fix: 文件下载越权漏洞修复

src/components/app-file-upload/app-file-upload.vue

@@ -47,19 +47,20 @@
         </ul>
       </modal>
     </div>
-  </template>
+</template>
   
-  <script lang="ts">
-  import { Component, Vue, Prop, Watch } from 'vue-property-decorator';
-  import { Environment } from '@/environments/environment';
-  import { CreateElement } from 'vue';
-  import { Subject, Unsubscribable } from 'rxjs';
-  import Axios from 'axios';
-  import { Message } from 'element-ui';
+<script lang="ts">
+import { Component, Vue, Prop, Watch } from 'vue-property-decorator';
+import { Environment } from '@/environments/environment';
+import { CreateElement } from 'vue';
+import { Subject, Unsubscribable } from 'rxjs';
+import Axios from 'axios';
+import { Message } from 'element-ui';
+import EntityService from '@/service/entity-service';
 
-  @Component({
-  })
-  export default class AppFileUpload extends Vue {
+@Component({
+})
+export default class AppFileUpload extends Vue {
 
     /**
      * 表单状态
@@ -175,6 +176,22 @@
      */
     @Prop() public exportparams?: any;
 
+    /**
+     * 实体服务
+     *
+     * @type {EntityService}
+     * @memberof AppFileUpload
+     */
+    @Prop() public appEntityService!: EntityService;
+
+    /**
+     * 默认为当前实体主键id，有指定则按表单参数
+     *
+     * @type {string}
+     * @memberof AppFileUpload
+     */
+    @Prop() public ownerid!: string;
+
     /**
      * 文件列表
      *
@@ -470,7 +487,10 @@
         let _this: any = this;
         const id = typeof file.id == "string" ? file.id : JSON.stringify(file.id);
         const name = typeof file.name == "string" ? file.name : JSON.stringify(file.filename);
-          const downloadUrl = `${(window as any).Environment.ExportFile}`+ '/' + id + '/' + name;
+        // const downloadUrl = '/ibizutilrpm/download/' + this.getFolder() + '/' + id + '/' + encodeURIComponent(name);
+        const entityName = this.appEntityService.APPDENAME;
+        const base64 = `${id}|${entityName}|${this.ownerid}|${this.context.srfpersonid || this.context.srfuserid}`;
+        const downloadUrl =`http://downloadpath?key=${window.btoa(base64)}`
             // 发送get请求
             Axios.get(downloadUrl, {
                 responseType: 'arraybuffer',
@@ -546,9 +566,9 @@
     public showActions: boolean = false;
 
 
-  }
-  </script>
+}
+</script>
 
-  <style lang='less'>
-  @import './app-file-upload.less';
-  </style>
\ No newline at end of file
+<style lang='less'>
+@import './app-file-upload.less';
+</style>
\ No newline at end of file

src/components/app-upload-file-info/app-upload-file-info.vue

@@ -9,6 +9,7 @@ import { Component, Vue, Prop, Watch } from 'vue-property-decorator';
 import { Environment } from '@/environments/environment';
 import { CreateElement } from 'vue';
 import { Subject, Unsubscribable } from 'rxjs';
+import EntityService from '@/service/entity-service';
 
 @Component({
 })
@@ -42,6 +43,30 @@ export default class AppUploadFileInfo extends Vue {
      */
     @Prop() public name!: string;
 
+    /**
+     * 应用上下文
+     *
+     * @type {*}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public context!: any;
+
+    /**
+     * 实体服务
+     *
+     * @type {EntityService}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public appEntityService!: EntityService;
+
+    /**
+     * 默认为当前实体主键id，有指定则按表单参数
+     *
+     * @type {string}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public ownerid!: string;
+
     /**
      * 上传文件路径
      *
@@ -74,8 +99,11 @@ export default class AppUploadFileInfo extends Vue {
             let files = JSON.parse(this.value);
             if(files.length){
                 files.forEach((file: any) => {
-                    let url = `${this.downloadUrl}/${file.id}`;
-                    file.url = url;
+                    // let url = `${this.downloadUrl}/${file.id}`;
+                    const entityName = this.appEntityService.APPDENAME;
+                    const base64 = `${file.id}|${entityName}|${this.ownerid}|${this.context.srfpersonid || this.context.srfuserid}`;
+                    const downloadUrl =`http://downloadpath?key=${window.btoa(base64)}`
+                    file.url = downloadUrl;
                 });
             }else{
               files = []

src/components/disk-file-upload/disk-file-upload.vue

@@ -71,6 +71,7 @@ import Axios from 'axios';
 import { Unsubscribable } from 'rxjs';
 import { Environment } from '@/environments/environment';
 import { encode } from "js-base64";
+import EntityService from '@/service/entity-service';
 
 @Component({})
 export default class DiskFileUpload extends Vue {
@@ -195,6 +196,22 @@ export default class DiskFileUpload extends Vue {
      */
     @Prop({ default: false }) public showOcrview?: boolean;
 
+    /**
+     * 实体服务
+     *
+     * @type {EntityService}
+     * @memberof DiskFileUpload
+     */
+    @Prop() public appEntityService!: EntityService;
+
+    /**
+     * 应用上下文
+     *
+     * @type {*}
+     * @memberof DiskFileUpload
+     */
+    @Prop() public context!: any;
+
     /**
      * 表单是否处于编辑状态（有真实主键,srfuf='1';srfuf='0'时处于新建未保存）
      *
@@ -519,7 +536,10 @@ export default class DiskFileUpload extends Vue {
         let _this: any = this;
         const id = typeof item.id == "string" ? item.id : JSON.stringify(item.id);
         const name = typeof item.name == "string" ? item.name : JSON.stringify(item.filename);
-        const downloadUrl = '/ibizutilrpm/download/' + this.getFolder() + '/' + id + '/' + encodeURIComponent(name);
+        // const downloadUrl = '/ibizutilrpm/download/' + this.getFolder() + '/' + id + '/' + encodeURIComponent(name);
+        const entityName = this.appEntityService.APPDENAME;
+        const base64 = `${id}|${entityName}|${this.getOwnerid()}|${this.context.srfpersonid || this.context.srfuserid}`;
+        const downloadUrl =`http://downloadpath?key=${window.btoa(base64)}`
         // 发送get请求
         Axios.get(downloadUrl, {
             headers: {