security guardian

📁 chrysaliscat/designgraduation 📅 Jan 1, 1970
Total installs: 1
Weekly installs: 0
Site rank: #44845
Install command:
npx skills add https://github.com/chrysaliscat/designgraduation --skill Security Guardian

Skill Documentation

Security Guardian Skill

This skill ensures the application complies with the RuoYi Security Model and general Web Security standards.

🛡️ Core Principles

  1. Zero Trust: Never trust frontend input. Validate everything on the server.
  2. Permission First: Every Controller method (except public ones) MUST have @PreAuthorize.
  3. Data Isolation: Users should only see their own data.

🛠️ Common Workflows

1. Data Scoping (Multi-Tenancy/Isolation)

Context: A user should only see their OWN cart or orders. Pattern:

// Controller
@PreAuthorize("@ss.hasPermi('agri:order:list')")
public TableDataInfo list(AgOrder order) {
    // FORCE the query to be filtered by the current user's ID,
    // overwriting any userId the client may have put in the request
    order.setUserId(SecurityUtils.getUserId());
    startPage();
    // ...
}

Audit: Check if any select method inadvertently returns all records because userId wasn’t set.

2. Permission Annotations

Context: Creating a new API. Pattern:

  • Add: @PreAuthorize("@ss.hasPermi('agri:order:add')")
  • Edit: @PreAuthorize("@ss.hasPermi('agri:order:edit')")
  • Query: @PreAuthorize("@ss.hasPermi('agri:order:list')")

Rule: Define these permissions in the Menu/Database first.
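The following controller is an added example (not code from the skill or from the RuoYi project) that puts workflows 1 and 2 together and extends data scoping beyond the list query: the detail, edit and add endpoints also enforce that the row belongs to the caller, since an id taken from the request is not proof of ownership. It assumes the RuoYi base classes BaseController, AjaxResult, TableDataInfo, SecurityUtils and ServiceException from the framework; AgOrder, IAgOrderService and its selectAgOrderList/selectAgOrderByOrderId/insertAgOrder/updateAgOrder methods, the getOrderId/getUserId accessors and the package names are hypothetical.

```java
package com.example.agri.controller; // hypothetical package

import java.util.List;
import java.util.Objects;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import com.ruoyi.common.core.controller.BaseController;   // RuoYi framework (assumed)
import com.ruoyi.common.core.domain.AjaxResult;           // RuoYi framework (assumed)
import com.ruoyi.common.core.page.TableDataInfo;          // RuoYi framework (assumed)
import com.ruoyi.common.exception.ServiceException;      // RuoYi framework (assumed)
import com.ruoyi.common.utils.SecurityUtils;             // RuoYi framework (assumed)
import com.example.agri.domain.AgOrder;                  // hypothetical domain object
import com.example.agri.service.IAgOrderService;         // hypothetical service interface

/**
 * Every method carries @PreAuthorize (may this user call the endpoint at all?)
 * AND an ownership check (may this user touch this particular row?).
 * Passing the first check never implies the second.
 */
@RestController
@RequestMapping("/agri/order")
public class AgOrderController extends BaseController {

    private final IAgOrderService agOrderService;

    public AgOrderController(IAgOrderService agOrderService) {
        this.agOrderService = agOrderService;
    }

    /** List: scope the query to the caller, overwriting any userId in the request. */
    @PreAuthorize("@ss.hasPermi('agri:order:list')")
    @GetMapping("/list")
    public TableDataInfo list(AgOrder order) {
        order.setUserId(SecurityUtils.getUserId());
        startPage();
        List<AgOrder> list = agOrderService.selectAgOrderList(order);
        return getDataTable(list);
    }

    /** Detail: the id alone is not enough; the stored row must belong to the caller. */
    @PreAuthorize("@ss.hasPermi('agri:order:query')")
    @GetMapping("/{orderId}")
    public AjaxResult getInfo(@PathVariable Long orderId) {
        return success(requireOwnedOrder(orderId));
    }

    /** Add: the owner is always the caller, never a userId supplied in the body. */
    @PreAuthorize("@ss.hasPermi('agri:order:add')")
    @PostMapping
    public AjaxResult add(@RequestBody AgOrder order) {
        order.setUserId(SecurityUtils.getUserId());
        return toAjax(agOrderService.insertAgOrder(order));
    }

    /** Edit: load the stored row, check ownership, then apply changes; the owner stays fixed. */
    @PreAuthorize("@ss.hasPermi('agri:order:edit')")
    @PutMapping
    public AjaxResult edit(@RequestBody AgOrder order) {
        AgOrder existing = requireOwnedOrder(order.getOrderId());
        order.setUserId(existing.getUserId()); // client cannot re-assign the row to another user
        return toAjax(agOrderService.updateAgOrder(order));
    }

    /** Shared ownership check for every single-record access path. */
    private AgOrder requireOwnedOrder(Long orderId) {
        AgOrder existing = agOrderService.selectAgOrderByOrderId(orderId);
        if (existing == null || !Objects.equals(existing.getUserId(), SecurityUtils.getUserId())) {
            // Same response for "does not exist" and "not yours": the caller learns
            // nothing about which ids belong to other users
            throw new ServiceException("Order not found");
        }
        return existing;
    }
}
```

When auditing against principle 3, check each of the four access paths separately: a list query that is correctly scoped tells you nothing about whether getInfo, edit or delete on the same table compare the stored userId to the caller.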

3. SQL Injection Prevention

Rule:

  • Always use #{param} (Prepared Statement).
  • NEVER use ${param} (String Concatenation) unless absolutely necessary (e.g., dynamic sort columns) and strictly sanitized.
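The mapper below is an added example (not code from the skill or from RuoYi) of the rule in MyBatis annotation form: #{} for every value, and the one legitimate ${} use, a dynamic ORDER BY, fenced behind a whitelist type so that request input can never reach the string concatenation directly. The table ag_order, its columns, the AgOrder class and the package name are assumptions.

```java
package com.example.agri.mapper; // hypothetical package

import java.util.List;
import java.util.Set;

import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

import com.example.agri.domain.AgOrder; // hypothetical domain object

@Mapper
public interface AgOrderMapper {

    /**
     * SAFE: #{userId} becomes a prepared-statement parameter (JDBC '?').
     * The value is sent separately from the SQL text and can never change its structure.
     */
    @Select("SELECT order_id, user_id, status, create_time FROM ag_order WHERE user_id = #{userId}")
    List<AgOrder> selectByUserId(@Param("userId") Long userId);

    /**
     * ${} IS STRING CONCATENATION. A column name cannot be bound as a parameter, so ORDER BY
     * needs it, but the only value that may ever reach ${sort.column}/${sort.direction} is one
     * produced by SortColumn.of(...). Never pass request strings to this method directly.
     */
    @Select("SELECT order_id, user_id, status, create_time FROM ag_order "
          + "WHERE user_id = #{userId} ORDER BY ${sort.column} ${sort.direction}")
    List<AgOrder> selectByUserIdSorted(@Param("userId") Long userId, @Param("sort") SortColumn sort);

    /**
     * Whitelist wrapper: the constructor is private, so the only way to obtain an instance
     * is via of(), which maps anything unexpected to a fixed default instead of trusting it.
     */
    final class SortColumn {
        // Assumed set of sortable columns; must be real column names, never client text
        private static final Set<String> ALLOWED_COLUMNS = Set.of("order_id", "create_time", "status");

        private final String column;
        private final String direction;

        private SortColumn(String column, String direction) {
            this.column = column;
            this.direction = direction;
        }

        /** Exact-match lookup, not sanitizing: unknown input falls back to a safe default. */
        public static SortColumn of(String requestedColumn, String requestedDirection) {
            String column = requestedColumn != null && ALLOWED_COLUMNS.contains(requestedColumn)
                    ? requestedColumn : "create_time";
            String direction = "asc".equalsIgnoreCase(requestedDirection) ? "ASC" : "DESC";
            return new SortColumn(column, direction);
        }

        public String getColumn() { return column; }
        public String getDirection() { return direction; }
    }
}
```

The audit question for any ${} found in a mapper is therefore not "is the input escaped?" but "can a request string reach this point without passing through an exact-match whitelist?"; escaping is the wrong tool for identifiers, and a whitelist of known column names makes the question answerable by reading the code.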

How to use

Invoke this skill when:

  • Creating new API endpoints (to ensure @PreAuthorize).
  • Writing SQL queries (to check for injection risks).
  • Implementing logic that accesses sensitive user data.