From 628450ded3b738f62f68bc2f7cb90804331eb201 Mon Sep 17 00:00:00 2001
From: Pu Zhibing <393733352@qq.com>
Date: 星期二, 18 二月 2025 15:10:59 +0800
Subject: [PATCH] 修复上传文件漏洞
---
 ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java | 79 +++++++++++++++++++++++++++++++++++----
 1 files changed, 71 insertions(+), 8 deletions(-)
diff --git a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
index 2ea18aa..5178dc2 100644
--- a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
+++ b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
@@ -52,6 +52,7 @@
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.RestTemplate;
@@ -63,6 +64,7 @@
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.util.*;
+import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 /**
@@ -84,9 +86,8 @@
 private TAppUserService appUserService;
 @Resource
 private TAppUserTagService appUserTagService;
- @Autowired
+ @Resource
 private OrderClient orderClient;
- @Resource
 private TAppUserVipDetailService tAppUserVipDetailService;
 @Resource
@@ -121,6 +122,9 @@
 private TAppUserCarService carService;
 @Resource
 private IntegralRuleClient integralRuleClient;
+
+ @Resource
+ private RedisTemplate redisTemplate;
 @Resource
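Review bot: `private RedisTemplate redisTemplate;` in the last hunk is injected as a raw type, so the key and value serializers it will use are not visible from the declaration, and the later `"file:" + userId` lookup depends on matching whatever template wrote that key. Declaring it as `private RedisTemplate<String, String> redisTemplate;` (or the project's `StringRedisTemplate`, if that is what the upload side uses) documents the contract and lets the compiler reject a mismatched bean. Please confirm the code that stores the `file:` key uses the same serializer; if it does not, the lookup in the avatar endpoint would presumably never find the value. The field list continues outside the hunk.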
@@ -716,6 +720,12 @@
 @GetMapping(value = "/user/set/avatar")
 public R avatar(String url) {
 Long userId = tokenService.getLoginUserApplet().getUserId();
+ String fileName = redisTemplate.opsForValue().get("file:" + userId).toString();
+ String substring = url.substring(url.lastIndexOf("/") + 1);
+ if(StringUtils.isEmpty(fileName) || fileName.equals(substring)){
+ return R.fail("请重新上传头像");
+ }
+
 TAppUser byId = appUserService.getById(userId);
 byId.setAvatar(url);
 appUserService.updateById(byId);
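Review bot: The new guard `if(StringUtils.isEmpty(fileName) || fileName.equals(substring))` rejects the request exactly when the URL's file name matches the one recorded in Redis for this user, and lets every other URL through, which is the opposite of what a "only accept the file you just uploaded" check needs; the comparison should be negated. Two further defects in the added lines: `redisTemplate.opsForValue().get(...)` returns null when no `file:` key exists, so `.toString()` throws before `StringUtils.isEmpty` can see it, and `url.substring(...)` throws when `url` is null — both turn a validation failure into a 500 instead of the intended `R.fail`. The rewritten lines below keep the same message and flow; the rest of `avatar` (the closing brace and return) is outside the hunk.
```java
Long userId = tokenService.getLoginUserApplet().getUserId();
Object cached = redisTemplate.opsForValue().get("file:" + userId);
String fileName = cached == null ? null : cached.toString();
String substring = StringUtils.isEmpty(url) ? "" : url.substring(url.lastIndexOf("/") + 1);
// Accept only the file name recorded for this user's most recent upload.
if (StringUtils.isEmpty(fileName) || !fileName.equals(substring)) {
    return R.fail("请重新上传头像");
}
// … unchanged: load user, set avatar, updateById …
```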
@@ -835,6 +845,51 @@
 }
 return R.ok();
 }
+
+
+ @PostMapping(value = "/user/give/vip1")
+ public R giveVip1(@RequestBody GiveVipDto giveVipDto) {
+ String[] split = giveVipDto.getUserIds().split(",");
+ for (String s : split) {
+ TAppUser nowUser = appUserService.getById(s);
+ int plusDay = 0;
+ if (giveVipDto.getType() == 1) {
+ plusDay = 1;
+ } else if (giveVipDto.getType() == 2) {
+ plusDay = 3;
+ } else if (giveVipDto.getType() == 3) {
+ plusDay = 12;
+ }
+ BigDecimal bigDecimal = new BigDecimal("0");
+ TVip info = vipClient.getInfo1(giveVipDto.getVipId()).getData();
+ switch (giveVipDto.getType()){
+ case 1:
+ bigDecimal = bigDecimal.add(info.getMonthlyCard()==null?new BigDecimal(0):info.getMonthlyCard());
+ break;
+ case 2:
+ bigDecimal = bigDecimal.add(info.getSeasonCard()==null?new BigDecimal(0):info.getSeasonCard());
+ break;
+ case 3:
+ bigDecimal = bigDecimal.add(info.getAnnualCard()==null?new BigDecimal(0):info.getAnnualCard());
+ break;
+ }
+ //增加vipDetail
+ giveVipUtil.sendVip(nowUser, giveVipDto.getVipId(),plusDay,giveVipDto.getType());
+ appUserService.updateById(nowUser);
+ // 新增后台赠送记录
+ TGrantVip tGrantVip = new TGrantVip();
+ tGrantVip.setCode(OrderCodeUtil.getOrderCode("ZS"));
+ tGrantVip.setAppUserId(nowUser.getId());
+ tGrantVip.setVipId(giveVipDto.getVipId());
+ tGrantVip.setOrderAmount(bigDecimal);
+ tGrantVip.setCreateTime(LocalDateTime.now());
+ tGrantVip.setAppUserId(nowUser.getId());
+ orderClient.managementGiveVip(tGrantVip);
+ }
+ return R.ok();
+ }
+
 @ApiOperation(value = "已赠送列表", tags = {"小程序-个人中心-邀请好友"})
 @PostMapping(value = "/user/invite/page")
@@ -926,6 +981,10 @@
 TAppUser appUser = appUserService.getById(id);
 return R.ok(appUser);
 }
+ @PostMapping(value = "/user/getAllUser")
+ public R<List<TAppUser>> getAllUser(){
+ return R.ok(appUserService.list(null));
+ }
 /**
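Review bot: `giveVip1` grants VIP to every id in `giveVipDto.getUserIds()` without checking that `appUserService.getById(s)` found a user, so an unknown or blank id (an empty `userIds` string yields one `""` element from `split`) reaches `giveVipUtil.sendVip(nowUser, ...)` and `nowUser.getId()` as null; the same applies to `info` when `vipClient.getInfo1(...).getData()` returns null. A `type` outside 1–3 silently produces `plusDay = 0` and a zero amount yet still calls `sendVip` and writes a grant record, which is better treated as a rejected request. Minor points in the same block: `tGrantVip.setAppUserId(nowUser.getId())` is set twice, the `if/else if` chain and the `switch` branch on the same value and can be merged, `new BigDecimal(0)` is `BigDecimal.ZERO`, and `info` does not depend on the loop variable so it can be fetched once. Nothing in the hunk restricts who may call `/user/give/vip1`; since it grants paid entitlements to arbitrary user ids from the body, please confirm the gateway or auth layer limits it to management callers (the sibling endpoints visible here authenticate via `tokenService`, this one does not).
```java
public R giveVip1(@RequestBody GiveVipDto giveVipDto) {
    TVip info = vipClient.getInfo1(giveVipDto.getVipId()).getData();
    if (info == null) {
        return R.fail("vip not found"); // message: use the project's existing wording
    }
    for (String s : giveVipDto.getUserIds().split(",")) {
        TAppUser nowUser = appUserService.getById(s);
        if (nowUser == null) {
            return R.fail("user not found: " + s); // message: use the project's existing wording
        }
        int plusDay;
        BigDecimal cardPrice;
        switch (giveVipDto.getType()) {
            case 1: plusDay = 1;  cardPrice = info.getMonthlyCard(); break;
            case 2: plusDay = 3;  cardPrice = info.getSeasonCard();  break;
            case 3: plusDay = 12; cardPrice = info.getAnnualCard();  break;
            default: return R.fail("unsupported type: " + giveVipDto.getType());
        }
        BigDecimal bigDecimal = cardPrice == null ? BigDecimal.ZERO : cardPrice;
        // … unchanged: sendVip, updateById, TGrantVip record (with the duplicated setAppUserId removed), managementGiveVip …
    }
    return R.ok();
}
```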
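Review bot: `getAllUser` returns every `TAppUser` row with all of its columns via `appUserService.list(null)`, and unlike the neighbouring endpoints it carries no `@ApiOperation` saying who it is for. If `TAppUser` holds phone numbers, password hashes or other account data, a full dump behind a plain POST is a data-exposure risk, so please confirm it is only reachable by internal (feign) callers and is not exposed through the app gateway; a short Javadoc such as `/** Internal: returns all app users for service-to-service use. */` would record that intent. `list(null)` can also be written as `list()` for the same result.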
@@ -967,14 +1026,10 @@
 public R sign() {
 LoginUserApplet loginUserApplet = tokenService.getLoginUserApplet();
 Long userId = loginUserApplet.getUserId();
- TAppUser byId = appUserService.getById(userId);
-
-
 if (signService.lambdaQuery().eq(TAppUserSign::getSignDay, LocalDate.now()).eq(TAppUserSign::getAppUserId, userId).count()>0){
 return R.fail("今日已签到");
 }
-
 //判断当前生效的vipDetail
 TAppUserVipDetail one = tAppUserVipDetailService.lambdaQuery().le(TAppUserVipDetail::getStartTime, LocalDateTime.now()).ge(TAppUserVipDetail::getEndTime, LocalDateTime.now()).eq(TAppUserVipDetail::getAppUserId, userId).last("limit 1").one();
 boolean doubleVip = false;
@@ -1284,8 +1339,16 @@
 return R.ok(result3);
 }
 }
-
-
+
+
+ public static void main(String[] args) {
+// String reqStr1 = MsgUtil.codeMsg("19983174515", "123456");
+// String result1 = HttpUtils.post(MsgConstants.SEND_URL, reqStr1);
+ String reqStr3 = MsgUtil.faultMsg("18398968484", "长河服务区充电站(遂", "123");
+ String result3 = HttpUtils.post(MsgConstants.SEND_URL, reqStr3);
+ System.err.println(result3);
+ }
 @PostMapping(value = "/user/logOut")
 @ApiOperation(value = "退出登录", tags = {"小程序-个人中心"})
 public AjaxResult logOut(){
-- 
Gitblit v1.7.1
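Review bot: The `public static void main` added in the second hunk is debugging code committed into a Spring controller: it hard-codes a phone number and sends a real fault SMS through `HttpUtils.post(MsgConstants.SEND_URL, ...)` whenever it is run, and it prints the provider response with `System.err.println`. It should be removed along with the commented-out `reqStr1`/`result1` lines; if a manual check of `MsgUtil.faultMsg` is needed, it belongs in a test with the destination number supplied from configuration rather than in the source. The class continues outside the hunk.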