修补会员取消售后接口中未校验用户ID的安全漏洞
Signed-off-by: 杨宇庆 <hiyyq@qq.com>
parent
c3717b68c8
commit
5849f99d23
@ -383,7 +383,7 @@ public class AfterSaleServiceImpl implements AfterSaleService {
|
|||||||
@AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_CANCEL)
|
@AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_CANCEL)
|
||||||
public void cancelAfterSale(Long userId, Long id) {
|
public void cancelAfterSale(Long userId, Long id) {
|
||||||
// 校验售后单的状态,并状态待退款
|
// 校验售后单的状态,并状态待退款
|
||||||
AfterSaleDO afterSale = tradeAfterSaleMapper.selectById(id);
|
AfterSaleDO afterSale = tradeAfterSaleMapper.selectByIdAndUserId(id, userId);
|
||||||
if (afterSale == null) {
|
if (afterSale == null) {
|
||||||
throw exception(AFTER_SALE_NOT_FOUND);
|
throw exception(AFTER_SALE_NOT_FOUND);
|
||||||
}
|
}
|
||||||
|
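Review bot: The ownership check in `cancelAfterSale` now rests entirely on `tradeAfterSaleMapper.selectByIdAndUserId(id, userId)`, and that mapper method is not shown in this section, so confirm it applies a strict equality condition on the user id. If it is built with a query helper that skips null arguments, a null `userId` would silently reduce the lookup to id-only again; a guard before the lookup such as `if (userId == null) { throw exception(AFTER_SALE_NOT_FOUND); }` keeps the method safe regardless of how the mapper is written. Reusing `AFTER_SALE_NOT_FOUND` for an order that belongs to another member is a good choice, because the response does not reveal whether the id exists. The comment above the lookup still mentions only the status check and could state the new behaviour, e.g. `// Load by id and userId so a member can only cancel their own after-sale order`. The method body continues past the end of this hunk, so the status check that follows is not covered here.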