From b86ef5b393fb69a104661722c9d9ca1e6e876280 Mon Sep 17 00:00:00 2001 From: nuo-promise Date: Sun, 3 Jul 2022 22:25:14 +0800 Subject: [PATCH 1/2] #3657 Fix Admin have insecure permissions --- .../shenyu/admin/controller/DashboardUserController.java | 8 ++++++++ .../apache/shenyu/admin/utils/ShenyuResultMessage.java | 2 ++ 2 files changed, 10 insertions(+) diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java index d0b93044e714..33914c6dc23a 100644 --- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java +++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java @@ -20,6 +20,7 @@ import org.apache.commons.collections4.CollectionUtils; import org.apache.commons.lang3.StringUtils; import org.apache.shenyu.admin.mapper.DashboardUserMapper; +import org.apache.shenyu.admin.model.custom.UserInfo; import org.apache.shenyu.admin.model.dto.DashboardUserDTO; import org.apache.shenyu.admin.model.page.CommonPager; import org.apache.shenyu.admin.model.page.PageParameter; @@ -32,6 +33,7 @@ import org.apache.shenyu.admin.utils.ShenyuResultMessage; import org.apache.shenyu.admin.validation.annotation.Existed; import org.apache.shenyu.common.utils.ShaUtils; +import org.apache.shiro.SecurityUtils; import org.apache.shiro.authz.annotation.RequiresPermissions; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.DeleteMapping; @@ -50,6 +52,7 @@ import javax.validation.constraints.NotNull; import java.util.HashSet; import java.util.List; +import java.util.Objects; import java.util.Optional; /** 
@@ -158,6 +161,11 @@ public ShenyuAdminResult modifyPassword(@PathVariable("id") @Existed(provider = DashboardUserMapper.class, message = "user is not found") final String id, @Valid @RequestBody final DashboardUserDTO dashboardUserDTO) { + UserInfo userInfo = (UserInfo) SecurityUtils.getSubject().getPrincipal(); + if (Objects.isNull(userInfo) || !userInfo.getUserId().equals(id) + && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) { + return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR); + } return updateDashboardUser(id, dashboardUserDTO); } diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java index 760cec15b434..56fc00422563 100644 --- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java +++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java @@ -48,6 +48,8 @@ public final class ShenyuResultMessage { public static final String DASHBOARD_QUERY_ERROR = "user info is empty"; + public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not modify other user password"; + public static final String DASHBOARD_CREATE_USER_ERROR = "empty user info, please confirm"; public static final String PLATFORM_LOGIN_SUCCESS = "login dashboard user success"; From 4d7f64b4f96bd5d8c0564787e81cea114d8fc5a6 Mon Sep 17 00:00:00 2001 From: nuo-promise Date: Fri, 29 Jul 2022 11:39:53 +0800 Subject: [PATCH 2/2] add user not login return message --- .../shenyu/admin/controller/DashboardUserController.java | 6 ++++-- .../org/apache/shenyu/admin/utils/ShenyuResultMessage.java | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) 
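Review bot: The unchecked cast `(UserInfo) SecurityUtils.getSubject().getPrincipal()` on the first added line turns a principal of any other type into a ClassCastException, i.e. a server error, instead of the error result the rest of the check returns; whether a non-UserInfo principal can occur depends on the Shiro realm configuration, which is not visible in this patch. Checking the type before casting keeps that case on the same error path as the null case: `Object principal = SecurityUtils.getSubject().getPrincipal();` / `if (!(principal instanceof UserInfo)) { return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR); }` / `UserInfo userInfo = (UserInfo) principal;`. The separate `Objects.isNull(userInfo)` test then becomes redundant, since `instanceof` is false for null. The signature of modifyPassword starts before this hunk, so the annotations guarding the endpoint cannot be seen here.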
diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java index 33914c6dc23a..2ceef896da26 100644 --- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java +++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java @@ -162,8 +162,10 @@ public ShenyuAdminResult modifyPassword(@PathVariable("id") message = "user is not found") final String id, @Valid @RequestBody final DashboardUserDTO dashboardUserDTO) { UserInfo userInfo = (UserInfo) SecurityUtils.getSubject().getPrincipal(); - if (Objects.isNull(userInfo) || !userInfo.getUserId().equals(id) - && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) { + if (Objects.isNull(userInfo)) { + return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_USER_LOGIN_ERROR); + } + if (!userInfo.getUserId().equals(id) && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) { return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR); } return updateDashboardUser(id, dashboardUserDTO); diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java index 56fc00422563..6fa38871c08d 100644 --- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java +++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java @@ -46,6 +46,8 @@ public final class ShenyuResultMessage { public static final String ROLE_CREATE_ERROR = "can not create super role"; + public static final String DASHBOARD_USER_LOGIN_ERROR = "user not login please login first"; + public static final String DASHBOARD_QUERY_ERROR = "user info is empty"; public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not modify other user password";
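Review bot: The ownership check on the second added `if` is still bypassable: it rejects the request only when both the path `id` and the body `userName` differ from the caller, so an authenticated user who puts another user's id in the path and their own userName in the body passes the check and reaches `updateDashboardUser(id, dashboardUserDTO)` for the other account (assuming, as the path parameter suggests but this hunk does not show, that the update is applied to the record identified by `id`). A password change should be tied to the caller's own id, with the body name required to agree rather than accepted as an alternative: `if (!userInfo.getUserId().equals(id) || !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) {`. The first commit carried the same `&&` and this rewrite preserves it, so the split into two `if` statements does not change the outcome. The method's signature begins before this hunk, so whether a `@RequiresPermissions` annotation also guards it cannot be seen here.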