

#3657 Fix Admin have insecure permissions (#3658)
* #3657 Fix Admin have insecure permissions

* add a return message for users who are not logged in
nuo-promise authored Jul 29, 2022
1 parent eba0808 commit f9c5688
Showing 2 changed files with 14 additions and 0 deletions.
Expand Up @@ -20,6 +20,7 @@
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.shenyu.admin.mapper.DashboardUserMapper;
import org.apache.shenyu.admin.model.custom.UserInfo;
import org.apache.shenyu.admin.model.dto.DashboardUserDTO;
import org.apache.shenyu.admin.model.page.CommonPager;
import org.apache.shenyu.admin.model.page.PageParameter;
Expand All @@ -32,6 +33,7 @@
import org.apache.shenyu.admin.utils.ShenyuResultMessage;
import org.apache.shenyu.admin.validation.annotation.Existed;
import org.apache.shenyu.common.utils.ShaUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
Expand All @@ -50,6 +52,7 @@
import javax.validation.constraints.NotNull;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;

/**
Expand Down Expand Up @@ -158,6 +161,13 @@ public ShenyuAdminResult modifyPassword(@PathVariable("id")
@Existed(provider = DashboardUserMapper.class,
message = "user is not found") final String id,
@Valid @RequestBody final DashboardUserDTO dashboardUserDTO) {
UserInfo userInfo = (UserInfo) SecurityUtils.getSubject().getPrincipal();
if (Objects.isNull(userInfo)) {
return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_USER_LOGIN_ERROR);
}
if (!userInfo.getUserId().equals(id) && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) {
return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR);
}
return updateDashboardUser(id, dashboardUserDTO);
}

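Review bot: The ownership check on the `if (!userInfo.getUserId().equals(id) && ...)` line in modifyPassword is too weak: with `&&` the request is rejected only when both the path id and the body userName differ from the caller, so a non-matching `id` is still accepted whenever the caller-supplied `dashboardUserDTO.getUserName()` equals the caller's own name, and `updateDashboardUser(id, dashboardUserDTO)` then runs against that other user's row. The record being modified is identified by the path id alone, so the guard should compare only that: `if (!Objects.equals(userInfo.getUserId(), id)) {`. Using Objects.equals also avoids a NullPointerException should the principal's userId be unset, which the current `.equals` chain would throw; whether `getUserId()` can be null is not visible here. The `(UserInfo)` cast is likewise unchecked, so a realm that stores a different principal type would surface as a ClassCastException instead of the login error; a `principal instanceof UserInfo` test before the null check would cover both cases. modifyPassword's signature is inside the hunk, but the updateDashboardUser helper it delegates to is outside it.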
Expand Up @@ -46,8 +46,12 @@ public final class ShenyuResultMessage {

public static final String ROLE_CREATE_ERROR = "can not create super role";

public static final String DASHBOARD_USER_LOGIN_ERROR = "user not login please login first";

public static final String DASHBOARD_QUERY_ERROR = "user info is empty";

public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not modify other user password";

public static final String DASHBOARD_CREATE_USER_ERROR = "empty user info, please confirm";

public static final String PLATFORM_LOGIN_SUCCESS = "login dashboard user success";
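Review bot: The new `DASHBOARD_USER_LOGIN_ERROR` value `"user not login please login first"` is ungrammatical for a client-facing message; `"user not logged in, please login first"` keeps the meaning and reads cleanly. The enclosing ShenyuResultMessage class starts before this hunk and continues after it.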
