校验权限，避免权限提升

2024-01-03 10:33:19 +08:00
parent b9faf02f2a
commit f60ed652b6
2 changed files with 6 additions and 2 deletions
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/dromara/maxkey/web/contorller/ChangePasswodController.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/dromara/maxkey/web/contorller/ChangePasswodController.java
@@ -69,7 +69,9 @@ public class ChangePasswodController {
 	public ResponseEntity<?> changePasswod(
 			@RequestBody ChangePassword changePassword,
 			@CurrentUser UserInfo currentUser) {
-
+		if(!currentUser.getId().equals(changePassword.getId())){
+			return null;
+		}
 		changePassword.setUserId(currentUser.getId());
 		changePassword.setUsername(currentUser.getUsername());
 		changePassword.setInstId(currentUser.getInstId());
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/dromara/maxkey/web/contorller/ProfileController.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/dromara/maxkey/web/contorller/ProfileController.java
@@ -66,7 +66,9 @@ public class ProfileController {
 				@CurrentUser UserInfo currentUser,
                BindingResult result) {
        logger.debug(userInfo.toString());
-
+        if(!currentUser.getId().equals(userInfo.getId())){
+            return null;
+        }
 //		if(userInfo.getExtraAttributeValue()!=null){
 //			String []extraAttributeLabel=userInfo.getExtraAttributeName().split(",");
 //			String []extraAttributeValue=userInfo.getExtraAttributeValue().split(",");