diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
index cb567882..aa713320 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
@@ -75,7 +75,16 @@ public class SysProfileController extends BaseController
 {
 return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
 }
+
+ //安全漏洞测试fix,这里 不法分子,可能通过修改 userid 和 password 实现对 任意用户密码修改
 LoginUser loginUser = tokenService.getLoginUser();
+ if (loginUser == null) {
+ return AjaxResult.error("用户未登录!");
+ }
+ if (!loginUser.getUserid().equals(user.getUserId())) {
+ return AjaxResult.error("userId参数不正确,请勿非法操作!");
+ }
+
 SysUser sysUser = loginUser.getSysUser();
 user.setUserId(sysUser.getUserId());
 user.setPassword(null);
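Review bot: The new mismatch check `if (!loginUser.getUserid().equals(user.getUserId()))` is redundant with the two context lines that follow it — `user.setUserId(sysUser.getUserId())` and `user.setPassword(null)` already replace whatever id the client sent and drop the password before the update runs — so, as far as this hunk shows, the check does not narrow what the request can change and only adds new failure modes. `Long.equals(null)` is false, so a client that omits `userId` from the profile body (tolerated before this change, since the field was overwritten anyway) now gets the "userId参数不正确" error, and if `loginUser.getUserid()` is ever null the call throws a NullPointerException instead of returning an error. If the comparison is kept as defense in depth, make it null-safe and reject only an id that is present and wrong: `if (user.getUserId() != null && !user.getUserId().equals(loginUser.getUserid())) {`. The comment above `LoginUser loginUser` should state the invariant rather than the attacker, e.g. `// Profile updates may only target the authenticated user; any client-supplied userId is checked and then overwritten from the session.`. The enclosing method starts before this hunk, so whether earlier lines (such as the email-uniqueness check) already read the client-supplied `userId` cannot be confirmed here.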