修改用户密码前先验证旧密码，增加安全性

2021-04-15 11:42:05 +08:00
parent 8bd962c006
commit a70e327a8e
8 changed files with 41 additions and 31 deletions
--- a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
+++ b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
@@ -3,16 +3,13 @@ package com.genersoft.iot.vmp.vmanager.user;
 import com.genersoft.iot.vmp.conf.security.SecurityUtils;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
 import com.genersoft.iot.vmp.service.IUserService;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.util.DigestUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;

 import javax.security.sasl.AuthenticationException;
@@ -53,17 +50,26 @@ public class UserController {
    @ApiOperation("修改密码")
    @ApiImplicitParams({
            @ApiImplicitParam(name = "username", value = "用户名", dataTypeClass = String.class),
-            @ApiImplicitParam(name = "password", value = "密码（未md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "oldpassword", value = "旧密码（已md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "password", value = "新密码（未md5加密的密码）", dataTypeClass = String.class),
    })
    @PostMapping("/changePassword")
-    public String changePassword(String password){
+    public String changePassword(String oldpassword, String password){
        // 获取当前登录用户id
-        int userId = SecurityUtils.getUserId();
-        boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
-        if (result) {
-            return "success";
-        }else {
-            return "fail";
+        String username = SecurityUtils.getUserInfo().getUsername();
+        LoginUser user = null;
+        try {
+            user = SecurityUtils.login(username, oldpassword, authenticationManager);
+            if (user != null) {
+                int userId = SecurityUtils.getUserId();
+                boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
+                if (result) {
+                    return "success";
+                }
+            }
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
        }
+        return "fail";
    }
 }