msb-public-java
/
RuoYi-Cloud
mirror of https://gitee.com/y_project/RuoYi-Cloud.git
1
0
Code Issues Projects Releases Wiki Activity

Pre Merge pull request !87 from dazer007/security-fix-user-profile-update

Browse Source
pull/87/MERGE
dazer007 4 years ago committed by Gitee
parent 0dff71bd4d e40369803a
commit bb2e4ee85c
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File

9
ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/SysProfileController.java
Unescape View File

@ -75,7 +75,16 @@ public class SysProfileController extends BaseController
{ {
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在"); return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
} }
//安全漏洞测试fix这里 不法分子,可能通过修改 userid 和 password 实现对 任意用户密码修改
LoginUser loginUser = tokenService.getLoginUser(); LoginUser loginUser = tokenService.getLoginUser();
if (loginUser == null) {
return AjaxResult.error("用户未登录!");
}
if (!loginUser.getUserid().equals(user.getUserId())) {
return AjaxResult.error("userId参数不正确请勿非法操作");
}
SysUser sysUser = loginUser.getSysUser(); SysUser sysUser = loginUser.getSysUser();
user.setUserId(sysUser.getUserId()); user.setUserId(sysUser.getUserId());
user.setPassword(null); user.setPassword(null);

Write Preview
Loading…
Cancel
Save