oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: address audit findings for notify, websearch and security

Browse Source 
- Fix GetByKeyForAuth missing user.FieldEmail and user.FieldUsername (notifications sent to empty address)
- Guard against empty email in collectBalanceNotifyRecipients
- Remove non-atomic TotalRecharged read-modify-write in admin balance adjustment
- HTML-escape userName/siteName/accountName in notification email templates
- Fix timer leak in ProfileBalanceNotifyCard (add onUnmounted cleanup)
- Add warning log on websearch proxy URL resolution failure
This commit is contained in:
erio
2026-04-12 18:11:47 +08:00
parent eba289a7ff
commit 4e96a6faec
5 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/internal/service/admin_service.go
View File

@@ -709,12 +709,6 @@ func (s *adminServiceImpl) UpdateUserBalance(ctx context.Context, userID int64,
return nil, fmt.Errorf("balance cannot be negative, current balance: %.2f, requested operation would result in: %.2f", oldBalance, user.Balance)
}
// Track cumulative recharge for percentage-based balance notifications
balanceDelta := user.Balance - oldBalance
if balanceDelta > 0 {
user.TotalRecharged += balanceDelta
}
if err := s.userRepo.Update(ctx, user); err != nil {
return nil, err
}