update 优化 重构系统业务数据权限 避免可能存在的越权风险

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysRoleController.java

@@ -22,7 +22,6 @@ import com.ruoyi.system.domain.vo.DeptTreeSelectVo;
 import com.ruoyi.system.domain.vo.SysRoleVo;
 import com.ruoyi.system.domain.vo.SysUserVo;
 import com.ruoyi.system.service.ISysDeptService;
-import com.ruoyi.system.service.ISysPermissionService;
 import com.ruoyi.system.service.ISysRoleService;
 import com.ruoyi.system.service.ISysUserService;
 import jakarta.servlet.http.HttpServletResponse;
@@ -46,7 +45,6 @@ public class SysRoleController extends BaseController {
     private final ISysRoleService roleService;
     private final ISysUserService userService;
     private final ISysDeptService deptService;
-    private final ISysPermissionService permissionService;
 
     /**
      * 获取角色信息列表
@@ -103,7 +101,7 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping
     public R<Void> edit(@Validated @RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role);
+        roleService.checkRoleAllowed(role.getRoleId());
         roleService.checkRoleDataScope(role.getRoleId());
         if (!roleService.checkRoleNameUnique(role)) {
             return R.fail("修改角色'" + role.getRoleName() + "'失败，角色名称已存在");
@@ -143,7 +141,7 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping("/dataScope")
     public R<Void> dataScope(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role);
+        roleService.checkRoleAllowed(role.getRoleId());
         roleService.checkRoleDataScope(role.getRoleId());
         return toAjax(roleService.authDataScope(role));
     }
@@ -155,9 +153,9 @@ public class SysRoleController extends BaseController {
     @Log(title = "角色管理", businessType = BusinessType.UPDATE)
     @PutMapping("/changeStatus")
     public R<Void> changeStatus(@RequestBody SysRoleBo role) {
-        roleService.checkRoleAllowed(role);
+        roleService.checkRoleAllowed(role.getRoleId());
         roleService.checkRoleDataScope(role.getRoleId());
-        return toAjax(roleService.updateRoleStatus(role));
+        return toAjax(roleService.updateRoleStatus(role.getRoleId(), role.getStatus()));
     }
 
     /**

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysUserController.java

@@ -145,7 +145,7 @@ public class SysUserController extends BaseController {
     @Log(title = "用户管理", businessType = BusinessType.UPDATE)
     @PutMapping
     public R<Void> edit(@Validated @RequestBody SysUserBo user) {
-        userService.checkUserAllowed(user);
+        userService.checkUserAllowed(user.getUserId());
         userService.checkUserDataScope(user.getUserId());
         if (!userService.checkUserNameUnique(user)) {
             return R.fail("修改用户'" + user.getUserName() + "'失败，登录账号已存在");
@@ -179,10 +179,10 @@ public class SysUserController extends BaseController {
     @Log(title = "用户管理", businessType = BusinessType.UPDATE)
     @PutMapping("/resetPwd")
     public R<Void> resetPwd(@RequestBody SysUserBo user) {
-        userService.checkUserAllowed(user);
+        userService.checkUserAllowed(user.getUserId());
         userService.checkUserDataScope(user.getUserId());
         user.setPassword(BCrypt.hashpw(user.getPassword()));
-        return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
+        return toAjax(userService.resetUserPwd(user.getUserId(), user.getPassword()));
     }
 
     /**
@@ -192,9 +192,9 @@ public class SysUserController extends BaseController {
     @Log(title = "用户管理", businessType = BusinessType.UPDATE)
     @PutMapping("/changeStatus")
     public R<Void> changeStatus(@RequestBody SysUserBo user) {
-        userService.checkUserAllowed(user);
+        userService.checkUserAllowed(user.getUserId());
         userService.checkUserDataScope(user.getUserId());
-        return toAjax(userService.updateUserStatus(user));
+        return toAjax(userService.updateUserStatus(user.getUserId(), user.getStatus()));
     }
 
     /**

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/listener/SysUserImportListener.java

