配分事项录入排序

airport-admin/src/main/java/com/sundot/airport/web/controller/score/ScoreEventController.java

@@ -11,6 +11,7 @@ import com.sundot.airport.common.core.page.TableDataInfo;
 import com.sundot.airport.common.enums.BusinessType;
 import com.sundot.airport.common.enums.ScoreTypeEnum;
 import com.sundot.airport.common.utils.DateUtils;
+import com.sundot.airport.common.utils.NameUtils;
 import com.sundot.airport.common.utils.poi.ExcelUtil;
 import com.sundot.airport.ledger.domain.ScoreEvent;
 import com.sundot.airport.ledger.domain.ScoreIndicator;
@@ -28,7 +29,12 @@ import org.springframework.web.multipart.MultipartFile;
 import javax.servlet.http.HttpServletResponse;
 import java.math.BigDecimal;
 import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 
 /**
@@ -38,6 +44,16 @@ import java.util.UUID;
 @RequestMapping("/score/event")
 public class ScoreEventController extends BaseController {
 
+    // 排序字段白名单（防 SQL 注入）
+    private static final Set<String> ALLOWED_SORT_COLUMNS;
+
+    static {
+        Set<String> set = new HashSet<>();
+        set.add("create_time");
+        set.add("event_time");
+        ALLOWED_SORT_COLUMNS = Collections.unmodifiableSet(set);
+    }
+
     @Autowired
     private IScoreEventService service;
 
@@ -51,6 +67,9 @@ public class ScoreEventController extends BaseController {
     @GetMapping("/list")
     public TableDataInfo list(ScoreEvent query) {
         startPage();
+        // 排序字段白名单过滤
+        Map<String, String> safeSort = buildSafeSort(query.getSorts());
+        query.setSorts(safeSort);
         return getDataTable(service.selectList(query));
     }
 
@@ -75,10 +94,10 @@ public class ScoreEventController extends BaseController {
         entity.setSourceType("1");
         entity.setCreateBy(getUsername());
         entity.setCreateTime(DateUtils.getNowDate());
-        
+
         // 通过指标名称查找并设置ID
         resolveIndicatorIds(entity);
-        
+
         // 计算 totalScore
         BigDecimal score = entity.getScoreValue() != null ? entity.getScoreValue() : BigDecimal.ZERO;
         BigDecimal cascade = entity.getCascadeScore() != null ? entity.getCascadeScore() : BigDecimal.ZERO;
@@ -99,10 +118,10 @@ public class ScoreEventController extends BaseController {
     public AjaxResult edit(@Validated @RequestBody ScoreEvent entity) {
         entity.setUpdateBy(getUsername());
         entity.setUpdateTime(DateUtils.getNowDate());
-        
+
         // 通过指标名称查找并设置ID
         resolveIndicatorIds(entity);
-        
+
         BigDecimal score = entity.getScoreValue() != null ? entity.getScoreValue() : BigDecimal.ZERO;
         BigDecimal cascade = entity.getCascadeScore() != null ? entity.getCascadeScore() : BigDecimal.ZERO;
         entity.setTotalScore(score.add(cascade));
@@ -156,7 +175,7 @@ public class ScoreEventController extends BaseController {
                 entity.setLevel2Id(level2Id);
             }
         }
-        
+
         // 通过三级指标名称查找ID
         if (entity.getLevel3Name() != null && !entity.getLevel3Name().trim().isEmpty() && entity.getLevel3Id() == null) {
             Long level3Id = findIndicatorIdByName(entity.getLevel3Name().trim());
@@ -164,7 +183,7 @@ public class ScoreEventController extends BaseController {
                 entity.setLevel3Id(level3Id);
             }
         }
-        
+
         // 通过四级指标名称查找ID
         if (entity.getLevel4Name() != null && !entity.getLevel4Name().trim().isEmpty() && entity.getLevel4Id() == null) {
             Long level4Id = findIndicatorIdByName(entity.getLevel4Name().trim());
@@ -210,4 +229,26 @@ public class ScoreEventController extends BaseController {
         }
         return basePositionService.selectBasePositionById(regional.getParentId());
     }
+
+    /**
+     * 构建安全的排序参数
+     */
+    private Map<String, String> buildSafeSort(Map<String, String> sorts) {
+        Map<String, String> result = new LinkedHashMap<>();
+
+        if (sorts == null) {
+            return result;
+        }
+
+        for (Map.Entry<String, String> entry : sorts.entrySet()) {
+            String field = NameUtils.camelToUnderscore(entry.getKey());
+            if (!ALLOWED_SORT_COLUMNS.contains(field)) {
+                continue;
+            }
+            String direction = "desc".equalsIgnoreCase(String.valueOf(entry.getValue())) ? "desc" : "asc";
+
+            result.put(field, direction);
+        }
+        return result;
+    }
 }

airport-common/src/main/java/com/sundot/airport/common/core/domain/BaseEntity.java

@@ -59,6 +59,13 @@ public class BaseEntity implements Serializable {
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     private Map<String, Object> params;
 
+    /**
+     * 排序参数
+     */
+    @TableField(exist = false)
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    private Map<String, String> sorts;
+
     public String getSearchValue() {
         return searchValue;
     }
@@ -117,4 +124,12 @@ public class BaseEntity implements Serializable {
     public void setParams(Map<String, Object> params) {
         this.params = params;
     }
+
+    public Map<String, String> getSorts() {
+        return sorts;
+    }
+
+    public void setSorts(Map<String, String> sorts) {
+        this.sorts = sorts;
+    }
 }

airport-common/src/main/java/com/sundot/airport/common/utils/NameUtils.java

@@ -0,0 +1,28 @@
+package com.sundot.airport.common.utils;
+
+/**
+ * 字段名称工具类
+ */
+public class NameUtils {
+
+    /**
+     * 驼峰转下划线
+     * @param name
+     * @return
+     */
+    public static String camelToUnderscore(String name) {
+        if (name == null || name.isEmpty()) {
+            return name;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (char c : name.toCharArray()) {
+            if (Character.isUpperCase(c)) {
+                sb.append("_").append(Character.toLowerCase(c));
+            } else {
+                sb.append(c);
+            }
+        }
+        return sb.toString();
+    }
+
+}

airport-ledger/src/main/resources/mapper/ledger/ScoreEventMapper.xml

@@ -62,6 +62,23 @@
         WHERE del_flag = '0'
     </sql>
 
+    <sql id="order_by">
+        <choose>
+            <when test="sorts != null and sorts.size() > 0">
+                order by
+                <foreach collection="sorts.entrySet()"
+                         index="field"
+                         item="dir"
+                         separator=",">
+                    ${field} ${dir}
+                </foreach>
+            </when>
+            <otherwise>
+                order by event_time desc
+            </otherwise>
+        </choose>
+    </sql>
+
     <select id="selectList" parameterType="com.sundot.airport.ledger.domain.ScoreEvent"
             resultMap="ScoreEventResult">
         <include refid="selectVo"/>
@@ -96,7 +113,7 @@
         <if test="params != null and params.endTime != null and params.endTime != ''">
             AND event_time &lt;= #{params.endTime}
         </if>
-        ORDER BY event_time DESC, id DESC
+        <include refid="order_by"/>
     </select>
 
 </mapper>