fix(system): 增加租户转账下级校验并补充错误码
校验目标租户必须为当前租户下级,新增 TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE 错误码,防止越权转账。
@@ -26,7 +26,7 @@ public class TenantPointsPageReqVO extends PageParam {
private String description;
@Schema(description = "订单 Id/业务单号", example = "84")
private Long orderId;
private String orderId;
@Schema(description = "业务流水号(转账、订单等唯一标识)")
private String bizNo;
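Review bot: `orderId` changes from `Long` to `String` in this hunk, but the commit title and description only mention the subordinate check and the new error code; the type change deserves a line in the description, and `example = "84"` now documents a numeric-looking value for what is a free-form string field. If the backing column is still numeric, the paging mapper will compare a caller-supplied string against it — worth confirming the column type and, if it is numeric, keeping `private Long orderId;`. The enclosing `TenantPointsPageReqVO` class starts before and ends after this hunk.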
@@ -133,6 +133,7 @@ public interface ErrorCodeConstants {
ErrorCode TENANT_BALANCE_TRANSFER_OPERATION_ERROR = new ErrorCode(1_003_017_009, "转账操作失败");
ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR = new ErrorCode(1_003_017_010, "转账密码错误");
ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL = new ErrorCode(1_003_017_011, "转账密码不能为空");
ErrorCode TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE = new ErrorCode(1_003_017_012, "转账目标租户不是当前租户的下级");
@@ -7,9 +7,11 @@ import cn.iocoder.yudao.framework.security.core.LoginUser;
import cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUtils;
import cn.iocoder.yudao.framework.tenant.core.context.TenantContextHolder;
import cn.iocoder.yudao.module.system.controller.admin.tenantbalance.vo.*;
import cn.iocoder.yudao.module.system.dal.dataobject.tenant.TenantDO;
import cn.iocoder.yudao.module.system.dal.dataobject.tenantbalance.TenantBalanceDO;
import cn.iocoder.yudao.module.system.dal.dataobject.tenantpoints.TenantPointsDO;
import cn.iocoder.yudao.module.system.dal.dataobject.user.AdminUserDO;
import cn.iocoder.yudao.module.system.dal.mysql.tenant.TenantMapper;
import cn.iocoder.yudao.module.system.dal.mysql.tenantbalance.TenantBalanceMapper;
import cn.iocoder.yudao.module.system.dal.mysql.tenantpoints.TenantPointsMapper;
import cn.iocoder.yudao.module.system.enums.logger.LoginResultEnum;
@@ -18,12 +20,14 @@ import cn.iocoder.yudao.module.system.util.BizNoGenerator;
import com.baomidou.mybatisplus.core.metadata.IPage;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
import com.mzt.logapi.starter.annotation.LogRecord;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.validation.annotation.Validated;
import javax.annotation.Resource;
import java.util.List;
import java.util.Objects;
import static cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil.exception;
import static cn.iocoder.yudao.module.system.enums.ErrorCodeConstants.*;
@@ -47,6 +51,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
@Resource
private AdminUserService userService;
@Resource
private TenantMapper tenantMapper;
@Override
public Long createTenantBalance(TenantBalanceSaveReqVO createReqVO) {
// 插入
@@ -165,7 +172,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
if (transferReqVO.getPassword().isEmpty()) {
throw exception(TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL);
}
TenantDO targetTenantInfo = tenantMapper.selectById(transferReqVO.getTargetTenantId());
// 获取当前登录用户信息
AdminUserDO user = userService.getUser(loginUserId);
@@ -176,7 +185,11 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
// 获取当前租户ID(转出方)
Long tenantId = TenantContextHolder.getTenantId();
if (!Objects.equals(targetTenantInfo.getParentId(), tenantId)) {
throw exception(TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE);
}
// 校验当前租户钱包是否存在
TenantBalanceDO tenantBalanceDO = tenantBalanceMapper.selectById(tenantId);
if (tenantBalanceDO == null) {
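Review bot: `targetTenantInfo` is dereferenced at `targetTenantInfo.getParentId()` with no null check, so a `targetTenantId` that matches no row makes `tenantMapper.selectById` return null and the transfer dies with a NullPointerException instead of a service error; add, right after the `selectById` call, `if (targetTenantInfo == null) { throw exception(TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE); }` — reusing the same code also keeps the endpoint from revealing whether an arbitrary tenant id exists. The subordinate check additionally passes when both sides are null: if `TenantContextHolder.getTenantId()` can be empty on this call path and top-level tenants carry a null `parentId` (neither of which I can confirm from here), `Objects.equals(null, null)` is true and the transfer goes through, so guard it with `if (tenantId == null || !Objects.equals(targetTenantInfo.getParentId(), tenantId))`. As a point of style, the class now injects `TenantMapper` directly while its other collaborators are services (`userService`); if the module exposes a tenant service with a lookup or validate method, calling that would keep the layering consistent. The transfer method starts before and continues after this hunk.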