diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
index db88224d..c2b87a60 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysUserController.java
@@ -146,6 +146,11 @@ public class SysUserController extends BaseController
 @GetMapping(value = { "/", "/{userId}" })
 public AjaxResult getInfo(@PathVariable(value = "userId", required = false) Long userId)
 {
+ //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (1 getInfo)
+ if (!userService.checkUserIdAllowed(userId)) {
+ return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + userId );
+ }
+
 AjaxResult ajax = AjaxResult.success();
 List roles = roleService.selectRoleAll();
 ajax.put("roles", SysUser.isAdmin(userId) ? roles : roles.stream().filter(r -> !r.isAdmin()).collect(Collectors.toList()));
@@ -195,6 +200,15 @@ public class SysUserController extends BaseController
 public AjaxResult edit(@Validated @RequestBody SysUser user)
 {
 userService.checkUserAllowed(user);
+
+ if (user.getUserId() == null) {
+ return AjaxResult.error("userId不能为空!");
+ }
+ //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (2 edit)
+ if (!userService.checkUserIdAllowed(user.getUserId())) {
+ return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
+ }
+
 if (StringUtils.isNotEmpty(user.getPhonenumber())
 && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
 {
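Review bot: The guard added at the top of getInfo passes userId straight to checkUserIdAllowed, but the mapping declares the id optional (`required = false`, the bare `/` route) and the new service implementation in SysUserServiceImpl throws a CustomException when userId is null, so the no-id request that this method previously answered now fails before the roles payload below is built. Limit the scope check to requests that actually carry an id: `if (userId != null && !userService.checkUserIdAllowed(userId)) {`. getInfo's body continues past the end of the hunk.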
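Review bot: The nine lines added to edit are the same block added to resetPwd in the next hunk, and both sit directly after `userService.checkUserAllowed(user)`, which already receives the SysUser whose id is being checked; enforcing the id scope check inside the service (in checkUserAllowed or one helper it calls) would give a single enforcement point shared by every caller, whereas per-endpoint copies are easy to miss — the added comment itself lists delete among the abuses, yet no hunk in this commit guards a delete or status-change endpoint, so if such endpoints exist in this controller (outside the visible hunks) they remain unguarded. The controller-side `user.getUserId() == null` check also duplicates the null check the service performs, with a different message; keep one of the two. edit's body continues beyond the hunk.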
@@ -229,6 +243,15 @@ public class SysUserController extends BaseController
 public AjaxResult resetPwd(@RequestBody SysUser user)
 {
 userService.checkUserAllowed(user);
+
+ if (user.getUserId() == null) {
+ return AjaxResult.error("userId不能为空!");
+ }
+ //安全漏洞测试fix,增加防止越权的操作;不法分子,可能通过修改 userid 抓取、修改、删除、重置 任意用户敏感信息 (3 resetPwd)
+ if (!userService.checkUserIdAllowed(user.getUserId())) {
+ return AjaxResult.error("请勿非法操作,你无权操作该用户,userId = " + user.getUserId() );
+ }
+
 user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
 user.setUpdateBy(SecurityUtils.getUsername());
 return toAjax(userService.resetPwd(user));
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
index 869fbcc3..91c345af 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/ISysUserService.java
@@ -97,6 +97,14 @@ public interface ISysUserService
 */
 public void checkUserAllowed(SysUser user);
 
+ /**
+ * @author dazer
+ * 检查userId,当前的管理员是否有权限操作
+ * @param userId 被修改的userId
+ * @return true: 当前管理员有操作该 userId的权限
+ */
+ public boolean checkUserIdAllowed(Long userId);
+
 /**
 * 新增用户信息
 *
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
index cbbf35a7..52667a8d 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java
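Review bot: A rejected scope check in the added resetPwd block is only reported back to the client, so an attempt to reset another user's password from outside the caller's scope leaves no server-side trace; a failed authorization decision of this kind is the signal an operator wants to see, and the caller's identity is already at hand on the line below via `SecurityUtils.getUsername()`. Log the caller, the requested userId and the endpoint at warning level before returning the error, and do the same in the edit and getInfo guards of the previous hunks, so that repeated probing is visible in logs rather than only in the attacker's responses.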
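Review bot: The Javadoc added to ISysUserService puts the `@author` block tag before the description, so Javadoc treats the Chinese description as the continuation of the author tag rather than as the method summary, and it does not mention that the implementation throws a CustomException for a null id. Move the description to the first line, keep `@author` after it, and add `@throws CustomException if userId is null`; an English summary such as "Returns whether the calling user is allowed to operate on the user identified by userId (presumably within the caller's data scope — confirm against selectUserList)" makes the security contract clearer to readers of the interface.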
@@ -2,6 +2,8 @@ package com.ruoyi.system.service.impl;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -227,6 +229,22 @@ public class SysUserServiceImpl implements ISysUserService
 }
 }
 
+ /**
+ * @author dazer
+ * 检查userId,当前的管理员是否有权限操作
+ * @param userId 被修改的userId
+ */
+ @Override
+ public boolean checkUserIdAllowed(Long userId) {
+ if (userId == null) {
+ throw new CustomException("checkUserIdAllowed中:【userId】不能为空");
+ }
+ SysUser user = new SysUser();
+ user.setUserId(userId);
+ List sysUsers = this.selectUserList(user);
+ return sysUsers.stream().map(SysUser::getUserId).collect(Collectors.toSet()).contains(userId);
+ }
+
 /**
 * 新增保存用户信息
 *
diff --git a/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml b/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml
index 9dddd39b..a0ae90f9 100644
--- a/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml
+++ b/ruoyi-modules/ruoyi-system/src/main/resources/mapper/system/SysUserMapper.xml
@@ -62,6 +62,9 @@ PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
 AND u.user_name like concat('%', #{userName}, '%') + + AND u.user_id = #{userId} + AND u.status = #{status}
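Review bot: The whole authorization decision in checkUserIdAllowed rests on the added `List sysUsers = this.selectUserList(user);` line returning only users the caller may see, and that narrowing is not done by anything visible in this hunk; if it comes from the data-scope aspect that upstream RuoYi attaches to selectUserList through its `@DataScope` annotation (the annotated method is outside the hunk, so confirm), then a `this.` self-invocation never goes through the Spring proxy, the aspect does not run, and the query merely confirms that a user with that id exists — the guard would then be a no-op against exactly the cross-user access it was added for. Invoke selectUserList through the Spring-managed proxy (an injected ISysUserService reference, or the controller's userService) instead of `this`, and add a test in which the caller's scope excludes the target user and the method must return false. Separately, the set built on the return line is unnecessary: `return sysUsers.stream().anyMatch(u -> userId.equals(u.getUserId()));` keeps the same result and removes the need for the Collectors import added in the first hunk.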