diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" index df6a6a6..59d2e6f 100644 --- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" +++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" @@ -2363,9 +2363,10 @@ - 2、【修复】"CVE-2022-43402" groovy低版本漏洞修复。 - 3、【修复】"CVE-2024-29025" netty低版本漏洞修复。 - 4、【修复】"CVE-2024-3366" freemarker模板注入漏洞修复。 -- 5、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 -- 6、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 -- 7、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 +- 5、【修复】"CVE-2022-43183" 越权漏洞修复。 +- 6、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 +- 7、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 +- 8、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 ### TODO LIST - 1、调度隔离:调度中心针对不同执行器,各自维护不同的调度和远程触发组件。 diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" index df6a6a6..59d2e6f 100644 --- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" +++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" @@ -2363,9 +2363,10 @@ - 2、【修复】"CVE-2022-43402" groovy低版本漏洞修复。 - 3、【修复】"CVE-2024-29025" netty低版本漏洞修复。 - 4、【修复】"CVE-2024-3366" freemarker模板注入漏洞修复。 -- 5、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 -- 6、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 -- 7、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 +- 5、【修复】"CVE-2022-43183" 越权漏洞修复。 +- 6、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 +- 7、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 +- 8、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 ### TODO LIST - 1、调度隔离:调度中心针对不同执行器,各自维护不同的调度和远程触发组件。 diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java index ea314b3..516dce4 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java 
@@ -1,6 +1,5 @@
 package com.xxl.job.admin.controller;
-import com.xxl.job.admin.core.cron.CronExpression;
 import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
@@ -9,8 +8,6 @@
 import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum;
 import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum;
 import com.xxl.job.admin.core.thread.JobScheduleHelper;
-import com.xxl.job.admin.core.thread.JobTriggerPoolHelper;
-import com.xxl.job.admin.core.trigger.TriggerTypeEnum;
 import com.xxl.job.admin.core.util.I18nUtil;
 import com.xxl.job.admin.dao.XxlJobGroupDao;
 import com.xxl.job.admin.service.LoginService;
@@ -29,7 +26,6 @@
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
-import java.text.ParseException;
 import java.util.*;
 /**
@@ -139,15 +135,11 @@
 @RequestMapping("/trigger")
 @ResponseBody
- //@PermissionLimit(limit = false)
- public ReturnT triggerJob(int id, String executorParam, String addressList) {
- // force cover job param
- if (executorParam == null) {
- executorParam = "";
- }
-
- JobTriggerPoolHelper.trigger(id, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList);
- return ReturnT.SUCCESS;
+ public ReturnT triggerJob(HttpServletRequest request, int id, String executorParam, String addressList) {
+ // login user
+ XxlJobUser loginUser = (XxlJobUser) request.getAttribute(LoginService.LOGIN_IDENTITY_KEY);
+ // trigger
+ return xxlJobService.trigger(loginUser, id, executorParam, addressList);
 }
 @RequestMapping("/nextTriggerTime")
diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
index df6a6a6..59d2e6f 100644
--- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
+++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
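Review bot: The rewritten triggerJob carries no comment explaining why the manual-trigger endpoint now goes through xxlJobService.trigger instead of calling JobTriggerPoolHelper directly, so a later edit could reintroduce the direct call and silently drop the group-level check that this commit adds for CVE-2022-43183. I would add a Javadoc above the method: `/** Manually triggers job {@code id}. Authorization against the job's group is enforced in {@link XxlJobService#trigger}; do not call JobTriggerPoolHelper from here. */`. The cast of the LOGIN_IDENTITY_KEY request attribute yields null when no login interceptor populated it, and the controller relies on the service to reject that case, which is worth stating in the same comment rather than leaving readers to verify it in the service.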
@@ -2363,9 +2363,10 @@ - 2、【修复】"CVE-2022-43402" groovy低版本漏洞修复。 - 3、【修复】"CVE-2024-29025" netty低版本漏洞修复。 - 4、【修复】"CVE-2024-3366" freemarker模板注入漏洞修复。 -- 5、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 -- 6、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 -- 7、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 +- 5、【修复】"CVE-2022-43183" 越权漏洞修复。 +- 6、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 +- 7、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 +- 8、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 ### TODO LIST - 1、调度隔离:调度中心针对不同执行器,各自维护不同的调度和远程触发组件。 diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java index ea314b3..516dce4 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java @@ -1,6 +1,5 @@ package com.xxl.job.admin.controller; -import com.xxl.job.admin.core.cron.CronExpression; import com.xxl.job.admin.core.exception.XxlJobException; import com.xxl.job.admin.core.model.XxlJobGroup; import com.xxl.job.admin.core.model.XxlJobInfo; @@ -9,8 +8,6 @@ import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum; import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum; import com.xxl.job.admin.core.thread.JobScheduleHelper; -import com.xxl.job.admin.core.thread.JobTriggerPoolHelper; -import com.xxl.job.admin.core.trigger.TriggerTypeEnum; import com.xxl.job.admin.core.util.I18nUtil; import com.xxl.job.admin.dao.XxlJobGroupDao; import com.xxl.job.admin.service.LoginService; @@ -29,7 +26,6 @@ import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; -import java.text.ParseException; import java.util.*; /** 
@@ -139,15 +135,11 @@ @RequestMapping("/trigger") @ResponseBody - //@PermissionLimit(limit = false) - public ReturnT triggerJob(int id, String executorParam, String addressList) { - // force cover job param - if (executorParam == null) { - executorParam = ""; - } - - JobTriggerPoolHelper.trigger(id, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList); - return ReturnT.SUCCESS; + public ReturnT triggerJob(HttpServletRequest request, int id, String executorParam, String addressList) { + // login user + XxlJobUser loginUser = (XxlJobUser) request.getAttribute(LoginService.LOGIN_IDENTITY_KEY); + // trigger + return xxlJobService.trigger(loginUser, id, executorParam, addressList); } @RequestMapping("/nextTriggerTime") diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java index 61da3a2..60b4bb8 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java @@ -2,6 +2,7 @@ import com.xxl.job.admin.core.model.XxlJobInfo; +import com.xxl.job.admin.core.model.XxlJobUser; import com.xxl.job.core.biz.model.ReturnT; import java.util.Date; @@ -68,6 +69,17 @@ public ReturnT stop(int id); /** + * trigger + * + * @param loginUser + * @param jobId + * @param executorParam + * @param addressList + * @return + */ + public ReturnT trigger(XxlJobUser loginUser, int jobId, String executorParam, String addressList); + + /** * dashboard info * * @return diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" index df6a6a6..59d2e6f 100644 --- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" +++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" 
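Review bot: The Javadoc added for XxlJobService.trigger leaves every @param and the @return tag empty, so the contract that makes this method the authorization boundary for manual triggers is undocumented at the interface. I would fill them in along the lines of `@param loginUser the authenticated user; a null value is rejected`, `@param jobId id of the job to trigger; the caller's permission is checked against that job's group`, and `@return ReturnT.SUCCESS, or FAIL carrying a permission or invalid-job message`. The null-rejection and group-check wording matches what the implementation added in XxlJobServiceImpl does; the meaning of addressList (explicit executor addresses overriding the group's registered ones, presumably) is inferred from its name and should be confirmed before documenting it.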
@@ -2363,9 +2363,10 @@ - 2、【修复】"CVE-2022-43402" groovy低版本漏洞修复。 - 3、【修复】"CVE-2024-29025" netty低版本漏洞修复。 - 4、【修复】"CVE-2024-3366" freemarker模板注入漏洞修复。 -- 5、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 -- 6、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 -- 7、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 +- 5、【修复】"CVE-2022-43183" 越权漏洞修复。 +- 6、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。 +- 7、【优化】执行器注册节点显示优化,解决注册节点过多时无法展示问题。 +- 8、[规划中]登陆态Token声称逻辑优化,混淆登陆时间属性,降低token泄漏风险。 ### TODO LIST - 1、调度隔离:调度中心针对不同执行器,各自维护不同的调度和远程触发组件。 diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java index ea314b3..516dce4 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java @@ -1,6 +1,5 @@ package com.xxl.job.admin.controller; -import com.xxl.job.admin.core.cron.CronExpression; import com.xxl.job.admin.core.exception.XxlJobException; import com.xxl.job.admin.core.model.XxlJobGroup; import com.xxl.job.admin.core.model.XxlJobInfo; @@ -9,8 +8,6 @@ import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum; import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum; import com.xxl.job.admin.core.thread.JobScheduleHelper; -import com.xxl.job.admin.core.thread.JobTriggerPoolHelper; -import com.xxl.job.admin.core.trigger.TriggerTypeEnum; import com.xxl.job.admin.core.util.I18nUtil; import com.xxl.job.admin.dao.XxlJobGroupDao; import com.xxl.job.admin.service.LoginService; @@ -29,7 +26,6 @@ import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; -import java.text.ParseException; import java.util.*; /** 
@@ -139,15 +135,11 @@ @RequestMapping("/trigger") @ResponseBody - //@PermissionLimit(limit = false) - public ReturnT triggerJob(int id, String executorParam, String addressList) { - // force cover job param - if (executorParam == null) { - executorParam = ""; - } - - JobTriggerPoolHelper.trigger(id, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList); - return ReturnT.SUCCESS; + public ReturnT triggerJob(HttpServletRequest request, int id, String executorParam, String addressList) { + // login user + XxlJobUser loginUser = (XxlJobUser) request.getAttribute(LoginService.LOGIN_IDENTITY_KEY); + // trigger + return xxlJobService.trigger(loginUser, id, executorParam, addressList); } @RequestMapping("/nextTriggerTime") diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java index 61da3a2..60b4bb8 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java @@ -2,6 +2,7 @@ import com.xxl.job.admin.core.model.XxlJobInfo; +import com.xxl.job.admin.core.model.XxlJobUser; import com.xxl.job.core.biz.model.ReturnT; import java.util.Date; @@ -68,6 +69,17 @@ public ReturnT stop(int id); /** + * trigger + * + * @param loginUser + * @param jobId + * @param executorParam + * @param addressList + * @return + */ + public ReturnT trigger(XxlJobUser loginUser, int jobId, String executorParam, String addressList); + + /** * dashboard info * * @return diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java index 530ee41..b7d9688 100644 --- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java +++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java 
@@ -4,10 +4,13 @@
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
 import com.xxl.job.admin.core.model.XxlJobLogReport;
+import com.xxl.job.admin.core.model.XxlJobUser;
 import com.xxl.job.admin.core.route.ExecutorRouteStrategyEnum;
 import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum;
 import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum;
 import com.xxl.job.admin.core.thread.JobScheduleHelper;
+import com.xxl.job.admin.core.thread.JobTriggerPoolHelper;
+import com.xxl.job.admin.core.trigger.TriggerTypeEnum;
 import com.xxl.job.admin.core.util.I18nUtil;
 import com.xxl.job.admin.dao.*;
 import com.xxl.job.admin.service.XxlJobService;
@@ -345,6 +348,42 @@
 return ReturnT.SUCCESS;
 }
+
+
+ @Override
+ public ReturnT trigger(XxlJobUser loginUser, int jobId, String executorParam, String addressList) {
+ // permission
+ if (loginUser == null) {
+ return new ReturnT(ReturnT.FAIL.getCode(), I18nUtil.getString("system_permission_limit"));
+ }
+ XxlJobInfo xxlJobInfo = xxlJobInfoDao.loadById(jobId);
+ if (xxlJobInfo == null) {
+ return new ReturnT(ReturnT.FAIL.getCode(), I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
+ }
+ if (!hasPermission(loginUser, xxlJobInfo.getJobGroup())) {
+ return new ReturnT(ReturnT.FAIL.getCode(), I18nUtil.getString("system_permission_limit"));
+ }
+
+ // force cover job param
+ if (executorParam == null) {
+ executorParam = "";
+ }
+
+ JobTriggerPoolHelper.trigger(jobId, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList);
+ return ReturnT.SUCCESS;
+ }
+
+ private boolean hasPermission(XxlJobUser loginUser, int jobGroup){
+ if (loginUser.getRole() == 1) {
+ return true;
+ }
+ List groupIdStrs = new ArrayList<>();
+ if (loginUser.getPermission()!=null && loginUser.getPermission().trim().length()>0) {
+ groupIdStrs = Arrays.asList(loginUser.getPermission().trim().split(","));
+ }
+ return groupIdStrs.contains(String.valueOf(jobGroup));
+ }
+
 @Override
 public Map dashboardInfo() {
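Review bot: In trigger, addressList is forwarded to JobTriggerPoolHelper.trigger unvalidated once the group check passes, so a user who merely holds permission on the job's group can still name arbitrary executor addresses; if that trigger path contacts the supplied hosts directly, the admin can be pointed at hosts outside the group, and I would restrict addressList to the group's registered executor addresses (or to admin users) before forwarding it. In hasPermission, trim() is applied to the whole permission string but not to each element, so a stored value like "1, 2" splits into " 2" and contains("2") fails; `Arrays.stream(loginUser.getPermission().split(",")).map(String::trim).collect(Collectors.toList())` would make the membership test robust, assuming the stored format can carry spaces. `loginUser.getRole() == 1` is a magic number for the admin bypass and deserves a named constant so the privileged branch is self-documenting. The sibling service methods visible in the interface, such as stop(int id), still take no loginUser, so it should be confirmed elsewhere that those mutating paths have an equivalent group check.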