修复漏洞

common/src/main/java/com/winsun/outSideSystem/IntelligenceSendOrders.java

@@ -606,7 +606,7 @@ public class IntelligenceSendOrders {
         } else if (businessType == 5) {
             order_data.put("业务类型", "单宽业务");  //业务类型
         } else if (businessType == 10) {
-            order_data.put("业务类型", "校园宽带提速");  //业务类型
+            order_data.put("业务类型", "增值业务");  //业务类型
         }
 
         if (businessType == 3 || businessType == 10) {
@@ -628,11 +628,12 @@ public class IntelligenceSendOrders {
         broadbandInstalledCapacity.put("宽带接入号", "新装");
         broadbandInstalledCapacity.put("订购类型", "新装");
         if (businessType == 10) {
-            broadbandInstalledCapacity.put("宽带接入号", "已有");
+            broadbandInstalledCapacity.put("宽带接入号", orderViewMap.get("dmt_number"));
             broadbandInstalledCapacity.put("订购类型", "已有");
         }
         order_data.put("宽带装机", broadbandInstalledCapacity);
 
+        if (businessType != 10) {
             HashMap<Object, Object> monthlyFeeItems = new HashMap<>();   //月租费用项
             List<HashMap<String, Object>> expenseItemsList = new ArrayList<>(); //费用项列表
 //        List<HashMap<String, Object>> suipayPayment = new ArrayList<>(); //穗易付支付
@@ -696,7 +697,7 @@ public class IntelligenceSendOrders {
             OneExpenseItemsList.add(OneExpenseItemsMap);
             OneExpenseItems.put("费用项列表", OneExpenseItemsList);
             order_data.put("一次性费用项", OneExpenseItems);
-
+        }
 
         Map<String, Object> map1 = new HashMap<>();
         map1.put("order_data", order_data);
@@ -718,11 +719,11 @@ public class IntelligenceSendOrders {
         try {
             log.info("提交参数:" + order_dataJSON);
             Constant.trustEveryone();
-            responese = Unirest.put("http://132.97.20.20/function/id-generator-snowflake.prod-fn?turbo=1")
-                    .header("Content-Type", "application/json;charset=UTF-8")
-                    .header("X-Sign", sign)
-                    .body(order_dataJSON)
-                    .asString();
+//            responese = Unirest.put("http://132.97.20.20/function/id-generator-snowflake.prod-fn?turbo=1")
+//                    .header("Content-Type", "application/json;charset=UTF-8")
+//                    .header("X-Sign", sign)
+//                    .body(order_dataJSON)
+//                    .asString();
             if (businessType == 5) {
                 log.info("单宽带下单接口，返回信息:" + responese.getBody());
             } else {
@@ -974,7 +975,8 @@ public class IntelligenceSendOrders {
                     0);
         } else if (orderMap.get("user_type").equals("10")) {
 
-            String productName = "校园融合套餐";
+            String productName = "校园宽带提速";
+            orderViewMap.put("dmt_number",orderMap.get("dmt_number"));
             //	3、提交订单到智能平台
             submitOrderJsonObject = getOrderInfo(
                     schoolMap,          //宽带订单对应的学校信息

