
【修复】IDOR越权问题修复,提升任务操作及日志管理安全性;

xuxueli vor 4 Monaten
Ursprung
Commit
b683e65168

+ 17 - 13
xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobInfoController.java

@@ -75,14 +75,19 @@ public class JobInfoController {
 
 	@RequestMapping("/pageList")
 	@ResponseBody
-	public Map<String, Object> pageList(@RequestParam(value = "start", required = false, defaultValue = "0") int start,
+	public Map<String, Object> pageList(HttpServletRequest request,
+										@RequestParam(value = "start", required = false, defaultValue = "0") int start,
 										@RequestParam(value = "length", required = false, defaultValue = "10") int length,
 										@RequestParam("jobGroup") int jobGroup,
 										@RequestParam("triggerStatus") int triggerStatus,
 										@RequestParam("jobDesc") String jobDesc,
 										@RequestParam("executorHandler") String executorHandler,
 										@RequestParam("author") String author) {
-		
+
+		// valid jobGroup permission
+		validJobGroupPermission(request, jobGroup);
+
+		// page
 		return xxlJobService.pageList(start, length, jobGroup, triggerStatus, jobDesc, executorHandler, author);
 	}
 	
@@ -108,20 +113,23 @@ public class JobInfoController {
 	
 	@RequestMapping("/remove")
 	@ResponseBody
-	public ReturnT<String> remove(@RequestParam("id") int id) {
-		return xxlJobService.remove(id);
+	public ReturnT<String> remove(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.remove(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/stop")
 	@ResponseBody
-	public ReturnT<String> pause(@RequestParam("id") int id) {
-		return xxlJobService.stop(id);
+	public ReturnT<String> pause(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.stop(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/start")
 	@ResponseBody
-	public ReturnT<String> start(@RequestParam("id") int id) {
-		return xxlJobService.start(id);
+	public ReturnT<String> start(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.start(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/trigger")
@@ -130,11 +138,7 @@ public class JobInfoController {
 									  @RequestParam("id") int id,
 									  @RequestParam("executorParam") String executorParam,
 									  @RequestParam("addressList") String addressList) {
-
-		// login user
 		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
-
-		// trigger
 		return xxlJobService.trigger(loginInfoResponse.getData(), id, executorParam, addressList);
 	}
 
@@ -186,7 +190,7 @@ public class JobInfoController {
 	 * valid jobGroup permission
 	 */
 	public static LoginInfo validJobGroupPermission(HttpServletRequest request, int jobGroup) {
-		Response<LoginInfo>  loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
 		if (!(loginInfoResponse.isSuccess() && hasJobGroupPermission(loginInfoResponse.getData(), jobGroup))) {
 			throw new RuntimeException(I18nUtil.getString("system_permission_limit") + "[username="+ loginInfoResponse.getData().getUserName() +"]");
 		}
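Review bot: In the `remove`, `pause` and `start` handlers the new code hands `loginInfoResponse.getData()` to the service without first checking `loginInfoResponse.isSuccess()`, unlike `pageList`, which routes through `validJobGroupPermission` and fails closed. Whether `getData()` is null on a failed login check cannot be seen here; if it is, the authorization decision is delegated to how `hasJobGroupPermission` treats a null user, which is not the place to make that decision. I would fail early in each handler: `if (!loginInfoResponse.isSuccess()) { return ReturnT.ofFail(I18nUtil.getString("system_permission_limit")); }` before the service call. The same concern applies to the error path of `validJobGroupPermission`, which builds its message from `loginInfoResponse.getData().getUserName()` even when `isSuccess()` was false, so a failed login check could surface as a NullPointerException rather than the intended permission error.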

+ 3 - 3
xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java

@@ -51,7 +51,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> remove(int id);
+	public ReturnT<String> remove(int id, LoginInfo loginInfo);
 
 	/**
 	 * start job
@@ -59,7 +59,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> start(int id);
+	public ReturnT<String> start(int id, LoginInfo loginInfo);
 
 	/**
 	 * stop job
@@ -67,7 +67,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> stop(int id);
+	public ReturnT<String> stop(int id, LoginInfo loginInfo);
 
 	/**
 	 * trigger
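Review bot: The Javadoc of `remove`, `start` and `stop` was not updated for the new `loginInfo` parameter, so the contract that these methods now perform an authorization check is undocumented at the interface level. I would add `@param loginInfo the calling user; the operation is rejected unless this user has permission on the job's jobGroup` to each of the three method comments, and state in the summary sentence that a missing or unauthorized user yields a failed `ReturnT` rather than an exception, if that is indeed the intended contract (the implementation suggests so, but callers only see this interface).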

+ 21 - 7
xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java

@@ -313,12 +313,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}
 
 	@Override
-	public ReturnT<String> remove(int id) {
+	public ReturnT<String> remove(int id, LoginInfo loginInfo) {
+		// valid job
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofSuccess();
 		}
 
+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		xxlJobInfoMapper.delete(id);
 		xxlJobLogMapper.delete(id);
 		xxlJobLogGlueMapper.deleteByJobId(id);
@@ -326,13 +332,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}
 
 	@Override
-	public ReturnT<String> start(int id) {
+	public ReturnT<String> start(int id, LoginInfo loginInfo) {
 		// load and valid
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}
 
+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		// valid
 		ScheduleTypeEnum scheduleTypeEnum = ScheduleTypeEnum.match(xxlJobInfo.getScheduleType(), ScheduleTypeEnum.NONE);
 		if (ScheduleTypeEnum.NONE == scheduleTypeEnum) {
@@ -362,13 +373,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}
 
 	@Override
-	public ReturnT<String> stop(int id) {
+	public ReturnT<String> stop(int id, LoginInfo loginInfo) {
 		// load and valid
         XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}
 
+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		// stop
 		xxlJobInfo.setTriggerStatus(0);
 		xxlJobInfo.setTriggerLastTime(0);
@@ -383,15 +399,13 @@ public class XxlJobServiceImpl implements XxlJobService {
 
 	@Override
 	public ReturnT<String> trigger(LoginInfo loginInfo, int jobId, String executorParam, String addressList) {
-		// permission
-		if (loginInfo == null) {
-			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
-		}
+		// valid job
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(jobId);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}
 
+		// valid jobGroup permission
 		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
 			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
 		}
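Review bot: The `trigger` hunk removes the explicit `loginInfo == null` guard while the new permission checks in `remove`, `start` and `stop` also pass `loginInfo` straight into `JobInfoController.hasJobGroupPermission`; whether that helper rejects a null user is not visible in this diff, and the controllers now pass `getData()` without checking the login result, so a null could plausibly reach it. I would keep the authorization fail-closed in the service itself, e.g. `if (loginInfo == null || !JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) { return ReturnT.ofFail(I18nUtil.getString("system_permission_limit")); }` in all four methods, or better a private `checkJobGroupPermission(LoginInfo, int)` helper so the rule is written once. As a minor point, the ordering "load job, then check permission" returns `jobinfo_glue_jobid_unvalid` for unknown ids but `system_permission_limit` for existing ones in another group, which lets an authenticated user enumerate which job ids exist; if that matters, return the same permission failure for both cases. Also worth noting for maintainability that the service layer now depends on a static method of a web controller, which inverts the usual layering.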