fixed 账号相关方法增加登录验证,安全校验

2024-09-24 16:34:05 +08:00 · 2024-09-24 16:34:05 +08:00 · ca226e1f81
parent 484346d542
commit ca226e1f81
1 changed files with 1 additions and 0 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -224,6 +224,7 @@ class AccountsController < ApplicationController
  def change_password 
    return render_error("两次输入的密码不一致") if params[:password].to_s != params[:new_password_repeat].to_s
    @user = User.find_by(login: params[:login])
+    return render_forbidden unless User.current.login == @user&.login
    return render_error("此用户禁止修改密码！") if @user.id.to_i === 104691
    return render_error("未找到相关用户!") if @user.blank?
    return render_error("旧密码不正确") unless @user.check_password?(params[:old_password])