From 2b3484d4cf322906044acdb6758ccce9ae1dc079 Mon Sep 17 00:00:00 2001
From: ikmkj <1@qq,com>
Date: Sat, 2 Aug 2025 12:12:59 +0800
Subject: [PATCH] =?UTF-8?q?feat(security):=20=E4=BC=98=E5=8C=96=E6=9D=83?=
 =?UTF-8?q?=E9=99=90=E6=8E=A7=E5=88=B6=E5=B9=B6=E6=B7=BB=E5=8A=A0=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E5=88=A0=E9=99=A4=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 更新 SecurityConfig,增加精确控制的公开阅读端点
- 实现用户删除功能,仅允许删除当前登录用户
- 优化用户删除接口,增加安全性检查
---
 .../bijihoudaun/config/SecurityConfig.java | 26 ++++++++++++++++---
 .../controller/UserController.java | 19 +++++++++-----
 2 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
index 78538ae..4291759 100644
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
@@ -52,8 +52,28 @@ public class SecurityConfig {
 .csrf(csrf -> csrf.disable())
 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(authz -> authz
- .requestMatchers("/doc.html", "/webjars/**", "/v3/api-docs/**", "/api/user/login", "/api/user/register").permitAll()
- .requestMatchers(org.springframework.http.HttpMethod.GET).permitAll()
+ // 1. 始终允许的核心公共端点 (登录、注册、API文档)
+ .requestMatchers(
+ "/doc.html",
+ "/webjars/**",
+ "/v3/api-docs/**",
+ "/api/user/login",
+ "/api/user/register"
+ ).permitAll()
+
+ // 2. 精确允许用于“公开阅读”的 GET 请求
+ .requestMatchers(org.springframework.http.HttpMethod.GET,
+ "/api/groupings/**", // 获取分组
+ "/api/images/preview/**", // 预览图片
+ "/api/markdown/files", // 获取所有文件
+ "/api/markdown/search", // 搜索文件
+ "/api/markdown/grouping/**", // 按分组获取文件
+ "/api/markdown/recent", // 获取最近文件
+ "/api/markdown/{id}", // 获取单个文件内容
+ "/api/system/registration/status" // 检查注册是否开启
+ ).permitAll()
+
+ // 3. 除上述白名单外,所有其他请求都需要认证
 .anyRequest().authenticated()
 )
 // 添加自定义的异常处理器
@@ -67,4 +87,4 @@ public class SecurityConfig {
 return http.build();
 }
-}
\ No newline at end of file
+}
diff --git a/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java b/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
index c86a9fd..acf74af 100644
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
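Review bot: `"/api/markdown/{id}"` in the public GET matcher is a path-variable template, and both `MvcRequestMatcher` and `AntPathRequestMatcher` treat `{id}` as "any one path segment", so every single-segment GET under `/api/markdown/` is anonymous — not only by-id reads but any endpoint added under that prefix later (it already subsumes `/api/markdown/files`, `/search` and `/recent`, which makes those three entries redundant). If note ids are numeric, `"/api/markdown/{id:\\d+}"` narrows the whitelist to what the comment says it covers; I cannot see the markdown controller to confirm the id type, and whether every note is meant to be world-readable (no per-note private flag) is worth confirming too, since this line is what makes reads public. Separately, `/doc.html`, `/webjars/**` and `/v3/api-docs/**` remain `permitAll` unconditionally, which hands the full API surface to anonymous users in production; gating them on a dev profile or behind authentication is cheap. The enclosing filter-chain method starts before this hunk and ends after it (the second hunk only fixes the missing trailing newline).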
@@ -62,14 +62,19 @@ public class UserController {
 return R.success(tokenMap);
 }
- @Operation(summary = "用户删除")
- @Parameters({
- @Parameter(name = "id", description = "用户id",required = true)
- })
+ @Operation(summary = "删除当前登录的用户")
 @DeleteMapping("/deleteUser")
- public R deleteUser(Integer id){
- userService.deleteUser(id);
- return R.success("删除成功");
+ public R deleteUser(){
+ UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+ String username = userDetails.getUsername();
+ User user = userService.getOne(new com.baomidou.mybatisplus.core.conditions.query.QueryWrapper().eq("username", username));
+
+ if (user == null) {
+ return R.fail("无法获取用户信息,删除失败");
+ }
+
+ userService.deleteUser(user.getId().intValue());
+ return R.success("用户删除成功");
 }
 @Operation(summary = "验证Token有效性")
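Review bot: Nothing in the new `deleteUser` body invalidates the caller's credentials after `userService.deleteUser(...)`, and with the `STATELESS` session policy the bearer token that authorised this request presumably keeps working until it expires unless the authentication filter re-checks that the user row still exists — worth confirming against the filter, and if it does not, deletion should also revoke the token (blacklist / jti store) or the filter should fail closed when the user is gone. The `(UserDetails)` cast on the first line assumes `getAuthentication()` is non-null and that its principal is a `UserDetails`; Spring's anonymous principal is the `String` `"anonymousUser"`, so a guard such as `Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (auth == null || !(auth.getPrincipal() instanceof UserDetails)) { return R.fail("无法获取用户信息,删除失败"); }` avoids a `ClassCastException` if this endpoint is ever reachable without a JWT principal. `new QueryWrapper()` is a raw type; `new QueryWrapper<User>().eq("username", username)` (or a `LambdaQueryWrapper<User>` on `User::getUsername`) keeps the lookup type-safe, and `getOne` will throw if `username` is not unique. For an irreversible self-deletion, requiring the password in the request body as re-confirmation is a common extra guard against a stolen token being used to destroy the account.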