Security Guardian Skill

This skill ensures the application complies with the RuoYi Security Model and general Web Security standards.

🛡️ Core Principles

• Zero Trust: Never trust frontend input. Validate everything on the server.

• Permission First: Every Controller method (except public ones) MUST have @PreAuthorize .

• Data Isolation: Users should only see their own data.

🛠️ Common Workflows

1. Data Scoping (Multi-Tenancy/Isolation)

Context: A user should only see their OWN cart or orders. Pattern:

// Controller public TableDataInfo list(AgOrder order) { // FORCE the query to be filtered by current User ID order.setUserId(SecurityUtils.getUserId()); startPage(); // ... }

Audit: Check if any select method inadvertently returns all records because userId wasn't set.

2. Permission Annotations

Context: Creating a new API. Pattern:

• Add: @PreAuthorize("@ss.hasPermi('agri:order:add')")

• Edit: @PreAuthorize("@ss.hasPermi('agri:order:edit')")

• Query: @PreAuthorize("@ss.hasPermi('agri:order:list')")

Rule: Define these permissions in the Menu/Database first.

3. SQL Injection Prevention

Rule:

• Always use #{param} (Prepared Statement).

• NEVER use ${param} (String Concatenation) unless absolutely necessary (e.g., dynamic sort columns) and strictly sanitized.

How to use

Invoke this skill when:

• Creating new API endpoints (to ensure @PreAuthorize ).

• Writing SQL queries (to check for injection risks).

• Implementing logic that accesses sensitive user data.