diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/AssetController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/AssetController.java
index 78ec50070..ec40c7a6e 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/AssetController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/AssetController.java
@@ -22,6 +22,7 @@ import com.ruoyi.xkt.service.IAssetService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -41,6 +42,7 @@ public class AssetController extends XktBaseController {
 @Autowired
 private FsNotice fsNotice;
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口资产")
 @GetMapping(value = "store/current")
 public R getCurrentStoreAsset() {
@@ -48,6 +50,7 @@ public class AssetController extends XktBaseController {
 return success(BeanUtil.toBean(dto, AssetInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation(value = "卖家资产")
 @GetMapping(value = "user/current")
 public R getCurrentUserAsset() {
@@ -55,6 +58,7 @@ public class AssetController extends XktBaseController {
 return success(BeanUtil.toBean(dto, AssetInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('store,seller')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "发送短信验证码(资产相关功能)")
 @PostMapping("/sendSmsVerificationCode")
 public R sendSmsVerificationCode(@Validated @RequestBody PhoneNumberVO vo) {
@@ -62,6 +66,7 @@ public class AssetController extends XktBaseController {
 return R.ok();
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口绑定支付宝")
 @PostMapping(value = "store/alipay/bind")
 public R bindStoreAlipay(@Validated @RequestBody AlipayStoreBindVO vo) {
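Review bot: The new role gate on `sendSmsVerificationCode` still lets any store/seller account trigger a verification SMS to a caller-chosen number, because the target phone arrives in the `PhoneNumberVO` request body rather than being derived from the authenticated account; the method body is outside the hunk, so whether it binds the number to the caller's registered phone or rate-limits per account and per number cannot be confirmed here. For asset operations (Alipay binding, transaction password, withdrawal) the number should come from the store/seller record of `SecurityUtils.getUserId()` rather than from `vo`, and the endpoint needs a per-account and per-number send quota so it cannot be used as an SMS-bombing relay. A short comment above the annotation, e.g. `// role gate only; target number is validated against the caller's bound phone in the service`, would document whichever of those the service actually does. The `'store,seller'` argument relies on `hasAnyRoles` splitting on commas, which is worth a one-line comment for readers unfamiliar with the RuoYi helper.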
@@ -71,6 +76,7 @@ public class AssetController extends XktBaseController {
 return success(BeanUtil.toBean(assetService.bindAlipay(dto), AssetInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation(value = "卖家绑定支付宝")
 @PostMapping(value = "user/alipay/bind")
 public R bindUserAlipay(@Validated @RequestBody AlipayUserBindVO vo) {
@@ -80,6 +86,7 @@ public class AssetController extends XktBaseController {
 return success(BeanUtil.toBean(assetService.bindAlipay(dto), AssetInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口设置交易密码")
 @PostMapping(value = "store/transaction-password/set")
 public R setTransactionPassword(@Validated @RequestBody TransactionPasswordSetVO vo) {
@@ -88,6 +95,7 @@ public class AssetController extends XktBaseController {
 return success(BeanUtil.toBean(assetService.setTransactionPassword(dto), AssetInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口支付宝提现")
 @PostMapping(value = "store/alipay/withdraw")
 public R withdrawByAlipay(@Validated @RequestBody WithdrawReqVO vo) {
@@ -106,6 +114,7 @@ public class AssetController extends XktBaseController {
 return success();
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口交易明细")
 @PostMapping("store/trans-detail/page")
 public R> pageStoreTransDetail(@Validated @RequestBody BasePageVO vo) {
@@ -115,6 +124,7 @@ public class AssetController extends XktBaseController {
 return success(PageVO.of(pageDTO, TransDetailStorePageItemVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation(value = "卖家交易明细")
 @PostMapping("user/trans-detail/page")
 public R> pageUserTransDetail(@Validated @RequestBody BasePageVO vo) {
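Review bot: `store/alipay/withdraw` and `store/transaction-password/set` are granted to `@ss.hasSupplierSubRole()` on exactly the same terms as the primary `store` role, so a supplier sub-account can both reset the transaction password and move money out of the store's balance; the withdraw body is outside the hunk, so whether it additionally demands the transaction password or an SMS code is not visible. Least privilege would keep the two money-moving endpoints at `@PreAuthorize("@ss.hasAnyRoles('store')")` (or a dedicated withdraw permission) unless sub-accounts are explicitly meant to withdraw, in which case a comment such as `// sub-accounts may withdraw by design; second factor is enforced in assetService` belongs above the annotation. The read-only `store/trans-detail/page` endpoint is fine for the sub-role.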
@@ -124,6 +134,7 @@ public class AssetController extends XktBaseController {
 return success(PageVO.of(pageDTO, TransDetailUserPageItemVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口充值")
 @PostMapping(value = "store/recharge")
 public R rechargeByStore(@Validated @RequestBody StoreRechargeReqVO vo) {
@@ -137,6 +148,7 @@ public class AssetController extends XktBaseController {
 result.getPayRtnStr()));
 }
+ @PreAuthorize("@ss.hasAnyRoles('store')||@ss.hasSupplierSubRole()")
 @ApiOperation(value = "档口充值结果")
 @PostMapping(value = "store/recharge/result")
 public R getRechargeResult(@Validated @RequestBody StoreRechargeResultReqVO vo) {
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/StoreOrderController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/StoreOrderController.java
index 26b176cb5..769c05c9c 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/StoreOrderController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/StoreOrderController.java
@@ -39,6 +39,7 @@ import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
@@ -86,8 +87,9 @@ public class StoreOrderController extends XktBaseController {
 public R edit(@Valid @RequestBody StoreOrderUpdateReqVO vo) {
 StoreOrderUpdateDTO dto = BeanUtil.toBean(vo, StoreOrderUpdateDTO.class);
 dto.setOrderUserId(SecurityUtils.getUserId());
+ //仅本人可修改
+ storeOrderService.checkOrderUser(dto.getId(), dto.getOrderUserId());
 StoreOrderExt result = storeOrderService.modifyOrder(dto);
- //TODO 非下单人,不允许修改
 return success(result.getOrder().getId());
 }
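Review bot: The role gate on `store/recharge/result` authorizes the caller as some store, but nothing in the hunk ties the recharge being queried (whatever id `StoreRechargeResultReqVO` carries) to `SecurityUtils.getStoreId()`; the body is outside the hunk, so the service may already filter on it. If it does not, any store account can poll another store's recharge status and learn amounts and payment state, which is the same ownership gap this commit closes for orders with `checkOrderStore`. A comment above the annotation such as `// role gate only; the recharge record is matched to the caller's store in assetService` would make the responsibility explicit, and the same question applies to `store/recharge` if its request can name a store.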
@@ -96,6 +98,8 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("支付订单")
 @PostMapping("pay")
 public R pay(@Valid @RequestBody StoreOrderPayReqVO vo) {
+ //仅本人可支付
+ storeOrderService.checkOrderUser(vo.getStoreOrderId(), SecurityUtils.getUserId());
 EPayChannel payChannel = EPayChannel.of(vo.getPayChannel());
 PaymentManager paymentManager = getPaymentManager(payChannel);
 //订单支付状态->支付中
@@ -115,8 +119,9 @@ public class StoreOrderController extends XktBaseController {
 .storeOrderId(vo.getStoreOrderId()) .operatorId(SecurityUtils.getUserId()) .build();
+ //仅本人可取消
+ storeOrderService.checkOrderUser(dto.getStoreOrderId(), dto.getOperatorId());
 storeOrderService.cancelOrder(dto);
- //TODO 非下单人,不允许取消
 return success();
 }
@@ -124,8 +129,13 @@ public class StoreOrderController extends XktBaseController {
 @GetMapping(value = "/{id}")
 public R getInfo(@PathVariable("id") Long id) {
 StoreOrderInfoDTO infoDTO = storeOrderService.getInfo(id);
- //TODO 非下单人,非所属档口不允许查询
- return success(BeanUtil.toBean(infoDTO, StoreOrderInfoVO.class));
+ if (SecurityUtils.isAdmin() || Objects.equals(infoDTO.getOrderUserId(), SecurityUtils.getUserId()) || Objects.equals(infoDTO.getStoreId(), SecurityUtils.getStoreId())) {
+ return success(BeanUtil.toBean(infoDTO, StoreOrderInfoVO.class));
+ }
+ //没有订单权限
+ return success();
 }
@@ -138,7 +148,12 @@ public class StoreOrderController extends XktBaseController {
 if (1 == vo.getSrcPage()) {
 queryDTO.setOrderUserId(SecurityUtils.getUserId());
 } else {
- queryDTO.setStoreId(SecurityUtils.getStoreId());
+ Long storeId = SecurityUtils.getStoreId();
+ if (storeId == null && !SecurityUtils.isAdmin()) {
+ //没有权限
+ return success();
+ }
+ queryDTO.setStoreId(storeId);
 }
 Page pageDTO = storeOrderService.page(queryDTO);
 return success(PageVO.of(pageDTO, StoreOrderPageItemVO.class));
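Review bot: In `getInfo` the store branch `Objects.equals(infoDTO.getStoreId(), SecurityUtils.getStoreId())` is true when both sides are null, and the `page` hunk just below shows `getStoreId()` is nullable for non-store users, so a seller would pass this check for any order whose `storeId` is null — whether such rows exist cannot be confirmed here, but the guard should not depend on it: `|| (SecurityUtils.getStoreId() != null && Objects.equals(infoDTO.getStoreId(), SecurityUtils.getStoreId()))`. The denial path `return success();` answers HTTP 200 with an empty body, unlike `checkOrderUser`/`checkOrderStore` which throw `ServiceException`; a silent empty success hides authorization failures from clients and from logs, so throwing the same exception (or a 403) would be more consistent and more detectable. Note also that `infoDTO` is dereferenced before the check, so an unknown id will NPE unless `storeOrderService.getInfo` throws on not-found.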
@@ -149,7 +164,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("发货-平台物流")
 @PostMapping("ship/platform")
 public R> shipByPlatform(@Valid @RequestBody StoreOrderShipByPlatformReqVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderId(), SecurityUtils.getStoreId());
+ }
 StoreOrderExt orderExt = storeOrderService.shipOrderByPlatform(vo.getStoreOrderId(), vo.getStoreOrderDetailIds(), vo.getExpressId(), SecurityUtils.getUserId());
 List respList = new ArrayList<>(vo.getStoreOrderDetailIds().size());
@@ -166,7 +184,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("发货-档口物流")
 @PostMapping("ship/store")
 public R> shipByStore(@Valid @RequestBody StoreOrderShipByStoreReqVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderId(), SecurityUtils.getStoreId());
+ }
 StoreOrderExt orderExt = storeOrderService.shipOrderByStore(vo.getStoreOrderId(), vo.getStoreOrderDetailIds(), vo.getExpressId(), vo.getExpressWaybillNo(), SecurityUtils.getUserId());
 List respList = new ArrayList<>(vo.getStoreOrderDetailIds().size());
@@ -183,7 +204,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("打印面单")
 @PostMapping("ship/print")
 public R> print(@Valid @RequestBody StoreOrderPrintReqVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderDetailIds(), SecurityUtils.getStoreId());
+ }
 List dtoList = storeOrderService.printOrder(vo.getStoreOrderDetailIds());
 List rtnList = dtoList.stream().map(o -> {
 StoreOrderPrintRespVO rtn = new StoreOrderPrintRespVO();
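Review bot: The new guard in `shipByPlatform` checks only `vo.getStoreOrderId()` against the caller's store, while the call on the next line also consumes `vo.getStoreOrderDetailIds()`, and nothing in the hunk ties those detail ids to that order — whether `shipOrderByPlatform` verifies `detail.storeOrderId == storeOrderId` is outside the hunk. If it does not, a store can name its own order id together with another store's detail ids and ship lines it does not own. The `checkOrderStore(Collection, Long)` overload added in this commit already covers that case, so the cheap fix is a second call inside the same `if`, `storeOrderService.checkOrderStore(vo.getStoreOrderDetailIds(), SecurityUtils.getStoreId());`, and `shipByStore` needs the identical addition. `print` checks the detail ids directly and is fine; the `shipByPlatform` and `shipByStore` bodies continue past the hunk.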
@@ -199,7 +223,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("确认收货")
 @PostMapping("receipt")
 public R receipt(@Valid @RequestBody StoreOrderReceiptReqVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderId(), SecurityUtils.getStoreId());
+ }
 storeOrderService.receiptOrder(vo.getStoreOrderId(), SecurityUtils.getUserId());
 return success();
 }
@@ -209,7 +236,8 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("申请售后(创建售后订单)")
 @PostMapping("refund/apply")
 public R applyRefund(@Valid @RequestBody StoreOrderAfterSaleReqVO vo) {
- //TODO 权限
+ //仅本人可操作
+ storeOrderService.checkOrderUser(vo.getStoreOrderId(), SecurityUtils.getUserId());
 StoreOrderAfterSaleDTO dto = BeanUtil.toBean(vo, StoreOrderAfterSaleDTO.class);
 dto.setOperatorId(SecurityUtils.getUserId());
 //创建售后订单
@@ -245,7 +273,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("确认退款")
 @PostMapping("refund/confirm")
 public R confirmRefund(@Valid @RequestBody StoreOrderRefundConfirmVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderId(), SecurityUtils.getStoreId());
+ }
 StoreOrderRefundConfirmDTO dto = BeanUtil.toBean(vo, StoreOrderRefundConfirmDTO.class);
 dto.setOperatorId(SecurityUtils.getUserId());
 //支付宝接口要求:同一笔交易的退款至少间隔3s后发起
@@ -277,7 +308,10 @@ public class StoreOrderController extends XktBaseController {
 @ApiOperation("拒绝退款")
 @PostMapping("refund/reject")
 public R rejectRefund(@Valid @RequestBody StoreOrderRefundRejectVO vo) {
- //TODO 权限
+ if (!SecurityUtils.isAdmin()) {
+ //仅档口可操作
+ storeOrderService.checkOrderStore(vo.getStoreOrderId(), SecurityUtils.getStoreId());
+ }
 StoreOrderRefundRejectDTO dto = BeanUtil.toBean(vo, StoreOrderRefundRejectDTO.class);
 dto.setOperatorId(SecurityUtils.getUserId());
 storeOrderService.rejectRefundOrder(dto);
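Review bot: The `if (!SecurityUtils.isAdmin()) { storeOrderService.checkOrderStore(...) }` block is now copied verbatim into `receipt`, `confirmRefund`, `rejectRefund` and the three ship/print endpoints, and seven hand-written copies of an authorization idiom is exactly where one endpoint later drifts from the rest. A private helper in the controller, `private void requireStoreAccess(Long storeOrderId) { if (!SecurityUtils.isAdmin()) { storeOrderService.checkOrderStore(storeOrderId, SecurityUtils.getStoreId()); } }`, keeps the admin bypass in one place and gives a single spot to add audit logging of which account acted on which store's order. `confirmRefund` is the one that moves money (the Alipay comment follows it), so it is also where an English comment such as `// store owner or admin only: this triggers an Alipay refund` earns its keep; the `confirmRefund` and `rejectRefund` bodies continue past the hunk.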
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAccountController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAccountController.java
index e71c96399..c9921f232 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAccountController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAccountController.java
@@ -21,8 +21,8 @@ import java.util.List;
 * @author ruoyi
 * @date 2025-03-26
 */
-@RestController
-@RequestMapping("/rest/v1/user-accs")
+//@RestController
+//@RequestMapping("/rest/v1/user-accs")
 public class UserAccountController extends XktBaseController {
 @Autowired
 private IUserAccountService userAccountService;
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAddressController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAddressController.java
index 1da7fefca..4386b0dfe 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAddressController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/xkt/UserAddressController.java
@@ -13,6 +13,7 @@ import com.ruoyi.xkt.service.IUserAddressService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
@@ -31,6 +32,7 @@ public class UserAddressController extends XktBaseController {
 @Autowired
 private IUserAddressService userAddressService;
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation("创建用户收货地址")
 @PostMapping("create")
 public R create(@Valid @RequestBody UserAddressCreateVO vo) {
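Review bot: Commenting out `@RestController` and `@RequestMapping` does unmap the `/rest/v1/user-accs` endpoints, but it leaves a dead class behind (still `extends XktBaseController`, still `@Autowired` on `IUserAccountService`) that any future uncomment re-exposes without the authorization work the rest of this commit adds elsewhere. Either delete `UserAccountController` outright, since git keeps the history, or if it is coming back put a comment above the class that states the condition for re-enabling it, e.g. `// Disabled pending authorization review; do not re-enable without @PreAuthorize and per-account ownership checks`. No other stereotype annotation is visible on the class, so it should no longer be registered as a bean, which appears to be the intent.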
@@ -39,37 +41,44 @@ public class UserAddressController extends XktBaseController {
 return success(BeanUtil.toBean(userAddressService.createUserAddress(dto), UserAddressInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation("修改用户收货地址")
 @PostMapping("edit")
 public R edit(@Valid @RequestBody UserAddressModifyVO vo) {
 UserAddressInfoDTO dto = BeanUtil.toBean(vo, UserAddressInfoDTO.class);
 dto.setUserId(SecurityUtils.getUserId());
- //TODO 非本人不允许修改
+ userAddressService.checkOwner(dto.getId(), dto.getUserId());
 return success(BeanUtil.toBean(userAddressService.modifyUserAddress(dto), UserAddressInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation("复制用户收货地址")
 @PostMapping("copy")
 public R copy(@Valid @RequestBody IdVO vo) {
+ userAddressService.checkOwner(vo.getId(), SecurityUtils.getUserId());
 UserAddressInfoDTO dto = userAddressService.copyUserAddress(vo.getId());
 return success(BeanUtil.toBean(dto, UserAddressInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation("删除用户收货地址")
 @PostMapping("delete")
 public R delete(@Valid @RequestBody IdVO vo) {
+ userAddressService.checkOwner(vo.getId(), SecurityUtils.getUserId());
 userAddressService.deleteUserAddress(vo.getId());
 return success();
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation(value = "用户收货地址详情")
 @GetMapping("/{id}")
 public R getInfo(@PathVariable("id") Long id) {
+ userAddressService.checkOwner(id, SecurityUtils.getUserId());
 UserAddressInfoDTO infoDTO = userAddressService.getUserAddress(id);
- //TODO 非本人不允许查询
 return success(BeanUtil.toBean(infoDTO, UserAddressInfoVO.class));
 }
+ @PreAuthorize("@ss.hasAnyRoles('seller')")
 @ApiOperation(value = "用户收货地址列表")
 @PostMapping("/list")
 public R> list() {
diff --git a/xkt/src/main/java/com/ruoyi/xkt/service/IStoreOrderService.java b/xkt/src/main/java/com/ruoyi/xkt/service/IStoreOrderService.java
index ca718e177..be94d17e9 100644
--- a/xkt/src/main/java/com/ruoyi/xkt/service/IStoreOrderService.java
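Review bot: The `checkOwner` calls in `edit`, `copy`, `delete` and `getInfo` are correctly placed before the call they protect, but `edit` hands `dto.getId()` straight through from `UserAddressModifyVO`, and if that field is not `@NotNull` (the VO is outside the hunk) a missing id reaches `selectById(null)`, finds nothing, and — as the `UserAddressServiceImpl` hunk in this commit shows — `checkOwner` then returns without objecting, so the ownership gate collapses to whatever `modifyUserAddress` does with a null id. A `@NotNull` on the VO's `id` or an explicit `Assert.notNull(dto.getId(), "id required");` before the check closes that path at the controller. `list()` begins on the last line of the hunk and its body is outside view.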
+++ b/xkt/src/main/java/com/ruoyi/xkt/service/IStoreOrderService.java
@@ -8,6 +8,7 @@ import com.ruoyi.xkt.enums.EPayChannel;
 import com.ruoyi.xkt.enums.EPayPage;
 import java.math.BigDecimal;
+import java.util.Collection;
 import java.util.Date;
 import java.util.List;
@@ -193,4 +194,28 @@ public interface IStoreOrderService {
 * @return
 */
 List listNeedContinueRefundOrder(Integer count);
+
+ /**
+ * 订单是否属于用户
+ *
+ * @param storeOrderId
+ * @param userId
+ */
+ void checkOrderUser(Long storeOrderId, Long userId);
+
+ /**
+ * 订单是否属于档口
+ *
+ * @param storeOrderId
+ * @param storeId
+ */
+ void checkOrderStore(Long storeOrderId, Long storeId);
+
+ /**
+ * 订单明细是否属于档口
+ *
+ * @param storeOrderDetailIds
+ * @param storeId
+ */
+ void checkOrderStore(Collection storeOrderDetailIds, Long storeId);
 }
diff --git a/xkt/src/main/java/com/ruoyi/xkt/service/IUserAddressService.java b/xkt/src/main/java/com/ruoyi/xkt/service/IUserAddressService.java
index a2d2c5be5..eee7b1205 100644
--- a/xkt/src/main/java/com/ruoyi/xkt/service/IUserAddressService.java
+++ b/xkt/src/main/java/com/ruoyi/xkt/service/IUserAddressService.java
@@ -57,4 +57,12 @@ public interface IUserAddressService {
 * @param id
 */
 void deleteUserAddress(Long id);
+
+ /**
+ * 校验地址归属
+ *
+ * @param id
+ * @param userId
+ */
+ void checkOwner(Long id, Long userId);
 }
diff --git a/xkt/src/main/java/com/ruoyi/xkt/service/impl/StoreOrderServiceImpl.java b/xkt/src/main/java/com/ruoyi/xkt/service/impl/StoreOrderServiceImpl.java
index d524f0870..d4eeb20fa 100644
--- a/xkt/src/main/java/com/ruoyi/xkt/service/impl/StoreOrderServiceImpl.java
+++ b/xkt/src/main/java/com/ruoyi/xkt/service/impl/StoreOrderServiceImpl.java
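Review bot: The Javadoc on the three new `checkOrder*` methods (and on `IUserAddressService.checkOwner` in the next hunk) phrases each as a question — "订单是否属于用户" — but the methods return `void` and report failure by throwing, which is the one thing a caller must know, and every `@param` tag is left blank. Suggested English Javadoc for `checkOrderUser`: "Verify that the order was placed by the given user. @param storeOrderId id of the order to check @param userId id of the acting user @throws ServiceException if the order belongs to a different user", plus one sentence stating what happens when the order does not exist. The same shape fits both `checkOrderStore` overloads, and for `checkOwner` the doc should state explicitly whether an unknown address id is accepted or rejected, since callers gate mutations on it.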
@@ -1323,6 +1323,34 @@ public class StoreOrderServiceImpl implements IStoreOrderService {
 return storeOrderRefunds;
 }
+ @Override
+ public void checkOrderUser(Long storeOrderId, Long userId) {
+ StoreOrder order = storeOrderMapper.selectById(storeOrderId);
+ Assert.notNull(order, "订单不存在");
+ if (!Objects.equals(userId, order.getOrderUserId())) {
+ throw new ServiceException(CharSequenceUtil.format("无订单[{}]权限", order.getId()));
+ }
+ }
+
+ @Override
+ public void checkOrderStore(Long storeOrderId, Long storeId) {
+ StoreOrder order = storeOrderMapper.selectById(storeOrderId);
+ Assert.notNull(order, "订单不存在");
+ if (!Objects.equals(storeId, order.getStoreId())) {
+ throw new ServiceException(CharSequenceUtil.format("无订单[{}]权限", order.getId()));
+ }
+ }
+
+ @Override
+ public void checkOrderStore(Collection storeOrderDetailIds, Long storeId) {
+ Assert.notEmpty(storeOrderDetailIds);
+ Set storeOrderIds = storeOrderDetailMapper.selectByIds(storeOrderDetailIds) .stream() .map(StoreOrderDetail::getStoreOrderId) .collect(Collectors.toSet());
+ storeOrderIds.forEach(id -> checkOrderStore(id, storeId));
+ }
+
 /**
 * 添加操作记录
 *
diff --git a/xkt/src/main/java/com/ruoyi/xkt/service/impl/UserAddressServiceImpl.java b/xkt/src/main/java/com/ruoyi/xkt/service/impl/UserAddressServiceImpl.java
index 63fa6f9ec..808ada839 100644
--- a/xkt/src/main/java/com/ruoyi/xkt/service/impl/UserAddressServiceImpl.java
+++ b/xkt/src/main/java/com/ruoyi/xkt/service/impl/UserAddressServiceImpl.java
@@ -7,6 +7,7 @@ import cn.hutool.core.lang.Assert;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
 import com.ruoyi.common.constant.Constants;
 import com.ruoyi.common.core.domain.XktBaseEntity;
+import com.ruoyi.common.exception.ServiceException;
 import com.ruoyi.xkt.domain.UserAddress;
 import com.ruoyi.xkt.dto.express.ExpressStructAddressDTO;
 import com.ruoyi.xkt.dto.express.UserAddressInfoDTO;
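Review bot: `checkOrderStore(Long, Long)` passes when `storeId` is null and the order's `storeId` is also null, because `Objects.equals(null, null)` is true; every controller call site in this commit feeds it `SecurityUtils.getStoreId()`, which the `page` endpoint treats as nullable for non-store users, so a caller with no store would be authorized for any order lacking a store id (whether such rows exist cannot be confirmed from here, but an authorization check should not depend on that). Fail closed with `Assert.notNull(storeId, "无权操作");` before the comparison, and add the matching `Assert.notNull(userId, "无权操作");` in `checkOrderUser`. Separately, the collection overload silently drops detail ids that `selectByIds` does not return, so a request mixing real and bogus ids is checked only on the real ones; comparing the number of rows returned with the number of distinct ids requested would make it strict, and `storeOrderIds.forEach(id -> checkOrderStore(id, storeId))` issues one query per distinct order, which is fine for a label batch but deserves a comment.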
@@ -19,6 +20,7 @@ import org.springframework.transaction.annotation.Transactional;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.stream.Collectors;
 /**
@@ -147,4 +149,15 @@ public class UserAddressServiceImpl implements IUserAddressService {
 userAddress.setDelFlag(Constants.DELETED);
 userAddressMapper.updateById(userAddress);
 }
+
+ @Override
+ public void checkOwner(Long id, Long userId) {
+ UserAddress ua = userAddressMapper.selectById(id);
+ if (ua == null) {
+ return;
+ }
+ if (!Objects.equals(ua.getUserId(), userId)) {
+ throw new ServiceException("无权操作");
+ }
+ }
 }
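Review bot: `checkOwner` returns silently when `selectById(id)` finds nothing, so for an unknown or null id the ownership gate passes and the controller proceeds into `modifyUserAddress`/`deleteUserAddress`/`copyUserAddress`/`getUserAddress`, whose handling of a missing row is outside this diff; that is the opposite of `checkOrderUser` in the same commit, which asserts `订单不存在`. Unless not-found is meant to fall through, replace the early return with `Assert.notNull(ua, "地址不存在");` (hutool `Assert` is already imported in this file) so both checks fail closed and behave the same way. It is also worth confirming that `selectById` honours the `delFlag` soft delete set by `deleteUserAddress` just above; if it does not, a soft-deleted address still passes the owner comparison, which is harmless for its owner but should be stated in the method's Javadoc.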