From 161f0703c66f862a83f7b59f8a247cd5a587bbe4 Mon Sep 17 00:00:00 2001
From: yahaozhang
Date: Mon, 15 Sep 2025 15:10:08 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=A2=9E=E5=BC=BA=E5=85=AC=E5=91=8A?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E5=8A=9F=E8=83=BD=EF=BC=8C=E5=BC=BA=E5=88=B6?= =?UTF-8?q?=E6=8C=89=E5=BD=93=E5=89=8D=E7=94=A8=E6=88=B7=E5=BD=92=E5=B1=9E?= =?UTF-8?q?=E7=AD=9B=E9=80=89=EF=BC=8C=E6=B7=BB=E5=8A=A0=E6=9D=83=E9=99=90?= =?UTF-8?q?=E6=A3=80=E6=9F=A5=E4=BB=A5=E7=A1=AE=E4=BF=9D=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E5=8F=AA=E8=83=BD=E6=93=8D=E4=BD=9C=E8=87=AA=E5=B7=B1=E7=9A=84?= =?UTF-8?q?=E5=85=AC=E5=91=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../admin/AnnouncementController.java | 118 ++++++++++++------
 1 file changed, 79 insertions(+), 39 deletions(-)
diff --git a/src/main/java/com/gameplatform/server/controller/admin/AnnouncementController.java b/src/main/java/com/gameplatform/server/controller/admin/AnnouncementController.java
index 00af032..988c402 100644
--- a/src/main/java/com/gameplatform/server/controller/admin/AnnouncementController.java
+++ b/src/main/java/com/gameplatform/server/controller/admin/AnnouncementController.java
@@ -98,24 +98,30 @@ public class AnnouncementController { @Parameter(description = "页码", example = "1") @RequestParam(defaultValue = "1") int page, @Parameter(description = "每页大小", example = "20") @RequestParam(defaultValue = "20") int size, @Parameter(description = "按启用状态筛选,不传则获取全部") @RequestParam(required = false) Boolean enabled, - @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) { + @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId, + Authentication authentication) { + // 强制按当前用户归属筛选,忽略外部传入的belongId + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.badRequest().build(); + } + Long userId = claims.get("userId", Long.class); + if (userId == null) { + return ResponseEntity.badRequest().build(); + } + Integer selfBelongId = userId.intValue(); + int offset = (page - 1) * size; List announcements; long total; - if (belongId != null && enabled != null) { - announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(belongId, enabled, size, offset); - total = announcementService.getAnnouncementCountByBelongIdAndEnabled(belongId, enabled); - } else if (belongId != null) { - announcements = announcementService.getAnnouncementsByBelongId(belongId, size, offset); - total = announcementService.getAnnouncementCountByBelongId(belongId); - } else if (enabled != null) { - announcements = announcementService.getAnnouncementsByEnabled(enabled, size, offset); - total = announcementService.getAnnouncementCountByEnabled(enabled); + if (enabled != null) { + announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(selfBelongId, enabled, size, offset); + total = announcementService.getAnnouncementCountByBelongIdAndEnabled(selfBelongId, enabled); } else { - announcements = announcementService.getAllAnnouncements(size, offset); - total = announcementService.getAnnouncementCount(); + announcements = 
announcementService.getAnnouncementsByBelongId(selfBelongId, size, offset); + total = announcementService.getAnnouncementCountByBelongId(selfBelongId); } List responses = announcements.stream() @@ -134,9 +140,18 @@ public class AnnouncementController { @GetMapping("/{id}") @Operation(summary = "获取公告详情", description = "根据ID获取公告详细信息") public ResponseEntity getAnnouncementById( - @Parameter(description = "公告ID", example = "1") @PathVariable Long id) { + @Parameter(description = "公告ID", example = "1") @PathVariable Long id, + Authentication authentication) { + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.notFound().build(); + } + Long userId = claims.get("userId", Long.class); + if (userId == null) { + return ResponseEntity.notFound().build(); + } Announcement announcement = announcementService.getAnnouncementById(id); - if (announcement == null) { + if (announcement == null || announcement.getBelongId() == null || !announcement.getBelongId().equals(userId.intValue())) { return ResponseEntity.notFound().build(); } return ResponseEntity.ok(AnnouncementConverter.toResponse(announcement)); 
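Review bot: The claims-to-belongId block added at the top of getAnnouncements is repeated almost verbatim in getAnnouncementById, updateAnnouncement, deleteAnnouncement, updateAnnouncementEnabled and getEnabledAnnouncements, and each copy answers a missing or unusable claim differently (400 here, 404 in the next four, 200 with an empty list in the last). The copies also share two weaknesses: the unchecked `(Claims)` cast turns any non-Claims details object into a ClassCastException (a 500) rather than a rejection, and `userId.intValue()` silently truncates a userId outside the int range into a different belongId, so the ownership checks would then compare against the wrong owner. A single private helper that resolves the caller's belongId or returns empty, with each endpoint still choosing its own status, removes the duplication and both weaknesses; it needs `java.util.Optional` imported at the top of the file. Separately, the `belongId` request parameter is now ignored but is still documented as `按归属ID筛选`, so it should either be removed or have its description say it is ignored (the same applies to getEnabledAnnouncements).
```java
/**
 * Resolves the caller's belongId from the JWT claims attached to the Authentication.
 * Returns empty when there is no authentication, the details are not Claims, or the
 * userId claim is missing or outside the int range; callers choose the HTTP status.
 */
private Optional<Integer> currentBelongId(Authentication authentication) {
    if (authentication == null || !(authentication.getDetails() instanceof Claims claims)) {
        return Optional.empty();
    }
    Long userId = claims.get("userId", Long.class);
    // Reject ids that intValue() would truncate instead of mapping them to another owner.
    if (userId == null || userId < Integer.MIN_VALUE || userId > Integer.MAX_VALUE) {
        return Optional.empty();
    }
    return Optional.of(userId.intValue());
}

// … unchanged: @GetMapping, @Operation and the parameter list of getAnnouncements …
Integer selfBelongId = currentBelongId(authentication).orElse(null);
if (selfBelongId == null) {
    return ResponseEntity.badRequest().build();
}
// … unchanged: offset computation, service calls and response mapping …
```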
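Review bot: The 404 that getAnnouncementById now returns for an announcement owned by another user, and for a request without usable claims, is a deliberate non-disclosure choice that nothing in the code states, so the next reader will take it for a bug. A one-line comment on the ownership check, such as `// Foreign or unowned announcements answer 404 rather than 403 so the id space cannot be enumerated`, records the intent; the same convention appears without comment in updateAnnouncement, deleteAnnouncement and updateAnnouncementEnabled. The `@Operation` description `根据ID获取公告详细信息` should also say that only the caller's own announcement is returned, since API consumers read the OpenAPI text, not this code.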
@@ -150,10 +165,21 @@ public class AnnouncementController { Authentication authentication) { // 检查公告是否存在 - if (!announcementService.announcementExists(id)) { + Announcement existing = announcementService.getAnnouncementById(id); + if (existing == null) { return ResponseEntity.notFound().build(); } - + + // 所有操作仅限本人公告 + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.notFound().build(); + } + Long userId = claims.get("userId", Long.class); + if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) { + return ResponseEntity.notFound().build(); + } + if (request.getTitle() != null && request.getTitle().trim().isEmpty()) { return ResponseEntity.badRequest().body(new Object() { public final boolean success = false; @@ -168,19 +194,10 @@ public class AnnouncementController { }); } - // 从JWT token中获取当前用户ID - if (authentication != null) { - Claims claims = (Claims) authentication.getDetails(); - if (claims != null) { - Long userId = claims.get("userId", Long.class); - if (userId != null) { - request.setBelongId(userId.intValue()); - } - } - } - Announcement announcement = AnnouncementConverter.toEntity(request); announcement.setId(id); + // 禁止通过更新接口修改belongId + announcement.setBelongId(null); boolean success = announcementService.updateAnnouncement(announcement); final boolean finalSuccess = success; 
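Review bot: In updateAnnouncement the database lookup `announcementService.getAnnouncementById(id)` now runs before the caller's claims are examined, so a request with no usable token still costs a query before being rejected; resolving the userId first (it is cheap and needs no I/O) and only then loading the entity is the usual order, and it lets the ownership test collapse into one condition. The same order appears in deleteAnnouncement and updateAnnouncementEnabled in the later hunks. The signature of updateAnnouncement starts above this hunk, so the declaration of `request` and `id` is not visible here.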
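Review bot: `announcement.setBelongId(null);` only "forbids changing belongId" if `updateAnnouncement` skips null fields; if the service or mapper writes every column, this clears the owner instead, after which every ownership check in this file (`existing.getBelongId() == null` → 404) locks the real owner out of the announcement. I cannot see the service from this hunk, so this is inferred, but the safe form does not depend on it: `announcement.setBelongId(existing.getBelongId());` preserves the owner that was just verified a few lines above, and the comment can stay as `// 保持原归属, 禁止通过更新接口修改belongId`.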
@@ -193,10 +210,19 @@ public class AnnouncementController { @DeleteMapping("/{id}") @Operation(summary = "删除公告", description = "删除指定ID的公告") public ResponseEntity deleteAnnouncement( - @Parameter(description = "公告ID", example = "1") @PathVariable Long id) { + @Parameter(description = "公告ID", example = "1") @PathVariable Long id, + Authentication authentication) { - // 检查公告是否存在 - if (!announcementService.announcementExists(id)) { + Announcement existing = announcementService.getAnnouncementById(id); + if (existing == null) { + return ResponseEntity.notFound().build(); + } + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.notFound().build(); + } + Long userId = claims.get("userId", Long.class); + if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) { return ResponseEntity.notFound().build(); } @@ -213,10 +239,19 @@ public class AnnouncementController { @Operation(summary = "更新公告启用状态", description = "启用或禁用指定公告") public ResponseEntity updateAnnouncementEnabled( @Parameter(description = "公告ID", example = "1") @PathVariable Long id, - @Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled) { + @Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled, + Authentication authentication) { - // 检查公告是否存在 - if (!announcementService.announcementExists(id)) { + Announcement existing = announcementService.getAnnouncementById(id); + if (existing == null) { + return ResponseEntity.notFound().build(); + } + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.notFound().build(); + } + Long userId = claims.get("userId", Long.class); + if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) { return ResponseEntity.notFound().build(); } 
@@ -235,13 +270,18 @@ public class AnnouncementController { @GetMapping("/enabled") @Operation(summary = "获取启用的公告", description = "获取所有启用状态的公告,用于前端显示") public ResponseEntity> getEnabledAnnouncements( - @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) { - List announcements; - if (belongId != null) { - announcements = announcementService.getEnabledAnnouncementsByBelongId(belongId); - } else { - announcements = announcementService.getEnabledAnnouncements(); + @Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId, + Authentication authentication) { + Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null); + if (claims == null) { + return ResponseEntity.ok(List.of()); } + Long userId = claims.get("userId", Long.class); + if (userId == null) { + return ResponseEntity.ok(List.of()); + } + Integer selfBelongId = userId.intValue(); + List announcements = announcementService.getEnabledAnnouncementsByBelongId(selfBelongId); List responses = announcements.stream() .map(AnnouncementConverter::toResponse) .toList();
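Review bot: The `@Operation` text `获取所有启用状态的公告,用于前端显示` on getEnabledAnnouncements now describes the old behaviour: the endpoint returns only the caller's own enabled announcements, and an empty list for any caller whose token carries no userId claim. Answering such a request with `ResponseEntity.ok(List.of())` also makes a misconfigured authentication filter indistinguishable from a user who simply has no announcements, and if the frontend calls this path anonymously it will now silently receive nothing. Unless anonymous access is intended, I would update the description and reject claimless requests the way getAnnouncements does rather than with an empty 200; if it is intended, a comment stating that the empty list is the anonymous response would save the next reader the guess.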