@@ -67,7 +67,7 @@ public class SysUserImportListener extends AnalysisEventListener<SysUserImportVo
                 SysUserBo user = BeanUtil.toBean(userVo, SysUserBo.class);
                 user.setUserId(userId);
                 ValidatorUtils.validate(user);
-                userService.checkUserAllowed(user);
+                userService.checkUserAllowed(user.getUserId());
                 userService.checkUserDataScope(user.getUserId());
                 user.setUpdateBy(operUserId);
                 userService.updateUser(user);

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysDeptMapper.java

@@ -29,6 +29,11 @@ public interface SysDeptMapper extends BaseMapperPlus<SysDeptMapper, SysDept, Sy
     })
     List<SysDeptVo> selectDeptList(@Param(Constants.WRAPPER) Wrapper<SysDept> queryWrapper);
 
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "dept_id")
+    })
+    SysDeptVo selectDeptById(Long deptId);
+
     /**
      * 根据角色ID查询部门树信息
      *

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysRoleMapper.java

@@ -5,8 +5,8 @@ import com.baomidou.mybatisplus.core.toolkit.Constants;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.ruoyi.common.mybatis.annotation.DataColumn;
 import com.ruoyi.common.mybatis.annotation.DataPermission;
-import com.ruoyi.system.domain.SysRole;
 import com.ruoyi.common.mybatis.core.mapper.BaseMapperPlus;
+import com.ruoyi.system.domain.SysRole;
 import com.ruoyi.system.domain.vo.SysRoleVo;
 import org.apache.ibatis.annotations.Param;
 
@@ -35,6 +35,11 @@ public interface SysRoleMapper extends BaseMapperPlus<SysRoleMapper, SysRole, Sy
     })
     List<SysRoleVo> selectRoleList(@Param(Constants.WRAPPER) Wrapper<SysRole> queryWrapper);
 
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "d.dept_id")
+    })
+    SysRoleVo selectRoleById(Long roleId);
+
     /**
      * 根据用户ID查询角色
      *

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/mapper/SysUserMapper.java

@@ -104,6 +104,10 @@ public interface SysUserMapper extends BaseMapperPlus<SysUserMapper, SysUser, Sy
      * @param userId 用户ID
      * @return 用户对象信息
      */
+    @DataPermission({
+        @DataColumn(key = "deptName", value = "d.dept_id"),
+        @DataColumn(key = "userName", value = "u.user_id")
+    })
     SysUserVo selectUserById(Long userId);
 
     @Override
@@ -111,7 +115,7 @@ public interface SysUserMapper extends BaseMapperPlus<SysUserMapper, SysUser, Sy
         @DataColumn(key = "deptName", value = "dept_id"),
         @DataColumn(key = "userName", value = "user_id")
     })
-    int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
+    int update(@Param(Constants.ENTITY) SysUser user, @Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
 
     @Override
     @DataPermission({

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysRoleService.java

@@ -85,9 +85,9 @@ public interface ISysRoleService {
     /**
      * 校验角色是否允许操作
      *
-     * @param role 角色信息
+     * @param roleId 角色ID
      */
-    void checkRoleAllowed(SysRoleBo role);
+    void checkRoleAllowed(Long roleId);
 
     /**
      * 校验角色是否有数据权限
@@ -123,10 +123,11 @@ public interface ISysRoleService {
     /**
      * 修改角色状态
      *
-     * @param bo 角色信息
+     * @param roleId 角色ID
+     * @param status 角色状态
      * @return 结果
      */
-    int updateRoleStatus(SysRoleBo bo);
+    int updateRoleStatus(Long roleId, String status);
 
     /**
      * 修改数据权限信息

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java

@@ -108,9 +108,9 @@ public interface ISysUserService {
     /**
      * 校验用户是否允许操作
      *
-     * @param user 用户信息
+     * @param userId 用户ID
      */
-    void checkUserAllowed(SysUserBo user);
+    void checkUserAllowed(Long userId);
 
     /**
      * 校验用户是否有数据权限
@@ -154,10 +154,11 @@ public interface ISysUserService {
     /**
      * 修改用户状态
      *
-     * @param user 用户信息
+     * @param userId 用户ID
+     * @param status 帐号状态
      * @return 结果
      */
-    int updateUserStatus(SysUserBo user);
+    int updateUserStatus(Long userId, String status);
 
