!891 修补会员退货接口中未校验用户ID的安全漏洞

Merge pull request !891 from 杨宇庆/N/A
2024-02-29 13:01:34 +00:00
parent c3717b68c8 9c4d373f81
commit 801c405881
1 changed files with 1 additions and 1 deletions
--- a/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
+++ b/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
@@ -245,7 +245,7 @@ public class AfterSaleServiceImpl implements AfterSaleService {
    @AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_DELIVERY)
    public void deliveryAfterSale(Long userId, AppAfterSaleDeliveryReqVO deliveryReqVO) {
        // 校验售后单存在，并状态未退货
-        AfterSaleDO afterSale = tradeAfterSaleMapper.selectById(deliveryReqVO.getId());
+        AfterSaleDO afterSale = tradeAfterSaleMapper.selectByIdAndUserId(deliveryReqVO.getId(), userId);
        if (afterSale == null) {
            throw exception(AFTER_SALE_NOT_FOUND);
        }