ady/ruoyi-vue-pro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修补会员取消售后接口中未校验用户ID的安全漏洞

Browse Source 
Signed-off-by: 杨宇庆 <hiyyq@qq.com>
This commit is contained in:
杨宇庆
2024-02-28 19:35:07 +00:00
committed by Gitee
parent c3717b68c8
commit 5849f99d23
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
View File

@@ -383,7 +383,7 @@ public class AfterSaleServiceImpl implements AfterSaleService {
@AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_CANCEL)
public void cancelAfterSale(Long userId, Long id) {
// 校验售后单的状态,并状态待退款
AfterSaleDO afterSale = tradeAfterSaleMapper.selectById(id);
AfterSaleDO afterSale = tradeAfterSaleMapper.selectByIdAndUserId(id, userId);
if (afterSale == null) {
throw exception(AFTER_SALE_NOT_FOUND);
}