修复普通用户或其他权限用户能在swagger下更改系统管理员角色状态,获取用户表单数据,更改菜单显示状态的安全漏洞

2025-06-18 17:24:15 +08:00
parent 48ec38e076
commit 86a9b3e212
2 changed files with 3 additions and 0 deletions
--- a/src/main/java/com/youlai/boot/system/controller/MenuController.java
+++ b/src/main/java/com/youlai/boot/system/controller/MenuController.java
@@ -102,6 +102,7 @@ public class MenuController {

    @Operation(summary = "修改菜单显示状态")
    @PatchMapping("/{menuId}")
+    @PreAuthorize("@ss.hasPerm('sys:menu:edit')")
    public Result<?> updateMenuVisible(
            @Parameter(description = "菜单ID") @PathVariable Long menuId,
            @Parameter(description = "显示状态(1:显示;0:隐藏)") Integer visible
--- a/src/main/java/com/youlai/boot/system/controller/UserController.java
+++ b/src/main/java/com/youlai/boot/system/controller/UserController.java
@@ -80,6 +80,7 @@ public class UserController {

    @Operation(summary = "获取用户表单数据")
    @GetMapping("/{userId}/form")
+    @PreAuthorize("@ss.hasPerm('sys:user:edit')")
    @Log(value = "用户表单数据", module = LogModuleEnum.USER)
    public Result<UserForm> getUserForm(
            @Parameter(description = "用户ID") @PathVariable Long userId
@@ -113,6 +114,7 @@ public class UserController {

    @Operation(summary = "修改用户状态")
    @PatchMapping(value = "/{userId}/status")
+    @PreAuthorize("@ss.hasPerm('sys:user:edit')")
    @Log(value = "修改用户状态", module = LogModuleEnum.USER)
    public Result<Void> updateUserStatus(
            @Parameter(description = "用户ID") @PathVariable Long userId,