!1124 【修复】修复会员取消售后接口中未校验用户ID的漏洞

Merge pull request !1124 from 杨宇庆/N/A
2024-11-09 07:29:00 +00:00 · 2024-11-09 07:29:00 +00:00 · b93199bd0a
parent 14dc2e3849 c776371d48
commit b93199bd0a
1 changed files with 1 additions and 1 deletions
--- a/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
+++ b/yudao-module-mall/yudao-module-trade-biz/src/main/java/cn/iocoder/yudao/module/trade/service/aftersale/AfterSaleServiceImpl.java
@ -399,7 +399,7 @@ public class AfterSaleServiceImpl implements AfterSaleService {
    @AfterSaleLog(operateType = AfterSaleOperateTypeEnum.MEMBER_CANCEL)
    public void cancelAfterSale(Long userId, Long id) {
        // 校验售后单的状态，并状态待退款
-        AfterSaleDO afterSale = tradeAfterSaleMapper.selectById(id);
+        AfterSaleDO afterSale = tradeAfterSaleMapper.selectByIdAndUserId(id, userId);
        if (afterSale == null) {
            throw exception(AFTER_SALE_NOT_FOUND);
        }