增加调查问卷访问详情/提交问卷结果的权限校验

4 years ago · 5b76920e5b
2 changed files with 20 additions and 2 deletions
--- a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java
+++ b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java
@ -253,7 +253,15 @@ public class UserProjectController {
     * @param key
     */
    @GetMapping("/user/project/details/{key}")
-    public Result queryProjectDetails(@PathVariable @NotBlank String key) {
+    public Result queryProjectDetails(@PathVariable @NotBlank String key,
+                                      @RequestParam(value = "access_key", required = true) String accessKey,
+                                      @RequestHeader(value = "userId", required = true) String userId) {
+        // 先校验有没有访问该问卷的权限
+        String accessKeyFromCache = (String) redisUtils.get(String.format("epmet:questionnaire:accesskey:%s:%s", userId, key));
+        if (StringUtils.isBlank(accessKeyFromCache) || !accessKeyFromCache.equals(accessKey)) {
+            throw new RuntimeException("您没有访问权限");
+        }
+
        UserProjectEntity project = projectService.getByKey(key);
        List<UserProjectItemEntity> projectItemList = projectItemService.listByProjectKey(key);
        UserProjectThemeVo themeVo = userProjectThemeService.getUserProjectDetails(key);
--- a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java
+++ b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java
@ -27,6 +27,7 @@ import com.tduck.cloud.project.vo.ExportProjectResultVO;
 import com.tduck.cloud.wx.mp.service.WxMpUserMsgService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.*;

 import javax.servlet.ServletOutputStream;
@ -75,12 +76,21 @@ public class UserProjectResultController {
     *
     * @param entity
     * @param request
+     * @param accessKey 访问key，当前用户是否允许填写问卷
     * @return
     */
    @NoRepeatSubmit
    @PostMapping("/create")
-    public Result createProjectResult(@RequestBody UserProjectResultEntity entity, @RequestAttribute String userId, HttpServletRequest request) {
+    public Result createProjectResult(@RequestBody UserProjectResultEntity entity, @RequestAttribute String userId, HttpServletRequest request,
+                                      @RequestParam(value = "access_key", required = true) String accessKey) {
        ValidatorUtils.validateEntity(entity);
+
+        // 先校验有没有访问该问卷的权限
+        String accessKeyFromCache = (String) redisUtils.get(String.format("epmet:questionnaire:accesskey:%s:%s", userId, entity.getProjectKey()));
+        if (StringUtils.isBlank(accessKeyFromCache) || !accessKeyFromCache.equals(accessKey)) {
+            throw new RuntimeException("您没有访问权限");
+        }
+
        entity.setUserId(userId);
        entity.setSubmitRequestIp(HttpUtils.getIpAddr(request));
        Result<UserProjectSettingEntity> userProjectSettingStatus = userProjectSettingService.getUserProjectSettingStatus(entity.getProjectKey(), entity.getSubmitRequestIp(), entity.getWxOpenId());