From a70e327a8efaf38d74911ea568419a087fbd235a Mon Sep 17 00:00:00 2001
From: lawrencehj <1934378145@qq.com>
Date: 星期四, 15 四月 2021 11:42:05 +0800
Subject: [PATCH] 修改用户密码前先验证旧密码，增加安全性

---
 src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java |   28 +++++++++++++++++-----------
 1 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
index 4fd7b96..706f97e 100644
--- a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
+++ b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
@@ -3,16 +3,13 @@
 import com.genersoft.iot.vmp.conf.security.SecurityUtils;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
 import com.genersoft.iot.vmp.service.IUserService;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.util.DigestUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
 import javax.security.sasl.AuthenticationException;
@@ -53,17 +50,26 @@
     @ApiOperation("淇敼瀵嗙爜")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "username", value = "鐢ㄦ埛鍚�", dataTypeClass = String.class),
-            @ApiImplicitParam(name = "password", value = "瀵嗙爜锛堟湭md5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "oldpassword", value = "鏃у瘑鐮侊紙宸瞞d5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "password", value = "鏂板瘑鐮侊紙鏈猰d5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
     })
     @PostMapping("/changePassword")
-    public String changePassword(String password){
+    public String changePassword(String oldpassword, String password){
         // 鑾峰彇褰撳墠鐧诲綍鐢ㄦ埛id
-        int userId = SecurityUtils.getUserId();
-        boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
-        if (result) {
-            return "success";
-        }else {
-            return "fail";
+        String username = SecurityUtils.getUserInfo().getUsername();
+        LoginUser user = null;
+        try {
+            user = SecurityUtils.login(username, oldpassword, authenticationManager);
+            if (user != null) {
+                int userId = SecurityUtils.getUserId();
+                boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
+                if (result) {
+                    return "success";
+                }
+            }
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
         }
+        return "fail";
     }
 }

--
Gitblit v1.8.0