New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

用户登录后访问实体事件管理子系统时出现安全BUG #16

Open

gegaojian-richard opened this issue Jan 1, 2018 · 1 comment

Labels

bug

Owner

gegaojian-richard commented Jan 1, 2018

任意用户登录成功后，都可以通过修改请求参数访问其他用户创建的实体。比如用户3登录后，通过http://localhost:8080/kjb/entity/show?userId=1，可以得到用户1创建的实体，得到实体id后可以修改删除

gegaojian-richard added the bug label

Collaborator

Viking18 commented Jan 3, 2018

应该在controller中由当前登录的用户id检查请求的合法性

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment