From c2a26be65cd1d730bead80083b7ec34b4bf7ed04 Mon Sep 17 00:00:00 2001
From: jishenghua <752718920@qq.com>
Date: Thu, 7 Aug 2025 10:11:44 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=BC=8F=E6=B4=9E=EF=BC=9A?=
 =?UTF-8?q?=E5=AD=98=E5=9C=A8=E6=9D=83=E9=99=90=E7=BB=95=E8=BF=87=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E=EF=BC=8C=E5=8F=AF=E4=BB=BB=E6=84=8F=E4=BF=AE=E6=94=B9?=
 =?UTF-8?q?=E7=99=BB=E5=BD=95=E8=B4=A6=E6=88=B7=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../jsh/erp/controller/UserController.java | 2 +-
 .../com/jsh/erp/filter/LogCostFilter.java | 5 ++
 .../java/com/jsh/erp/service/UserService.java | 46 ++++++++++++-------
 3 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
index a80eeb32..22a6138f 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/UserController.java
@@ -257,7 +257,7 @@ public class UserController extends BaseController {
 //必须和原始密码一致才可以更新密码
 if (oldpwd.equalsIgnoreCase(user.getPassword())) {
 user.setPassword(password);
- flag = userService.updateUserByObj(user); //1-成功
+ flag = userService.updateUserByObj(user, request); //1-成功
 info = "修改成功";
 } else {
 flag = 2; //原始密码输入错误
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java b/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
index bf1ee38d..2546892b 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/filter/LogCostFilter.java
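Review bot: The result of the new `userService.updateUserByObj(user, request)` call is never examined before `info = "修改成功";` is set on the next line, so when the service finds no `userId` in the session and returns 0 without writing anything, the controller still answers with the success message (the `//1-成功` comment documents that only 1 means success). Guard the message on the return value, e.g. `info = flag == 1 ? "修改成功" : "修改失败";`, or have the service signal the rejected call explicitly instead of returning 0. The enclosing handler starts and ends outside the hunk, so how `flag` and `info` are ultimately returned is not visible here.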
@@ -38,6 +38,11 @@ public class LogCostFilter implements Filter {
 HttpServletRequest servletRequest = (HttpServletRequest) request;
 HttpServletResponse servletResponse = (HttpServletResponse) response;
 String requestUrl = servletRequest.getRequestURI();
+ if(requestUrl.contains("../") || requestUrl.contains("..;/")) {
+ servletResponse.setStatus(500);
+ servletResponse.getWriter().write("loginOut");
+ return;
+ }
 //具体,比如:处理若用户未登录,则跳转到登录页
 Object userId = redisService.getObjectFromSessionByKey(servletRequest,"userId");
 if(userId!=null) { //如果已登录,不阻止
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java b/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
index 4e6f2cd8..26720855 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java
@@ -173,9 +173,13 @@ public class UserService {
 User user = JSONObject.parseObject(obj.toJSONString(), User.class);
 int result=0;
 try{
- result=userMapper.updateByPrimaryKeySelective(user);
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getLoginName()).toString(), request);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getLoginName()).toString(), request);
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
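Review bot: The added traversal check runs a literal `contains("../")` / `contains("..;/")` on `getRequestURI()`, which the Servlet API returns undecoded, so only the plain spelling of the segment is caught and percent-encoded forms of the same path pass through to the session check below unchanged. Run the test on a decoded form as well, e.g. `String decodedUrl = URLDecoder.decode(requestUrl, "UTF-8");` and apply the same `contains` tests to `decodedUrl`, so that the comparison is made on what the container will actually resolve. Answering a malformed client path with status 500 and a `loginOut` body also mislabels a client error as a server fault and leaves the content type unset; `403` (or `400`) with `servletResponse.setContentType(...)` before the write is the conventional response. `doFilter` starts and ends outside the hunk.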
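Review bot: The guard added to `updateUser` only establishes that some `userId` is present in the session, i.e. that the caller is logged in; it does not check that the session user may modify the `user` parsed from `obj` (same id, or an administrative role), so unless the controller enforces that elsewhere a logged-in account can presumably still update another account's record, which is the class of bug the commit title describes. The same login-only guard is added in `updateUserByObj`, `resetPwd` and `batDeleteUser` in the later hunks. An authorization fix needs the session value compared against `user.getId()` (or a role lookup) before `updateByPrimaryKeySelective` is called. When the check fails the method also falls through silently with `result` still 0 and no log entry, so a rejected attempt is indistinguishable from a no-op; recording it through `logService` or surfacing it as an exception would make the rejection visible. `updateUser` starts and ends outside the hunk.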
@@ -183,13 +187,17 @@ public class UserService {
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
- public int updateUserByObj(User user) throws Exception{
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getId()).toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ public int updateUserByObj(User user, HttpServletRequest request) throws Exception{
 int result=0;
 try{
- result=userMapper.updateByPrimaryKeySelective(user);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(user.getId()).toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
@@ -199,9 +207,6 @@ public class UserService {
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int resetPwd(String md5Pwd, Long id, HttpServletRequest request) throws Exception{
 int result=0;
- logService.insertLog("用户",
- new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(id).toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 User u = getUser(id);
 String loginName = u.getLoginName();
 if("admin".equals(loginName)){
@@ -215,6 +220,9 @@ public class UserService {
 Object userId = redisService.getObjectFromSessionByKey(request,"userId");
 if (userId != null) {
 result = userMapper.updateByPrimaryKeySelective(user);
+ logService.insertLog("用户",
+ new StringBuffer(BusinessConstants.LOG_OPERATION_TYPE_EDIT).append(id).toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 }
 }catch(Exception e){
 JshException.writeFail(logger, e);
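Review bot: `updateUserByObj` now takes `request` as a parameter and uses it for the session lookup, yet the re-added `logService.insertLog` call three lines later still obtains the request through `((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest()`. Passing the same `request` to `insertLog`, as `updateUser` does in the previous hunk, keeps the two lookups on one object and avoids the null dereference this expression would produce when `getRequestAttributes()` returns null off a web thread; the `resetPwd` hunk below has the same mixed usage. The method's closing lines are outside the hunk.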
@@ -225,16 +233,16 @@ public class UserService {
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int deleteUser(Long id, HttpServletRequest request)throws Exception {
- return batDeleteUser(id.toString());
+ return batDeleteUser(id.toString(), request);
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
 public int batchDeleteUser(String ids, HttpServletRequest request)throws Exception {
- return batDeleteUser(ids);
+ return batDeleteUser(ids, request);
 }
 
 @Transactional(value = "transactionManager", rollbackFor = Exception.class)
- public int batDeleteUser(String ids) throws Exception{
+ public int batDeleteUser(String ids, HttpServletRequest request) throws Exception{
 int result=0;
 StringBuffer sb = new StringBuffer();
 sb.append(BusinessConstants.LOG_OPERATION_TYPE_DELETE);
@@ -248,11 +256,15 @@ public class UserService {
 }
 sb.append("[").append(user.getLoginName()).append("]");
 }
- logService.insertLog("用户", sb.toString(),
- ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
 String[] idsArray =ids.split(",");
 try{
- result=userMapperEx.batDeleteOrUpdateUser(idsArray);
+ //判断是否登录过
+ Object userId = redisService.getObjectFromSessionByKey(request,"userId");
+ if (userId != null) {
+ result = userMapperEx.batDeleteOrUpdateUser(idsArray);
+ logService.insertLog("用户", sb.toString(),
+ ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest());
+ }
 }catch(Exception e){
 JshException.writeFail(logger, e);
 }
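Review bot: In `batDeleteUser` the new session check sits after the loop that fills `sb` (only its tail, `sb.append("[").append(user.getLoginName()).append("]")`, is inside the hunk), so if that loop resolves each id to a `user` as the visible line suggests, an unauthenticated call still performs those lookups before it is turned away. Moving the `userId` lookup and the null test to the top of the method, right after `int result=0;`, keeps the unauthenticated path from doing any work on the supplied `ids`. The log call inside the new branch also reads the request from `RequestContextHolder` although `request` is now a parameter of this method; using `request` directly matches `updateUser`. The method starts before the hunk and its return is outside it.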