修补会员退货接口中未校验用户ID的安全漏洞

Signed-off-by: 杨宇庆 <hiyyq@qq.com>
2024-02-28 18:23:54 +00:00 · 2024-02-28 18:23:54 +00:00 · 9c4d373f81
parent c3717b68c8
commit 9c4d373f81
1 changed files with 1 additions and 1 deletions
--- a/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
+++ b/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
@ -245,7 +245,7 @@ public class AfterSaleServiceImpl implements AfterSaleService {
    @AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_DELIVERY)
    public void deliveryAfterSale(Long userId, AppAfterSaleDeliveryReqVO deliveryReqVO) {
        // 校验售后单存在，并状态未退货
-        AfterSaleDO afterSale = tradeAfterSaleMapper.selectById(deliveryReqVO.getId());
+        AfterSaleDO afterSale = tradeAfterSaleMapper.selectByIdAndUserId(deliveryReqVO.getId(), userId);
        if (afterSale == null) {
            throw exception(AFTER_SALE_NOT_FOUND);
        }