后端增加 setSelfInfo 接口防止越权操作

piexlmax · piexlmax · commit 41728617adb0 · 2022-01-07T19:27:26.000+08:00
diff --git a/server/api/v1/system/sys_user.go b/server/api/v1/system/sys_user.go
@@ -286,6 +286,26 @@ func (b *BaseApi) SetUserInfo(c *gin.Context) {
 	}
 }
 
+// @Tags SysUser
+// @Summary 设置用户信息
+// @Security ApiKeyAuth
+// @accept application/json
+// @Produce application/json
+// @Param data body system.SysUser true "ID, 用户名, 昵称, 头像链接"
+// @Success 200 {string} string "{"success":true,"data":{},"msg":"设置成功"}"
+// @Router /user/SetSelfInfo [put]
+func (b *BaseApi) SetSelfInfo(c *gin.Context) {
+	var user system.SysUser
+	_ = c.ShouldBindJSON(&user)
+	user.ID = utils.GetUserID(c)
+	if err, ReqUser := userService.SetUserInfo(user); err != nil {
+		global.GVA_LOG.Error("设置失败!", zap.Error(err))
+		response.FailWithMessage("设置失败", c)
+	} else {
+		response.OkWithDetailed(gin.H{"userInfo": ReqUser}, "设置成功", c)
+	}
+}
+
 // @Tags SysUser
 // @Summary 获取用户信息
 // @Security ApiKeyAuth
diff --git a/server/router/system/sys_user.go b/server/router/system/sys_user.go
@@ -18,6 +18,7 @@ func (s *UserRouter) InitUserRouter(Router *gin.RouterGroup) {
 		userRouter.POST("setUserAuthority", baseApi.SetUserAuthority)     // 设置用户权限
 		userRouter.DELETE("deleteUser", baseApi.DeleteUser)               // 删除用户
 		userRouter.PUT("setUserInfo", baseApi.SetUserInfo)                // 设置用户信息
+		userRouter.PUT("setSelfInfo", baseApi.SetSelfInfo)                // 设置自身信息
 		userRouter.POST("setUserAuthorities", baseApi.SetUserAuthorities) // 设置用户权限组
 		userRouter.POST("resetPassword", baseApi.ResetPassword)           // 设置用户权限组
 	}
diff --git a/server/source/system/api.go b/server/source/system/api.go
@@ -24,7 +24,8 @@ func (a *api) Initialize() error {
 		{ApiGroup: "系统用户", Method: "DELETE", Path: "/user/deleteUser", Description: "删除用户"},
 		{ApiGroup: "系统用户", Method: "POST", Path: "/user/register", Description: "用户注册(必选)"},
 		{ApiGroup: "系统用户", Method: "POST", Path: "/user/getUserList", Description: "获取用户列表"},
-		{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setUserInfo", Description: "设置用户信息(必选)"},
+		{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setUserInfo", Description: "设置用户信息"},
+		{ApiGroup: "系统用户", Method: "PUT", Path: "/user/setSelfInfo", Description: "设置自身信息(必选)"},
 		{ApiGroup: "系统用户", Method: "GET", Path: "/user/getUserInfo", Description: "获取自身信息(必选)"},
 		{ApiGroup: "系统用户", Method: "POST", Path: "/user/setUserAuthorities", Description: "设置权限组"},
 		{ApiGroup: "系统用户", Method: "POST", Path: "/user/changePassword", Description: "修改密码（建(选择)"},
diff --git a/server/source/system/casbin.go b/server/source/system/casbin.go
@@ -48,6 +48,7 @@ func (c *casbin) Initialize() error {
 
 		{PType: "p", V0: "888", V1: "/user/getUserInfo", V2: "GET"},
 		{PType: "p", V0: "888", V1: "/user/setUserInfo", V2: "PUT"},
+		{PType: "p", V0: "888", V1: "/user/setSelfInfo", V2: "PUT"},
 		{PType: "p", V0: "888", V1: "/user/getUserList", V2: "POST"},
 		{PType: "p", V0: "888", V1: "/user/deleteUser", V2: "DELETE"},
 		{PType: "p", V0: "888", V1: "/user/changePassword", V2: "POST"},

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ func (s UserRouter) InitUserRouter(Router gin.RouterGroup) {`
`18`	`18`	`userRouter.POST("setUserAuthority", baseApi.SetUserAuthority) // 设置用户权限`
`19`	`19`	`userRouter.DELETE("deleteUser", baseApi.DeleteUser) // 删除用户`
`20`	`20`	`userRouter.PUT("setUserInfo", baseApi.SetUserInfo) // 设置用户信息`
	`21`	`+ userRouter.PUT("setSelfInfo", baseApi.SetSelfInfo) // 设置自身信息`
`21`	`22`	`userRouter.POST("setUserAuthorities", baseApi.SetUserAuthorities) // 设置用户权限组`
`22`	`23`	`userRouter.POST("resetPassword", baseApi.ResetPassword) // 设置用户权限组`
`23`	`24`	`}`