From 198db8fce68d39822f572aeec2f035430f3fa71a Mon Sep 17 00:00:00 2001
From: yashen
Date: Fri, 23 Sep 2016 17:40:10 +0800
Subject: [PATCH] =?UTF-8?q?=E2=80=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 B3WeChat/Rpcs/WeChatUserRpc.cs | 32 ++++++++++++++++++++++++--------
 B3WeChat/WeChatUserContext.cs | 4 ++++
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/B3WeChat/Rpcs/WeChatUserRpc.cs b/B3WeChat/Rpcs/WeChatUserRpc.cs
index ad81058..8a939ea 100644
--- a/B3WeChat/Rpcs/WeChatUserRpc.cs
+++ b/B3WeChat/Rpcs/WeChatUserRpc.cs
@@ -1,6 +1,7 @@
 using BWP.B3WeChat.BL;
 using BWP.B3WeChat.BO;
 using BWP.B3WeChat.BO.NamedValueTemplate;
+using Forks.EnterpriseServices.DomainObjects2;
 using Forks.EnterpriseServices.DomainObjects2.DQuery;
 using Forks.EnterpriseServices.JsonRpc;
 using System;
@@ -14,34 +15,49 @@ namespace BWP.B3WeChat.Rpcs
 [Rpc]
 public static class WeChatUserRpc
 {
- [Rpc(RpcFlags.SkipAuth)]
+ [Rpc]
 public static ApproveMessage LoadMessage(string messageID)
 {
- return ApproveMessageBL.Instance.Load(messageID);
+ var message = ApproveMessageBL.Instance.Load(messageID);
+
+ if (message != null && message.OpenID != WeChatUserContext.Current.OpenID)
+ {
+ throw new Exception("此消息不属于你");
+ }
+
+ return message;
 }
 [Rpc]
 public static ApproveMessage[] MyMessages()
 {
- var query = new DmoQuery(typeof(ApproveMessage));
-
+ var query = new DQueryDom(new JoinAlias(typeof(ApproveMessage)));
 query.Where.Conditions.Add(DQCondition.EQ("OpenID", WeChatUserContext.Current.OpenID));
 query.OrderBy.Expressions.Add(DQOrderByExpression.Create("CreateTime", true));
-
- return query.EExecuteList().Cast().ToArray();
+ return query.EExecuteDmoList("ID", "Title", "CreateTime", "ApproveResult").ToArray();
 }
- [Rpc(RpcFlags.SkipAuth)]
+ [Rpc]
 public static void Approve(ApproveMessage message)
 {
+ if (message.OpenID != WeChatUserContext.Current.OpenID)
+ {
+ throw new Exception("此消息不属于你");
+ }
+
 ApproveMessageBL.Instance.Approve(message);
 }
- [Rpc(RpcFlags.SkipAuth)]
+ [Rpc]
 public static void Reject(ApproveMessage message)
 {
+ if (message.OpenID != WeChatUserContext.Current.OpenID)
+ {
+ throw new Exception("此消息不属于你");
+ }
+
 ApproveMessageBL.Instance.Reject(message);
 }
diff --git a/B3WeChat/WeChatUserContext.cs b/B3WeChat/WeChatUserContext.cs
index 6cf62b6..9d2f9b6 100644
--- a/B3WeChat/WeChatUserContext.cs
+++ b/B3WeChat/WeChatUserContext.cs
@@ -40,6 +40,10 @@ namespace BWP.B3WeChat
 else
 {
 var user = BLContext.User;
+ if (!user.Name.StartsWith("wechat_"))
+ {
+ throw new Exception("not a wechat user");
+ }
 var context = new WeChatUserContext();
 context.mOpenID = user.Name.Substring(7);
 var query = new DmoQuery(typeof(CustomerUser));
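Review bot: In `Approve` and `Reject` the new ownership check compares `message.OpenID`, a field of the `ApproveMessage` object that arrives as the RPC argument, so the caller controls the value being checked. Unless the JSON-RPC layer or `ApproveMessageBL` re-reads the record (not visible in this hunk), a caller could satisfy the check for a message that belongs to someone else. The check should be made against the stored record, as `LoadMessage` already does: load by ID, compare the stored `OpenID`, and act on the loaded object. A null `message` also reaches `message.OpenID` and surfaces as a `NullReferenceException`. The sketch below assumes `message.ID` is the key `Load` accepts; `Reject` needs the same change.

```csharp
public static void Approve(ApproveMessage message)
{
    // message.OpenID is caller-supplied; authorize against the stored record instead.
    var stored = message == null ? null : ApproveMessageBL.Instance.Load(message.ID);
    if (stored == null || stored.OpenID != WeChatUserContext.Current.OpenID)
    {
        throw new Exception("此消息不属于你");
    }

    ApproveMessageBL.Instance.Approve(stored);
}
```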
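Review bot: The added prefix test `user.Name.StartsWith("wechat_")` is a culture-sensitive comparison, while the following `Substring(7)` assumes exactly seven ordinal characters were matched; under culture rules a name containing ignorable characters could pass the test and yield a different OpenID than intended. Since this value becomes the identity the RPC ownership checks rely on, an ordinal comparison is safer: `if (user == null || !user.Name.StartsWith("wechat_", StringComparison.Ordinal))`. The null test is a suggestion in case `BLContext.User` can be empty on this path, which the hunk does not show. Keeping the prefix in one constant and using its `Length` in place of the literal `7` would stop the two from drifting apart. The enclosing method starts and ends outside the hunk.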