修复[issue 1298](https://github.com/dataease/dataease/issues/1298) :"个人信息建议可以修改某些字段"

2026-05-23 22:08:34 +08:00 · 2022-05-10 00:52:06 +08:00
parent a2fbbdf8c8
commit 5d674fcca9
4 changed files with 60 additions and 17 deletions
--- a/backend/src/main/java/io/dataease/controller/sys/SysUserController.java
+++ b/backend/src/main/java/io/dataease/controller/sys/SysUserController.java
@@ -119,7 +119,22 @@ public class SysUserController {
    @ApiOperation("更新个人信息")
    @PostMapping("/updatePersonInfo")
    public void updatePersonInfo(@RequestBody SysUserCreateRequest request) {
-        sysUserService.updatePersonInfo(request);
+        Long userId = AuthUtils.getUser().getUserId();
+        // 防止修改他人信息， 防止必填内容留空
+        if (!request.getUserId().equals(userId) || request.getEmail() == null || request.getNickName() == null) {
+            throw new RuntimeException("内容不合法");
+        }
+        // 再次验证，匹配格式
+        if (!request.getPhone().isEmpty() && !request.getPhone().matches("^1[3|4|5|7|8][0-9]{9}$")) {
+            throw new RuntimeException("电话格式错误");
+        }
+        if (!request.getEmail().matches("^[a-zA-Z0-9_._-]+@[a-zA-Z0-9_-]+(\\.[a-zA-Z0-9_-]+)+$")) {
+            throw new RuntimeException("邮箱格式错误");
+        }
+        if (!(2 <= request.getNickName().length() && request.getNickName().length() <= 50)) {
+            throw new RuntimeException("姓名格式错误");
+        }
+        sysUserService.updatePersonBasicInfo(request);
    }

    @ApiOperation("设置语言")
--- a/backend/src/main/java/io/dataease/service/sys/SysUserService.java
+++ b/backend/src/main/java/io/dataease/service/sys/SysUserService.java
@@ -208,6 +208,25 @@ public class SysUserService {

    }

+    /**
+     * 更新用户基本信息
+     * 只允许修改 email, nickname, phone
+     * 防止此接口被恶意利用更改不允许更改的信息，新建SysUser对象并只设置部分值
+     * @param request
+     * @return
+     */
+    @CacheEvict(value = AuthConstants.USER_CACHE_NAME, key = "'user' + #request.userId")
+    @Transactional
+    public int updatePersonBasicInfo(SysUserCreateRequest request) {
+        SysUser user = new SysUser();
+        long now = System.currentTimeMillis();
+        user.setUserId(request.getUserId());
+        user.setUpdateTime(now);
+        user.setEmail(request.getEmail());
+        user.setNickName(request.getNickName());
+        user.setPhone(request.getPhone());
+        return sysUserMapper.updateByPrimaryKeySelective(user);
+    }

    @CacheEvict(value = AuthConstants.USER_CACHE_NAME, key = "'user' + #request.userId")
    public int updateStatus(SysUserStateRequest request) {
@@ -218,7 +237,7 @@ public class SysUserService {
    }

    /**
-     * 修改用户密码清楚缓存
+     * 修改用户密码清除缓存
     *
     * @param request
     * @return
@@ -235,6 +254,9 @@ public class SysUserService {
        }
        SysUser sysUser = new SysUser();
        sysUser.setUserId(user.getUserId());
+        if (!request.getNewPassword().matches("^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).{8,30}$")) {
+            throw new RuntimeException("密码格式错误");
+        }
        sysUser.setPassword(CodingUtil.md5(request.getNewPassword()));
        return sysUserMapper.updateByPrimaryKeySelective(sysUser);
    }