
后端增加 setSelfInfo 接口防止越权操作

main
piexlmax 3 years ago
parent
commit
a8adf85cfd
  1. 20
      server/api/v1/system/sys_user.go
  2. 1
      server/router/system/sys_user.go
  3. 3
      server/source/system/api.go
  4. 1
      server/source/system/casbin.go

20
server/api/v1/system/sys_user.go

@ -286,6 +286,26 @@ func (b *BaseApi) SetUserInfo(c *gin.Context) {
} }
} }
// @Tags SysUser
// @Summary 设置用户信息
// @Security ApiKeyAuth
// @accept application/json
// @Produce application/json
// @Param data body system.SysUser true "ID, 用户名, 昵称, 头像链接"
// @Success 200 {string} string "{"success":true,"data":{},"msg":"设置成功"}"
// @Router /user/SetSelfInfo [put]
func (b *BaseApi) SetSelfInfo(c *gin.Context) {
var user system.SysUser
_ = c.ShouldBindJSON(&user)
user.ID = utils.GetUserID(c)
if err, ReqUser := userService.SetUserInfo(user); err != nil {
global.GVA_LOG.Error("设置失败!", zap.Error(err))
response.FailWithMessage("设置失败", c)
} else {
response.OkWithDetailed(gin.H{"userInfo": ReqUser}, "设置成功", c)
}
}
// @Tags SysUser // @Tags SysUser
// @Summary 获取用户信息 // @Summary 获取用户信息
// @Security ApiKeyAuth // @Security ApiKeyAuth
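Review bot: SetSelfInfo binds the entire request body into a system.SysUser and then overwrites only ID, so every other field the client sends still reaches userService.SetUserInfo — the same service the admin SetUserInfo handler calls — which means the endpoint pins who is updated but not what may be updated; if SysUser carries privilege-bearing fields (a role id or enable flag, not visible in this hunk) a caller can still change them for their own account. Build a fresh SysUser holding only the fields the doc comment advertises (nickname and avatar link) copied from the bound value, set its ID from utils.GetUserID(c), and pass that to the service instead of the bound struct. The bind error is also discarded by `_ = c.ShouldBindJSON(&user)`, so a malformed body proceeds to update the user from a zero value; prefer `if err := c.ShouldBindJSON(&user); err != nil { response.FailWithMessage(err.Error(), c); return }`. The function is complete within the hunk.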

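--- a/server/router/system/sys_user.go
+++ b/server/router/system/sys_user.go
@@ -18,6 +18,7 @@ func (s *UserRouter) InitUserRouter(Router *gin.RouterGroup) {
 userRouter.POST("setUserAuthority", baseApi.SetUserAuthority) // 设置用户权限
 userRouter.DELETE("deleteUser", baseApi.DeleteUser) // 删除用户
 userRouter.PUT("setUserInfo", baseApi.SetUserInfo) // 设置用户信息
+userRouter.PUT("setSelfInfo", baseApi.SetSelfInfo) // 设置自身信息
 userRouter.POST("setUserAuthorities", baseApi.SetUserAuthorities) // 设置用户权限组
 userRouter.POST("resetPassword", baseApi.ResetPassword) // 设置用户权限组
 }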

3
server/source/system/api.go

@ -24,7 +24,8 @@ func (a *api) Initialize() error {
{ApiGroup: "系统用户", Method: "DELETE", Path: "/user/deleteUser", Description: "删除用户"}, {ApiGroup: "系统用户", Method: "DELETE", Path: "/user/deleteUser", Description: "删除用户"},
{ApiGroup: "系统用户", Method: "POST", Path: "/user/register", Description: "用户注册(必选)"}, {ApiGroup: "系统用户", Method: "POST", Path: "/user/register", Description: "用户注册(必选)"},
{ApiGroup: "系统用户", Method: "POST", Path: "/user/getUserList", Description: "获取用户列表"}, {ApiGroup: "系统用户", Method: "POST", Path: "/user/getUserList", Description: "获取用户列表"},
{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setUserInfo", Description: "设置用户信息(必选)"},
{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setUserInfo", Description: "设置用户信息"},
{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setSelfInfo", Description: "设置自身信息(必选)"},
{ApiGroup: "系统用户", Method: "GET", Path: "/user/getUserInfo", Description: "获取自身信息(必选)"}, {ApiGroup: "系统用户", Method: "GET", Path: "/user/getUserInfo", Description: "获取自身信息(必选)"},
{ApiGroup: "系统用户", Method: "POST", Path: "/user/setUserAuthorities", Description: "设置权限组"}, {ApiGroup: "系统用户", Method: "POST", Path: "/user/setUserAuthorities", Description: "设置权限组"},
{ApiGroup: "系统用户", Method: "POST", Path: "/user/changePassword", Description: "修改密码(建(选择)"}, {ApiGroup: "系统用户", Method: "POST", Path: "/user/changePassword", Description: "修改密码(建(选择)"},

1
server/source/system/casbin.go

@ -48,6 +48,7 @@ func (c *casbin) Initialize() error {
{PType: "p", V0: "888", V1: "/user/getUserInfo", V2: "GET"}, {PType: "p", V0: "888", V1: "/user/getUserInfo", V2: "GET"},
{PType: "p", V0: "888", V1: "/user/setUserInfo", V2: "PUT"}, {PType: "p", V0: "888", V1: "/user/setUserInfo", V2: "PUT"},
{PType: "p", V0: "888", V1: "/user/setSelfInfo", V2: "PUT"},
{PType: "p", V0: "888", V1: "/user/getUserList", V2: "POST"}, {PType: "p", V0: "888", V1: "/user/getUserList", V2: "POST"},
{PType: "p", V0: "888", V1: "/user/deleteUser", V2: "DELETE"}, {PType: "p", V0: "888", V1: "/user/deleteUser", V2: "DELETE"},
{PType: "p", V0: "888", V1: "/user/changePassword", V2: "POST"}, {PType: "p", V0: "888", V1: "/user/changePassword", V2: "POST"},
