Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#3657 Fix Admin have insecure permissions #3658

Merged
merged 3 commits into from
Jul 29, 2022
Merged

#3657 Fix Admin have insecure permissions #3658

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b86ef5b
#3657 Fix Admin have insecure permissions
nuo-promise Jul 3, 2022
e15362b
merge upstream master
nuo-promise Jul 29, 2022
4d7f64b
add user not login return message
nuo-promise Jul 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.shenyu.admin.mapper.DashboardUserMapper;
import org.apache.shenyu.admin.model.custom.UserInfo;
import org.apache.shenyu.admin.model.dto.DashboardUserDTO;
import org.apache.shenyu.admin.model.page.CommonPager;
import org.apache.shenyu.admin.model.page.PageParameter;
Expand All @@ -32,6 +33,7 @@
import org.apache.shenyu.admin.utils.ShenyuResultMessage;
import org.apache.shenyu.admin.validation.annotation.Existed;
import org.apache.shenyu.common.utils.ShaUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
Expand All @@ -50,6 +52,7 @@
import javax.validation.constraints.NotNull;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;

/**
Expand Down Expand Up @@ -158,6 +161,13 @@ public ShenyuAdminResult modifyPassword(@PathVariable("id")
@Existed(provider = DashboardUserMapper.class,
message = "user is not found") final String id,
@Valid @RequestBody final DashboardUserDTO dashboardUserDTO) {
UserInfo userInfo = (UserInfo) SecurityUtils.getSubject().getPrincipal();
if (Objects.isNull(userInfo)) {
return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_USER_LOGIN_ERROR);
}
if (!userInfo.getUserId().equals(id) && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) {
return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR);
}
return updateDashboardUser(id, dashboardUserDTO);
}

Expand Down
4 changes: 4 additions & 0 deletions shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,12 @@ public final class ShenyuResultMessage {

public static final String ROLE_CREATE_ERROR = "can not create super role";

public static final String DASHBOARD_USER_LOGIN_ERROR = "user not login please login first";

public static final String DASHBOARD_QUERY_ERROR = "user info is empty";

public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not modify other user password";

public static final String DASHBOARD_CREATE_USER_ERROR = "empty user info, please confirm";

public static final String PLATFORM_LOGIN_SUCCESS = "login dashboard user success";
Expand Down