From 04bd6bff043f66273d0786ab42f97494a0498fc3 Mon Sep 17 00:00:00 2001
From: YunaiV
Date: Wed, 30 Apr 2025 16:03:50 +0800
Subject: [PATCH] =?UTF-8?q?fix=EF=BC=9A=E7=BD=91=E5=85=B3=E4=BC=A0?=
 =?UTF-8?q?=E9=80=92=20login-user=20=E5=8F=AF=E8=83=BD=E5=AD=98=E5=9C=A8?=
 =?UTF-8?q?=20usertype=20=E4=B8=8D=E6=AD=A3=E7=A1=AE=E7=9A=84=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../core/filter/TokenAuthenticationFilter.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
index 88ce4e178..071e1a0cd 100644
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
@@ -135,7 +135,17 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
 }
 try {
 loginUserStr = URLDecoder.decode(loginUserStr, StandardCharsets.UTF_8); // 解码,解决中文乱码问题
- return JsonUtils.parseObject(loginUserStr, LoginUser.class);
+ LoginUser loginUser = JsonUtils.parseObject(loginUserStr, LoginUser.class);
+ // 用户类型不匹配,无权限
+ // 注意:只有 /admin-api/* 和 /app-api/* 有 userType,才需要比对用户类型
+ // 类似 WebSocket 的 /ws/* 连接地址,是不需要比对用户类型的
+ Integer userType = WebFrameworkUtils.getLoginUserType(request);
+ if (userType != null
+ && loginUser != null
+ && ObjectUtil.notEqual(loginUser.getUserType(), userType)) {
+ throw new AccessDeniedException("错误的用户类型");
+ }
+ return loginUser;
 } catch (Exception ex) {
 log.error("[buildLoginUserByHeader][解析 LoginUser({}) 发生异常]", loginUserStr, ex); ;
 throw ex;
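Review bot: The new `throw new AccessDeniedException("错误的用户类型")` is raised inside the `try`, so the `catch (Exception ex)` that follows catches it, logs it at ERROR as a `[解析 LoginUser({}) 发生异常]` parse failure together with the full decoded header value and a stack trace, and only then rethrows it. A user-type mismatch is an authorization result rather than a parse error, and the header contents are request-supplied, so every mismatching request now produces a misleading error-level log entry carrying the complete LoginUser JSON. The smallest fix is a narrow rethrow ahead of the broad catch, `} catch (AccessDeniedException ex) {` / `    throw ex; // authorization outcome, not a parse failure` / `} catch (Exception ex) {`; moving the user-type comparison to after the try/catch block would avoid the question entirely. The enclosing method (presumably buildLoginUserByHeader, going by the log tag) starts before this hunk and its closing braces come after it, so the catch block's end is not visible here.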