渗透测试漏洞修复

2025-11-27 13:27:56 +08:00 · 2025-11-27 13:27:56 +08:00 · e4498346c4
parent 5b4fc26ffa
commit e4498346c4
4 changed files with 24 additions and 9 deletions
--- a/auth/src/main/java/com/bonus/auth/controller/TokenController.java
+++ b/auth/src/main/java/com/bonus/auth/controller/TokenController.java
@ -64,6 +64,10 @@ public class TokenController
        {
            throw new CaptchaException("验证码错误");
        }
+        String userName = userInfo.getSysUser().getUserName();
+        if ("ysAdmin".equals(userName)){
+            throw new CaptchaException("账号已被禁用");
+        }
        // 获取登录token
        return R.ok(tokenService.createToken(userInfo));
    }
--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/UserController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/UserController.java
@ -70,9 +70,12 @@ public class UserController {
 	@Log(title = "用户管理-修改用户", businessType = BusinessType.UPDATE)
 	@PutMapping
 	@RequiresPermissions("sys:user:add")
-	public R updateUser(@RequestBody UserBean userDto) {
+	public R updateUser(UserBean userDto) {
 		userDto.setUserName(RSAUtil.decrypt(userDto.getUserName()));
-		userDto.setPhone(RSAUtil.decrypt(userDto.getPhone()));
+		userDto.setPhonenumber(RSAUtil.decrypt(userDto.getPhonenumber()));
+		userDto.setIdNumber(RSAUtil.decrypt(userDto.getIdNumber()));
+		userDto.setOrgId(RSAUtil.decrypt(userDto.getOrgId()));
+		userDto.setRoleId(RSAUtil.decrypt(userDto.getRoleId()));
 		return userService.updateUser(userDto);
 	}

--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/service/UserServiceImpl.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/service/UserServiceImpl.java
@ -126,12 +126,12 @@ public class UserServiceImpl implements UserService {
 	@Override
 	@Transactional
 	public R updateUser(UserBean user) {
-		if(!user.getPhone().equals(user.getPhonenumber())){
-			String existUser = userDao.getExistUser(user.getPhonenumber());
-			if (existUser != null) {
+
+			/*String existUser = userDao.getExistUser(user.getPhonenumber());
+			if (existUser != null ) {
 				throw new IllegalArgumentException(existUser+"手机号已存在");
-			}
-		}
+			}*/
+
 		user.setIdNumber(user.getIdNumber().toUpperCase());
 		int i = userDao.updateUser(user);
 		saveUserRoles(user.getId(),user.getRoleId());
--- a/modules/bmw/src/main/resources/static/js/work/SettingManage/UserManage/UserForm.js
+++ b/modules/bmw/src/main/resources/static/js/work/SettingManage/UserManage/UserForm.js
@ -101,9 +101,17 @@ function updateUser(formData) {
        type: 'PUT',
        async: false, // 默认异步true,false表示同步
        url: formUrl, // 请求地址
-        contentType: "application/json; charset=utf-8",
+        /*contentType: "application/json; charset=utf-8",
        dataType: 'json', // 服务器返回数据类型
-        data: JSON.stringify(formData.field), //获取提交的表单字段
+        data: JSON.stringify(formData.field), //获取提交的表单字段*/
+        data: {
+            userName : encryptRsa($("#userName").val()),
+            idNumber : encryptRsa($("#idNumber").val()),
+            phonenumber : encryptRsa($("#phonenumber").val()),
+            orgId : encryptRsa($("#orgId").val()),
+            roleId : encryptRsa($("#roleId").val()),
+            id :$("#id").val()
+        },
        success: function (data) {
            layer.close(loadingMsg); // 关闭提示层
            if(data.code == 200){