feat: 增强公告管理功能,强制按当前用户归属筛选,添加权限检查以确保用户只能操作自己的公告

This commit is contained in:
yahaozhang
2025-09-15 15:10:08 +08:00
parent 5c2e338067
commit 161f0703c6


@@ -98,24 +98,30 @@ public class AnnouncementController {
@Parameter(description = "页码", example = "1") @RequestParam(defaultValue = "1") int page,
@Parameter(description = "每页大小", example = "20") @RequestParam(defaultValue = "20") int size,
@Parameter(description = "按启用状态筛选,不传则获取全部") @RequestParam(required = false) Boolean enabled,
@Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) {
@Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId,
Authentication authentication) {
// 强制按当前用户归属筛选忽略外部传入的belongId
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.badRequest().build();
}
Long userId = claims.get("userId", Long.class);
if (userId == null) {
return ResponseEntity.badRequest().build();
}
Integer selfBelongId = userId.intValue();
int offset = (page - 1) * size;
List<Announcement> announcements;
long total;
if (belongId != null && enabled != null) {
announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(belongId, enabled, size, offset);
total = announcementService.getAnnouncementCountByBelongIdAndEnabled(belongId, enabled);
} else if (belongId != null) {
announcements = announcementService.getAnnouncementsByBelongId(belongId, size, offset);
total = announcementService.getAnnouncementCountByBelongId(belongId);
} else if (enabled != null) {
announcements = announcementService.getAnnouncementsByEnabled(enabled, size, offset);
total = announcementService.getAnnouncementCountByEnabled(enabled);
if (enabled != null) {
announcements = announcementService.getAnnouncementsByBelongIdAndEnabled(selfBelongId, enabled, size, offset);
total = announcementService.getAnnouncementCountByBelongIdAndEnabled(selfBelongId, enabled);
} else {
announcements = announcementService.getAllAnnouncements(size, offset);
total = announcementService.getAnnouncementCount();
announcements = announcementService.getAnnouncementsByBelongId(selfBelongId, size, offset);
total = announcementService.getAnnouncementCountByBelongId(selfBelongId);
}
List<AnnouncementResponse> responses = announcements.stream()
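Review bot: `Integer selfBelongId = userId.intValue();` silently truncates the `Long` user id to 32 bits, so a userId outside the int range would be folded onto another user's belongId and the listing would return that user's announcements; `Math.toIntExact(userId)` fails loudly instead of mapping to a foreign owner. The same `intValue()` narrowing drives the ownership comparison in the hunks for getAnnouncementById, updateAnnouncement, deleteAnnouncement, updateAnnouncementEnabled and getEnabledAnnouncements. Separately, a missing `Authentication` is answered with 400 here but with 404 in the other handlers of this commit; unless the security filter already rejects unauthenticated requests before the controller, 401 is the accurate status and one choice should be used throughout. The `belongId` request parameter is still declared and documented as `按归属ID筛选` although the body never reads it; remove it or mark it ignored in the `@Parameter` description so clients do not rely on it.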
@@ -134,9 +140,18 @@ public class AnnouncementController {
@GetMapping("/{id}")
@Operation(summary = "获取公告详情", description = "根据ID获取公告详细信息")
public ResponseEntity<AnnouncementResponse> getAnnouncementById(
@Parameter(description = "公告ID", example = "1") @PathVariable Long id) {
@Parameter(description = "公告ID", example = "1") @PathVariable Long id,
Authentication authentication) {
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.notFound().build();
}
Long userId = claims.get("userId", Long.class);
if (userId == null) {
return ResponseEntity.notFound().build();
}
Announcement announcement = announcementService.getAnnouncementById(id);
if (announcement == null) {
if (announcement == null || announcement.getBelongId() == null || !announcement.getBelongId().equals(userId.intValue())) {
return ResponseEntity.notFound().build();
}
return ResponseEntity.ok(AnnouncementConverter.toResponse(announcement));
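Review bot: The claims extraction (`(Claims) authentication.getDetails()`, the `claims == null` check, then `claims.get("userId", Long.class)`) is written out inline here and again in the four other handlers touched by this commit; one private helper keeps the ownership rule in a single place and makes the cast's failure mode explicit. As written the `(Claims)` cast throws `ClassCastException` if `getDetails()` carries something other than `Claims`, which presumably depends on how the JWT filter populates the token — an `instanceof` check in the helper turns that into the same not-found answer. getAnnouncementById's closing brace is outside the hunk. With the helper below each handler reduces to `Integer selfBelongId = currentBelongId(authentication); if (selfBelongId == null) { return ResponseEntity.notFound().build(); }`.
```java
/**
 * Resolves the caller's belongId from the JWT claims attached to the
 * Authentication; returns null when no usable "userId" claim is present.
 */
private static Integer currentBelongId(Authentication authentication) {
    Object details = authentication != null ? authentication.getDetails() : null;
    if (!(details instanceof Claims claims)) {
        return null;
    }
    Long userId = claims.get("userId", Long.class);
    return userId == null ? null : userId.intValue();
}
```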
@@ -150,7 +165,18 @@ public class AnnouncementController {
Authentication authentication) {
// 检查公告是否存在
if (!announcementService.announcementExists(id)) {
Announcement existing = announcementService.getAnnouncementById(id);
if (existing == null) {
return ResponseEntity.notFound().build();
}
// 所有操作仅限本人公告
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.notFound().build();
}
Long userId = claims.get("userId", Long.class);
if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
return ResponseEntity.notFound().build();
}
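Review bot: The announcement is loaded via `getAnnouncementById(id)` before the caller's claims are examined, so a request with no usable credential still costs a service/database read and the ownership comparison only runs afterwards; resolving `claims` and `userId` first and calling the service only for an authenticated caller reaches the same decision with the cheap check in front. The same order appears in the deleteAnnouncement and updateAnnouncementEnabled hunks. updateAnnouncement's signature and the rest of its body are outside this hunk. The `// 所有操作仅限本人公告` comment would be more useful if it also recorded the response contract, e.g. `// Only the owner may modify; non-owners receive 404 so the id's existence is not revealed`.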
@@ -168,19 +194,10 @@ public class AnnouncementController {
});
}
// 从JWT token中获取当前用户ID
if (authentication != null) {
Claims claims = (Claims) authentication.getDetails();
if (claims != null) {
Long userId = claims.get("userId", Long.class);
if (userId != null) {
request.setBelongId(userId.intValue());
}
}
}
Announcement announcement = AnnouncementConverter.toEntity(request);
announcement.setId(id);
// 禁止通过更新接口修改belongId
announcement.setBelongId(null);
boolean success = announcementService.updateAnnouncement(announcement);
final boolean finalSuccess = success;
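Review bot: `announcement.setBelongId(null);` prevents a belongId change only if `updateAnnouncement` treats a null field as "leave untouched"; if the mapper writes every column, the owner is cleared and the row becomes unreachable through the new ownership checks, which return 404 whenever `getBelongId()` is null. Copying the verified owner does not depend on the mapper's null handling: `announcement.setBelongId(existing.getBelongId());`, using the `existing` entity loaded earlier in this method. The enclosing method starts and ends outside the hunk.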
@@ -193,10 +210,19 @@ public class AnnouncementController {
@DeleteMapping("/{id}")
@Operation(summary = "删除公告", description = "删除指定ID的公告")
public ResponseEntity<Object> deleteAnnouncement(
@Parameter(description = "公告ID", example = "1") @PathVariable Long id) {
@Parameter(description = "公告ID", example = "1") @PathVariable Long id,
Authentication authentication) {
// 检查公告是否存在
if (!announcementService.announcementExists(id)) {
Announcement existing = announcementService.getAnnouncementById(id);
if (existing == null) {
return ResponseEntity.notFound().build();
}
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.notFound().build();
}
Long userId = claims.get("userId", Long.class);
if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
return ResponseEntity.notFound().build();
}
@@ -213,10 +239,19 @@ public class AnnouncementController {
@Operation(summary = "更新公告启用状态", description = "启用或禁用指定公告")
public ResponseEntity<Object> updateAnnouncementEnabled(
@Parameter(description = "公告ID", example = "1") @PathVariable Long id,
@Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled) {
@Parameter(description = "启用状态", example = "true") @RequestParam Boolean enabled,
Authentication authentication) {
// 检查公告是否存在
if (!announcementService.announcementExists(id)) {
Announcement existing = announcementService.getAnnouncementById(id);
if (existing == null) {
return ResponseEntity.notFound().build();
}
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.notFound().build();
}
Long userId = claims.get("userId", Long.class);
if (userId == null || existing.getBelongId() == null || !existing.getBelongId().equals(userId.intValue())) {
return ResponseEntity.notFound().build();
}
@@ -235,13 +270,18 @@ public class AnnouncementController {
@GetMapping("/enabled")
@Operation(summary = "获取启用的公告", description = "获取所有启用状态的公告,用于前端显示")
public ResponseEntity<List<AnnouncementResponse>> getEnabledAnnouncements(
@Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId) {
List<Announcement> announcements;
if (belongId != null) {
announcements = announcementService.getEnabledAnnouncementsByBelongId(belongId);
} else {
announcements = announcementService.getEnabledAnnouncements();
@Parameter(description = "按归属ID筛选") @RequestParam(required = false) Integer belongId,
Authentication authentication) {
Claims claims = (Claims) (authentication != null ? authentication.getDetails() : null);
if (claims == null) {
return ResponseEntity.ok(List.of());
}
Long userId = claims.get("userId", Long.class);
if (userId == null) {
return ResponseEntity.ok(List.of());
}
Integer selfBelongId = userId.intValue();
List<Announcement> announcements = announcementService.getEnabledAnnouncementsByBelongId(selfBelongId);
List<AnnouncementResponse> responses = announcements.stream()
.map(AnnouncementConverter::toResponse)
.toList();
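Review bot: The `@Operation` description still says `获取所有启用状态的公告`, but the handler now returns only the announcements whose belongId equals the caller's userId, and `belongId` is documented as a filter that the body never reads; update the description to state that the list is scoped to the authenticated user and drop or deprecate the parameter. A request without a usable `userId` claim is answered with 200 and `List.of()`, which the frontend cannot distinguish from "this user has no announcements"; if the endpoint requires a login, 401 (or at least the 404 used by the sibling handlers) is the clearer signal. The method's final return and closing brace are outside the hunk.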