From 0cf4c59d227a90a8dd4b66927b7b563dc3cea72d Mon Sep 17 00:00:00 2001
From: skynono <6811626@qq.com>
Date: Tue, 6 May 2025 14:18:15 +0800
Subject: [PATCH 1/2] feat: add original password verification when changing password

---
 controller/user.go | 26 +++++++++++++++++++++++++-
 model/user.go | 1 +
 web/src/components/PersonalSetting.js | 20 ++++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/controller/user.go b/controller/user.go
index e194f531..567c2aa7 100644
--- a/controller/user.go
+++ b/controller/user.go
@@ -592,7 +592,14 @@ func UpdateSelf(c *gin.Context) {
 user.Password = "" // rollback to what it should be
 cleanUser.Password = ""
 }
- updatePassword := user.Password != ""
+ updatePassword, err := checkUpdatePassword(user.OriginalPassword, user.Password, cleanUser.Id)
+ if err != nil {
+ c.JSON(http.StatusOK, gin.H{
+ "success": false,
+ "message": err.Error(),
+ })
+ return
+ }
 if err := cleanUser.Update(updatePassword); err != nil {
 c.JSON(http.StatusOK, gin.H{
 "success": false,
@@ -608,6 +615,23 @@ func UpdateSelf(c *gin.Context) {
 return
 }
 
+func checkUpdatePassword(originalPassword string, newPassword string, userId int) (updatePassword bool, err error) {
+ if newPassword == "" {
+ return
+ }
+ var currentUser *model.User
+ currentUser, err = model.GetUserById(userId, true)
+ if err != nil {
+ return
+ }
+ if !common.ValidatePasswordAndHash(originalPassword, currentUser.Password) {
+ err = fmt.Errorf("原密码错误")
+ return
+ }
+ updatePassword = true
+ return
+}
+
 func DeleteUser(c *gin.Context) {
 id, err := strconv.Atoi(c.Param("id"))
 if err != nil {
diff --git a/model/user.go b/model/user.go
index 0aea2ff5..1a3372aa 100644
--- a/model/user.go
+++ b/model/user.go
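Review bot: The new error branch sends `err.Error()` to the client for every non-nil result of checkUpdatePassword, which includes the `model.GetUserById` lookup failure, so whatever text that lookup produces reaches the browser alongside the intended "原密码错误" message. Send the wrong-password message as-is, but map lookup errors to a generic message and log the original server-side, e.g. `"message": "用户信息读取失败"` in that branch (wording to match the project's other messages). It is also worth logging a failed original-password check together with the user id so repeated failures on one account are visible to operators. UpdateSelf begins and ends outside the hunk.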
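Review bot: `err = fmt.Errorf("原密码错误")` builds the error with no format verbs and gives the caller no way to tell this user-facing failure apart from an internal lookup error other than string comparison. Declare a sentinel, e.g. `var ErrOriginalPasswordMismatch = errors.New("原密码错误")` (importing errors if the file does not already), return it here, and let UpdateSelf decide the response with `errors.Is(err, ErrOriginalPasswordMismatch)`. The named results with naked `return`s also make the control flow harder to follow than explicit `return false, err` / `return true, nil` would, and `userId` should be `userID` per Go naming convention. Whether `GetUserById(userId, true)` loads the stored hash into `currentUser.Password` is not visible here; confirm it, since ValidatePasswordAndHash would otherwise compare against an empty string.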
@@ -18,6 +18,7 @@ type User struct {
 Id int `json:"id"`
 Username string `json:"username" gorm:"unique;index" validate:"max=12"`
 Password string `json:"password" gorm:"not null;" validate:"min=8,max=20"`
+ OriginalPassword string `json:"original_password" gorm:"-:all"` // this field is only for Password change verification, don't save it to database!
 DisplayName string `json:"display_name" gorm:"index" validate:"max=20"`
 Role int `json:"role" gorm:"type:int;default:1"` // admin, common
 Status int `json:"status" gorm:"type:int;default:1"` // enabled, disabled
diff --git a/web/src/components/PersonalSetting.js b/web/src/components/PersonalSetting.js
index d1e03db2..fbd74536 100644
--- a/web/src/components/PersonalSetting.js
+++ b/web/src/components/PersonalSetting.js
@@ -57,6 +57,7 @@ const PersonalSetting = () => {
 email_verification_code: '',
 email: '',
 self_account_deletion_confirmation: '',
+ original_password: '',
 set_new_password: '',
 set_new_password_confirmation: '',
 });
@@ -239,11 +240,20 @@ const PersonalSetting = () => {
 };
 
 const changePassword = async () => {
+ if (inputs.original_password === '') {
+ showError(t('请输入原密码!'));
+ return;
+ }
+ if (inputs.original_password === inputs.set_new_password) {
+ showError(t('新密码需要和原密码不一致!'));
+ return;
+ }
 if (inputs.set_new_password !== inputs.set_new_password_confirmation) {
 showError(t('两次输入的密码不一致!'));
 return;
 }
 const res = await API.put(`/api/user/self`, {
+ original_password: inputs.original_password,
 password: inputs.set_new_password,
 });
 const { success, message } = res.data;
@@ -1118,6 +1128,16 @@ const PersonalSetting = () => { >
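Review bot: The new field is tagged `json:"original_password"` without `omitempty`, so any User value that is serialized into a response will carry an `original_password` key even though the field exists only to receive input. Whether User is returned verbatim anywhere is not visible here, but `json:"original_password,omitempty"` drops the key from output when empty without affecting request binding; `gorm:"-:all"` already keeps it out of the database. Any code path that clears `Password` before returning or logging a User should clear `OriginalPassword` too, and the trailing comment could say so: `// input-only: never persisted; clear it wherever Password is cleared before a User is returned or logged`.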
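Review bot: Nothing in changePassword resets `original_password` (or the two new-password fields) after the request is sent, so the plaintext values stay in component state until the user edits those inputs again; the success branch lies outside the hunk, but the hunk shows no reset on either path. After `await API.put(...)` clear them regardless of outcome using the existing handler, e.g. `handleInputChange('original_password', '')` and the same for `set_new_password` and `set_new_password_confirmation`. The three new client-side checks are UX only; the server-side check added in controller/user.go in this commit is what actually enforces the original password.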
+ handleInputChange('original_password', value) + } + /> + Date: Tue, 6 May 2025 22:28:32 +0800 Subject: [PATCH 2/2] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=9C=AA=E8=BE=93?= =?UTF-8?q?=E5=85=A5=E6=96=B0=E5=AF=86=E7=A0=81=E6=97=B6=E6=8F=90=E7=A4=BA?= =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=88=90=E5=8A=9F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- controller/user.go | 6 ++--- web/src/components/PersonalSetting.js | 35 ++++++++++++++++++++------- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/controller/user.go b/controller/user.go index 567c2aa7..fd53e743 100644 --- a/controller/user.go +++ b/controller/user.go @@ -616,9 +616,6 @@ func UpdateSelf(c *gin.Context) { } func checkUpdatePassword(originalPassword string, newPassword string, userId int) (updatePassword bool, err error) { - if newPassword == "" { - return - } var currentUser *model.User currentUser, err = model.GetUserById(userId, true) if err != nil { @@ -628,6 +625,9 @@ func checkUpdatePassword(originalPassword string, newPassword string, userId int err = fmt.Errorf("原密码错误") return } + if newPassword == "" { + return + } updatePassword = true return } diff --git a/web/src/components/PersonalSetting.js b/web/src/components/PersonalSetting.js index fbd74536..0f52c319 100644 --- a/web/src/components/PersonalSetting.js +++ b/web/src/components/PersonalSetting.js @@ -244,6 +244,10 @@ const PersonalSetting = () => { showError(t('请输入原密码!')); return; } + if (inputs.set_new_password === '') { + showError(t('请输入新密码!')); + return; + } if (inputs.original_password === inputs.set_new_password) { showError(t('新密码需要和原密码不一致!')); return; @@ -826,8 +830,8 @@ const PersonalSetting = () => {
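Review bot: The props of the new original-password Input are not legible in this rendering (only the `handleInputChange('original_password', value)` handler and the closing `/>` survive), so it cannot be confirmed that the field is rendered masked. It should carry the same masking attribute the existing new-password inputs in this component use, otherwise the current password is shown in clear on screen; please verify against the actual file. The hunk's surrounding JSX is also not visible here.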
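Review bot: With the `newPassword == ""` guard moved below the hash check (this hunk together with the @@ -628 hunk), checkUpdatePassword now demands a correct originalPassword on every call, and UpdateSelf calls it for every self-update, so a request that changes only other profile fields and sends no original_password is rejected with "原密码错误" — unless every caller now sends it, which is not visible here. The reorder also does not achieve the fix described in the commit title on the server: a correct original password with an empty new password still returns `(false, nil)` and the handler reports success; only the JS change rejects that case. Skip verification when neither field is sent, and reject an empty new password explicitly once an original password is present, before touching the database.

```go
func checkUpdatePassword(originalPassword string, newPassword string, userId int) (updatePassword bool, err error) {
	// Neither field sent: the caller is updating other profile fields,
	// so there is no password change to verify.
	if originalPassword == "" && newPassword == "" {
		return false, nil
	}
	if newPassword == "" {
		return false, fmt.Errorf("新密码不能为空") // wording: align with the UI message
	}
	// … unchanged: GetUserById lookup and ValidatePasswordAndHash check …
	return true, nil
}
```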
- - + +
{t('通知方式')}
@@ -1003,23 +1007,36 @@ const PersonalSetting = () => {
- +
- {t('接受未设置价格模型')} + + {t('接受未设置价格模型')} +
handleNotificationSettingChange('acceptUnsetModelRatioModel', e.target.checked)} + checked={ + notificationSettings.acceptUnsetModelRatioModel + } + onChange={(e) => + handleNotificationSettingChange( + 'acceptUnsetModelRatioModel', + e.target.checked, + ) + } > {t('接受未设置价格模型')} - - {t('当模型没有设置价格时仍接受调用,仅当您信任该网站时使用,可能会产生高额费用')} + + {t( + '当模型没有设置价格时仍接受调用,仅当您信任该网站时使用,可能会产生高额费用', + )}
-