From 4095a1b6ee3ed943a228bca40304fe8dd6afb0ad Mon Sep 17 00:00:00 2001
From: Ricky <hk_ricky@163.com>
Date: 星期二, 27 七月 2021 10:08:04 +0800
Subject: [PATCH] !275 fix Issue #I42GRW 任意账户越权漏洞 Merge pull request !275 from lagXkjy/master

---
 ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
index a9dcce8..899c60e 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
@@ -71,9 +71,12 @@
         {
             return AjaxResult.error("淇敼鐢ㄦ埛'" + user.getUserName() + "'澶辫触锛岄偖绠辫处鍙峰凡瀛樺湪");
         }
+        LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
+        SysUser sysUser = loginUser.getUser();
+        user.setUserId(sysUser.getUserId());
+        user.setPassword(null);
         if (userService.updateUserProfile(user) > 0)
         {
-            LoginUser loginUser = tokenService.getLoginUser(ServletUtils.getRequest());
             // 鏇存柊缂撳瓨鐢ㄦ埛淇℃伅
             loginUser.getUser().setNickName(user.getNickName());
             loginUser.getUser().setPhonenumber(user.getPhonenumber());

--
Gitblit v1.9.3