fix:Issue #I42GRW 修复任意账户越权漏洞

This commit is contained in:
江强 2021-07-27 09:33:12 +08:00
parent 9b1883988b
commit 3347ca4d74

View File

@ -71,9 +71,12 @@ public class SysProfileController extends BaseController
{ {
return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在"); return AjaxResult.error("修改用户'" + user.getUserName() + "'失败,邮箱账号已存在");
} }
LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
SysUser sysUser = loginUser.getUser();
user.setUserId(sysUser.getUserId());
user.setPassword(null);
if (userService.updateUserProfile(user) > 0) if (userService.updateUserProfile(user) > 0)
{ {
LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
// 更新缓存用户信息 // 更新缓存用户信息
loginUser.getUser().setNickName(user.getNickName()); loginUser.getUser().setNickName(user.getNickName());
loginUser.getUser().setPhonenumber(user.getPhonenumber()); loginUser.getUser().setPhonenumber(user.getPhonenumber());