fix(system): 增加租户转账下级校验并补充错误码

校验目标租户必须为当前租户下级,新增 TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE 错误码,防止越权转账。
2025-11-24 14:28:23 +08:00
parent 500feb74cb
commit 30bbbfb729
3 changed files with 17 additions and 3 deletions


@@ -26,7 +26,7 @@ public class TenantPointsPageReqVO extends PageParam {
private String description; private String description;
@Schema(description = "订单 Id/业务单号", example = "84") @Schema(description = "订单 Id/业务单号", example = "84")
private Long orderId; private String orderId;
@Schema(description = "业务流水号(转账、订单等唯一标识)") @Schema(description = "业务流水号(转账、订单等唯一标识)")
private String bizNo; private String bizNo;
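Review bot: The type change of `orderId` from `Long` to `String` in TenantPointsPageReqVO is not mentioned in the commit message, and the diffstat lists only this VO, ErrorCodeConstants and TenantBalanceServiceImpl, so no DO or mapper was adjusted alongside it. If the points DO field or the underlying column is still numeric, the page query presumably now compares a numeric column against a string parameter — confirm the mapper side, or move this change into its own commit with a note on why the type widened. The `@Schema` example `"84"` still reads as numeric, which is fine only if numeric-looking values remain the intent.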


@@ -133,6 +133,7 @@ public interface ErrorCodeConstants {
ErrorCode TENANT_BALANCE_TRANSFER_OPERATION_ERROR = new ErrorCode(1_003_017_009, "转账操作失败"); ErrorCode TENANT_BALANCE_TRANSFER_OPERATION_ERROR = new ErrorCode(1_003_017_009, "转账操作失败");
ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR = new ErrorCode(1_003_017_010, "转账密码错误"); ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR = new ErrorCode(1_003_017_010, "转账密码错误");
ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL = new ErrorCode(1_003_017_011, "转账密码不能为空"); ErrorCode TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL = new ErrorCode(1_003_017_011, "转账密码不能为空");
ErrorCode TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE = new ErrorCode(1_003_017_012, "转账目标租户不是当前租户的下级");
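Review bot: The new constant breaks the naming pattern of its siblings in this hunk, which place `ERROR` as the suffix (`..._OPERATION_ERROR`, `..._PASSWORD_ERROR`); here `ERROR` sits in the middle of the name. A consistent name would be `TENANT_BALANCE_TRANSFER_TARGET_NOT_SUBORDINATE_ERROR`, with the single use in TenantBalanceServiceImpl renamed to match. Code 1_003_017_012 itself follows the sequence correctly.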


@@ -7,9 +7,11 @@ import cn.iocoder.yudao.framework.security.core.LoginUser;
import cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUtils; import cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUtils;
import cn.iocoder.yudao.framework.tenant.core.context.TenantContextHolder; import cn.iocoder.yudao.framework.tenant.core.context.TenantContextHolder;
import cn.iocoder.yudao.module.system.controller.admin.tenantbalance.vo.*; import cn.iocoder.yudao.module.system.controller.admin.tenantbalance.vo.*;
import cn.iocoder.yudao.module.system.dal.dataobject.tenant.TenantDO;
import cn.iocoder.yudao.module.system.dal.dataobject.tenantbalance.TenantBalanceDO; import cn.iocoder.yudao.module.system.dal.dataobject.tenantbalance.TenantBalanceDO;
import cn.iocoder.yudao.module.system.dal.dataobject.tenantpoints.TenantPointsDO; import cn.iocoder.yudao.module.system.dal.dataobject.tenantpoints.TenantPointsDO;
import cn.iocoder.yudao.module.system.dal.dataobject.user.AdminUserDO; import cn.iocoder.yudao.module.system.dal.dataobject.user.AdminUserDO;
import cn.iocoder.yudao.module.system.dal.mysql.tenant.TenantMapper;
import cn.iocoder.yudao.module.system.dal.mysql.tenantbalance.TenantBalanceMapper; import cn.iocoder.yudao.module.system.dal.mysql.tenantbalance.TenantBalanceMapper;
import cn.iocoder.yudao.module.system.dal.mysql.tenantpoints.TenantPointsMapper; import cn.iocoder.yudao.module.system.dal.mysql.tenantpoints.TenantPointsMapper;
import cn.iocoder.yudao.module.system.enums.logger.LoginResultEnum; import cn.iocoder.yudao.module.system.enums.logger.LoginResultEnum;
@@ -18,12 +20,14 @@ import cn.iocoder.yudao.module.system.util.BizNoGenerator;
import com.baomidou.mybatisplus.core.metadata.IPage; import com.baomidou.mybatisplus.core.metadata.IPage;
import com.baomidou.mybatisplus.extension.plugins.pagination.Page; import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
import com.mzt.logapi.starter.annotation.LogRecord; import com.mzt.logapi.starter.annotation.LogRecord;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
import org.springframework.validation.annotation.Validated; import org.springframework.validation.annotation.Validated;
import javax.annotation.Resource; import javax.annotation.Resource;
import java.util.List; import java.util.List;
import java.util.Objects;
import static cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil.exception; import static cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil.exception;
import static cn.iocoder.yudao.module.system.enums.ErrorCodeConstants.*; import static cn.iocoder.yudao.module.system.enums.ErrorCodeConstants.*;
@@ -47,6 +51,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
@Resource @Resource
private AdminUserService userService; private AdminUserService userService;
@Resource
private TenantMapper tenantMapper;
@Override @Override
public Long createTenantBalance(TenantBalanceSaveReqVO createReqVO) { public Long createTenantBalance(TenantBalanceSaveReqVO createReqVO) {
// 插入 // 插入
@@ -165,7 +172,9 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
if (transferReqVO.getPassword().isEmpty()) { if (transferReqVO.getPassword().isEmpty()) {
throw exception(TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL); throw exception(TENANT_BALANCE_TRANSFER_PASSWORD_ERROR_IS_NULL);
} }
TenantDO targetTenantInfo = tenantMapper.selectById(transferReqVO.getTargetTenantId());
// 获取当前登录用户信息 // 获取当前登录用户信息
AdminUserDO user = userService.getUser(loginUserId); AdminUserDO user = userService.getUser(loginUserId);
@@ -176,7 +185,11 @@ public class TenantBalanceServiceImpl implements TenantBalanceService {
// 获取当前租户ID转出方 // 获取当前租户ID转出方
Long tenantId = TenantContextHolder.getTenantId(); Long tenantId = TenantContextHolder.getTenantId();
if (!Objects.equals(targetTenantInfo.getParentId(), tenantId)) {
throw exception(TENANT_BALANCE_TRANSFER_ERROR_TARGET_NOT_SUBORDINATE);
}
// 校验当前租户钱包是否存在 // 校验当前租户钱包是否存在
TenantBalanceDO tenantBalanceDO = tenantBalanceMapper.selectById(tenantId); TenantBalanceDO tenantBalanceDO = tenantBalanceMapper.selectById(tenantId);
if (tenantBalanceDO == null) { if (tenantBalanceDO == null) {
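Review bot: `targetTenantInfo` is dereferenced in the new parent check in the `@@ -176,7 +185,11 @@` hunk without a null guard, so a transfer request naming a tenant id that does not exist makes `tenantMapper.selectById` return null and the check fails with a NullPointerException instead of a service error. Since a missing tenant is not a subordinate either, the new error code can cover both cases: `if (targetTenantInfo == null || !Objects.equals(targetTenantInfo.getParentId(), tenantId)) {`. Separately, if `TenantContextHolder.getTenantId()` can be null at this point (for example when the tenant context is ignored), `Objects.equals` would compare null with the null `parentId` of a top-level tenant and let the transfer through, so the check presumably should also require a non-null `tenantId` — worth confirming against how this method is reached. The transfer method's body starts and ends outside these hunks.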