     /**
      * 修改用户基本信息
@@ -171,7 +172,7 @@ public interface ISysUserService {
      * 修改用户头像
      *
      * @param userId 用户ID
-     * @param avatar   头像地址
+     * @param avatar 头像地址
      * @return 结果
      */
     boolean updateUserAvatar(Long userId, Long avatar);
@@ -179,7 +180,7 @@ public interface ISysUserService {
     /**
      * 重置用户密码
      *
-     * @param userId 用户ID
+     * @param userId   用户ID
      * @param password 密码
      * @return 结果
      */

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysDeptServiceImpl.java

@@ -212,13 +212,15 @@ public class SysDeptServiceImpl implements ISysDeptService, DeptService {
      */
     @Override
     public void checkDeptDataScope(Long deptId) {
-        if (!LoginHelper.isSuperAdmin()) {
-            SysDeptBo dept = new SysDeptBo();
-            dept.setDeptId(deptId);
-            List<SysDeptVo> depts = this.selectDeptList(dept);
-            if (CollUtil.isEmpty(depts)) {
-                throw new ServiceException("没有权限访问部门数据！");
-            }
+        if (ObjectUtil.isNull(deptId)) {
+            return;
+        }
+        if (LoginHelper.isSuperAdmin()) {
+            return;
+        }
+        SysDeptVo dept = baseMapper.selectDeptById(deptId);
+        if (ObjectUtil.isNull(dept)) {
+            throw new ServiceException("没有权限访问部门数据！");
         }
     }
 
@@ -250,13 +252,17 @@ public class SysDeptServiceImpl implements ISysDeptService, DeptService {
     @Override
     public int updateDept(SysDeptBo bo) {
         SysDept dept = MapstructUtils.convert(bo, SysDept.class);
-        SysDept newParentDept = baseMapper.selectById(dept.getParentId());
         SysDept oldDept = baseMapper.selectById(dept.getDeptId());
-        if (ObjectUtil.isNotNull(newParentDept) && ObjectUtil.isNotNull(oldDept)) {
-            String newAncestors = newParentDept.getAncestors() + StringUtils.SEPARATOR + newParentDept.getDeptId();
-            String oldAncestors = oldDept.getAncestors();
-            dept.setAncestors(newAncestors);
-            updateDeptChildren(dept.getDeptId(), newAncestors, oldAncestors);
+        if (!oldDept.getParentId().equals(dept.getParentId())) {
+            // 如果是新父部门 则校验是否具有新父部门权限 避免越权
+            this.checkDeptDataScope(dept.getParentId());
+            SysDept newParentDept = baseMapper.selectById(dept.getParentId());
+            if (ObjectUtil.isNotNull(newParentDept) && ObjectUtil.isNotNull(oldDept)) {
+                String newAncestors = newParentDept.getAncestors() + StringUtils.SEPARATOR + newParentDept.getDeptId();
+                String oldAncestors = oldDept.getAncestors();
+                dept.setAncestors(newAncestors);
+                updateDeptChildren(dept.getDeptId(), newAncestors, oldAncestors);
+            }
         }
         int result = baseMapper.updateById(dept);
         if (UserConstants.DEPT_NORMAL.equals(dept.getStatus()) && StringUtils.isNotEmpty(dept.getAncestors())

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysRoleServiceImpl.java

@@ -5,17 +5,18 @@ import cn.hutool.core.util.ObjectUtil;
 import com.baomidou.mybatisplus.core.conditions.Wrapper;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
+import com.baomidou.mybatisplus.core.conditions.update.LambdaUpdateWrapper;
 import com.baomidou.mybatisplus.core.toolkit.Wrappers;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.ruoyi.common.core.constant.UserConstants;
+import com.ruoyi.common.core.exception.ServiceException;
 import com.ruoyi.common.core.utils.MapstructUtils;
 import com.ruoyi.common.core.utils.StreamUtils;
 import com.ruoyi.common.core.utils.StringUtils;
 import com.ruoyi.common.mybatis.core.page.PageQuery;
-import com.ruoyi.system.domain.SysRole;
 import com.ruoyi.common.mybatis.core.page.TableDataInfo;
-import com.ruoyi.common.core.exception.ServiceException;
 import com.ruoyi.common.satoken.utils.LoginHelper;
+import com.ruoyi.system.domain.SysRole;
 import com.ruoyi.system.domain.SysRoleDept;
 import com.ruoyi.system.domain.SysRoleMenu;
 import com.ruoyi.system.domain.SysUserRole;
@@ -145,7 +146,7 @@ public class SysRoleServiceImpl implements ISysRoleService {
      */
     @Override
     public SysRoleVo selectRoleById(Long roleId) {
-        return baseMapper.selectVoById(roleId);
+        return baseMapper.selectRoleById(roleId);
     }
 
