Open
Conversation
|
@MonkeyCode-AI review 一下 |
|
MonkeyCode-AI 正在分析任务... |
MonkeyCode-AI
left a comment
MonkeyCode-AI
left a comment
There was a problem hiding this comment.
我是 MonkeyCode AI 编程助手,你可以在 GitHub 仓库的 PR 中 at @MonkeyCode-AI 来呼唤我。
任务执行细节请参考: https://monkeycode-ai.com/tasks/public?id=b9f842f8-0253-43e0-8a2e-2abd2b696424
代码审查结果
变更方向正确:开启多租户时按 tenantId 过滤权限避免跨租户,但 tenantId 校验/默认值与类型一致性存在风险,需修复后合并。
✨ 代码亮点
- 在服务层根据 OPEN_SYSTEM_TENANT_CONTROL 切换查询路径,兼容未开启多租户的旧逻辑
- SQL 层通过 tenant_id 过滤套餐权限来源,直击“多租户混返回权限”的根因
| 🚨 Critical | 💡 Suggestion | |
|---|---|---|
| 1 | 0 | 0 |
| List<SysPermission> permissionList = new ArrayList<>(); | ||
| // 查询租户对应的权限 | ||
| if (MybatisPlusSaasConfig.OPEN_SYSTEM_TENANT_CONTROL) { | ||
| int tenantId = oConvertUtils.getInt(TokenUtils.getTenantIdByRequest(SpringContextUtils.getHttpServletRequest()), 0); |
There was a problem hiding this comment.
Caution
🚨 tenantId 默认值为 0 可能导致权限查询异常或越权(取决于数据)
开启多租户时,tenantId 通过 TokenUtils 从 Request 获取,并用 oConvertUtils.getInt(..., 0) 兜底为 0。若实际 tenantId 缺失/解析失败,会用 tenantId=0 去查 queryByUserWithTenantId:
- 可能导致查不到套餐权限(tenant_id=0 不存在)从而权限缺失;
- 若数据库存在 tenant_id=0 的历史/测试数据,可能错误返回该租户的权限,形成越权风险。
多租户场景下 tenantId 缺失更应明确失败或降级到安全策略(例如返回空权限并要求重新登录/补全租户上下文)。
建议: 在 OPEN_SYSTEM_TENANT_CONTROL=true 时,tenantId 必须有效;若缺失应抛出异常或至少返回空权限并记录告警日志,避免用 0 继续查询。
Suggested change
| int tenantId = oConvertUtils.getInt(TokenUtils.getTenantIdByRequest(SpringContextUtils.getHttpServletRequest()), 0); | |
| List<SysPermission> permissionList; | |
| // 查询租户对应的权限 | |
| if (MybatisPlusSaasConfig.OPEN_SYSTEM_TENANT_CONTROL) { | |
| Integer tenantId = oConvertUtils.getInt(TokenUtils.getTenantIdByRequest(SpringContextUtils.getHttpServletRequest()), null); | |
| if (tenantId == null || tenantId <= 0) { | |
| throw new JeecgBootException("TenantId is missing or invalid when tenant control is enabled"); | |
| } | |
| permissionList = this.sysPermissionMapper.queryByUserWithTenantId(userId, tenantId); | |
| } else { | |
| permissionList = this.sysPermissionMapper.queryByUser(userId); | |
| } |
|
请补充以下信息以便更好地分析问题:
这样可以帮助我们更快地定位和解决问题,谢谢!🙏 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
如果一个用户存在多个租户时,会将用户租户所有权限全部返回;导致与实际租户配置的菜单不一致