clunt
/
RuoYi-Cloud
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

user/profile 安全漏洞测试fix,这里 不法分子,可能通过修改 userid 和 password 实现对 任意用户密码修改

This commit is contained in:
duandazhi 2021-07-27 16:09:45 +08:00
parent 7e72849d05
commit 792d468d9c
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
View File

@ -75,9 +75,18 @@ public class SysProfileController extends BaseController
{ {
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在"); return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
} }
//安全漏洞测试fix这里 不法分子可能通过修改 userid password 实现对 任意用户密码修改
LoginUser loginUser = tokenService.getLoginUser();
if (loginUser == null) {
return AjaxResult.error("用户未登录!");
}
if (!loginUser.getUserid().equals(user.getUserId())) {
return AjaxResult.error("只能修改自己的用户信息!");
}
if (userService.updateUserProfile(user) > 0) if (userService.updateUserProfile(user) > 0)
{ {
LoginUser loginUser = tokenService.getLoginUser();
// 更新缓存用户信息 // 更新缓存用户信息
loginUser.getSysUser().setNickName(user.getNickName()); loginUser.getSysUser().setNickName(user.getNickName());
loginUser.getSysUser().setPhonenumber(user.getPhonenumber()); loginUser.getSysUser().setPhonenumber(user.getPhonenumber());