fix(system/user): 修复用户管理水平越权错误

Charles7c · Charles7c · commit 5bc657ad88b6 · 2025-05-06T22:38:48.000+08:00
diff --git a/continew-module-system/src/main/java/top/continew/admin/system/service/UserService.java b/continew-module-system/src/main/java/top/continew/admin/system/service/UserService.java
@@ -85,9 +85,8 @@ public interface UserService extends BaseService<UserResp, UserDetailResp, UserQ
      * @param avatar 头像文件
      * @param id     ID
      * @return 新头像路径
-     * @throws IOException /
      */
-    String updateAvatar(MultipartFile avatar, Long id) throws IOException;
+    String updateAvatar(MultipartFile avatar, Long id);
 
     /**
      * 修改基础信息
diff --git a/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java b/continew-module-system/src/main/java/top/continew/admin/system/service/impl/UserServiceImpl.java
@@ -169,7 +169,7 @@ public void update(UserReq req, Long id) {
         DisEnableStatusEnum newStatus = req.getStatus();
         CheckUtils.throwIf(DisEnableStatusEnum.DISABLE.equals(newStatus) && ObjectUtil.equal(id, UserContextHolder
             .getUserId()), "不允许禁用当前用户");
-        UserDO oldUser = super.getById(id);
+        UserDO oldUser = this.getById(id);
         if (Boolean.TRUE.equals(oldUser.getIsSystem())) {
             CheckUtils.throwIfEqual(DisEnableStatusEnum.DISABLE, newStatus, "[{}] 是系统内置用户，不允许禁用", oldUser
                 .getNickname());
@@ -370,7 +370,7 @@ public UserImportResp importUser(UserImportReq req) {
 
     @Override
     public void resetPassword(UserPasswordResetReq req, Long id) {
-        super.getById(id);
+        this.getById(id);
         baseMapper.lambdaUpdate()
             .set(UserDO::getPassword, req.getNewPassword())
             .set(UserDO::getPwdResetTime, LocalDateTime.now())
@@ -380,7 +380,7 @@ public void resetPassword(UserPasswordResetReq req, Long id) {
 
     @Override
     public void updateRole(UserRoleUpdateReq updateReq, Long id) {
-        super.getById(id);
+        this.getById(id);
         List<Long> roleIds = updateReq.getRoleIds();
         // 保存用户和角色关联
         userRoleService.assignRolesToUser(roleIds, id);
@@ -389,7 +389,7 @@ public void updateRole(UserRoleUpdateReq updateReq, Long id) {
     }
 
     @Override
-    public String updateAvatar(MultipartFile avatarFile, Long id) throws IOException {
+    public String updateAvatar(MultipartFile avatarFile, Long id) {
         String avatarImageType = FileNameUtil.extName(avatarFile.getOriginalFilename());
         CheckUtils.throwIf(!StrUtil.equalsAnyIgnoreCase(avatarImageType, avatarSupportSuffix), "头像仅支持 {} 格式的图片", String
             .join(StringConstants.CHINESE_COMMA, avatarSupportSuffix));
@@ -731,4 +731,16 @@ private void updateContext(Long id) {
             UserContextHolder.setContext(userContext);
         }
     }
+
+    /**
+     * 根据 ID 获取用户信息（数据权限）
+     *
+     * @param id ID
+     * @return 用户信息
+     */
+    private UserDO getById(Long id) {
+        UserDO user = baseMapper.lambdaQuery().eq(UserDO::getId, id).one();
+        CheckUtils.throwIfNull(user, "用户不存在");
+        return user;
+    }
 }
