center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

Merge pull request #5213 from dataease/pr@dev@fix_msg_batch_del

Browse Source 
fix(消息管理): 删除已读消息api存在IDOR漏洞
This commit is contained in:
fit2cloud-chenyw 2023-05-15 14:15:21 +08:00 committed by GitHub
commit 104512688d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
backend/src/main/java/io/dataease/ext/ExtSysMsgMapper.java
View File

@ -29,9 +29,10 @@ public interface ExtSysMsgMapper {
"<foreach collection='msgIds' item='msgId' open='(' separator=',' close=')' >", "<foreach collection='msgIds' item='msgId' open='(' separator=',' close=')' >",
" #{msgId}", " #{msgId}",
"</foreach>", "</foreach>",
" and user_id = #{uid} ",
"</script>" "</script>"
}) })
int batchDelete(@Param("msgIds") List<Long> msgIds); int batchDelete(@Param("msgIds") List<Long> msgIds, @Param("uid") Long uid);
int batchInsert(@Param("settings") List<SysMsgSetting> settings); int batchInsert(@Param("settings") List<SysMsgSetting> settings);

2
backend/src/main/java/io/dataease/service/message/SysMsgService.java
View File

@ -109,7 +109,7 @@ public class SysMsgService {
} }
public void batchDelete(List<Long> msgIds) { public void batchDelete(List<Long> msgIds) {
extSysMsgMapper.batchDelete(msgIds); extSysMsgMapper.batchDelete(msgIds, AuthUtils.getUser().getUserId());
} }
public void save(SysMsg sysMsg) { public void save(SysMsg sysMsg) {