feat-ISelectAbility-修正view单条接口某些情况下可以突破权限限制的问题

ximatai · Nov 12, 2024 · 6e92276 · 6e92276
1 parent 76d0439
commit 6e92276
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/muyun-authorization/src/main/java/net/ximatai/muyun/authorization/AuthorizationService.java b/muyun-authorization/src/main/java/net/ximatai/muyun/authorization/AuthorizationService.java
@@ -184,7 +184,9 @@ public boolean isAuthorized(ApiRequest request) {
                 request.setError(permsException1);
                 return false;
             }
-        } else if ("view".equals(action)) {
+        }
+
+        if ("view".equals(action)) {
             String condition = getAuthCondition(userID, request.getModule(), action);
             request.setAuthCondition(condition);
         }

diff --git a/muyun-core/src/main/java/net/ximatai/muyun/ability/curd/std/ISelectAbility.java b/muyun-core/src/main/java/net/ximatai/muyun/ability/curd/std/ISelectAbility.java
@@ -61,7 +61,7 @@ default List<SortColumn> getSortDefaultColumns() {
     }
 
     default String getSelectOneRowSql() {
-        return "select * from (%s) %s where %s = :id ".formatted(getSelectSql(), getMainTable(), getPK());
+        return "select * from (%s) %s where 1=1 %s and %s = :id ".formatted(getSelectSql(), getMainTable(), getAuthCondition(), getPK());
     }
 
     default String getSelectSql() {