!275 fix Issue #I42GRW 任意账户越权漏洞

Merge pull request !275 from lagXkjy/master

!275 fix Issue #I42GRW 任意账户越权漏洞
Merge pull request !275 from lagXkjy/master
4095a1b6 · Ricky · Gitee · 9b188398 · 3347ca4d · 4095a1b6
Commit 4095a1b6 authored Jul 27, 2021 by Ricky Committed by Gitee Jul 27, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java ...com/ruoyi/web/controller/system/SysProfileController.java +4 -1

No files found.
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
@@ -71,9 +71,12 @@ public class SysProfileController extends BaseController
        {
            return AjaxResult.error("修改用户'" + user.getUserName() + "'失败，邮箱账号已存在");
        }
+        LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
+        SysUser sysUser = loginUser.getUser();
+        user.setUserId(sysUser.getUserId());
+        user.setPassword(null);
        if (userService.updateUserProfile(user) > 0)
        {
-            LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
            // 更新缓存用户信息
            loginUser.getUser().setNickName(user.getNickName());
            loginUser.getUser().setPhonenumber(user.getPhonenumber());