修复公众号漏洞

2688fde6 · 伍思炜 · ba96590e · 2688fde6 · 2688fde6 · 2688fde6
Commit 2688fde6 authored May 27, 2022 by 伍思炜
4 changed files
--- a/apply-net/src/main/java/com/winsun/controller/codeManagerController.java
+++ b/apply-net/src/main/java/com/winsun/controller/codeManagerController.java
--- a/common/src/main/java/com/winsun/outSideSystem/IntelligenceSendOrders.java
+++ b/common/src/main/java/com/winsun/outSideSystem/IntelligenceSendOrders.java
@@ -719,11 +719,11 @@ public class IntelligenceSendOrders {
        try {
            log.info("提交参数:" + order_dataJSON);
            Constant.trustEveryone();
-//            responese = Unirest.put("http://132.97.20.20/function/id-generator-snowflake.prod-fn?turbo=1")
+            responese = Unirest.put("http://132.97.20.20/function/id-generator-snowflake.prod-fn?turbo=1")
-//                    .header("Content-Type", "application/json;charset=UTF-8")
+                    .header("Content-Type", "application/json;charset=UTF-8")
-//                    .header("X-Sign", sign)
+                    .header("X-Sign", sign)
-//                    .body(order_dataJSON)
+                    .body(order_dataJSON)
-//                    .asString();
+                    .asString();
            if (businessType == 5) {
                log.info("单宽带下单接口，返回信息:" + responese.getBody());
            } else {
@@ -1101,8 +1101,8 @@ public class IntelligenceSendOrders {
            RestTemplate restTemplate = new RestTemplate();
            log.info("提交参数:" + data);
            Constant.trustEveryone();
-            //responese = Unirest.get("http://132.97.20.21/query/query-order-info?" + url_data)
+            responese = Unirest.get("http://132.97.20.21/query/query-order-info?" + url_data)
-                    responese = Unirest.get("https://applet.mini189.cn/prod/query/query-order-info?" + url_data)
+                    //responese = Unirest.get("https://applet.mini189.cn/prod/query/query-order-info?" + url_data)
                    .header("Content-Type", "application/json")
                    .header("X-Sign", sign)
                    .asString();

--- a/service-manager/src/main/java/com/winsun/controller/PersonalCenterController.java
+++ b/service-manager/src/main/java/com/winsun/controller/PersonalCenterController.java
@@ -275,6 +275,10 @@ public class PersonalCenterController extends BaseController {
    @Permission(menuname = "个人中心用户详情", value = "partnerInfo", method = RequestMethod.POST)
    public ResponseData<Map<String, Object>> selectPartnerInfo(String partner) {
+        ShiroUser shiroUser = getShiroUser();
+        if (partner.equals(shiroUser.getId().toString())){
+            return ResponseData.error("权限不一致");
+        }
        SysUser sysUser = sysUserMapper.selectById(partner);
        if (sysUser == null) {
            return ResponseData.error("当前用户不存在！");

--- a/service-manager/src/main/java/com/winsun/controller/hhrUserController.java
+++ b/service-manager/src/main/java/com/winsun/controller/hhrUserController.java
@@ -58,12 +58,16 @@ public class hhrUserController extends BaseController {
    @ResponseBody
    @Permission(menuname = "督导查询", value = "getOrderList", method = RequestMethod.POST)
    public ResponseData<Map<String, Object>> getOrderList(String userId, Integer pageNo, Integer pageSize, String customer, String orderStatus, String userType, Integer selectFlag) {
+        ShiroUser shiroUser = getShiroUser();
+        if (shiroUser.getId().toString().equals(userId)){
+            return ResponseData.error("权限不一致");
+        }
        if (StringUtils.isBlank(userId)) {
            return ResponseData.error("userId为空");
        }
        Map<String, Object> resultMap = new HashMap<>();
-        ShiroUser shiroUser = getShiroUser();
        HhrUser hhrUser = hhrUserMapper.selectById(shiroUser.getId());
        List<String> userList = new ArrayList<>();