mineadmin/MineAdmin

[BUG] Assigning permissions to a role and assigning roles to an account are mutually exclusive: each one wipes out the other's rules

Closed this issue · 4 comments

Run the command and paste the result below.

Command: uname -a && php -v && composer info | grep mine && php --ri swoole

# Paste the result here.

Bug description:

[2024-10-15 14:30:08] sql.INFO: [default:26.08] select `ptype`, `v0`, `v1`, `v2`, `v3`, `v4`, `v5` from `rules` [] {"request_id":"d31a2be0-047d-402c-9ad2-742bcfb955a3"}
[2024-10-15 14:30:08] sql.INFO: [default:5.79] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"417d122e-042a-4208-b862-e1cb8e8c0f8b"}
[2024-10-15 14:30:08] sql.INFO: [default:5.69] select exists(select * from `role` inner join `rules` on `role`.`code` = `rules`.`v1` where `rules`.`v0` = 'SuperAdmin' and `rules`.`ptype` = 'g' and `code` = 'SuperAdmin') as `exists` [] {"request_id":"4368ea20-6d43-4de5-867b-8948b2f14ded"}
[2024-10-15 14:30:08] sql.INFO: [default:6.1] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"47684da3-d125-4cfa-8371-3f7aa300e8e1"}
[2024-10-15 14:30:08] sql.INFO: [default:6.06] select * from `user` where `user`.`id` = '2' limit 1 [] {"request_id":"373e62f2-e54a-4a04-aa2d-1607828a0452"}
[2024-10-15 14:30:08] sql.INFO: [default:5.82] select `role`.*, `rules`.`v0` as `pivot_v0`, `rules`.`v1` as `pivot_v1` from `role` inner join `rules` on `role`.`code` = `rules`.`v1` where `rules`.`v0` = 'guest' and `rules`.`ptype` = 'g' [] {"request_id":"3c1d04cf-167b-4189-bf85-9f8e11e872d3"}
[2024-10-15 14:30:08] sql.INFO: [default:25.5] insert into `user_operation_log` (`username`, `method`, `router`, `remark`, `ip`, `service_name`, `updated_at`, `created_at`) values ('SuperAdmin', 'GET', '/admin/user/2/roles', '', '127.0.0.1', '获取用户角色列表', '2024-10-15 14:30:08', '2024-10-15 14:30:08') [] {"request_id":"2abe1abf-57d0-455e-bf85-0473b6dbd7fd"}
[2024-10-15 14:30:08] sql.INFO: [default:11.35] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"05524af3-988c-4f31-bdca-ac831e82359d"}
[2024-10-15 14:30:08] sql.INFO: [default:5.91] select exists(select * from `role` inner join `rules` on `role`.`code` = `rules`.`v1` where `rules`.`v0` = 'SuperAdmin' and `rules`.`ptype` = 'g' and `code` = 'SuperAdmin') as `exists` [] {"request_id":"a4bca188-f38d-4588-a0b6-9117e94135ea"}
[2024-10-15 14:30:08] sql.INFO: [default:5.31] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"682afd26-9ae2-4e2f-96eb-dec6db68ee4e"}
[2024-10-15 14:30:08] sql.INFO: [default:6.2] insert into `user_operation_log` (`username`, `method`, `router`, `remark`, `ip`, `service_name`, `updated_at`, `created_at`) values ('SuperAdmin', 'GET', '/admin/role/list', '', '127.0.0.1', '角色列表', '2024-10-15 14:30:08', '2024-10-15 14:30:08') [] {"request_id":"13b5a783-4cec-4848-85c0-e3e59dfa3181"}
[2024-10-15 14:30:08] sql.INFO: [default:6.01] select count(*) as aggregate from `role` [] {"request_id":"368d48ab-3f63-4cfb-8f1e-65e65bf67f2f"}
[2024-10-15 14:30:08] sql.INFO: [default:5.73] select * from `role` order by `id` desc limit 999 offset 0 [] {"request_id":"a9e64cda-d5a0-4dce-88ed-89d84b83b7e6"}
[2024-10-15 14:30:12] sql.INFO: [default:5.65] select count(*) as aggregate from `role` where `code` = 'guest' [] {"request_id":"4a793c0f-4f13-4466-b8b0-9a22e88bac24"}
[2024-10-15 14:30:12] sql.INFO: [default:5.83] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"fcae24c5-2b7c-416e-b933-6e8612d3185c"}
[2024-10-15 14:30:12] sql.INFO: [default:5.65] select exists(select * from `role` inner join `rules` on `role`.`code` = `rules`.`v1` where `rules`.`v0` = 'SuperAdmin' and `rules`.`ptype` = 'g' and `code` = 'SuperAdmin') as `exists` [] {"request_id":"0295c80b-e6eb-491c-a468-32984e393b1f"}
[2024-10-15 14:30:12] sql.INFO: [default:5.45] select * from `user` where `user`.`id` = '1' limit 1 [] {"request_id":"8c0e2175-57ac-4950-b323-5136df3d65ac"}
[2024-10-15 14:30:12] sql.INFO: [default:5.15] select * from `user` where `user`.`id` = '2' limit 1 [] {"request_id":"a670a261-9a0a-4d58-ab15-073e021fa2ff"}
[2024-10-15 14:30:12] sql.INFO: [default:6.04] insert into `user_operation_log` (`username`, `method`, `router`, `remark`, `ip`, `service_name`, `updated_at`, `created_at`) values ('SuperAdmin', 'PUT', '/admin/user/2/roles', '', '127.0.0.1', '批量授权用户角色', '2024-10-15 14:30:12', '2024-10-15 14:30:12') [] {"request_id":"c8db1ec5-d3ed-4b15-be3b-5b60050c6d56"}
[2024-10-15 14:30:12] sql.INFO: [default:5.23] select `v1` from `rules` where `v0` = 'guest' [] {"request_id":"061d5f8f-74ee-42a2-914e-5f182a27a17d"}
[2024-10-15 14:30:12] sql.INFO: [default:6.37] delete from `rules` where `v0` = 'guest' and `v1` in ('log', 'log:userLogin', 'log:userLogin:delete', 'log:userLogin:list', 'log:userOperation', 'log:userOperation:delete', 'log:userOperation:list', 'permission', 'permission:user', 'permission:user:index', 'user:set:roles', 'user:get:roles', 'permission:user:password', 'permission:user:delete', 'permission:user:update', 'permission:user:save', 'permission:menu', 'permission:menu:delete', 'permission:menu:save', 'permission:menu:create', 'permission:menu:index', 'permission:role', 'permission:set:role', 'permission:get:role', 'permission:role:delete', 'permission:role:update', 'permission:role:save', 'permission:role:index') [] {"request_id":"946b3383-0d80-418a-a731-f38f50dd94d4"}
[2024-10-15 14:30:12] sql.INFO: [default:5.94] insert into `rules` (`created_at`, `ptype`, `updated_at`, `v0`, `v1`) values ('2024-10-15 14:30:12', 'g', '2024-10-15 14:30:12', 'guest', 'guest') [] {"request_id":"1733917d-27c0-40ae-8b50-7e5a12ea826f"}

Steps to reproduce:

user: guest, role: guest

I'll test it later.

In common business scenarios there shouldn't be a case where a user account name and a role code are identical.

But to guard against malicious users, a check should be added.
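The queries in the log above, reproduced as an added example (not MineAdmin's own code): a constructed in-memory SQLite copy of the `rules` and `role` tables, a `filter_ptype` switch that runs the log's ptype-less `select`/`delete` beside the corrected query restricted to `ptype = 'g'`, and the account-name/role-code collision check the last comment suggests. Function names are assumptions; the sample permission codes are taken from the log.

```python
import sqlite3

def seed() -> sqlite3.Connection:
    """Constructed in-memory copy of the two tables seen in the issue log."""
    db = sqlite3.connect(":memory:")
    db.execute("create table role (code text primary key)")
    db.execute("create table rules (ptype text, v0 text, v1 text)")
    db.execute("insert into role values ('guest')")
    # ptype 'p': role -> permission; ptype 'g': user -> role (Casbin layout).
    db.executemany("insert into rules values ('p', 'guest', ?)", [
        ("log",), ("log:userLogin:list",), ("permission:user:index",)])
    return db

def set_user_roles(db, username, roles, filter_ptype):
    """Replace the user's roles. filter_ptype=False reproduces the queries
    from the log (no ptype filter); True is the corrected version."""
    where = "v0 = ?" + (" and ptype = 'g'" if filter_ptype else "")
    current = {r[0] for r in db.execute(f"select v1 from rules where {where}", (username,))}
    stale = sorted(current - set(roles))  # rows the user should no longer have
    if stale:
        marks = ",".join("?" * len(stale))
        db.execute(f"delete from rules where {where} and v1 in ({marks})", (username, *stale))
    for role in sorted(set(roles) - current):
        db.execute("insert into rules values ('g', ?, ?)", (username, role))

def role_permissions(db, role):
    """Permission codes still attached to a role after the sync."""
    return sorted(r[0] for r in db.execute(
        "select v1 from rules where ptype = 'p' and v0 = ?", (role,)))

def username_collides_with_role(db, username):
    """Guard from the thread: refuse account names that equal an existing role code."""
    return db.execute("select count(*) from role where code = ?", (username,)).fetchone()[0] > 0

def demo():
    """Assign role 'guest' to user 'guest' with both variants; return the
    role's remaining permissions for (buggy, fixed)."""
    buggy, fixed = seed(), seed()
    set_user_roles(buggy, "guest", ["guest"], filter_ptype=False)
    set_user_roles(fixed, "guest", ["guest"], filter_ptype=True)
    return role_permissions(buggy, "guest"), role_permissions(fixed, "guest")

if __name__ == "__main__":
    print(demo())
```

The buggy variant leaves role `guest` with no permissions, exactly what the `delete from rules where v0 = 'guest' and v1 in (...)` line in the log does; the filtered variant touches only the `g` rows.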