Contributor

@ShaBaoFa ShaBaoFa commented Jul 5, 2024

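Cause: online monitoring showed that the returned user information includes the password. Personally, I think no scenario needs the encrypted (or unencrypted) password information to be returned, so I applied hidden handling directly at the model layer.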

ShaBaoFa added 2 commits July 4, 2024 16:14
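SystemUserService.php: 1. Rewrite the token-key regex matching. 2. kickUser makes sure all tokens are retrieved and takes them all offline at once. 3. hasTokenBlack only checks the scene that the passed-in token belongs to; otherwise multiple scenes are checked, which causes errors in the online user monitoring list.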
zds-s previously approved these changes Jul 5, 2024
@ShaBaoFa ShaBaoFa requested a review from zds-s July 5, 2024 09:47
@ShaBaoFa
Contributor Author

ShaBaoFa commented Jul 5, 2024

....ShaBaoFa requested a review from zds-s now. I clicked the wrong thing...

@zds-s zds-s merged commit 84e8bb6 into mineadmin:master Jul 5, 2024
@zds-s
Member

zds-s commented Jul 5, 2024

Thanks

@zds-s
Member

zds-s commented Jul 5, 2024

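Thanks again, and one small suggestion: if you have more feature suggestions later, check out a branch from master and then submit to the main repository. For details you can refer to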

zds-s added a commit that referenced this pull request Jul 9, 2024
* Fix(filterExecuteAttributes): Utilizing memory address pointers (#294)

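* LoginListener.php: Fix the issue where, because multi-point login reuses the same token, the correct online status of the user could not be obtained once the account's most recently logged-in device logged out (#295)

SystemUserService.php: 1. Rewrite the token-key regex matching. 2. kickUser makes sure all tokens are retrieved and takes them all offline at once. 3. hasTokenBlack only checks the scene that the passed-in token belongs to; otherwise multiple scenes are checked, which causes errors in the online user monitoring list.

* FIX: Hide the password field in user information to avoid a security risk. (#297)

* LoginListener.php: Fix the issue where, because multi-point login reuses the same token, the correct online status of the user could not be obtained once the account's most recently logged-in device logged out
SystemUserService.php: 1. Rewrite the token-key regex matching. 2. kickUser makes sure all tokens are retrieved and takes them all offline at once. 3. hasTokenBlack only checks the scene that the passed-in token belongs to; otherwise multiple scenes are checked, which causes errors in the online user monitoring list.

* fix: the returned user information contains the password field; although it is an encrypted field, it is still a security risk, so it is hidden.

* UserAuthService.php: fix the issue where, because password is hidden, the password could not be read after calling toArray on the user model, which broke the login flow

* UserAuthService.php fix: get the primary key value rather than the primary key key (hit Tab too fast)

* Fix: Optimize the is_in_container function (#298)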

---------

Co-authored-by: PeopleSea <70972819+People-Sea@users.noreply.github.com>
Co-authored-by: ShaBaoFa <wlfpanda1012@gmail.com>
Co-authored-by: clq321 <405292878@qq.com>
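
The change discussed in this thread (hiding `password` at the model layer, then repairing the login path that read it through `toArray`) can be reproduced in plain PHP. This is an added example, not code from the PR or from MineAdmin; `UserModel`, `loginViaArray` and `loginViaAttribute` are hypothetical stand-ins for an ORM model with a `$hidden` list, and the user record is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an ORM model with a $hidden list
// (constructed for this example; not MineAdmin's own user model).
class UserModel
{
    /** Attributes left out of serialized output. */
    protected array $hidden = ['password'];

    public function __construct(private array $attributes) {}

    /** What API responses and monitoring lists are built from. */
    public function toArray(): array
    {
        return array_diff_key($this->attributes, array_flip($this->hidden));
    }

    /** Direct attribute access is not filtered by $hidden. */
    public function getAttribute(string $key): mixed
    {
        return $this->attributes[$key] ?? null;
    }
}

// Login check written against the serialized array: it can no longer
// find the hash once password is hidden.
function loginViaArray(UserModel $user, string $plain): bool
{
    $row = $user->toArray();
    return isset($row['password']) && password_verify($plain, $row['password']);
}

// Login check that reads the hash from the model itself.
function loginViaAttribute(UserModel $user, string $plain): bool
{
    $hash = $user->getAttribute('password');
    return is_string($hash) && password_verify($plain, $hash);
}

// Constructed sample record.
$user = new UserModel([
    'id' => 1,
    'username' => 'demo',
    'password' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

var_dump(array_key_exists('password', $user->toArray())); // is the hash serialized?
var_dump(loginViaArray($user, 'correct horse'));          // array-based login path
var_dump(loginViaAttribute($user, 'correct horse'));      // attribute-based login path
var_dump(loginViaAttribute($user, 'wrong'));              // wrong password
```

When a field is hidden at the model layer, every caller that consumed it through the serialized array has to be found and moved to direct attribute access, which is the follow-up fix the commit message lists for UserAuthService.php.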