优化退费时需要金额对比，避免前端修改金额漏洞

2026-03-06 17:07:50 +08:00
parent 9282ef6ada
commit 4ea8bc523d
3 changed files with 68 additions and 0 deletions
--- a/src/main/java/com/guahao/api/walkinto/controller/ApiPayController.java
+++ b/src/main/java/com/guahao/api/walkinto/controller/ApiPayController.java
@@ -14,6 +14,7 @@ import com.guahao.api.walkinto.model.PayQueryDTO;
 import com.guahao.api.walkinto.service.WxPayService;
 import com.guahao.common.config.WxPayConfig;
 import com.guahao.common.response.ResponseResult;
+import com.guahao.common.util.AmountUtil;
 import com.guahao.common.util.SoapUtil;
 import com.guahao.common.util.XmlUtil;
 import com.guahao.h5.hsjc.mapper.HsjcMapper;
@@ -21,7 +22,9 @@ import com.guahao.h5.hsjc.service.HsjcService;
 import com.guahao.h5.hsjc.service.TXSendMsg;
 import com.guahao.h5.hsjc.vo.HsjcVo;
 import com.guahao.h5.message.service.MessageCenterService;
+import com.guahao.h5.reserve.mapper.BinganMapper;
 import com.guahao.h5.reserve.mapper.Reserve8Mapper;
+import com.guahao.h5.reserve.vo.BingAnVO;
 import com.guahao.h5.reserve.vo.HisRefundVo;
 import com.guahao.h5.reserve.vo.Reserve8Vo;
 import com.guahao.h5.user.mapper.UserCardMapper;
@@ -31,6 +34,7 @@ import com.guahao.h5.user.model.UserOrder;
 import com.guahao.h5.user.model.UserVo;
 import com.guahao.h5.user.service.UserOrderService;
 import com.guahao.h5.user.service.UserService;
+import com.guahao.h5.yb.model.OrderInfoVO;
 import lombok.extern.slf4j.Slf4j;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -104,6 +108,8 @@ public class ApiPayController {

    @Autowired
    UserOrderMapper userOrderMapper;
+    @Autowired
+    BinganMapper BinganMapper;


    @Autowired
@@ -207,6 +213,63 @@ public class ApiPayController {
        String paramTip = "";
        try {
            paramTip = String.format(" >>> requestObj:%s", JSONUtil.toJsonStr(powertranid));
+            log.info("退款开始校验订单金额");
+            //安全校验订单和金额是否对应
+            String StartName = powertranid.substring(0,2).toUpperCase();
+            switch (StartName){
+                case "TL":
+                    List<Reserve8Vo> vos = reserve8Mapper.getReserveListByhisorderno(powertranid);
+                    if(vos.size()>0){
+                        if(!vos.get(0).getZfamount().equals(AmountUtil.parseAmount( money))){
+                            return ResponseResult.sysError("订单金额与退费金额不一致");
+                        }
+                    }else {
+                        return ResponseResult.sysError("挂号订单不存在");
+                    }
+                    break;
+                case "YB":
+                    OrderInfoVO orderInfoVO = hsjcMapper.selectByhospOrder(powertranid);
+                    if (orderInfoVO!=null){
+                        if(!orderInfoVO.getOwnPayAmt().equals(AmountUtil.parseAmount( money))){
+                            return ResponseResult.sysError("订单金额与退费金额不一致");
+                        }
+                    }else {
+                        return ResponseResult.sysError("医保订单不存在");
+                    }
+                    break;
+                case "YC":
+                    UserOrder userOrder = userOrderMapper.selectInfoByCode(powertranid);
+                    if (userOrder != null) {
+                        if(!money.equals(AmountUtil.doubleToStr(userOrder.getMoney()))){
+                            return ResponseResult.sysError("订单金额与退费金额不一致");
+                        }
+                    }else {
+                        return ResponseResult.sysError("住院预交订单不存在");
+                    }
+                    break;
+                case "BA":
+                    BingAnVO bingAnVO = BinganMapper.selectByOrderNo(powertranid);
+                    if (bingAnVO != null) {
+                        if(!bingAnVO.getAmount().equals(AmountUtil.parseAmount(money))){
+                            return ResponseResult.sysError("订单金额与退费金额不一致");
+                        }
+                    }else {
+                        return ResponseResult.sysError("病案订单不存在");
+                    }
+                    break;
+                case "MZ":
+                    HsjcVo vo = hsjcMapper.getMzjfListByFlow2(powertranid);
+                    if (vo != null) {
+                        if(!vo.getZfamount().equals(money)){
+                            return ResponseResult.sysError("订单金额与退费金额不一致");
+                        }
+                    }else {
+                        return ResponseResult.sysError("门诊缴费订单不存在");
+                    }
+                    break;
+                 default:
+                     return ResponseResult.sysError("订单类型不存在");
+            }

            Map map = wxPayService.refundOrder(powertranid,money,type);
            return ResponseResult.success(map);
--- a/src/main/java/com/guahao/h5/user/mapper/UserOrderMapper.java
+++ b/src/main/java/com/guahao/h5/user/mapper/UserOrderMapper.java
@@ -16,4 +16,6 @@ public interface UserOrderMapper extends BaseMapper<UserOrder> {
    void SelectUserOrderByCode(String outTradeNo, int type);

    Integer yjjXeQuery(String patientId, String hisDate);
+
+    UserOrder selectInfoByCode(String powertranid);
 }
--- a/src/main/resources/mybatis/mapper/user/UserOrderMapper.xml
+++ b/src/main/resources/mybatis/mapper/user/UserOrderMapper.xml
@@ -18,4 +18,7 @@
          AND type = 1
          AND card_no = #{patientId};
    </select>
+    <select id="selectInfoByCode" resultType="com.guahao.h5.user.model.UserOrder">
+        select * from user_order where code = #{code}
+    </select>
 </mapper>