From 30bbbfb7298d8a7ed81f565064adea4d704cb127 Mon Sep 17 00:00:00 2001
From: ziin
Date: Mon, 24 Nov 2025 14:28:23 +0800
Subject: [PATCH] =?UTF-8?q?fix(system):=20=E5=A2=9E=E5=8A=A0=E7=A7=9F?=
 =?UTF-8?q?=E6=88=B7=E8=BD=AC=E8=B4=A6=E4=B8=8B=E7=BA=A7=E6=A0=A1=E9=AA=8C?=
 =?UTF-8?q?=E5=B9=B6=E8=A1=A5=E5=85=85=E9=94=99=E8=AF=AF=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

校验目标租户必须为当前租户下级,新增 TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE 错误码,防止越权转账。
---
 .../tenantpoints/vo/TenantPointsPageReqVO.java | 2 +-
 .../module/system/enums/ErrorCodeConstants.java | 1 +
 .../tenantbalance/TenantBalanceServiceImpl.java | 17 +++++++++++++++--
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenantpoints/vo/TenantPointsPageReqVO.java b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenantpoints/vo/TenantPointsPageReqVO.java
index 9162fde..d0cd4b1 100644
--- a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenantpoints/vo/TenantPointsPageReqVO.java
+++ b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenantpoints/vo/TenantPointsPageReqVO.java
@@ -26,7 +26,7 @@ public class TenantPointsPageReqVO extends PageParam {
 private String description;
 
 @Schema(description = "订单 Id/业务单号", example = "84")
- private Long orderId;
+ private String orderId;
 
 @Schema(description = "业务流水号(转账、订单等唯一标识)")
 private String bizNo;
diff --git a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/enums/ErrorCodeConstants.java b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/enums/ErrorCodeConstants.java
index 3e33b79..458f380 100644
--- a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/enums/ErrorCodeConstants.java
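Review bot: The `orderId` type change from `Long` to `String` in TenantPointsPageReqVO is not covered by the commit message, and the diffstat shows no accompanying change to the points DO or mapper, so the page filter may now be compared against a field of a different type. Confirm that the TenantPointsDO field and the mapper's query condition for `orderId` are String as well; if they are still numeric the filter will silently stop matching or fail at query time. A one-line comment above the field stating why the id is a string (the `example = "84"` still reads as numeric) would make the intent clear to the next reader.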
+++ b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/enums/ErrorCodeConstants.java
@@ -133,6 +133,7 @@ public interface ErrorCodeConstants {
 ErrorCode TENANT_BALANCE_TRANSFER_OPERATION_ERROR = new ErrorCode(1_003_017_009, "转账操作失败");
 ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR = new ErrorCode(1_003_017_010, "转账密码错误");
 ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL = new ErrorCode(1_003_017_011, "转账密码不能为空");
+ ErrorCode TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE = new ErrorCode(1_003_017_012, "转账目标租户不是当前租户的下级");
diff --git a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/service/tenantbalance/TenantBalanceServiceImpl.java b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/service/tenantbalance/TenantBalanceServiceImpl.java
index 400c6b8..35aa5ec 100644
--- a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/service/tenantbalance/TenantBalanceServiceImpl.java
+++ b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/service/tenantbalance/TenantBalanceServiceImpl.java
@@ -7,9 +7,11 @@ import cn.iocoder.yudao.framework.security.core.LoginUser;
 import cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUtils;
 import cn.iocoder.yudao.framework.tenant.core.context.TenantContextHolder;
 import cn.iocoder.yudao.module.system.controller.admin.tenantbalance.vo.*;
+import cn.iocoder.yudao.module.system.dal.dataobject.tenant.TenantDO;
 import cn.iocoder.yudao.module.system.dal.dataobject.tenantbalance.TenantBalanceDO;
 import cn.iocoder.yudao.module.system.dal.dataobject.tenantpoints.TenantPointsDO;
 import cn.iocoder.yudao.module.system.dal.dataobject.user.AdminUserDO;
+import cn.iocoder.yudao.module.system.dal.mysql.tenant.TenantMapper;
 import cn.iocoder.yudao.module.system.dal.mysql.tenantbalance.TenantBalanceMapper;
 import cn.iocoder.yudao.module.system.dal.mysql.tenantpoints.TenantPointsMapper;
 import cn.iocoder.yudao.module.system.enums.logger.LoginResultEnum;
@@ -18,12 +20,14 @@ import cn.iocoder.yudao.module.system.util.BizNoGenerator;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.mzt.logapi.starter.annotation.LogRecord;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.validation.annotation.Validated;
 
 import javax.annotation.Resource;
 import java.util.List;
+import java.util.Objects;
 
 import static cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil.exception;
 import static cn.iocoder.yudao.module.system.enums.ErrorCodeConstants.*;
@@ -47,6 +51,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
 @Resource
 private AdminUserService userService;
 
+ @Resource
+ private TenantMapper tenantMapper;
+
 @Override
 public Long createTenantBalance(TenantBalanceSaveReqVO createReqVO) {
 // 插入
@@ -165,7 +172,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
 if (transferReqVO.getPassword().isEmpty()) {
 throw exception(TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL);
 }
- TenantDO targetTenantInfo = tenantMapper.selectById(transferReqVO.getTargetTenantId());
+
+
 // 获取当前登录用户信息
 AdminUserDO user = userService.getUser(loginUserId);
@@ -176,7 +185,11 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
 // 获取当前租户ID(转出方)
 Long tenantId = TenantContextHolder.getTenantId();
-
+
+ if (!Objects.equals(targetTenantInfo.getParentId(), tenantId)) {
+ throw exception(TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE);
+ }
+
 // 校验当前租户钱包是否存在
 TenantBalanceDO tenantBalanceDO = tenantBalanceMapper.selectById(tenantId);
 if (tenantBalanceDO == null) {
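Review bot: `import org.springframework.beans.factory.annotation.Autowired;` added in the `@@ -18,12 +20,14 @@` hunk is unused — the new `tenantMapper` field in the following hunk is injected with `@Resource`, the same way as the existing `userService` field. Drop the import so the file keeps its single `javax.annotation.Resource` injection style and does not trip unused-import lint.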
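Review bot: `tenantMapper.selectById(transferReqVO.getTargetTenantId())` in the `@@ -165,7 +172,9 @@` hunk is never checked for null, so a target id that does not exist reaches `targetTenantInfo.getParentId()` in the next hunk and fails with a NullPointerException instead of a clean service error. Add the guard directly after the lookup: `if (targetTenantInfo == null) { throw exception(TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE); }` — reusing the new code also keeps a non-existent tenant indistinguishable from a non-subordinate one for the caller. The two added blank lines after the lookup can be collapsed to one. In this rendering the lookup line carries a `-` marker, but given the newly imported TenantDO and TenantMapper it must be an addition; the enclosing transfer method starts and ends outside the hunk.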
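Review bot: `Objects.equals(targetTenantInfo.getParentId(), tenantId)` in the `@@ -176,7 +185,11 @@` hunk treats a null parent and a null sender as equal, so if `TenantContextHolder.getTenantId()` can return null on this path (not visible here) a top-level tenant with no parent would pass the subordinate check. Reject a missing sender tenant explicitly: `if (tenantId == null || !Objects.equals(targetTenantInfo.getParentId(), tenantId)) {`. The check also accepts only direct children; if "下级" is meant to include deeper descendants the comparison needs to walk the hierarchy, and a one-line comment such as `// 仅允许向直接下级租户转账` above the check would record which is intended. The enclosing method ends outside the hunk.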