
漏洞增加管理员角色判断

新疆警官学校中职
王晓寒 1 settimana fa
parent
commit
440930dc53
5 ha cambiato i file con 77 aggiunte e 70 eliminazioni
  1. +26
    -17
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoController.cs
  2. +12
    -7
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/StuInfoBasicController.cs
  3. +19
    -10
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OrganizationModule/Controllers/UserController.cs
  4. +2
    -6
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_SystemModule/Controllers/DatabaseLinkController.cs
  5. +18
    -30
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_SystemModule/Controllers/DatabaseTableController.cs

+ 26
- 17
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoController.cs Vedi File

@@ -173,15 +173,18 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
public ActionResult GetPageList(string pagination, string queryJson)
{
var user = LoginUserInfo.Get();
if (user.Description == "学生")
if (!user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
{
return Fail("不允许学生查看教师信息");
}
if (user.Description == "教师")
{
var json=queryJson.ToJObject();
json["EmpNo"] = user.enCode;
queryJson=json.ToString();
if (user.Description == "学生")
{
return Fail("不允许学生查看教师信息");
}
if (user.Description == "教师")
{
var json = queryJson.ToJObject();
json["EmpNo"] = user.enCode;
queryJson = json.ToString();
}
}
Pagination paginationobj = pagination.ToObject<Pagination>();
var data = empInfoIBLL.GetPageList(paginationobj, queryJson);
@@ -314,21 +317,27 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
entity.SyncFlag = false;
var model = empInfoIBLL.GetEmpInfoEntityByEmpNo(entity.EmpNo);
var user = LoginUserInfo.Get();
if (user.Description=="学生")
if (!user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
{
return Fail("不允许学生修改教师信息");
}
if (user.Description == "教师")
{
if (string.IsNullOrEmpty(keyValue))
if (user.Description == "学生")
{
return Fail("不允许教师新增教师信息");
return Fail("不允许学生修改教师信息");
}
if (entity.EmpId!=keyValue||entity.EmpNo != user.account)

if (user.Description == "教师")
{
return Fail("只允许教师修改自己的信息");
if (string.IsNullOrEmpty(keyValue))
{
return Fail("不允许教师新增教师信息");
}

if (entity.EmpId != keyValue || entity.EmpNo != user.account)
{
return Fail("只允许教师修改自己的信息");
}
}
}

var model_mobile = empInfoIBLL.GetEmpInfoEntityByMobile(entity.mobile);
if (string.IsNullOrEmpty(keyValue))
{
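Review bot: The administrator role id `"d61e1853-cdee-4d49-a5e1-e230f1098e52"` is pasted as a string literal into both hunks here and again in StuInfoBasicController, UserController, DatabaseLinkController and DatabaseTableController, so a single typo, or a deployment whose admin role carries a different id, silently changes who is treated as an administrator. Hoist it once, e.g. `private const string AdminRoleId = "d61e1853-cdee-4d49-a5e1-e230f1098e52";` on the shared base controller, and compute `bool isAdmin = user.roleIds != null && user.roleIds.Contains(AdminRoleId);` at the top of each action. The null guard matters because `user.roleIds.Contains(...)` throws a NullReferenceException for an account with no roles if roleIds can be null (it presumably can for such accounts; worth confirming against LoginUserInfo), which turns a denial into a 500. If roleIds is a delimited string rather than a collection, `Contains` is a substring test, harmless for a full GUID but not something to reuse for shorter ids. SaveForm in the second hunk continues outside the hunk.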


+ 12
- 7
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/StuInfoBasicController.cs Vedi File

@@ -575,17 +575,22 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
public ActionResult SaveForm(string keyValue, string strEntity)
{
var user = LoginUserInfo.Get();
if (user.Description == "学生")
if (!user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
{
if (string.IsNullOrEmpty(keyValue))
if (user.Description == "学生")
{
return Fail("不允许学生添加信息");
}
if (keyValue!=user.userId)
{
return Fail("不允许学生修改其他学生信息");
if (string.IsNullOrEmpty(keyValue))
{
return Fail("不允许学生添加信息");
}

if (keyValue != user.userId)
{
return Fail("不允许学生修改其他学生信息");
}
}
}

StuInfoBasicEntity entity = strEntity.ToObject<StuInfoBasicEntity>();
entity.SyncFlag = false;
var model = stuInfoBasicIBLL.GetStuInfoBasicEntityByStuNo(entity.StuNo);
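Review bot: The authorization decision in the new block still keys on the display label `user.Description == "学生"`, so a non-admin account whose Description is blank or carries any other label gets no restriction at all, which is the opposite of fail-closed; the commit shows role ids are available on the user, so the student branch should test a role id too (a named constant for the student role, whose value is not on this page) rather than free text. The three nested `if`s can be flattened to one guard per rule, e.g. `if (!isAdmin && user.Description == "学生" && string.IsNullOrEmpty(keyValue)) return Fail("不允许学生添加信息");` with the same shape for `keyValue != user.userId`, which makes the rule readable at a glance. Whether `user.userId` and the `keyValue` a student submits are the same identifier space is not visible here and should be confirmed against the form that calls this action.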


+ 19
- 10
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OrganizationModule/Controllers/UserController.cs Vedi File

@@ -99,15 +99,20 @@ namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
public ActionResult GetPageList(string pagination, string keyword, string companyId, string departmentId, string tp)
{
var user = LoginUserInfo.Get();
if (user.Description == "学生")
{
keyword = user.account;
tp = null;
}
if (user.Description == "教师")
if (!user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
{
tp = "1";
if (user.Description == "学生")
{
keyword = user.account;
tp = null;
}

if (user.Description == "教师")
{
tp = "1";
}
}

Pagination paginationobj = pagination.ToObject<Pagination>();
var data = userIBLL.GetPageList(companyId, departmentId, paginationobj, keyword, tp);
var jsonData = new
@@ -319,13 +324,17 @@ namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
public ActionResult SaveForm(string keyValue, UserEntity entity)
{
var user = LoginUserInfo.Get();
if (user.Description == "学生"|| user.Description == "教师")
if (!user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
{
if (keyValue != user.userId)
if (user.Description == "学生" || user.Description == "教师")
{
return Fail("只允许修改自己的信息");
if (keyValue != user.userId)
{
return Fail("只允许修改自己的信息");
}
}
}

userIBLL.SaveEntity(keyValue, entity);
return Success("保存成功!");
}
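Review bot: In SaveForm the new guard checks only whose record is being written (`keyValue != user.userId`), not which fields a self-editing student or teacher may change, yet `userIBLL.SaveEntity(keyValue, entity)` persists the whole request-bound UserEntity; if that entity carries anything security-relevant (role or department assignments, status flags), a non-admin can set it on their own account through this path. For the non-admin branch, copy only the fields a user is allowed to edit onto the stored entity before saving, or reject the request when any other field differs from the stored value. GetPageList in the first hunk has the same nested-`if` shape as the other files and reads better as `if (!isAdmin && user.Description == "学生") { ... } else if (!isAdmin && user.Description == "教师") { tp = "1"; }`, with the admin flag computed once. GetPageList's body continues outside the hunk.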


+ 2
- 6
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_SystemModule/Controllers/DatabaseLinkController.cs Vedi File

@@ -47,10 +47,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetList(string keyword)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseLinkIBLL.GetListByNoConnection(keyword);
return JsonResult(data);
}
@@ -89,10 +87,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetTreeList()
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseLinkIBLL.GetTreeList();
return JsonResult(data);
}
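Review bot: The rewritten guard in GetList and GetTreeList drops the braces around the single-statement `if`, which the rest of these controllers do not do and which invites the dangling-statement mistake when a logging line is added later; keep `{ return Fail("不允许的操作"); }` braced. More importantly the same two-part condition (`Description != "管理员"` plus the role id) is now repeated per action here and throughout DatabaseTableController, so the two notions of "admin" can drift apart; put it in one helper such as `IsAdmin(user)` on the shared base controller, or better an authorization filter attribute applied at class level so a newly added action cannot omit it. If `user.roleIds` can be null the new condition throws instead of denying, so that helper should null-guard it.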


+ 18
- 30
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_SystemModule/Controllers/DatabaseTableController.cs Vedi File

@@ -32,7 +32,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
/// </summary>
/// <returns></returns>
[HttpGet]
public ActionResult Form() {
public ActionResult Form()
{
return View();
}
/// <summary>
@@ -40,7 +41,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
/// </summary>
/// <returns></returns>
[HttpGet]
public ActionResult TableIndex() {
public ActionResult TableIndex()
{
return View();
}

@@ -85,13 +87,11 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
/// <returns></returns>
[HttpGet]
[AjaxOnly]
public ActionResult GetList(string databaseLinkId,string tableName)
public ActionResult GetList(string databaseLinkId, string tableName)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetTableList(databaseLinkId, tableName);
return JsonResult(data);
}
@@ -106,10 +106,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetDraftList(string queryJson)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = dbDraftIBLL.GetList(queryJson);
return JsonResult(data);
}
@@ -122,12 +120,11 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
/// <returns></returns>
[HttpGet]
[AjaxOnly]
public ActionResult GetFieldList(string databaseLinkId, string tableName) {
public ActionResult GetFieldList(string databaseLinkId, string tableName)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetTableFiledList(databaseLinkId, tableName);
return JsonResult(data);
}
@@ -146,10 +143,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetTableDataList(string databaseLinkId, string tableName, string field, string logic, string keyword, string pagination)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
Pagination paginationobj = pagination.ToObject<Pagination>();
var data = databaseTableIBLL.GetTableDataList(databaseLinkId, tableName, field, logic, keyword, paginationobj);
var jsonData = new
@@ -172,10 +167,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetTableDataAllList(string databaseLinkId, string tableName)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetTableDataList(databaseLinkId, tableName);
return JsonResult(data);
}
@@ -189,10 +182,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetTreeList(string parentId)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetTreeList(parentId);
return JsonResult(data);
}
@@ -205,10 +196,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetFieldTreeList(string databaseLinkId, string tableName)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetFiledTreeList(databaseLinkId, tableName);
return JsonResult(data);
}
@@ -221,10 +210,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
public ActionResult GetSqlColName(string databaseLinkId, string strSql)
{
var user = LoginUserInfo.Get();
if (user.Description != "管理员")
{
if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))
return Fail("不允许的操作");
}
var data = databaseTableIBLL.GetSqlColName(databaseLinkId, strSql);
return JsonResult(data);
}
@@ -264,7 +251,7 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
/// <returns></returns>
[HttpPost]
[AjaxOnly]
public ActionResult SaveTable(string databaseLinkId, string draftId, string tableName,string tableRemark,string strColList)
public ActionResult SaveTable(string databaseLinkId, string draftId, string tableName, string tableRemark, string strColList)
{
List<DatabaseTableFieldModel> colList = strColList.ToObject<List<DatabaseTableFieldModel>>();
string res = databaseTableIBLL.CreateTable(databaseLinkId, tableName, tableRemark, colList);
@@ -276,7 +263,8 @@ namespace Learun.Application.Web.Areas.LR_SystemModule.Controllers
}
return Success("创建成功");
}
else {
else
{
return Fail(res);
}
}
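Review bot: SaveTable (the `@@ -264,7 +251,7` hunk) reaches `databaseTableIBLL.CreateTable(...)` with no `LoginUserInfo.Get()` guard, while every read action in this file now carries one; unless an authorization filter not visible here covers it, a non-admin can create tables even though listing them is denied. Add the same three lines at the top of its body, `var user = LoginUserInfo.Get();` / `if (user.Description != "管理员" && !user.roleIds.Contains("d61e1853-cdee-4d49-a5e1-e230f1098e52"))` / `{ return Fail("不允许的操作"); }`, or, since this file repeats that guard eight times and GetSqlColName accepts caller-supplied SQL, apply a class-level authorization attribute so coverage does not depend on each method remembering it. SaveTable's body continues outside the hunk.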

