From cdb509a4fa10bf32fd1341e04dee7c9c9c7f8c20 Mon Sep 17 00:00:00 2001
From: jenn <244251889@qq.com>
Date: 星期五, 10 三月 2023 21:15:54 +0800
Subject: [PATCH] fix 修复用户相关更新操作会越权的问题

---
 ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java |   55 +++++++++++++++++++++++++++----------------------------
 1 files changed, 27 insertions(+), 28 deletions(-)

diff --git a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
index 5ce365d..34aaae5 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/controller/system/SysProfileController.java
@@ -1,17 +1,21 @@
 package com.ruoyi.system.controller.system;
 
 import cn.dev33.satoken.secure.BCrypt;
+import cn.hutool.core.bean.BeanUtil;
 import cn.hutool.core.io.FileUtil;
-import com.ruoyi.common.core.constant.UserConstants;
 import com.ruoyi.common.core.domain.R;
 import com.ruoyi.common.core.utils.StringUtils;
 import com.ruoyi.common.core.utils.file.MimeTypeUtils;
-import com.ruoyi.common.core.web.controller.BaseController;
 import com.ruoyi.common.log.annotation.Log;
 import com.ruoyi.common.log.enums.BusinessType;
 import com.ruoyi.common.satoken.utils.LoginHelper;
-import com.ruoyi.system.domain.SysUser;
+import com.ruoyi.common.web.core.BaseController;
+import com.ruoyi.system.domain.bo.SysUserBo;
+import com.ruoyi.system.domain.bo.SysUserProfileBo;
+import com.ruoyi.system.domain.vo.AvatarVo;
+import com.ruoyi.system.domain.vo.ProfileVo;
 import com.ruoyi.system.domain.vo.SysOssVo;
+import com.ruoyi.system.domain.vo.SysUserVo;
 import com.ruoyi.system.service.ISysOssService;
 import com.ruoyi.system.service.ISysUserService;
 import lombok.RequiredArgsConstructor;
@@ -21,7 +25,6 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import java.util.Arrays;
-import java.util.Map;
 
 /**
  * 涓汉淇℃伅 涓氬姟澶勭悊
@@ -35,19 +38,19 @@
 public class SysProfileController extends BaseController {
 
     private final ISysUserService userService;
-    private final ISysOssService iSysOssService;
+    private final ISysOssService sysOssService;
 
     /**
      * 涓汉淇℃伅
      */
     @GetMapping
-    public R<Map<String, Object>> profile() {
-        SysUser user = userService.selectUserById(LoginHelper.getUserId());
-        return R.ok(Map.of(
-                "user", user,
-                "roleGroup", userService.selectUserRoleGroup(user.getUserName()),
-                "postGroup", userService.selectUserPostGroup(user.getUserName())
-        ));
+    public R<ProfileVo> profile() {
+        SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
+        ProfileVo profileVo = new ProfileVo();
+        profileVo.setUser(user);
+        profileVo.setRoleGroup(userService.selectUserRoleGroup(user.getUserName()));
+        profileVo.setPostGroup(userService.selectUserPostGroup(user.getUserName()));
+        return R.ok(profileVo);
     }
 
     /**
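Review bot: `profile()` puts the `SysUserVo` returned by `selectUserById` straight into the response at L68, and the same VO type exposes `getPassword()` further down in `updatePwd` (L107), so the password hash reaches the client unless serialization of that field is suppressed on `SysUserVo`, which is not visible here. Either confirm the field is annotated to be excluded from JSON, or clear it before building the response: `user.setPassword(null);` right after L66 (assuming the VO has the setter). The same consideration applies to any other sensitive columns the VO may carry, since the whole object is returned as-is.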
@@ -55,20 +58,15 @@
      */
     @Log(title = "涓汉淇℃伅", businessType = BusinessType.UPDATE)
     @PutMapping
-    public R<Void> updateProfile(@RequestBody SysUser user) {
-        if (StringUtils.isNotEmpty(user.getPhonenumber())
-            && UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user))) {
+    public R<Void> updateProfile(@RequestBody SysUserProfileBo profile) {
+        SysUserBo user = BeanUtil.toBean(profile, SysUserBo.class);
+        if (StringUtils.isNotEmpty(user.getPhonenumber()) && !userService.checkPhoneUnique(user)) {
             return R.fail("淇敼鐢ㄦ埛'" + user.getUserName() + "'澶辫触锛屾墜鏈哄彿鐮佸凡瀛樺湪");
         }
-        if (StringUtils.isNotEmpty(user.getEmail())
-            && UserConstants.NOT_UNIQUE.equals(userService.checkEmailUnique(user))) {
+        if (StringUtils.isNotEmpty(user.getEmail()) && !userService.checkEmailUnique(user)) {
             return R.fail("淇敼鐢ㄦ埛'" + user.getUserName() + "'澶辫触锛岄偖绠辫处鍙峰凡瀛樺湪");
         }
         user.setUserId(LoginHelper.getUserId());
-        user.setUserName(null);
-        user.setPassword(null);
-        user.setAvatar(null);
-        user.setDeptId(null);
         if (userService.updateUserProfile(user) > 0) {
             return R.ok();
         }
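Review bot: The phone and email uniqueness checks at L84 and L89 run before `user.setUserId(LoginHelper.getUserId())` at L92, so if those checks exclude the caller's own row by userId (as they normally must), the id they use comes from the request body when `SysUserProfileBo` carries one, or is null, rather than from the session. Move the assignment so it is the first statement after `BeanUtil.toBean`: `user.setUserId(LoginHelper.getUserId());` — then a client-supplied userId can neither be used to probe other accounts' phone/email nor cause the caller's own unchanged number to be reported as a duplicate. The protection this commit adds now rests entirely on `SysUserProfileBo` not declaring userName, password, avatar, deptId, status or role fields, because `BeanUtil.toBean` copies every matching property; a comment on the BO stating that it must stay limited to self-editable fields would keep the next maintainer from re-opening the hole. The two failure messages still interpolate `user.getUserName()`, which is presumably null now that the BO no longer carries it. The method's final return and closing brace are outside this hunk.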
@@ -84,8 +82,7 @@
     @Log(title = "涓汉淇℃伅", businessType = BusinessType.UPDATE)
     @PutMapping("/updatePwd")
     public R<Void> updatePwd(String oldPassword, String newPassword) {
-        SysUser user = userService.selectUserById(LoginHelper.getUserId());
-        String userName = user.getUserName();
+        SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
         String password = user.getPassword();
         if (!BCrypt.checkpw(oldPassword, password)) {
             return R.fail("淇敼瀵嗙爜澶辫触锛屾棫瀵嗙爜閿欒");
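Review bot: `oldPassword` and `newPassword` are bound as bare request parameters with no presence check before `BCrypt.checkpw(oldPassword, password)` at L108, so a request without `oldPassword` reaches BCrypt with null and an empty `newPassword` is accepted further down. Add a guard before the comparison: `if (StringUtils.isEmpty(oldPassword) || StringUtils.isEmpty(newPassword)) { return R.fail("..."); }` and apply whatever minimum-length or complexity rule the system enforces elsewhere for passwords. `updatePwd` continues past the end of this hunk.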
@@ -94,7 +91,7 @@
             return R.fail("鏂板瘑鐮佷笉鑳戒笌鏃у瘑鐮佺浉鍚�");
         }
 
-        if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) {
+        if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
             return R.ok();
         }
         return R.fail("淇敼瀵嗙爜寮傚父锛岃鑱旂郴绠$悊鍛�");
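Review bot: After `resetUserPwd` succeeds at L115 nothing ends the caller's other sessions, so a token that was already stolen keeps working after the password is changed, which defeats the usual reason for changing it. Consider invalidating the other sessions for `user.getUserId()` in the success branch (Sa-Token offers logout/kickout by login id; confirm which fits this project's `LoginHelper` setup). Switching the lookup from userName to userId is the right direction for the over-privilege fix this commit targets. `updatePwd` begins in the previous hunk.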
@@ -107,16 +104,18 @@
      */
     @Log(title = "鐢ㄦ埛澶村儚", businessType = BusinessType.UPDATE)
     @PostMapping(value = "/avatar", consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
-    public R<Map<String, Object>> avatar(@RequestPart("avatarfile") MultipartFile avatarfile) {
+    public R<AvatarVo> avatar(@RequestPart("avatarfile") MultipartFile avatarfile) {
         if (!avatarfile.isEmpty()) {
             String extension = FileUtil.extName(avatarfile.getOriginalFilename());
             if (!StringUtils.equalsAnyIgnoreCase(extension, MimeTypeUtils.IMAGE_EXTENSION)) {
                 return R.fail("鏂囦欢鏍煎紡涓嶆纭紝璇蜂笂浼�" + Arrays.toString(MimeTypeUtils.IMAGE_EXTENSION) + "鏍煎紡");
             }
-            SysOssVo oss = iSysOssService.upload(avatarfile);
+            SysOssVo oss = sysOssService.upload(avatarfile);
             String avatar = oss.getUrl();
-            if (userService.updateUserAvatar(LoginHelper.getUsername(), avatar)) {
-                return R.ok(Map.of("imgUrl", avatar));
+            if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
+                AvatarVo avatarVo = new AvatarVo();
+                avatarVo.setImgUrl(avatar);
+                return R.ok(avatarVo);
             }
         }
         return R.fail("涓婁紶鍥剧墖寮傚父锛岃鑱旂郴绠$悊鍛�");
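Review bot: The only type check before `sysOssService.upload(avatarfile)` at L131 is the extension of the client-supplied original filename (L126–L127), so the file's bytes are never inspected; an avatar is served back to other users, which makes a non-image stored under an image extension worth preventing. Sniff the content before uploading, e.g. `if (ImageIO.read(avatarfile.getInputStream()) == null) return R.fail("...");` (this needs a `javax.imageio.ImageIO` import), or check the magic bytes against the allowed types. When `updateUserAvatar` returns false at L135 the object already uploaded at L131 is left behind in OSS; whether that needs cleanup depends on how `sysOssService` handles orphans, which is not visible here.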
