mirror/yapi
2
0
Fork 0
mirror of https://github.com/YMFE/yapi.git synced 2025-03-31 14:50:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: 解决请求用户信息接口的越权漏洞

Browse Source
This commit is contained in:
WebPuY 2020-09-20 10:28:15 +08:00
parent 4a6fdd3b5c
commit d6e82622c0
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/controllers/user.js
View File

@ -411,6 +411,10 @@ class userController extends baseController {
let userInst = yapi.getInst(userModel);
let id = ctx.request.query.id;
if (this.getRole() !== 'admin' && id != this.getUid()) {
return (ctx.body = yapi.commons.resReturn(null, 401, '没有权限'));
}
if (!id) {
return (ctx.body = yapi.commons.resReturn(null, 400, 'uid不能为空'));
}