
fixed【通用行业版本】后台操作权限判断漏洞修复

fushengqian il y a 2 semaines
Parent
commit
ea9b1fc7bd

+ 2 - 1
fuint-application/src/main/java/com/fuint/common/service/impl/AccountServiceImpl.java

@@ -158,7 +158,8 @@ public class AccountServiceImpl extends ServiceImpl<TAccountMapper, TAccount> im
             accountInfo.setRoleIds(account.getRoleIds());
             accountInfo.setStaffId(account.getStaffId());
             accountInfo.setStoreId(account.getStoreId());
-            accountInfo.setMerchantId(account.getMerchantId());
+            Integer merchantId = account.getMerchantId() == null ? 0 : account.getMerchantId();
+            accountInfo.setMerchantId(merchantId);
             if (account.getMerchantId() != null && account.getMerchantId() > 0) {
                 MtMerchant mtMerchant = mtMerchantMapper.selectById(account.getMerchantId());
                 if (mtMerchant != null) {
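Review bot: The two lines following the new local still re-read `account.getMerchantId()` behind a null test that `merchantId` has just made unnecessary (L20-21); `if (merchantId > 0) {` and `MtMerchant mtMerchant = mtMerchantMapper.selectById(merchantId);` state the same condition once. Because the controllers changed in this commit unbox `getMerchantId() > 0` on the resulting AccountInfo, a comment on the new local such as `// never null on AccountInfo: 0 stands in for "no merchant"; callers compare with > 0` would record the contract they now depend on. The enclosing method starts and ends outside the hunk.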

+ 10 - 20
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendAccountController.java

@@ -139,9 +139,6 @@ public class BackendAccountController extends BaseController {
     public ResponseObject info(HttpServletRequest request, @PathVariable("userId") Long userId) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
         Map<String, Object> result = new HashMap<>();
 
         List<TDuty> roleList = tDutyService.getAvailableRoles(accountInfo.getMerchantId(), accountInfo.getId());
@@ -217,10 +214,7 @@ public class BackendAccountController extends BaseController {
     @PreAuthorize("@pms.hasPermission('system:account:add')")
     public ResponseObject doCreate(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
-        AccountInfo loginAccount = TokenUtil.getAccountInfoByToken(token);
-        if (loginAccount == null) {
-            return getFailureResult(1001, "请先登录");
-        }
+        AccountInfo account = TokenUtil.getAccountInfoByToken(token);
 
         List<Integer> roleIds = (List) param.get("roleIds");
         String accountName = param.get("accountName").toString();
@@ -257,6 +251,7 @@ public class BackendAccountController extends BaseController {
         tAccount.setPassword(password);
         tAccount.setIsActive(1);
         tAccount.setLocked(0);
+        tAccount.setOwnerId(account.getOwnerId());
         if (StringUtil.isNotEmpty(storeId)) {
             tAccount.setStoreId(Integer.parseInt(storeId));
         }
@@ -294,11 +289,12 @@ public class BackendAccountController extends BaseController {
         Long id = Long.parseLong(param.get("id").toString());
 
         AccountInfo loginAccount = TokenUtil.getAccountInfoByToken(token);
-        if (loginAccount == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         TAccount tAccount = tAccountService.getAccountInfoById(id.intValue());
+        if (loginAccount.getMerchantId() > 0 && !tAccount.getMerchantId().equals(loginAccount.getMerchantId())) {
+            return getFailureResult(1004);
+        }
+
         tAccount.setAcctId(id.intValue());
         tAccount.setRealName(realName);
 
@@ -355,9 +351,6 @@ public class BackendAccountController extends BaseController {
     public ResponseObject deleteAccount(HttpServletRequest request, @PathVariable("userIds") String userIds) {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
         String ids[] = userIds.split(",");
         if (ids.length > 0) {
             for (int i = 0; i < ids.length; i++) {
@@ -397,12 +390,9 @@ public class BackendAccountController extends BaseController {
         Integer status = param.get("status") == null ? 0 : Integer.parseInt(param.get("status").toString());
 
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
-        if (accountDto == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         TAccount tAccount = tAccountService.getAccountInfoById(userId.intValue());
-        if (tAccount == null) {
+        if (tAccount == null || accountDto == null) {
             return getFailureResult(201, "账户不存在");
         }
 
@@ -427,11 +417,11 @@ public class BackendAccountController extends BaseController {
         String password = param.get("password") == null ? "" : param.get("password").toString();
 
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
-        if (accountDto == null) {
-            return getFailureResult(1001, "请先登录");
+        TAccount tAccount = tAccountService.getAccountInfoById(userId.intValue());
+        if (accountDto.getMerchantId() > 0 && !accountDto.getMerchantId().equals(tAccount.getMerchantId())) {
+            return getFailureResult(1004);
         }
 
-        TAccount tAccount = tAccountService.getAccountInfoById(userId.intValue());
         tAccount.setPassword(password);
 
         if (tAccount != null) {
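Review bot: In the reset-password hunk the new ownership check at L104 dereferences `tAccount` before the existing `if (tAccount != null)` at L111, so that guard is now unreachable for a null account and an unknown `userId` ends in a NullPointerException instead of a failure result; in the update hunk at L66 the comparison is written the other way round, `tAccount.getMerchantId().equals(...)`, which additionally throws when the target account has no merchant id. Put the lookup's null test first, `if (tAccount == null) { return getFailureResult(201, "账户不存在"); }`, and write both comparisons as `!Objects.equals(loginAccount.getMerchantId(), tAccount.getMerchantId())` (java.util.Objects) so a target with a null merchant is rejected rather than thrown on. The removed `== null` guards on the token lookup (here and in BackendCommissionLogController, BackendStaffController, BackendUserGradeController, MerchantController, MerchantCouponController) leave the AccountInfo dereferenced unconditionally while L93 still keeps an `accountDto == null` test — if an authentication filter now guarantees a non-null result on these routes, a one-line class comment saying so would make that reliance explicit; if not, an unauthenticated request becomes a 500 instead of 1001. The delete (L74-82) and status (L84-95) paths received no merchant-scope comparison in the visible lines; both bodies continue outside the hunks, so confirm the same ownership check is applied there.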

+ 9 - 17
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendCommissionLogController.java

@@ -81,12 +81,7 @@ public class BackendCommissionLogController extends BaseController {
         String endTime = request.getParameter("endTime") == null ? "" : request.getParameter("endTime");
 
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        Integer storeId;
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        } else {
-            storeId = accountInfo.getStoreId();
-        }
+        Integer storeId = accountInfo.getStoreId();
 
         PaginationRequest paginationRequest = new PaginationRequest();
         paginationRequest.setCurrentPage(page);
@@ -164,11 +159,12 @@ public class BackendCommissionLogController extends BaseController {
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         CommissionLogDto commissionLog = commissionLogService.queryCommissionLogById(id);
+        if (accountInfo.getMerchantId() > 0 && !commissionLog.getMerchantId().equals(accountInfo.getMerchantId())) {
+            return getFailureResult(1004);
+        }
+
         Map<String, Object> result = new HashMap<>();
         result.put("commissionLog", commissionLog);
 
@@ -188,9 +184,6 @@ public class BackendCommissionLogController extends BaseController {
         String token = request.getHeader("Access-Token");
 
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
-        if (accountDto == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         commissionLogRequest.setOperator(accountDto.getAccountName());
         commissionLogService.updateCommissionLog(commissionLogRequest);
@@ -211,8 +204,10 @@ public class BackendCommissionLogController extends BaseController {
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
+
+        CommissionLogDto commissionLog = commissionLogService.queryCommissionLogById(id);
+        if (accountInfo.getMerchantId() > 0 && !commissionLog.getMerchantId().equals(accountInfo.getMerchantId())) {
+            return getFailureResult(1004);
         }
 
         CommissionLogRequest commissionLogRequest = new CommissionLogRequest();
@@ -236,9 +231,6 @@ public class BackendCommissionLogController extends BaseController {
         String token = request.getHeader("Access-Token");
 
         AccountInfo accountDto = TokenUtil.getAccountInfoByToken(token);
-        if (accountDto == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         commissionSettleRequest.setOperator(accountDto.getAccountName());
         if (accountDto.getMerchantId() != null && accountDto.getMerchantId() > 0) {
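Review bot: The new ownership checks at L139 and L164 call `commissionLog.getMerchantId()` without testing that `queryCommissionLogById(id)` returned a record, so an unknown `id` now fails with a NullPointerException where a failure result is expected; add `if (commissionLog == null) { return getFailureResult(201); }` ahead of each comparison. The same two lines unbox `accountInfo.getMerchantId() > 0`, whereas L178 in this file still guards with `accountDto.getMerchantId() != null` first — pick one convention, and note that the null safety these lines get from the AccountServiceImpl change in this commit lives in a different file. The update path at L154-155 received no merchant-scope comparison; if `commissionLogRequest` identifies the log by id, the same check belongs before `updateCommissionLog` — the request's fields are outside this hunk, so confirm.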

+ 3 - 6
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendStaffController.java

@@ -66,9 +66,6 @@ public class BackendStaffController extends BaseController {
         String category = request.getParameter("category");
 
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
         if (accountInfo.getStoreId() != null && accountInfo.getStoreId() > 0) {
             storeId = accountInfo.getStoreId().toString();
         }
@@ -199,11 +196,11 @@ public class BackendStaffController extends BaseController {
         String token = request.getHeader("Access-Token");
 
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
+        MtStaff staffInfo = staffService.queryStaffById(id);
+        if (accountInfo.getMerchantId() > 0 && !accountInfo.getMerchantId().equals(staffInfo.getMerchantId())) {
+            return getFailureResult(1004);
         }
 
-        MtStaff staffInfo = staffService.queryStaffById(id);
         if (staffInfo != null) {
             staffInfo.setMobile(CommonUtil.hidePhone(staffInfo.getMobile()));
         }
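Review bot: The new check at L200 dereferences `staffInfo` before the `if (staffInfo != null)` at L205, so that guard can no longer be reached with a null and an unknown `id` produces a NullPointerException instead of a response. Put the null test first, `if (staffInfo == null) { return getFailureResult(201); }` ahead of the merchant comparison, after which the condition at L205 is redundant and can be dropped. `accountInfo.getMerchantId() > 0` unboxes on the same line; `!Objects.equals(accountInfo.getMerchantId(), staffInfo.getMerchantId())` (java.util.Objects) keeps the comparison safe whichever side is null while still denying a mismatch.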

+ 1 - 12
fuint-application/src/main/java/com/fuint/module/backendApi/controller/BackendUserGradeController.java

@@ -119,9 +119,7 @@ public class BackendUserGradeController extends BaseController {
     public ResponseObject updateStatus(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
+
         Integer userGradeId = param.get("userGradeId") == null ? 0 : Integer.parseInt(param.get("userGradeId").toString());
         String status = param.get("status") == null ? StatusEnum.ENABLED.getKey() : param.get("status").toString();
 
@@ -149,9 +147,6 @@ public class BackendUserGradeController extends BaseController {
     public ResponseObject delete(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         String operator = accountInfo.getAccountName();
 
@@ -177,9 +172,6 @@ public class BackendUserGradeController extends BaseController {
     public ResponseObject saveHandler(HttpServletRequest request, @RequestBody Map<String, Object> param) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         String grade = param.get("grade") == null ? "0" : param.get("grade").toString();
         String name = CommonUtil.replaceXSS(param.get("name").toString());
@@ -261,9 +253,6 @@ public class BackendUserGradeController extends BaseController {
     public ResponseObject info(HttpServletRequest request, @PathVariable("id") Integer id) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         AccountInfo accountInfo = TokenUtil.getAccountInfoByToken(token);
-        if (accountInfo == null) {
-            return getFailureResult(1001, "请先登录");
-        }
 
         MtUserGrade userGradeInfo = userGradeService.queryUserGradeById(accountInfo.getMerchantId(), id, 0);
 
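Review bot: Unlike `info` at L251, which passes `accountInfo.getMerchantId()` into the service lookup, the `updateStatus` (L220) and `delete` (L224-231) hunks take only an id or the operator name from the request and, in the visible lines, never tie that id to the caller's merchant; the rest of both bodies lies outside the hunks, so if the service calls there are not merchant-scoped, the ownership comparison this commit adds to other controllers is missing here. Reusing the scoped query that `info` already uses, `MtUserGrade grade = userGradeService.queryUserGradeById(accountInfo.getMerchantId(), userGradeId, 0);` followed by a null check, would close that gap with existing code. After the four removed login guards, `accountInfo` is dereferenced at L231 and L251 with no null test.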

+ 0 - 4
fuint-application/src/main/java/com/fuint/module/merchantApi/controller/MerchantController.java

@@ -11,7 +11,6 @@ import com.fuint.common.util.TokenUtil;
 import com.fuint.framework.exception.BusinessCheckException;
 import com.fuint.framework.web.BaseController;
 import com.fuint.framework.web.ResponseObject;
-import com.fuint.repository.model.MtStaff;
 import com.fuint.repository.model.MtUser;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
@@ -66,9 +65,6 @@ public class MerchantController extends BaseController {
     public ResponseObject info(HttpServletRequest request) throws BusinessCheckException {
         String token = request.getHeader("Access-Token");
         UserInfo userInfo = TokenUtil.getUserInfoByToken(token);
-        if (null == userInfo) {
-            return getFailureResult(1001, "用户未登录");
-        }
 
         MtUser mtUser = memberService.queryMemberById(userInfo.getId());
         Map<String, Object> outParams = new HashMap<>();

+ 6 - 13
fuint-application/src/main/java/com/fuint/module/merchantApi/controller/MerchantCouponController.java

@@ -57,26 +57,19 @@ public class MerchantCouponController extends BaseController {
         String token = request.getHeader("Access-Token");
         String merchantNo = request.getHeader("merchantNo") == null ? "" : request.getHeader("merchantNo");
         Integer merchantId = merchantService.getMerchantId(merchantNo);
-        if (StringUtil.isEmpty(token)) {
-            return getFailureResult(1001);
-        }
 
         UserInfo userInfo = TokenUtil.getUserInfoByToken(token);
-        if (null == userInfo) {
-            return getFailureResult(1001);
-        }
-
-        MtStaff staff = null;
         MtUser mtUser = memberService.queryMemberById(userInfo.getId());
-        if (mtUser != null && mtUser.getMobile() != null) {
-            staff = staffService.queryStaffByMobile(mtUser.getMobile());
-        }
-        if (staff == null) {
+
+        if (mtUser == null || mtUser.getMobile() == null) {
             return getFailureResult(201, "该账号不是商户");
         }
-        if (!merchantId.equals(staff.getMerchantId())) {
+
+        MtStaff staff = staffService.queryStaffByMobile(mtUser.getMobile());
+        if (staff == null || !merchantId.equals(staff.getMerchantId())) {
             return getFailureResult(201, "您没有操作权限");
         }
+
         // 判断店铺权限
         MtCoupon couponInfo = couponService.queryCouponById(receiveParam.getCouponId());
         if (StringUtil.isNotEmpty(couponInfo.getStoreIds()) && staff.getStoreId() != null && staff.getStoreId() > 0) {
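Review bot: The reordered permission check at L305 still compares with `merchantId.equals(staff.getMerchantId())`, and `merchantId` comes from `merchantService.getMerchantId(merchantNo)` with `merchantNo` defaulting to "" when the header is absent (L281-282); if that lookup returns null for an empty or unknown merchant number — not visible here — the request ends in a NullPointerException rather than the 201 "您没有操作权限" result. Guarding explicitly, `if (merchantId == null || staff == null || !merchantId.equals(staff.getMerchantId())) {`, keeps the denial path for a missing merchant without treating two nulls as equal; a null check on `couponInfo` before `couponInfo.getStoreIds()` at L311 would close the same gap for an unknown coupon id. With the `StringUtil.isEmpty(token)` check gone, `TokenUtil.getUserInfoByToken` now receives an empty token and its result is dereferenced at L293 unguarded; confirm that the method cannot return null on this route or that an upstream filter rejects missing tokens.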