fileInfo = fileService.upload(avatarFile, avatarPath);