Commit d6e82622 authored by WebPuY's avatar WebPuY

fix: 解决请求用户信息接口的越权漏洞

parent 4a6fdd3b
......@@ -411,6 +411,10 @@ class userController extends baseController {
let userInst = yapi.getInst(userModel);
let id = ctx.request.query.id;
if (this.getRole() !== 'admin' && id != this.getUid()) {
return (ctx.body = yapi.commons.resReturn(null, 401, '没有权限'));
}
if (!id) {
return (ctx.body = yapi.commons.resReturn(null, 400, 'uid不能为空'));
}
......
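Review bot: The added guard `if (this.getRole() !== 'admin' && id != this.getUid())` leaves the authorization decision to loose `!=` coercion between a query-string `id` and whatever type getUid() returns (presumably a number, though that is outside the hunk), so inputs such as `' 123'` or an array from a repeated `id=` parameter compare equal to a numeric uid and the intent is hidden in an eqeqeq violation. Normalizing both sides explicitly makes the check readable and strict: `if (this.getRole() !== 'admin' && String(id) !== String(this.getUid())) {`. Because the guard now runs before the existing `if (!id)` check, a non-admin request with no id is answered 401 '没有权限' instead of the 400 'uid不能为空' it received before; placing the empty-id check first preserves that response. The enclosing method starts before the hunk and continues past it.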