修复普通用户或其他权限用户能在swagger下更改系统管理员角色状态,获取用户表单数据,更改菜单显示状态的安全漏洞

src/main/java/com/youlai/boot/system/controller/MenuController.java

@@ -102,6 +102,7 @@ public class MenuController {
 
     @Operation(summary = "修改菜单显示状态")
     @PatchMapping("/{menuId}")
+    @PreAuthorize("@ss.hasPerm('sys:menu:edit')")
     public Result<?> updateMenuVisible(
             @Parameter(description = "菜单ID") @PathVariable Long menuId,
             @Parameter(description = "显示状态(1:显示;0:隐藏)") Integer visible

src/main/java/com/youlai/boot/system/controller/UserController.java

@@ -80,6 +80,7 @@ public class UserController {
 
     @Operation(summary = "获取用户表单数据")
     @GetMapping("/{userId}/form")
+    @PreAuthorize("@ss.hasPerm('sys:user:edit')")
     @Log(value = "用户表单数据", module = LogModuleEnum.USER)
     public Result<UserForm> getUserForm(
             @Parameter(description = "用户ID") @PathVariable Long userId
@@ -113,6 +114,7 @@ public class UserController {
 
     @Operation(summary = "修改用户状态")
     @PatchMapping(value = "/{userId}/status")
+    @PreAuthorize("@ss.hasPerm('sys:user:edit')")
     @Log(value = "修改用户状态", module = LogModuleEnum.USER)
     public Result<Void> updateUserStatus(
             @Parameter(description = "用户ID") @PathVariable Long userId,