From 792d468d9cadf44d3719fdfb6641daf4058f0a92 Mon Sep 17 00:00:00 2001
From: duandazhi
Date: Tue, 27 Jul 2021 16:09:45 +0800
Subject: [PATCH] =?UTF-8?q?user/profile=20=E5=AE=89=E5=85=A8=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E=E6=B5=8B=E8=AF=95fix=EF=BC=8C=E8=BF=99=E9=87=8C=20?=
 =?UTF-8?q?=E4=B8=8D=E6=B3=95=E5=88=86=E5=AD=90=EF=BC=8C=E5=8F=AF=E8=83=BD?=
 =?UTF-8?q?=E9=80=9A=E8=BF=87=E4=BF=AE=E6=94=B9=20userid=20=E5=92=8C=20pas?=
 =?UTF-8?q?sword=20=E5=AE=9E=E7=8E=B0=E5=AF=B9=20=E4=BB=BB=E6=84=8F?=
 =?UTF-8?q?=E7=94=A8=E6=88=B7=E5=AF=86=E7=A0=81=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../ruoyi/system/controller/SysProfileController.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
index 82339d1b..fe9ea734 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
@@ -75,9 +75,18 @@ public class SysProfileController extends BaseController
         {
             return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
         }
+
+        //安全漏洞测试fix,这里 不法分子,可能通过修改 userid 和 password 实现对 任意用户密码修改
+        LoginUser loginUser = tokenService.getLoginUser();
+        if (loginUser == null) {
+            return AjaxResult.error("用户未登录!");
+        }
+        if (!loginUser.getUserid().equals(user.getUserId())) {
+            return AjaxResult.error("只能修改自己的用户信息!");
+        }
+
         if (userService.updateUserProfile(user) > 0)
         {
-            LoginUser loginUser = tokenService.getLoginUser();
             // 更新缓存用户信息
             loginUser.getSysUser().setNickName(user.getNickName());
             loginUser.getSysUser().setPhonenumber(user.getPhonenumber());
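Review bot: The ownership check at `if (!loginUser.getUserid().equals(user.getUserId()))` still keys the update on the client-supplied `userId` and is placed after the phone/email uniqueness checks (which begin above the hunk, outside it), so a request for a different user is rejected only after those checks have already reported whether the phone or email is taken. Resolving `loginUser` as the first statement of the method and pinning the target with `user.setUserId(loginUser.getUserid());` instead of comparing and rejecting removes the trust in the request body entirely and keeps the later cache update consistent with what was written. Whether `updateUserProfile` can also change the password, as the commit message implies, cannot be seen from this hunk; if it can, copying only the editable profile fields into the persisted entity rather than passing `user` through would close that too. Style: the new `if` blocks put `{` on the same line while the surrounding method uses the file's brace-on-its-own-line layout, and the comment `//安全漏洞测试fix…` reads as a commit message; a comment such as `// profile updates may only target the authenticated user; never trust userId from the request` would document the invariant instead.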