
加入页面地址越权访问后记录日志,退出用户登录。

xusl il y a 1 an
Parent
commit
30a6c2b2d5

+ 68 - 3
backend/src/main/java/com/jiayue/ssi/controller/SysPolicyController.java

@@ -5,20 +5,24 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.jiayue.ssi.annotation.OperateLog;
 import com.jiayue.ssi.annotation.PreventReplay;
 import com.jiayue.ssi.backenum.AuditType;
+import com.jiayue.ssi.backenum.BusinessStatus;
 import com.jiayue.ssi.backenum.BusinessType;
 import com.jiayue.ssi.constant.CustomException;
 import com.jiayue.ssi.entity.ElectricField;
+import com.jiayue.ssi.entity.SysOperLog;
 import com.jiayue.ssi.entity.SysPolicy;
+import com.jiayue.ssi.factory.OperateLogFactory;
 import com.jiayue.ssi.service.SysPolicyService;
-import com.jiayue.ssi.util.IdUtils;
-import com.jiayue.ssi.util.LocalCache;
-import com.jiayue.ssi.util.ResponseVO;
+import com.jiayue.ssi.util.*;
+import io.jsonwebtoken.Claims;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -176,4 +180,65 @@ public class SysPolicyController {
             throw new CustomException("获取授权码异常", e);
         }
     }
+
+    /**
+     * 越权访问
+     */
+    @PostMapping(value = "/brokenAccessControl")
+//    @OperateLog(title = "越权访问", businessType = BusinessType.BAC, auditType = AuditType.SYS,operdesc = "越权访问")
+    public ResponseVO brokenAccessControl(HttpServletRequest request, HttpServletResponse response) throws CustomException {
+        try {
+            String token = request.getHeader("Authorization");
+            JwtTokenUtil jwtTokenUtil = new JwtTokenUtil();
+            Claims claims = jwtTokenUtil.getClaimsFromToken(token);
+            String username="";
+            if (claims==null){
+                username = "未知用户";
+            }
+            else{
+                username = claims.getSubject();
+            }
+            SysOperLog operLog = new SysOperLog();
+            operLog.setStatus(BusinessStatus.FAIL.ordinal());
+            // 请求的地址
+            String ip = IPUtils.getIpAddr();
+            operLog.setOperIp(ip);
+            operLog.setOperUrl(request.getParameter("accessUrl"));
+            operLog.setOperName(username);
+            // 设置请求方式
+            operLog.setRequestMethod("");
+            operLog.setCreateBy(username);
+            // 设置action动作
+            operLog.setBusinessType(BusinessType.BAC.ordinal());
+            // 设置标题
+            operLog.setTitle("越权访问");
+            // 操作描述
+            operLog.setOperdesc("越权访问");
+            // 审计类型
+            operLog.setAuditType(AuditType.SYS.ordinal());
+            // 保存数据库
+            OperateLogFactory.recordOper(operLog);
+            SysPolicy sysPolicy = sysPolicyService.getOne(new QueryWrapper<>());
+            String noticeWay = "";
+            if ("0".equals(sysPolicy.getExcLevelLogin())){
+                noticeWay = sysPolicy.getExcNoticeWayA();
+            } else if ("1".equals(sysPolicy.getExcLevelLogin())){
+                noticeWay = sysPolicy.getExcNoticeWayB();
+            }
+
+            // 通知系统管理员
+            if ("0".equals(noticeWay)){
+                log.info("发送邮箱通知系统管理员后台输出======> "+"账号【"+username+"】越权访问"+org.apache.commons.lang3.StringUtils.substring(ServletUtils.getRequest().getRequestURI(), 0, 255));
+            }
+            else if ("1".equals(noticeWay)){
+                // 告警先不用了,系统里只用一种邮箱告警
+            }
+
+
+
+            return ResponseVO.success();
+        } catch (Exception e) {
+            throw new CustomException("越权访问记录异常", e);
+        }
+    }
 }
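Review bot: The notification line near the end of the hunk reports the wrong URL: `ServletUtils.getRequest().getRequestURI()` is the URI of this `/brokenAccessControl` endpoint itself, not the page the user tried to reach, so every notification would name the same path; read the parameter once, `String accessUrl = StringUtils.substring(request.getParameter("accessUrl"), 0, 255);`, and use `accessUrl` in both `setOperUrl` and the log message so the stored record and the notification agree and the value is length-bounded before it is persisted. Note that `accessUrl`, like the decision to call this endpoint at all, is supplied by the client, so the audit row documents what the browser reported rather than a server-observed authorization failure — worth a method comment such as `// accessUrl is client-reported; treat as untrusted and bound its length before persisting`. `sysPolicyService.getOne(new QueryWrapper<>())` is not null-checked, and if the policy table ever holds more than one row MyBatis-Plus `getOne` presumably throws, which here surfaces only as the generic `CustomException("越权访问记录异常")`. The commented-out `@OperateLog` annotation should be deleted rather than kept, the `response` parameter is unused, and the Javadoc could state that the endpoint reads the `accessUrl` request parameter and the `Authorization` header. The commit message says the user is logged out, but nothing in this hunk invalidates the token or session — if that is intended it lives elsewhere.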

+ 25 - 2
ui/src/permission.js

@@ -24,8 +24,31 @@ router.beforeEach(async (to, from, next) => {
       NProgress.done()
     } else {
       if (to.matched.length === 0) {
-        next('/dashboard')
-        // next('/404') // 判断此跳转路由的来源路由是否存在,存在的情况跳转到来源路由,否则跳转到404页面
+        Message({
+          message: '越权访问页面不存在!',
+          type: 'error',
+          duration: 5 * 1000
+        })
+        let sysTime2;
+        let lk2;
+        await service.get('/sysPolicyController/getLicenseKey').then((res) => {
+          sysTime2 = res.data.sysTime
+          lk2 = res.data.lk
+        }).catch((error) => {
+        })
+        const searchParams2 = {
+          sysTime: sysTime2,
+          lk: lk2,
+          accessUrl: window.location.href
+        }
+        // 保存越权访问
+        await service.post('/sysPolicyController/brokenAccessControl', searchParams2).then((res) => {
+          next('/404') // 判断此跳转路由的来源路由是否存在,存在的情况跳转到来源路由,否则跳转到404页面
+        }).catch((error) => {
+          this.$message.error('越权访问记录出错' + error)
+        })
+        // next('/dashboard')
+
       }
       // 登录成功时将路由置空
       if (store.getters.permission_routes.length==0) {
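Review bot: `this.$message.error(...)` in the post's catch handler will throw, because `this` inside the arrow function passed to `router.beforeEach` is not a Vue instance (the hunk itself uses the imported `Message(...)` a few lines above), and in that branch `next` is never called, so a failed logging request leaves the navigation hanging. Replace it with `Message({ message: '越权访问记录出错' + error, type: 'error' })` followed by `next('/404')` so the redirect happens regardless of whether the record was saved. The first `.catch((error) => {})` swallows a failed `getLicenseKey` call silently and then posts `sysTime: undefined, lk: undefined`; at minimum report it, or skip the post when the values are missing. Since `accessUrl` is `window.location.href` and the trigger is a client-side route miss (`to.matched.length === 0`), the server-side record reflects what the browser reported, not a server authorization decision — worth stating in the `// 保存越权访问` comment. As before the change, the block does not `return` after `next('/404')`, so the `permission_routes` check below still runs; if that path can call `next` again it is a pre-existing issue worth a look.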

+ 1 - 1
ui/src/views/sysManager/userManager/index.vue

@@ -1047,7 +1047,7 @@ export default {
         if (res.code == 0) {
           this.$message({
             type: 'success',
-            message: '解锁成功!'
+            message: res.data
           });
           this.getList();
         } else {
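Review bot: `message: res.data` makes the success toast depend entirely on the response body; if the backend returns an empty or missing `data` for this call, the user sees a blank notification. Keep the previous text as a fallback, `message: res.data || '解锁成功!'`. The enclosing handler starts and ends outside the hunk.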