     /**
@@ -179,11 +180,11 @@ public class SysRoleServiceImpl implements ISysRoleService {
     /**
      * 校验角色是否允许操作
      *
-     * @param role 角色信息
+     * @param roleId 角色ID
      */
     @Override
-    public void checkRoleAllowed(SysRoleBo role) {
-        if (ObjectUtil.isNotNull(role.getRoleId()) && role.isSuperAdmin()) {
+    public void checkRoleAllowed(Long roleId) {
+        if (ObjectUtil.isNotNull(roleId) && LoginHelper.isSuperAdmin(roleId)) {
             throw new ServiceException("不允许操作超级管理员角色");
         }
     }
@@ -195,14 +196,17 @@ public class SysRoleServiceImpl implements ISysRoleService {
      */
     @Override
     public void checkRoleDataScope(Long roleId) {
-        if (!LoginHelper.isSuperAdmin()) {
-            SysRoleBo role = new SysRoleBo();
-            role.setRoleId(roleId);
-            List<SysRoleVo> roles = this.selectRoleList(role);
-            if (CollUtil.isEmpty(roles)) {
-                throw new ServiceException("没有权限访问角色数据！");
-            }
+        if (ObjectUtil.isNull(roleId)) {
+            return;
         }
+        if (LoginHelper.isSuperAdmin()) {
+            return;
+        }
+        List<SysRoleVo> roles = this.selectRoleList(new SysRoleBo(roleId));
+        if (CollUtil.isEmpty(roles)) {
+            throw new ServiceException("没有权限访问角色数据！");
+        }
+
     }
 
     /**
@@ -252,13 +256,16 @@ public class SysRoleServiceImpl implements ISysRoleService {
     /**
      * 修改角色状态
      *
-     * @param bo 角色信息
+     * @param roleId 角色ID
+     * @param status 角色状态
      * @return 结果
      */
     @Override
-    public int updateRoleStatus(SysRoleBo bo) {
-        SysRole role = MapstructUtils.convert(bo, SysRole.class);
-        return baseMapper.updateById(role);
+    public int updateRoleStatus(Long roleId, String status) {
+        return baseMapper.update(null,
+            new LambdaUpdateWrapper<SysRole>()
+                .set(SysRole::getStatus, status)
+                .eq(SysRole::getRoleId, roleId));
     }
 
     /**
@@ -347,7 +354,7 @@ public class SysRoleServiceImpl implements ISysRoleService {
     @Transactional(rollbackFor = Exception.class)
     public int deleteRoleByIds(Long[] roleIds) {
         for (Long roleId : roleIds) {
-            checkRoleAllowed(new SysRoleBo(roleId));
+            checkRoleAllowed(roleId);
             checkRoleDataScope(roleId);
             SysRole role = baseMapper.selectById(roleId);
             if (countUserRoleByRoleId(roleId) > 0) {

ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java

@@ -36,10 +36,8 @@ import org.springframework.cache.annotation.Cacheable;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 /**
  * 用户 业务层处理
@@ -239,11 +237,11 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     /**
      * 校验用户是否允许操作
      *
-     * @param user 用户信息
+     * @param userId 用户ID
      */
     @Override
-    public void checkUserAllowed(SysUserBo user) {
-        if (ObjectUtil.isNotNull(user.getUserId()) && user.isSuperAdmin()) {
+    public void checkUserAllowed(Long userId) {
+        if (ObjectUtil.isNotNull(userId) && LoginHelper.isSuperAdmin(userId)) {
             throw new ServiceException("不允许操作超级管理员用户");
         }
     }
@@ -255,13 +253,14 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
      */
     @Override
     public void checkUserDataScope(Long userId) {
-        if (!LoginHelper.isSuperAdmin()) {
-            SysUserBo user = new SysUserBo();
-            user.setUserId(userId);
-            List<SysUserVo> users = this.selectUserList(user);
-            if (CollUtil.isEmpty(users)) {
-                throw new ServiceException("没有权限访问用户数据！");
-            }
+        if (ObjectUtil.isNull(userId)) {
+            return;
+        }
+        if (LoginHelper.isSuperAdmin()) {
+            return;
+        }
+        if (ObjectUtil.isNull(baseMapper.selectUserById(userId))) {
+            throw new ServiceException("没有权限访问用户数据！");
         }
     }
 
