zzy
/
fjrcloud-community
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

取消越权的限制

master
zzy 2026-04-26 23:12:28 +08:00
parent 36a77d98b3
commit 10d998901c
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
fjrcloud-framework/fjrcloud-spring-boot-starter-biz-tenant/src/main/java/com/fjrcloud/community/framework/tenant/core/security/TenantSecurityWebFilter.java
View File

@ -20,7 +20,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Objects;
import java.util.Set;
/**
@ -78,14 +77,15 @@ public class TenantSecurityWebFilter extends ApiRequestFilter {
tenantId = user.getTenantId();
TenantContextHolder.setTenantId(tenantId);
// 如果传递了租户编号,则进行比对租户编号,避免越权问题
} else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId())) {
log.error("[doFilterInternal][租户({}) User({}/{}) 越权访问租户({}) URL({}/{})]",
user.getTenantId(), user.getId(), user.getUserType(),
TenantContextHolder.getTenantId(), request.getRequestURI(), request.getMethod());
ServletUtils.writeJSON(response, CommonResult.error(GlobalErrorCodeConstants.FORBIDDEN.getCode(),
"您无权访问该租户的数据"));
return;
}
// else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId())) {
// log.error("[doFilterInternal][租户({}) User({}/{}) 越权访问租户({}) URL({}/{})]",
// user.getTenantId(), user.getId(), user.getUserType(),
// TenantContextHolder.getTenantId(), request.getRequestURI(), request.getMethod());
// ServletUtils.writeJSON(response, CommonResult.error(GlobalErrorCodeConstants.FORBIDDEN.getCode(),
// "您无权访问该租户的数据"));
// return;
// }
}
// 2. 超级管理员(系统租户)默认忽略租户隔离,可查询所有数据