update app/admin/controller/Index.php.

用户资料接口；存在安全隐患；用户模拟请求可以修改权限和名称；导致用户可以获取最高权限 Signed-off-by: coffee <724179447@qq.com>
2025-04-05 19:41:44 +08:00 · 2022-09-07 02:41:43 +00:00 · 2022-09-07 02:41:43 +00:00 · 4309465887
commit 4309465887
parent da56f560dc
1 changed files with 14 additions and 1 deletions
--- a/app/admin/controller/Index.php
+++ b/app/admin/controller/Index.php
@ -77,7 +77,20 @@ class Index extends Controller
            }
        }
    }
-
+        /**
+     * 表单数据处理
+     * @param array $data
+     * @throws \think\db\exception\DataNotFoundException
+     * @throws \think\db\exception\DbException
+     * @throws \think\db\exception\ModelNotFoundException
+     */
+    protected function _form_filter(array &$data)
+    {
+        if ($this->request->isPost()) {
+            unset($data['username']);
+            unset($data['authorize']);
+        }
+    }
    /**
     * 修改用户资料
     * @login true