@@ -279,9 +278,9 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
         int rows = baseMapper.insert(sysUser);
         user.setUserId(sysUser.getUserId());
         // 新增用户岗位关联
-        insertUserPost(user);
+        insertUserPost(user, false);
         // 新增用户与角色管理
-        insertUserRole(user);
+        insertUserRole(user, false);
         return rows;
     }
 
@@ -309,20 +308,15 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     @Override
     @Transactional(rollbackFor = Exception.class)
     public int updateUser(SysUserBo user) {
-        Long userId = user.getUserId();
-        // 删除用户与角色关联
-        userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
         // 新增用户与角色管理
-        insertUserRole(user);
-        // 删除用户与岗位关联
-        userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
+        insertUserRole(user, true);
         // 新增用户与岗位管理
-        insertUserPost(user);
+        insertUserPost(user, true);
         SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
-        //防止错误更新后导致的数据误删除
+        // 防止错误更新后导致的数据误删除
         int flag = baseMapper.updateById(sysUser);
-        if (flag <= 0){
-            throw new ServiceException("修改用户"+user.getUserName()+"信息失败");
+        if (flag < 1) {
+            throw new ServiceException("修改用户" + user.getUserName() + "信息失败");
         }
         return flag;
     }
@@ -338,21 +332,22 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     public void insertUserAuth(Long userId, Long[] roleIds) {
         userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>()
             .eq(SysUserRole::getUserId, userId));
-        insertUserRole(userId, roleIds);
+        insertUserRole(userId, roleIds, false);
     }
 
     /**
      * 修改用户状态
      *
-     * @param user 用户信息
+     * @param userId 用户ID
+     * @param status 帐号状态
      * @return 结果
      */
     @Override
-    public int updateUserStatus(SysUserBo user) {
+    public int updateUserStatus(Long userId, String status) {
         return baseMapper.update(null,
             new LambdaUpdateWrapper<SysUser>()
-                .set(SysUser::getStatus, user.getStatus())
-                .eq(SysUser::getUserId, user.getUserId()));
+                .set(SysUser::getStatus, status)
+                .eq(SysUser::getUserId, userId));
     }
 
     /**
@@ -376,7 +371,7 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
      * 修改用户头像
      *
      * @param userId 用户ID
-     * @param avatar   头像地址
+     * @param avatar 头像地址
      * @return 结果
      */
     @Override
@@ -390,7 +385,7 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     /**
      * 重置用户密码
      *
-     * @param userId 用户ID
+     * @param userId   用户ID
      * @param password 密码
      * @return 结果
      */
@@ -405,34 +400,29 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     /**
      * 新增用户角色信息
      *
-     * @param user 用户对象
+     * @param user  用户对象
+     * @param clear 清除已存在的关联数据
      */
-    public void insertUserRole(SysUserBo user) {
-        this.insertUserRole(user.getUserId(), user.getRoleIds());
+    public void insertUserRole(SysUserBo user, boolean clear) {
+        this.insertUserRole(user.getUserId(), user.getRoleIds(), clear);
     }
 