service-manager/src/main/java/com/winsun/aop/AuthorityAspect.java

+package com.winsun.aop;
+
+import com.alibaba.fastjson.JSONObject;
+import com.winsun.auth.core.common.model.ResponseData;
+import com.winsun.auth.core.shiro.ShiroUser;
+import com.winsun.auth.core.support.HttpKit;
+import com.winsun.auth.model.common.Menu;
+import com.winsun.interfaces.PermissionVerification;
+import com.winsun.mapper.SysUserMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * 基于服务层的权限切面
+ *
+ * @author Cocowwy
+ * @create 2021-11-11-13:59
+ */
+@Aspect
+@Component
+@Slf4j
+public class AuthorityAspect {
+
+    @Autowired
+    private StringRedisTemplate stringRedisTemplate;
+
+    @Autowired
+    private SysUserMapper sysUserMapper;
+
+    private final static String PERMISSION_VERIFICATION = "permissionVerification:";
+
+    private final static Integer CACHE_TIME =  60;
+
+    /**
+     * 对接口进行权限校验
+     */
+    @Pointcut("@annotation(com.winsun.interfaces.PermissionVerification)")
+    private void pointcut() {
+    }
+
+    @Around("pointcut()")
+    public Object around(ProceedingJoinPoint joinPoint) throws Throwable {
+        MethodSignature signature = (MethodSignature) joinPoint.getSignature();
+        PermissionVerification permissionVerification = signature.getMethod().getDeclaredAnnotation(PermissionVerification.class);
+        if (permissionVerification != null) {
+            return apiIdempotent(joinPoint, signature);
+        }
+        Object proceed = joinPoint.proceed();
+        return proceed;
+    }
+
+    public Object apiIdempotent(ProceedingJoinPoint joinPoint, MethodSignature signature) throws Throwable {
+        ShiroUser user = getShiroUser();
+        /*if (user.getRoleNames().stream().anyMatch(roleName -> StringUtils.equalsAny(roleName, "超级管理员"))) {
+            Object proceed = joinPoint.proceed();
+            return proceed;
+        }*/
+        PermissionVerification permissionVerification = signature.getMethod().getDeclaredAnnotation(PermissionVerification.class);
+        if ("".equals(permissionVerification.value()[0]) || user == null) {
+            log.error("无权限");
+            return false;
+        }
+
+        List<Integer> roleList = user.getRoleList();
+        if (roleList.size() == 0) {
+            log.error("无权限");
+            return false;
+        }
+
+        String key = PERMISSION_VERIFICATION + getHttpServletRequest().getHeader("Authorization");
+        String[] values = permissionVerification.value();
+
+        String s = stringRedisTemplate.opsForValue().get(key);
+        List<Menu> roleMenu = null;
+        if (StringUtils.isNotBlank(s)) {
+            roleMenu = JSONObject.parseArray(s, Menu.class);
+        }else {
+            roleMenu = sysUserMapper.getRoleMenu(roleList);
+            stringRedisTemplate.opsForValue().set(key,
+                    JSONObject.toJSONString(roleMenu),
+                    CACHE_TIME, TimeUnit.SECONDS);
+        }
+
+        if (roleMenu == null || roleMenu.isEmpty()) {
+            return false;
+        }
+        for (String value : values) {
+            for (Menu menu : roleMenu) {
+                if (menu == null || StringUtils.isBlank(menu.getUrl())) {
+                    continue;
+                }
+
+                if (StringUtils.equals(menu.getUrl(), value)) {
+                    Object proceed = joinPoint.proceed();
+                    return proceed;
+                }
+            }
+
+        }
+        return ResponseData.error("无权限");
+    }
+
+    protected ShiroUser getShiroUser() {
+        HttpServletRequest httpServletRequest = this.getHttpServletRequest();
+        Object Attr = httpServletRequest.getAttribute("user");
+        ShiroUser user = (ShiroUser) JSONObject.parseObject(Attr.toString(), ShiroUser.class);
+        return user;
+    }
+
+    protected HttpServletRequest getHttpServletRequest() {
+        return HttpKit.getRequest();
+    }
+}
+

service-manager/src/main/java/com/winsun/utils/TreeNodeData.java

@@ -75,7 +75,7 @@ public class TreeNodeData {
 		TreeNode treeNode7 =new TreeNode(7, "区域","order_region", treeNode);
 		TreeNode treeNode8 =new TreeNode(8, "客户姓名","orderName", treeNode);
 		TreeNode treeNode9 =new TreeNode(9, "联系电话","orderPhone", treeNode);
-		TreeNode treeNode10 =new TreeNode(10, "订单状态","status", treeNode);
+		TreeNode treeNode10 =new TreeNode(10, "订单状态","order_status", treeNode);
 		TreeNode treeNode11 =new TreeNode(11, "备注","order_customer_remarks", treeNode);
 		TreeNode treeNode12 =new TreeNode(12, "创建时间","orderDate", treeNode);
 		TreeNode treeNode13 =new TreeNode(13, "支付平台","ipay", treeNode);