feat(security): 优化权限控制并添加用户删除功能

- 更新 SecurityConfig，增加精确控制的公开阅读端点 - 实现用户删除功能，仅允许删除当前登录用户 - 优化用户删除接口，增加安全性检查
2025-08-02 12:12:59 +08:00
parent 7d8297bb96
commit 2b3484d4cf
2 changed files with 35 additions and 10 deletions
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
@@ -52,8 +52,28 @@ public class SecurityConfig {
                .csrf(csrf -> csrf.disable())
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(authz -> authz
-                        .requestMatchers("/doc.html", "/webjars/**", "/v3/api-docs/**", "/api/user/login", "/api/user/register").permitAll()
-                        .requestMatchers(org.springframework.http.HttpMethod.GET).permitAll()
+                        // 1. 始终允许的核心公共端点 (登录、注册、API文档)
+                        .requestMatchers(
+                                "/doc.html",
+                                "/webjars/**",
+                                "/v3/api-docs/**",
+                                "/api/user/login",
+                                "/api/user/register"
+                        ).permitAll()
+
+                        // 2. 精确允许用于“公开阅读”的 GET 请求
+                        .requestMatchers(org.springframework.http.HttpMethod.GET,
+                                "/api/groupings/**",          // 获取分组
+                                "/api/images/preview/**",      // 预览图片
+                                "/api/markdown/files",         // 获取所有文件
+                                "/api/markdown/search",        // 搜索文件
+                                "/api/markdown/grouping/**",   // 按分组获取文件
+                                "/api/markdown/recent",        // 获取最近文件
+                                "/api/markdown/{id}",          // 获取单个文件内容
+                                "/api/system/registration/status" // 检查注册是否开启
+                        ).permitAll()
+
+                        // 3. 除上述白名单外，所有其他请求都需要认证
                        .anyRequest().authenticated()
                )
                // 添加自定义的异常处理器
@@ -67,4 +87,4 @@ public class SecurityConfig {

        return http.build();
    }
-}
+}
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
@@ -62,14 +62,19 @@ public class UserController {
        return R.success(tokenMap);
    }

-    @Operation(summary = "用户删除")
-    @Parameters({
-            @Parameter(name = "id", description = "用户id",required = true)
-    })
+    @Operation(summary = "删除当前登录的用户")
    @DeleteMapping("/deleteUser")
-    public R<String> deleteUser(Integer id){
-        userService.deleteUser(id);
-        return R.success("删除成功");
+    public R<String> deleteUser(){
+        UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        String username = userDetails.getUsername();
+        User user = userService.getOne(new com.baomidou.mybatisplus.core.conditions.query.QueryWrapper<User>().eq("username", username));
+
+        if (user == null) {
+            return R.fail("无法获取用户信息，删除失败");
+        }
+
+        userService.deleteUser(user.getId().intValue());
+        return R.success("用户删除成功");
    }

    @Operation(summary = "验证Token有效性")