     /**
      * 新增用户岗位信息
      *
-     * @param user 用户对象
+     * @param user  用户对象
+     * @param clear 清除已存在的关联数据
      */
-    public void insertUserPost(SysUserBo user) {
+    public void insertUserPost(SysUserBo user, boolean clear) {
         Long[] posts = user.getPostIds();
         if (ArrayUtil.isNotEmpty(posts)) {
-            //判断是否具有此角色的岗位权限
-            List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
-            if (postList.isEmpty()){
-                throw new ServiceException("您不具有操作岗位的权限");
-            }
-            List<Long> postIdList = Arrays.asList(posts);
-            List<Long> canDoPostList = postIdList.stream()
-                .filter(postList::contains)
-                .collect(Collectors.toList());
-            if (canDoPostList.isEmpty()){
-                throw new ServiceException("您不具有操作当前岗位的权限");
+            Long userId = LoginHelper.getUserId();
+            if (clear) {
+                // 删除用户与岗位关联
+                userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
             }
             // 新增用户与岗位管理
-            List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
+            List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> {
                 SysUserPost up = new SysUserPost();
                 up.setUserId(user.getUserId());
                 up.setPostId(postId);
@@ -447,20 +437,26 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
      *
      * @param userId  用户ID
      * @param roleIds 角色组
+     * @param clear   清除已存在的关联数据
      */
-    public void insertUserRole(Long userId, Long[] roleIds) {
+    public void insertUserRole(Long userId, Long[] roleIds, boolean clear) {
         if (ArrayUtil.isNotEmpty(roleIds)) {
-            //判断是否具有此角色的操作权限
-            List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
-            if (roleList.isEmpty()){
-                throw new ServiceException("您不具有操作角色的权限");
+            // 判断是否具有此角色的操作权限
+            List<SysRoleVo> roles = roleMapper.selectRoleList(new LambdaQueryWrapper<>());
+            if (CollUtil.isEmpty(roles)) {
+                throw new ServiceException("没有权限访问角色的数据");
+            }
+            List<Long> roleList = StreamUtils.toList(roles, SysRoleVo::getRoleId);
+            if (!LoginHelper.isSuperAdmin(userId)) {
+                roleList.remove(UserConstants.SUPER_ADMIN_ID);
+            }
+            List<Long> canDoRoleList = StreamUtils.filter(List.of(roleIds), roleList::contains);
+            if (CollUtil.isEmpty(canDoRoleList)) {
+                throw new ServiceException("没有权限访问角色的数据");
             }
-            List<Long> roleIdList = Arrays.asList(roleIds);
-            List<Long> canDoRoleList = roleIdList.stream()
-                .filter(roleList::contains)
-                .collect(Collectors.toList());
-            if (canDoRoleList.isEmpty()){
-                throw new ServiceException("您不具有操作当前角色的权限");
+            if (clear) {
+                // 删除用户与角色关联
+                userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
             }
             // 新增用户与角色管理
             List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
@@ -488,8 +484,8 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
         userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
         // 防止更新失败导致的数据删除
         int flag = baseMapper.deleteById(userId);
-        if (flag <= 0){
-            throw new ServiceException("删除用户发生异常");
+        if (flag < 1) {
+            throw new ServiceException("删除用户失败!");
         }
         return flag;
     }
@@ -504,7 +500,7 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
     @Transactional(rollbackFor = Exception.class)
     public int deleteUserByIds(Long[] userIds) {
         for (Long userId : userIds) {
-            checkUserAllowed(new SysUserBo(userId));
+            checkUserAllowed(userId);
             checkUserDataScope(userId);
         }
         List<Long> ids = List.of(userIds);
@@ -514,8 +510,8 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
         userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
         // 防止更新失败导致的数据删除
         int flag = baseMapper.deleteBatchIds(ids);
-        if (flag <= 0){
-            throw new ServiceException("删除用户发生异常");
+        if (flag < 1) {
+            throw new ServiceException("删除用户失败!");
         }
         return flag;
     }

ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysDeptMapper.xml

@@ -11,6 +11,10 @@
         select * from sys_dept ${ew.getCustomSqlSegment}
     </select>
 
+    <select id="selectDeptById" resultMap="SysDeptResult">
+        select * from sys_dept where del_flag = '0' and dept_id = #{deptId}
+    </select>
+
     <select id="selectDeptListByRoleId" resultType="Long">
         select d.dept_id
         from sys_dept d

ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysRoleMapper.xml

@@ -53,4 +53,9 @@
         WHERE r.del_flag = '0' and u.user_name = #{userName}
     </select>
 
+    <select id="selectRoleById" resultMap="SysRoleResult">
+        <include refid="selectRoleVo"/>
+        WHERE r.del_flag = '0' and r.role_id = #{roleId}
+    </select>
+
 </mapper>