You've already forked FrameTour-BE
feat(mobile): 增强人脸数据访问控制并优化订单查询逻辑
- 在删除人脸数据前增加用户权限校验,确保操作安全 - 移除订单详情接口中的用户身份强制绑定,简化查询流程 - 更新视频与图片资源查询方法,去除冗余的用户ID参数 - 调整Mapper层SQL语句,解耦人脸关联数据对用户的依赖 - 优化服务层代码结构,提升数据获取效率与一致性
This commit is contained in:
@@ -1,13 +1,16 @@
|
||||
package com.ycwl.basic.controller.mobile;
|
||||
|
||||
import com.ycwl.basic.exception.BaseException;
|
||||
import com.ycwl.basic.model.jwt.JwtInfo;
|
||||
import com.ycwl.basic.model.mobile.face.FaceRecognizeResp;
|
||||
import com.ycwl.basic.model.mobile.face.FaceStatusResp;
|
||||
import com.ycwl.basic.model.mobile.scenic.content.ContentPageVO;
|
||||
import com.ycwl.basic.model.mobile.face.FaceRecognitionUpdateReq;
|
||||
import com.ycwl.basic.model.mobile.face.FaceRecognitionDetailVO;
|
||||
import com.ycwl.basic.model.pc.face.entity.FaceEntity;
|
||||
import com.ycwl.basic.model.pc.face.resp.FaceRespVO;
|
||||
import com.ycwl.basic.model.pc.faceSample.entity.FaceSampleEntity;
|
||||
import com.ycwl.basic.repository.FaceRepository;
|
||||
import com.ycwl.basic.service.pc.FaceService;
|
||||
import com.ycwl.basic.utils.ApiResponse;
|
||||
import com.ycwl.basic.utils.JwtTokenUtil;
|
||||
@@ -28,6 +31,8 @@ public class AppFaceController {
|
||||
|
||||
@Autowired
|
||||
private FaceService faceService;
|
||||
@Autowired
|
||||
private FaceRepository faceRepository;
|
||||
|
||||
/**
|
||||
* 1、上传人脸照片
|
||||
@@ -65,6 +70,18 @@ public class AppFaceController {
|
||||
|
||||
@DeleteMapping("/{faceId}")
|
||||
public ApiResponse<String> deleteFace(@PathVariable("faceId") Long faceId) {
|
||||
// 添加权限检查:验证当前用户是否拥有该 face
|
||||
JwtInfo worker = JwtTokenUtil.getWorker();
|
||||
Long userId = worker.getUserId();
|
||||
|
||||
FaceEntity face = faceRepository.getFace(faceId);
|
||||
if (face == null) {
|
||||
throw new BaseException("人脸数据不存在");
|
||||
}
|
||||
if (!face.getMemberId().equals(userId)) {
|
||||
throw new BaseException("无权删除此人脸");
|
||||
}
|
||||
|
||||
return faceService.deleteFace(faceId);
|
||||
}
|
||||
|
||||
|
||||
@@ -262,36 +262,21 @@ public class AppOrderV2Controller {
|
||||
}
|
||||
|
||||
/**
|
||||
* 用户查询自己的订单详情
|
||||
* 查询订单详情
|
||||
*/
|
||||
@GetMapping("/detail/{orderId}")
|
||||
public ApiResponse<OrderV2DetailResponse> getUserOrderDetail(@PathVariable("orderId") Long orderId) {
|
||||
String currentUserIdStr = BaseContextHandler.getUserId();
|
||||
if (currentUserIdStr == null) {
|
||||
log.warn("用户未登录");
|
||||
return ApiResponse.fail("用户未登录");
|
||||
}
|
||||
|
||||
Long currentUserId = Long.valueOf(currentUserIdStr);
|
||||
|
||||
log.info("用户查询订单详情: userId={}, orderId={}", currentUserId, orderId);
|
||||
|
||||
log.info("查询订单详情: orderId={}", orderId);
|
||||
|
||||
try {
|
||||
OrderV2DetailResponse detail = orderService.getOrderDetail(orderId);
|
||||
if (detail == null) {
|
||||
return ApiResponse.fail("订单不存在");
|
||||
}
|
||||
|
||||
// 验证订单是否属于当前用户
|
||||
if (!currentUserId.equals(detail.getMemberId())) {
|
||||
log.warn("用户尝试访问他人订单: userId={}, orderId={}, orderOwner={}",
|
||||
currentUserId, orderId, detail.getMemberId());
|
||||
return ApiResponse.fail("无权访问该订单");
|
||||
}
|
||||
|
||||
|
||||
return ApiResponse.success(detail);
|
||||
} catch (Exception e) {
|
||||
log.error("查询用户订单详情失败: userId={}, orderId={}", currentUserId, orderId, e);
|
||||
log.error("查询订单详情失败: orderId={}", orderId, e);
|
||||
return ApiResponse.fail("查询失败:" + e.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user