fixed: 修复跨级操作角色权限的越权问题

Author: pixelmaxQm

server/api/v1/system/sys_user.go

@@ -285,7 +285,8 @@ func (b *BaseApi) SetUserAuthorities(c *gin.Context) {
 		response.FailWithMessage(err.Error(), c)
 		return
 	}
-	err = userService.SetUserAuthorities(sua.ID, sua.AuthorityIds)
+	authorityID := utils.GetUserAuthorityId(c)
+	err = userService.SetUserAuthorities(authorityID, sua.ID, sua.AuthorityIds)
 	if err != nil {
 		global.GVA_LOG.Error("修改失败!", zap.Error(err))
 		response.FailWithMessage("修改失败", c)
@@ -350,9 +351,9 @@ func (b *BaseApi) SetUserInfo(c *gin.Context) {
 		response.FailWithMessage(err.Error(), c)
 		return
 	}
-
 	if len(user.AuthorityIds) != 0 {
-		err = userService.SetUserAuthorities(user.ID, user.AuthorityIds)
+		authorityID := utils.GetUserAuthorityId(c)
+		err = userService.SetUserAuthorities(authorityID, user.ID, user.AuthorityIds)
 		if err != nil {
 			global.GVA_LOG.Error("设置失败!", zap.Error(err))
 			response.FailWithMessage("设置失败", c)

server/service/system/sys_authority.go

@@ -183,7 +183,7 @@ func (authorityService *AuthorityService) DeleteAuthority(auth *system.SysAuthor
 //@param: info request.PageInfo
 //@return: list interface{}, total int64, err error
 
-func (authorityService *AuthorityService) GetAuthorityInfoList(authorityID uint) (list any, err error) {
+func (authorityService *AuthorityService) GetAuthorityInfoList(authorityID uint) (list []system.SysAuthority, err error) {
 	var authority system.SysAuthority
 	err = global.GVA_DB.Where("authority_id = ?", authorityID).First(&authority).Error
 	if err != nil {
@@ -210,6 +210,24 @@ func (authorityService *AuthorityService) GetAuthorityInfoList(authorityID uint)
 	return authorities, err
 }
 
+//@author: [piexlmax](https://github.com/piexlmax)
+//@function: GetAuthorityInfoList
+//@description: 分页获取数据
+//@param: info request.PageInfo
+//@return: list interface{}, total int64, err error
+
+func (authorityService *AuthorityService) GetStructAuthorityList(authorityID uint) (list []uint, err error) {
+	var authorities []system.SysAuthority
+	err = global.GVA_DB.Preload("DataAuthorityId").Where("parent_id = ?", authorityID).Find(&authorities).Error
+	if len(authorities) > 0 {
+		for k := range authorities {
+			list = append(list, authorities[k].AuthorityId)
+			_, err = authorityService.GetStructAuthorityList(authorities[k].AuthorityId)
+		}
+	}
+	return list, err
+}
+
 //@author: [piexlmax](https://github.com/piexlmax)
 //@function: GetAuthorityInfo
 //@description: 获取所有角色信息
@@ -242,6 +260,22 @@ func (authorityService *AuthorityService) SetDataAuthority(auth system.SysAuthor
 
 func (authorityService *AuthorityService) SetMenuAuthority(auth *system.SysAuthority) error {
 	var s system.SysAuthority
+	if global.GVA_CONFIG.System.UseStrictAuth {
+		authids, err := authorityService.GetStructAuthorityList(auth.AuthorityId)
+		if err != nil {
+			return err
+		}
+		hasAuth := false
+		for _, v := range authids {
+			if v == auth.AuthorityId {
+				hasAuth = true
+				break
+			}
+		}
+		if !hasAuth {
+			return errors.New("您提交的角色ID不合法")
+		}
+	}
 	global.GVA_DB.Preload("SysBaseMenus").First(&s, "authority_id = ?", auth.AuthorityId)
 	err := global.GVA_DB.Model(&s).Association("SysBaseMenus").Replace(&auth.SysBaseMenus)
 	return err

server/service/system/sys_casbin.go

@@ -27,6 +27,24 @@ type CasbinService struct{}
 var CasbinServiceApp = new(CasbinService)
 
 func (casbinService *CasbinService) UpdateCasbin(AuthorityID uint, casbinInfos []request.CasbinInfo) error {
+
+	if global.GVA_CONFIG.System.UseStrictAuth {
+		authids, err := AuthorityServiceApp.GetStructAuthorityList(AuthorityID)
+		if err != nil {
+			return err
+		}
+		hasAuth := false
+		for _, v := range authids {
+			if v == AuthorityID {
+				hasAuth = true
+				break
+			}
+		}
+		if !hasAuth {
+			return errors.New("您提交的角色ID不合法")
+		}
+	}
+
 	authorityId := strconv.Itoa(int(AuthorityID))
 	casbinService.ClearCasbin(0, authorityId)
 	rules := [][]string{}

server/service/system/sys_user.go

@@ -152,7 +152,7 @@ func (userService *UserService) SetUserAuthority(id uint, authorityId uint) (err
 //@param: id uint, authorityIds []string
 //@return: err error
 
-func (userService *UserService) SetUserAuthorities(id uint, authorityIds []uint) (err error) {
+func (userService *UserService) SetUserAuthorities(adminAuthorityID, id uint, authorityIds []uint) (err error) {
 	return global.GVA_DB.Transaction(func(tx *gorm.DB) error {
 		var user system.SysUser
 		TxErr := tx.Where("id = ?", id).First(&user).Error
@@ -164,8 +164,28 @@ func (userService *UserService) SetUserAuthorities(id uint, authorityIds []uint)
 		if TxErr != nil {
 			return TxErr
 		}
+		var childrenIDS []uint
+		if global.GVA_CONFIG.System.UseStrictAuth {
+			childrenIDS, err = AuthorityServiceApp.GetStructAuthorityList(adminAuthorityID)
+			if err != nil {
+				return errors.New("获取当前角色可用角色失败")
+			}
+		}
+
 		var useAuthority []system.SysUserAuthority
 		for _, v := range authorityIds {
+			if global.GVA_CONFIG.System.UseStrictAuth {
+				hasAuth := false
+				for i := range childrenIDS {
+					if childrenIDS[i] == v {
+						hasAuth = true
+						break
+					}
+				}
+				if !hasAuth {
+					return errors.New("您提交的角色ID不合法")
+				}
+			}
 			useAuthority = append(useAuthority, system.SysUserAuthority{
 				SysUserId: id, SysAuthorityAuthorityId: v,
 			})