修复BUG: 密码修改越权bug修复

2022-08-21 10:10:41 +08:00 · 2022-08-21 10:10:41 +08:00 · f22a45af94
parent 50858d6d7d
commit f22a45af94
1 changed files with 7 additions and 11 deletions
--- a/backend/dvadmin/system/views/user.py
+++ b/backend/dvadmin/system/views/user.py
@ -272,22 +272,18 @@ class UserViewSet(CustomModelViewSet):
    @action(methods=["PUT"], detail=True, permission_classes=[IsAuthenticated])
    def change_password(self, request, *args, **kwargs):
        """密码修改"""
-        instance = Users.objects.filter(id=kwargs.get("pk")).first()
        data = request.data
        old_pwd = data.get("oldPassword")
        new_pwd = data.get("newPassword")
        new_pwd2 = data.get("newPassword2")
-        if instance:
-            if new_pwd != new_pwd2:
-                return ErrorResponse(msg="两次密码不匹配")
-            elif instance.check_password(old_pwd):
-                instance.password = make_password(new_pwd)
-                instance.save()
-                return DetailResponse(data=None, msg="修改成功")
-            else:
-                return ErrorResponse(msg="旧密码不正确")
+        if new_pwd != new_pwd2:
+            return ErrorResponse(msg="两次密码不匹配")
+        elif request.user.check_password(old_pwd):
+            request.user.password = make_password(new_pwd)
+            request.user.save()
+            return DetailResponse(data=None, msg="修改成功")
        else:
-            return ErrorResponse(msg="未获取到用户")
+            return ErrorResponse(msg="旧密码不正确")

    @action(methods=["PUT"], detail=True, permission_classes=[IsAuthenticated])
    def reset_to_default_password(self, request, *args, **kwargs):