Pre Merge pull request !87 from dazer007/security-fix-user-profile-update

This commit is contained in:
dazer007 2021-07-27 08:14:01 +00:00 committed by Gitee
commit bb2e4ee85c
1 changed files with 9 additions and 0 deletions


@ -75,7 +75,16 @@ public class SysProfileController extends BaseController
{ {
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在"); return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
} }
//安全漏洞测试fix这里 不法分子可能通过修改 userid password 实现对 任意用户密码修改
LoginUser loginUser = tokenService.getLoginUser(); LoginUser loginUser = tokenService.getLoginUser();
if (loginUser == null) {
return AjaxResult.error("用户未登录!");
}
if (!loginUser.getUserid().equals(user.getUserId())) {
return AjaxResult.error("userId参数不正确请勿非法操作");
}
SysUser sysUser = loginUser.getSysUser(); SysUser sysUser = loginUser.getSysUser();
user.setUserId(sysUser.getUserId()); user.setUserId(sysUser.getUserId());
user.setPassword(null); user.setPassword(null);
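Review bot: The guard on the new `if (!loginUser.getUserid().equals(user.getUserId()))` line calls `.equals` on `loginUser.getUserid()`, so a token whose user id is null turns into a NullPointerException (an HTTP 500) rather than the intended `AjaxResult.error`; `if (!Objects.equals(loginUser.getUserid(), user.getUserId()))` (with `java.util.Objects` imported) keeps the fail-closed behaviour and is null-safe. Note that the two context lines after the guard already force `userId` to the session user's id and clear the password, so the new check does not close a path those lines left open — what it changes is that a request omitting `userId` or sending another user's id is now rejected instead of silently corrected, which the comment should say, e.g. `// Reject, rather than silently correct, a userId that does not match the session; the setUserId/setPassword(null) below remain as defence in depth.` The email uniqueness check visible at the top of the hunk still runs with the client-supplied userId before the guard, so moving the guard to the start of the method (which begins outside this hunk) would avoid evaluating anything on a spoofed id. Whether `tokenService.getLoginUser()` can actually return null at this point cannot be confirmed from the hunk alone.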