Commit
dd37524b
authored
Jan 08, 2019
by
RuoYi
修复个人信息修改漏洞
parent
0c76d453
Showing
4 changed files
with
48 additions
and
37 deletions
+48
-37
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
+41
-27
ruoyi-admin/src/main/resources/templates/system/user/profile/avatar.html
+0
-2
ruoyi-admin/src/main/resources/templates/system/user/profile/profile.html
+3
-4
ruoyi-admin/src/main/resources/templates/system/user/profile/resetPwd.html
+4
-4
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
package
com
.
ruoyi
.
web
.
controller
.
system
;
import
org.apache.shiro.crypto.hash.Md5Hash
;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.stereotype.Controller
;
import
org.springframework.ui.ModelMap
;
import
org.springframework.web.bind.annotation.GetMapping
;
import
org.springframework.web.bind.annotation.PathVariable
;
import
org.springframework.web.bind.annotation.PostMapping
;
import
org.springframework.web.bind.annotation.RequestMapping
;
import
org.springframework.web.bind.annotation.RequestParam
;
...
...
@@ -17,6 +15,7 @@ import com.ruoyi.common.annotation.Log;
import
com.ruoyi.common.base.AjaxResult
;
import
com.ruoyi.common.config.Global
;
import
com.ruoyi.common.enums.BusinessType
;
import
com.ruoyi.common.utils.StringUtils
;
import
com.ruoyi.framework.shiro.service.SysPasswordService
;
import
com.ruoyi.framework.util.FileUploadUtils
;
import
com.ruoyi.framework.util.ShiroUtils
;
...
...
@@ -66,54 +65,63 @@ public class SysProfileController extends BaseController
public
boolean
checkPassword
(
String
password
)
{
SysUser
user
=
getSysUser
();
String
encrypt
=
new
Md5Hash
(
user
.
getLoginName
()
+
password
+
user
.
getSalt
()).
toHex
().
toString
();
if
(
user
.
getPassword
().
equals
(
encrypt
))
if
(
passwordService
.
matches
(
user
,
password
))
{
return
true
;
}
return
false
;
}
@GetMapping
(
"/resetPwd
/{userId}
"
)
public
String
resetPwd
(
@PathVariable
(
"userId"
)
Long
userId
,
ModelMap
mmap
)
@GetMapping
(
"/resetPwd"
)
public
String
resetPwd
(
ModelMap
mmap
)
{
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
userId
));
SysUser
user
=
getSysUser
();
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
user
.
getUserId
()));
return
prefix
+
"/resetPwd"
;
}
@Log
(
title
=
"重置密码"
,
businessType
=
BusinessType
.
UPDATE
)
@PostMapping
(
"/resetPwd"
)
@ResponseBody
public
AjaxResult
resetPwd
(
S
ysUser
user
)
public
AjaxResult
resetPwd
(
S
tring
oldPassword
,
String
newPassword
)
{
user
.
setSalt
(
ShiroUtils
.
randomSalt
());
user
.
setPassword
(
passwordService
.
encryptPassword
(
user
.
getLoginName
(),
user
.
getPassword
(),
user
.
getSalt
()));
int
rows
=
userService
.
resetUserPwd
(
user
);
if
(
rows
>
0
)
SysUser
user
=
getSysUser
();
if
(
StringUtils
.
isNotEmpty
(
newPassword
)
&&
passwordService
.
matches
(
user
,
oldPassword
))
{
setSysUser
(
userService
.
selectUserById
(
user
.
getUserId
()));
return
success
();
user
.
setSalt
(
ShiroUtils
.
randomSalt
());
user
.
setPassword
(
passwordService
.
encryptPassword
(
user
.
getLoginName
(),
newPassword
,
user
.
getSalt
()));
if
(
userService
.
resetUserPwd
(
user
)
>
0
)
{
setSysUser
(
userService
.
selectUserById
(
user
.
getUserId
()));
return
success
();
}
return
error
();
}
else
{
return
error
(
"修改密码失败,旧密码错误"
);
}
return
error
();
}
/**
* 修改用户
*/
@GetMapping
(
"/edit
/{userId}
"
)
public
String
edit
(
@PathVariable
(
"userId"
)
Long
userId
,
ModelMap
mmap
)
@GetMapping
(
"/edit"
)
public
String
edit
(
ModelMap
mmap
)
{
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
userId
));
SysUser
user
=
getSysUser
();
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
user
.
getUserId
()));
return
prefix
+
"/edit"
;
}
/**
* 修改头像
*/
@GetMapping
(
"/avatar
/{userId}
"
)
public
String
avatar
(
@PathVariable
(
"userId"
)
Long
userId
,
ModelMap
mmap
)
@GetMapping
(
"/avatar"
)
public
String
avatar
(
ModelMap
mmap
)
{
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
userId
));
SysUser
user
=
getSysUser
();
mmap
.
put
(
"user"
,
userService
.
selectUserById
(
user
.
getUserId
()));
return
prefix
+
"/avatar"
;
}
...
...
@@ -125,9 +133,14 @@ public class SysProfileController extends BaseController
@ResponseBody
public
AjaxResult
update
(
SysUser
user
)
{
if
(
userService
.
updateUserInfo
(
user
)
>
0
)
SysUser
currentUser
=
getSysUser
();
currentUser
.
setUserName
(
user
.
getUserName
());
currentUser
.
setEmail
(
user
.
getEmail
());
currentUser
.
setPhonenumber
(
user
.
getPhonenumber
());
currentUser
.
setSex
(
user
.
getSex
());
if
(
userService
.
updateUserInfo
(
currentUser
)
>
0
)
{
setSysUser
(
userService
.
selectUserById
(
u
ser
.
getUserId
()));
setSysUser
(
userService
.
selectUserById
(
currentU
ser
.
getUserId
()));
return
success
();
}
return
error
();
...
...
@@ -139,17 +152,18 @@ public class SysProfileController extends BaseController
@Log
(
title
=
"个人信息"
,
businessType
=
BusinessType
.
UPDATE
)
@PostMapping
(
"/updateAvatar"
)
@ResponseBody
public
AjaxResult
updateAvatar
(
SysUser
user
,
@RequestParam
(
"avatarfile"
)
MultipartFile
file
)
public
AjaxResult
updateAvatar
(
@RequestParam
(
"avatarfile"
)
MultipartFile
file
)
{
SysUser
currentUser
=
getSysUser
();
try
{
if
(!
file
.
isEmpty
())
{
String
avatar
=
FileUploadUtils
.
upload
(
Global
.
getAvatarPath
(),
file
);
u
ser
.
setAvatar
(
avatar
);
if
(
userService
.
updateUserInfo
(
u
ser
)
>
0
)
currentU
ser
.
setAvatar
(
avatar
);
if
(
userService
.
updateUserInfo
(
currentU
ser
)
>
0
)
{
setSysUser
(
userService
.
selectUserById
(
u
ser
.
getUserId
()));
setSysUser
(
userService
.
selectUserById
(
currentU
ser
.
getUserId
()));
return
success
();
}
}
...
...
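Review bot: In the new POST `resetPwd(String oldPassword, String newPassword)` the only server-side check on the new password is `StringUtils.isNotEmpty(newPassword)`, so the 5–20 character rule lives solely in resetPwd.html's jQuery validator and is bypassed by posting to `/resetPwd` directly; add the bound here after the empty check, e.g. `if (newPassword.length() < 5 || newPassword.length() > 20) return error("新密码长度必须在5到20个字符之间");`, and consider also rejecting `newPassword.equals(oldPassword)`. The new salt and hash are set on the session-cached object returned by `getSysUser()` before `userService.resetUserPwd(user)` runs, so when the update returns 0 rows the `return error()` path leaves the session user carrying credentials the database never stored, and the `checkPassword` helper at the top of the hunk, which also reads `getSysUser()`, would then compare against that stale hash; staging the values on a fresh `SysUser` that carries only the user id, or reloading via `selectUserById` on the failure path as well, avoids that. `update` and `updateAvatar` later in this section mutate the session object the same way before their database write, and `updateAvatar`'s body runs past the end of the section, so its catch and fallthrough paths are not visible here. Whether `FileUploadUtils.upload` restricts avatar uploads to image extensions is also not visible in this diff and is worth confirming, since the file is written under `Global.getAvatarPath()`.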
ruoyi-admin/src/main/resources/templates/system/user/profile/avatar.html
...
...
@@ -4,7 +4,6 @@
<title>
用户头像修改
</title>
<link
th:href=
"@{/ajax/libs/cropbox/cropbox.css}"
rel=
"stylesheet"
/>
<body
class=
"white-bg"
>
<input
name=
"userId"
id=
"userId"
type=
"hidden"
th:value=
"${user.userId}"
/>
<div
class=
"container"
>
<div
class=
"imageBox"
>
<div
class=
"thumbBox"
></div>
...
...
@@ -68,7 +67,6 @@ function submitHandler() {
var
img
=
cropper
.
getBlob
();
var
formdata
=
new
FormData
();
formdata
.
append
(
"avatarfile"
,
img
);
formdata
.
append
(
"userId"
,
$
(
"#userId"
).
val
());
$
.
ajax
({
url
:
ctx
+
"system/user/profile/updateAvatar"
,
data
:
formdata
,
...
...
ruoyi-admin/src/main/resources/templates/system/user/profile/profile.html
...
...
@@ -58,20 +58,19 @@
<div
th:include=
"include::footer"
></div>
<script>
var
userId
=
[[
$
{
user
.
userId
}]];
/*用户信息-修改*/
function
edit
()
{
var
url
=
ctx
+
"system/user/profile/edit/"
+
userId
;
var
url
=
ctx
+
'system/user/profile/edit'
;
$
.
modal
.
open
(
"修改用户"
,
url
);
}
/*用户管理-重置密码*/
function
resetPwd
()
{
var
url
=
ctx
+
'system/user/profile/resetPwd
/'
+
userId
;
var
url
=
ctx
+
'system/user/profile/resetPwd
'
;
$
.
modal
.
open
(
"重置密码"
,
url
,
'800'
,
'500'
);
}
/*用户管理-头像*/
function
avatar
()
{
var
url
=
ctx
+
'system/user/profile/avatar
/'
+
userId
;
var
url
=
ctx
+
'system/user/profile/avatar
'
;
$
.
modal
.
open
(
"修改头像"
,
url
);
}
</script>
...
...
ruoyi-admin/src/main/resources/templates/system/user/profile/resetPwd.html
...
...
@@ -21,7 +21,7 @@
<div
class=
"form-group"
>
<label
class=
"col-sm-3 control-label"
>
新密码:
</label>
<div
class=
"col-sm-8"
>
<input
class=
"form-control"
type=
"password"
name=
"
password"
id=
"p
assword"
>
<input
class=
"form-control"
type=
"password"
name=
"
newPassword"
id=
"newP
assword"
>
</div>
</div>
<div
class=
"form-group"
>
...
...
@@ -51,14 +51,14 @@
}
}
},
p
assword
:
{
newP
assword
:
{
required
:
true
,
minlength
:
5
,
maxlength
:
20
},
confirm
:
{
required
:
true
,
equalTo
:
"#
p
assword"
equalTo
:
"#
newP
assword"
}
},
messages
:
{
...
...
@@ -66,7 +66,7 @@
required
:
"请输入原密码"
,
remote
:
"原密码错误"
},
p
assword
:
{
newP
assword
:
{
required
:
"请输入新密码"
,
minlength
:
"密码不能小于6个字符"
,
maxlength
:
"密码不能大于20个字符"
...
...
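Review bot: The renamed `newPassword` validator rule keeps `minlength: 5` while its message in the later hunk reads `密码不能小于6个字符`, so the rule and the text disagree and one of them is wrong; pick one and align the other, e.g. `minlength: 6,` if six is the intended floor. Both lines are unchanged context, so this predates the commit, but the rename touches exactly these rule blocks and is the natural place to fix it. Note also that this length rule is client-side only: the server-side `resetPwd` in SysProfileController checks just that the new password is non-empty, so the same bound should be mirrored there for it to have any security value.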