fix: use clean object when update user info
songquanpeng committed Nov 5, 2022
1 parent c4391c7 commit 4a98ed9
Showing 1 changed file with 7 additions and 9 deletions.
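--- a/controller/user.go
+++ b/controller/user.go
@@ -325,19 +325,17 @@ func UpdateSelf(c *gin.Context) {
 })
 return
 }
-// User cannot change its id, role, status itself
-user.Id = c.GetInt("id")
-user.Role = c.GetInt("role")
-user.Status = c.GetInt("status")
 
-// User cannot change its Email, GitHub ID & WeChat ID without verification
-user.Email = ""
-user.GitHubId = ""
-user.WeChatId = ""
+cleanUser := model.User{
+Id: c.GetInt("id"),
+Username: user.Username,
+Password: user.Password,
+DisplayName: user.DisplayName,
+}
 
 updatePassword := user.Password != ""
 // TODO: check Display Name to avoid XSS attack
-if err := user.Update(updatePassword); err != nil {
+if err := cleanUser.Update(updatePassword); err != nil {
 c.JSON(http.StatusOK, gin.H{
 "success": false,
 "message": err.Error(),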
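Review bot: cleanUser leaves Role and Status at their zero value where the removed lines pinned them from the session, so whether the caller's role and status survive the update now rests entirely on model.User.Update skipping zero-valued fields; that contract is not visible in this hunk and should be stated next to `cleanUser := model.User{`, e.g. `// Whitelist of self-editable fields; Role/Status/Email stay zero and rely on Update ignoring zero values.`. The allow-list approach is the right direction, but Username and DisplayName are still copied from the request body unvalidated, and the existing TODO about DisplayName remains open, so a length and character check before `cleanUser.Update(updatePassword)` (with escaping at render time) would close it. UpdateSelf begins and ends outside this hunk.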
