diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
index a6128e17..f399e28c 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
@@ -210,7 +210,7 @@ public class SysUserController extends BaseController {
 @Log(title = "用户管理", businessType = BusinessType.UPDATE)
 @PutMapping
 public AjaxResult edit(@Validated @RequestBody SysUser user) throws Exception {
- userService.checkUserAllowed(user);
+ userService.checkUserAllowed(user.getUserId());
 userService.checkUserDataScope(user.getUserId());
 if (!userService.checkUserNameUnique(user)) {
 return error("修改用户'" + user.getUserName() + "'失败,登录账号已存在");
@@ -243,7 +243,7 @@ public class SysUserController extends BaseController {
 @Log(title = "用户管理", businessType = BusinessType.UPDATE)
 @PutMapping("/resetPwd")
 public AjaxResult resetPwd(@RequestBody SysUser user) throws Exception {
- userService.checkUserAllowed(user);
+ userService.checkUserAllowed(user.getUserId());
 userService.checkUserDataScope(user.getUserId());
 return toAjax(userService.resetPwd(user));
 }
@@ -255,7 +255,7 @@ public class SysUserController extends BaseController {
 @Log(title = "用户管理", businessType = BusinessType.UPDATE)
 @PutMapping("/changeStatus")
 public AjaxResult changeStatus(@RequestBody SysUser user) {
- userService.checkUserAllowed(user);
+ userService.checkUserAllowed(user.getUserId());
 userService.checkUserDataScope(user.getUserId());
 user.setUpdateBy(SecurityUtils.getUsername());
 return toAjax(userService.updateUserStatus(user));
@@ -282,7 +282,7 @@ public class SysUserController extends BaseController {
 @Log(title = "用户管理", businessType = BusinessType.GRANT)
 @PutMapping("/authRole/{userId}")
 public AjaxResult insertAuthRole(@PathVariable("userId") Long userId, @RequestBody Long[] roleIds) {
- userService.checkUserAllowed(new SysUser(userId));
+ userService.checkUserAllowed(userId);
 userService.checkUserDataScope(userId);
 userService.insertUserAuth(userId, roleIds);
 return success();
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
index 2e76ee11..89c896fd 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -96,7 +96,7 @@ public interface ISysUserService
 *
 * @param user 用户信息
 */
- public void checkUserAllowed(SysUser user);
+ public void checkUserAllowed(Long userId);
 /**
 * 校验用户是否有数据权限
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
index 7bda359d..97c02cd9 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java
@@ -7,7 +7,9 @@ import java.util.List;
 import java.util.Set;
 import com.ruoyi.system.api.constant.Constant;
+import com.ruoyi.system.service.ISysUserService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import com.ruoyi.common.core.constant.UserConstants;
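Review bot: The Javadoc kept as context above `checkUserAllowed(Long userId)` in ISysUserService still reads `@param user 用户信息`, although the parameter is now an id; the same stale tag sits above the implementation in SysUserServiceImpl (hunk at -220). Change both to `@param userId 用户ID`, and say in the description that a null id is not checked, since the implementation guards with `StringUtils.isNotNull(userId)`. The interface comment starts above the hunk, so its summary line is not visible here.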
@@ -46,6 +48,9 @@ public class SysRoleServiceImpl implements ISysRoleService {
 @Autowired
 private SysRoleDeptMapper roleDeptMapper;
+ @Autowired
+ @Lazy
+ private ISysUserService userService;
 /**
 * 根据条件分页查询角色数据
 *
@@ -364,6 +369,8 @@ public class SysRoleServiceImpl implements ISysRoleService {
 */
 @Override
 public int deleteAuthUser(SysUserRole userRole) {
+ checkRoleAllowed(roleMapper.selectRoleById(userRole.getRoleId()));
+ userService.checkUserAllowed(userRole.getUserId());
 return userRoleMapper.deleteUserRoleInfo(userRole);
 }
@@ -376,6 +383,10 @@ public class SysRoleServiceImpl implements ISysRoleService {
 */
 @Override
 public int deleteAuthUsers(Long roleId, Long[] userIds) {
+ checkRoleAllowed(roleMapper.selectRoleById(roleId));
+ for (Long userId : userIds) {
+ userService.checkUserAllowed(userId);
+ }
 return userRoleMapper.deleteUserRoleInfos(roleId, userIds);
 }
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
index 8bcc9325..26e95645 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
@@ -220,8 +220,8 @@ public class SysUserServiceImpl implements ISysUserService {
 * @param user 用户信息
 */
 @Override
- public void checkUserAllowed(SysUser user) {
- if (StringUtils.isNotNull(user.getUserId()) && roleService.checkIsAdmin(user.getUserId()) && !SecurityUtils.getUserId().equals(user.getUserId())) {
+ public void checkUserAllowed(Long userId) {
+ if (StringUtils.isNotNull(userId) && roleService.checkIsAdmin(userId) && !SecurityUtils.getUserId().equals(userId)) {
 throw new ServiceException("不允许操作超级管理员用户");
 }
 }
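Review bot: The new `userService` field in SysRoleServiceImpl is injected with `@Lazy`, but nothing says why. SysUserServiceImpl calls `roleService.checkIsAdmin(...)` and this class now calls back into ISysUserService, so the annotation is presumably there to break that circular bean reference. A comment above the field, such as `// @Lazy: SysUserServiceImpl depends on the role service; resolve this bean on first use to avoid a circular reference`, would keep a later cleanup from removing it.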
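Review bot: `deleteAuthUser` and `deleteAuthUsers` (hunk at -376) now call `checkUserAllowed` but not `checkUserDataScope`, while every controller path touched by this commit pairs the two. Unless the endpoints that reach these methods already enforce data scope (not visible here), role bindings of users outside the operator's scope can still be removed; adding `userService.checkUserDataScope(userRole.getUserId());` after the new check, and `userService.checkUserDataScope(userId);` inside the loop, makes the service consistent. Separately, the result of `roleMapper.selectRoleById(...)` goes straight into `checkRoleAllowed`; what happens for an unknown role id depends on that method, whose body is outside this diff, so an explicit not-found rejection before the call is safer.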
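Review bot: `checkUserAllowed(Long userId)` in SysUserServiceImpl keeps the `StringUtils.isNotNull(userId)` guard, so a null id returns without any check (fail-open). The controller methods `edit`, `resetPwd` and `changeStatus` pass `user.getUserId()` taken from the request body, so a body that omits the id gets past this method; whether the later update then matches no row is not visible in the diff. If no caller relies on passing null, reject it at the top with `if (userId == null) { throw new ServiceException("<message>"); }`. `SecurityUtils.getUserId().equals(userId)` also dereferences the current user id first, so `userId.equals(SecurityUtils.getUserId())` is the safer order once null is excluded.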
@@ -522,7 +522,7 @@ public class SysUserServiceImpl implements ISysUserService {
 @Transactional(rollbackFor = Exception.class)
 public int deleteUserByIds(Long[] userIds) throws Exception {
 for (Long userId : userIds) {
- checkUserAllowed(new SysUser(userId));
+ checkUserAllowed(userId);
 checkUserDataScope(userId);
 }
 // 删除用户与角色关联
@@ -580,7 +580,7 @@ public class SysUserServiceImpl implements ISysUserService {
 successMsg.append("
" + successNum + "、账号 " + user.getUserName() + " 导入成功");
 } else if (isUpdateSupport) {
 BeanValidators.validateWithException(validator, user);
- checkUserAllowed(u);
+ checkUserAllowed(u.getUserId());
 checkUserDataScope(u.getUserId());
 user.setUserId(u.getUserId());
 user.setUpdateBy(operName);