fix: 文件下载越权漏洞修复

9f7879f2 · Cano1997 · c65dc5f0 · 9f7879f2 · 9f7879f2 · 9f7879f2
--- a/src/components/app-file-upload/app-file-upload.vue
+++ b/src/components/app-file-upload/app-file-upload.vue
--- a/src/components/app-upload-file-info/app-upload-file-info.vue
+++ b/src/components/app-upload-file-info/app-upload-file-info.vue
@@ -9,6 +9,7 @@ import { Component, Vue, Prop, Watch } from 'vue-property-decorator';
 import { Environment } from '@/environments/environment';
 import { CreateElement } from 'vue';
 import { Subject, Unsubscribable } from 'rxjs';
+import EntityService from '@/service/entity-service';
 @Component({
 })
@@ -42,6 +43,30 @@ export default class AppUploadFileInfo extends Vue {
     */
    @Prop() public name!: string;
+    /**
+     * 应用上下文
+     *
+     * @type {*}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public context!: any;
+    /**
+     * 实体服务
+     *
+     * @type {EntityService}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public appEntityService!: EntityService;
+    /**
+     * 默认为当前实体主键id，有指定则按表单参数
+     *
+     * @type {string}
+     * @memberof AppUploadFileInfo
+     */
+    @Prop() public ownerid!: string;
    /**
     * 上传文件路径
     *
@@ -74,8 +99,11 @@ export default class AppUploadFileInfo extends Vue {
            let files = JSON.parse(this.value);
            if(files.length){
                files.forEach((file: any) => {
-                    let url = `${this.downloadUrl}/${file.id}`;
+                    // let url = `${this.downloadUrl}/${file.id}`;
-                    file.url = url;
+                    const entityName = this.appEntityService.APPDENAME;
+                    const base64 = `${file.id}|${entityName}|${this.ownerid}|${this.context.srfpersonid || this.context.srfuserid}`;
+                    const downloadUrl =`http://downloadpath?key=${window.btoa(base64)}`
+                    file.url = downloadUrl;
                });
            }else{
              files = []

--- a/src/components/disk-file-upload/disk-file-upload.vue
+++ b/src/components/disk-file-upload/disk-file-upload.vue
@@ -71,6 +71,7 @@ import Axios from 'axios';
 import { Unsubscribable } from 'rxjs';
 import { Environment } from '@/environments/environment';
 import { encode } from "js-base64";
+import EntityService from '@/service/entity-service';
 @Component({})
 export default class DiskFileUpload extends Vue {
@@ -195,6 +196,22 @@ export default class DiskFileUpload extends Vue {
     */
    @Prop({ default: false }) public showOcrview?: boolean;
+    /**
+     * 实体服务
+     *
+     * @type {EntityService}
+     * @memberof DiskFileUpload
+     */
+    @Prop() public appEntityService!: EntityService;
+    /**
+     * 应用上下文
+     *
+     * @type {*}
+     * @memberof DiskFileUpload
+     */
+    @Prop() public context!: any;
    /**
     * 表单是否处于编辑状态（有真实主键,srfuf='1';srfuf='0'时处于新建未保存）
     *
@@ -519,7 +536,10 @@ export default class DiskFileUpload extends Vue {
        let _this: any = this;
        const id = typeof item.id == "string" ? item.id : JSON.stringify(item.id);
        const name = typeof item.name == "string" ? item.name : JSON.stringify(item.filename);
-        const downloadUrl = '/ibizutilrpm/download/' + this.getFolder() + '/' + id + '/' + encodeURIComponent(name);
+        // const downloadUrl = '/ibizutilrpm/download/' + this.getFolder() + '/' + id + '/' + encodeURIComponent(name);
+        const entityName = this.appEntityService.APPDENAME;
+        const base64 = `${id}|${entityName}|${this.getOwnerid()}|${this.context.srfpersonid || this.context.srfuserid}`;
+        const downloadUrl =`http://downloadpath?key=${window.btoa(base64)}`
        // 发送get请求
        Axios.get(downloadUrl, {
            headers: {