fix：网关传递 login-user 可能存在 usertype 不正确的问题

(cherry picked from commit 04bd6bff043f66273d0786ab42f97494a0498fc3)
2025-04-30 16:03:50 +08:00 · 2025-04-30 16:03:50 +08:00 · c15145a87a
commit c15145a87a
parent ea3888a02f
1 changed files with 11 additions and 1 deletions
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
@ -135,7 +135,17 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
        }
        try {
            loginUserStr = URLDecoder.decode(loginUserStr, StandardCharsets.UTF_8); // 解码，解决中文乱码问题
-            return JsonUtils.parseObject(loginUserStr, LoginUser.class);
+            LoginUser loginUser = JsonUtils.parseObject(loginUserStr, LoginUser.class);
+            // 用户类型不匹配，无权限
+            // 注意：只有 /admin-api/* 和 /app-api/* 有 userType，才需要比对用户类型
+            // 类似 WebSocket 的 /ws/* 连接地址，是不需要比对用户类型的
+            Integer userType = WebFrameworkUtils.getLoginUserType(request);
+            if (userType != null
+                    && loginUser != null
+                    && ObjectUtil.notEqual(loginUser.getUserType(), userType)) {
+                throw new AccessDeniedException("错误的用户类型");
+            }
+            return loginUser;
        } catch (Exception ex) {
            log.error("[buildLoginUserByHeader][解析 LoginUser({}) 发生异常]", loginUserStr, ex);  ;
            throw ex;