fix(system/user): 修复用户管理水平越权错误

2025-10-31 10:57:13 +08:00 · 2025-05-06 22:38:48 +08:00
parent 588bc7ef0a
commit 5bc657ad88
2 changed files with 17 additions and 6 deletions
--- a/continew-module-system/src/main/java/top/continew/admin/system/service/UserService.java
+++ b/continew-module-system/src/main/java/top/continew/admin/system/service/UserService.java
@@ -85,9 +85,8 @@ public interface UserService extends BaseService<UserResp, UserDetailResp, UserQ
     * @param avatar 头像文件
     * @param id     ID
     * @return 新头像路径
-     * @throws IOException /
     */
-    String updateAvatar(MultipartFile avatar, Long id) throws IOException;
+    String updateAvatar(MultipartFile avatar, Long id);

    /**
     * 修改基础信息
--- a/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
+++ b/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
@@ -169,7 +169,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
        DisEnableStatusEnum newStatus = req.getStatus();
        CheckUtils.throwIf(DisEnableStatusEnum.DISABLE.equals(newStatus) && ObjectUtil.equal(id, UserContextHolder
            .getUserId()), "不允许禁用当前用户");
-        UserDO oldUser = super.getById(id);
+        UserDO oldUser = this.getById(id);
        if (Boolean.TRUE.equals(oldUser.getIsSystem())) {
            CheckUtils.throwIfEqual(DisEnableStatusEnum.DISABLE, newStatus, "[{}] 是系统内置用户，不允许禁用", oldUser
                .getNickname());
@@ -370,7 +370,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes

    @Override
    public void resetPassword(UserPasswordResetReq req, Long id) {
-        super.getById(id);
+        this.getById(id);
        baseMapper.lambdaUpdate()
            .set(UserDO::getPassword, req.getNewPassword())
            .set(UserDO::getPwdResetTime, LocalDateTime.now())
@@ -380,7 +380,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes

    @Override
    public void updateRole(UserRoleUpdateReq updateReq, Long id) {
-        super.getById(id);
+        this.getById(id);
        List<Long> roleIds = updateReq.getRoleIds();
        // 保存用户和角色关联
        userRoleService.assignRolesToUser(roleIds, id);
@@ -389,7 +389,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
    }

    @Override
-    public String updateAvatar(MultipartFile avatarFile, Long id) throws IOException {
+    public String updateAvatar(MultipartFile avatarFile, Long id) {
        String avatarImageType = FileNameUtil.extName(avatarFile.getOriginalFilename());
        CheckUtils.throwIf(!StrUtil.equalsAnyIgnoreCase(avatarImageType, avatarSupportSuffix), "头像仅支持 {} 格式的图片", String
            .join(StringConstants.CHINESE_COMMA, avatarSupportSuffix));
@@ -731,4 +731,16 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
            UserContextHolder.setContext(userContext);
        }
    }
+
+    /**
+     * 根据 ID 获取用户信息（数据权限）
+     *
+     * @param id ID
+     * @return 用户信息
+     */
+    private UserDO getById(Long id) {
+        UserDO user = baseMapper.lambdaQuery().eq(UserDO::getId, id).one();
+        CheckUtils.throwIfNull(user, "用户不存在");
+        return user;
+    }
 }