This is an automated email from the ASF dual-hosted git repository.
zhangzicheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shenyu.git
The following commit(s) were added to refs/heads/master by this push:
new f9c56889d #3657 Fix Admin have insecure permissions (#3658)
f9c56889d is described below
commit f9c56889dcd9604a50ef4c1aca3e30170f128091
Author: nuo-promise <[email protected]>
AuthorDate: Fri Jul 29 14:06:58 2022 +0800
#3657 Fix Admin have insecure permissions (#3658)
* #3657 Fix Admin have insecure permissions
* add user-not-logged-in return message
---
.../shenyu/admin/controller/DashboardUserController.java | 10 ++++++++++
.../org/apache/shenyu/admin/utils/ShenyuResultMessage.java | 4 ++++
2 files changed, 14 insertions(+)
diff --git
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java
index d0b93044e..2ceef896d 100644
---
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java
+++
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java
@@ -20,6 +20,7 @@ package org.apache.shenyu.admin.controller;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.shenyu.admin.mapper.DashboardUserMapper;
+import org.apache.shenyu.admin.model.custom.UserInfo;
import org.apache.shenyu.admin.model.dto.DashboardUserDTO;
import org.apache.shenyu.admin.model.page.CommonPager;
import org.apache.shenyu.admin.model.page.PageParameter;
@@ -32,6 +33,7 @@ import org.apache.shenyu.admin.utils.Assert;
import org.apache.shenyu.admin.utils.ShenyuResultMessage;
import org.apache.shenyu.admin.validation.annotation.Existed;
import org.apache.shenyu.common.utils.ShaUtils;
+import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
@@ -50,6 +52,7 @@ import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.NotNull;
import java.util.HashSet;
import java.util.List;
+import java.util.Objects;
import java.util.Optional;
/**
@@ -158,6 +161,13 @@ public class DashboardUserController {
@Existed(provider =
DashboardUserMapper.class,
message = "user is not
found") final String id,
@Valid @RequestBody final
DashboardUserDTO dashboardUserDTO) {
+ UserInfo userInfo = (UserInfo)
SecurityUtils.getSubject().getPrincipal();
+ if (Objects.isNull(userInfo)) {
+ return
ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_USER_LOGIN_ERROR);
+ }
+ if (!userInfo.getUserId().equals(id) &&
!userInfo.getUserName().equals(dashboardUserDTO.getUserName())) {
+ return
ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR);
+ }
return updateDashboardUser(id, dashboardUserDTO);
}
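Review bot: The ownership check added before the `updateDashboardUser(id, dashboardUserDTO)` call can be satisfied through the request body: because the two conditions are joined with `&&`, a mismatched path `id` is still accepted whenever `dashboardUserDTO.getUserName()` equals the caller's own user name, and that DTO is `@RequestBody`, i.e. client-supplied. The only value that identifies the record being modified is the path `id`, so the guard should be `if (!Objects.equals(id, userInfo.getUserId())) {`, which also avoids a NullPointerException should `getUserId()` return null (whether it can is not visible here). The unchecked `(UserInfo)` cast of `getPrincipal()` would raise a ClassCastException instead of returning `DASHBOARD_USER_LOGIN_ERROR` if the principal is ever of another type; a `getPrincipal() instanceof UserInfo` test (pattern form if the project's language level permits it) before the null check would cover both cases. The enclosing method's signature starts outside the hunk.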
diff --git
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java
index 760cec15b..6fa38871c 100644
---
a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java
+++
b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java
@@ -46,8 +46,12 @@ public final class ShenyuResultMessage {
public static final String ROLE_CREATE_ERROR = "can not create super role";
+ public static final String DASHBOARD_USER_LOGIN_ERROR = "user not login
please login first";
+
public static final String DASHBOARD_QUERY_ERROR = "user info is empty";
+ public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not
modify other user password";
+
public static final String DASHBOARD_CREATE_USER_ERROR = "empty user info,
please confirm";
public static final String PLATFORM_LOGIN_SUCCESS = "login dashboard user
success";