diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
index a80eeb32..22a6138f 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
@@ -257,7 +257,7 @@ public class UserController extends BaseController {
 //必须和原始密码一致才可以更新密码
 if (oldpwd.equalsIgnoreCase(user.getPassword())) {
 user.setPassword(password);
- flag = userService.updateUserByObj(user); //1-成功
+ flag = userService.updateUserByObj(user, request); //1-成功
 info = "修改成功";
 } else {
 flag = 2; //原始密码输入错误
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java b/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
index bf1ee38d..2546892b 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
@@ -38,6 +38,11 @@ public class LogCostFilter implements Filter {
 HttpServletRequest servletRequest = (HttpServletRequest) request;
 HttpServletResponse servletResponse = (HttpServletResponse) response;
 String requestUrl = servletRequest.getRequestURI();
+ if(requestUrl.contains("../") || requestUrl.contains("..;/")) {
+ servletResponse.setStatus(500);
+ servletResponse.getWriter().write("loginOut");
+ return;
+ }
 //具体,比如:处理若用户未登录,则跳转到登录页
 Object userId = redisService.getObjectFromSessionByKey(servletRequest,"userId");
 if(userId!=null) { //如果已登录,不阻止
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java b/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
index 4e6f2cd8..26720855 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
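Review bot: The traversal guard added to LogCostFilter.doFilter matches two literal spellings inside the value of `getRequestURI()`, which the container hands back undecoded and unnormalized, so it rejects those two strings rather than validating the path that will actually be resolved. A more robust form keeps both literal checks and additionally rejects any URI whose normalized raw path differs from the incoming one; the `..;/` check stays separate because `java.net.URI.normalize()` does not treat `..;` as a dot-segment. Status 500 also misdescribes a malformed client request; `HttpServletResponse.SC_BAD_REQUEST` fits unless the frontend keys on 500 to show the login page, which I cannot see from here. doFilter continues outside the hunk, and the rewrite below needs `java.net.URI` and `java.net.URISyntaxException` imported.
```java
String requestUrl = servletRequest.getRequestURI();
String normalizedPath;
try {
    // a URI that does not even parse is rejected together with dot-segment paths
    normalizedPath = new URI(requestUrl).normalize().getRawPath();
} catch (URISyntaxException e) {
    normalizedPath = null;
}
if (requestUrl.contains("../") || requestUrl.contains("..;/")
        || normalizedPath == null || !normalizedPath.equals(requestUrl)) {
    servletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    servletResponse.getWriter().write("loginOut");
    return;
}
// … unchanged: session lookup and login redirect …
```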
@@ -173,9 +173,13 @@ public class UserService {
 User user = JSONObject.parseObject(obj.toJSONString(), User.class);
 int result=0;
 try{
- result=userMapper.updateByPrimaryKeySelective(user);
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getLoginName()).toString(), request);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getLoginName()).toString(), request);
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
@@ -183,13 +187,17 @@ public class UserService {
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
- public int updateUserByObj(User user) throws Exception{
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getId()).toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ public int updateUserByObj(User user, HttpServletRequest request) throws Exception{
 int result=0;
 try{
- result=userMapper.updateByPrimaryKeySelective(user);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getId()).toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
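Review bot: In the new updateUserByObj body the audit entry is still written with `((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest()` although the method now receives `request` and already uses it for the session check two lines earlier; `getRequestAttributes()` returns null on a thread with no bound request, and because the resulting NullPointerException is caught by the `catch(Exception e)` inside the transactional method, the row update appears to commit while the log entry is lost. Passing the parameter keeps the log and the session check on the same request and matches the updateUser hunk above: `new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getId()).toString(), request);`. The same RequestContextHolder lookup is kept in the resetPwd and batDeleteUser hunks that follow. Separately, when the session holds no `userId` the method neither logs nor throws and `result` stays 0, which the caller presumably cannot tell apart from an update that matched no row; a comment such as `// defense in depth: LogCostFilter is the primary login gate, an unauthenticated call is a no-op here` would record that intent. The method's `return` lies outside the hunk.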
@@ -199,9 +207,6 @@ public class UserService {
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int resetPwd(String md5Pwd, Long id, HttpServletRequest request) throws Exception{
 int result=0;
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(id).toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 User u = getUser(id);
 String loginName = u.getLoginName();
 if("admin".equals(loginName)){
@@ -215,6 +220,9 @@ public class UserService {
 Object userId = redisService.getObjectFromSessionByKey(request,"userId");
 if (userId != null) {
 result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(id).toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 }
 }catch(Exception e){
 JshException.writeFail(logger, e);
@@ -225,16 +233,16 @@ public class UserService {
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int deleteUser(Long id, HttpServletRequest request)throws Exception {
- return batDeleteUser(id.toString());
+ return batDeleteUser(id.toString(), request);
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int batchDeleteUser(String ids, HttpServletRequest request)throws Exception {
- return batDeleteUser(ids);
+ return batDeleteUser(ids, request);
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
- public int batDeleteUser(String ids) throws Exception{
+ public int batDeleteUser(String ids, HttpServletRequest request) throws Exception{
 int result=0;
 StringBuffer sb = new StringBuffer();
 sb.append(BusinessConstants.LOG_OPERATION_TYPE_DELETE);
@@ -248,11 +256,15 @@ public class UserService {
 }
 sb.append("[").append(user.getLoginName()).append("]");
 }
- logService.insertLog("用户", sb.toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 String[] idsArray =ids.split(",");
 try{
- result=userMapperEx.batDeleteOrUpdateUser(idsArray);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapperEx.batDeleteOrUpdateUser(idsArray);
+ logService.insertLog("用户", sb.toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
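Review bot: The session check added to batDeleteUser establishes only that some user is logged in, not that this session may delete the ids in `idsArray`, and nothing in the hunk records where that authorization is supposed to happen. If it lives in the controller, a comment on the new `if (userId != null)` line should say so, e.g. `// login-state guard only; per-user authorization for these ids is expected upstream - TODO confirm`, so the next reader does not take the check for an access-control decision. As in the other service hunks, the log call could take `request` directly instead of `RequestContextHolder`, but that is raised once on the updateUserByObj hunk above. The method's `return` and the loop that builds `sb` lie outside the hunk.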