From 3347ca4d7484d9141b189462e169b2be4d324632 Mon Sep 17 00:00:00 2001
From: 江强 <jiangq@powerlbs.com>
Date: 星期二, 27 七月 2021 09:33:12 +0800
Subject: [PATCH] fix:Issue #I42GRW   修复任意账户越权漏洞

---
 ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
index d479805..953f336 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysRoleController.java
@@ -220,6 +220,7 @@
     /**
      * 批量取消授权用户
      */
+    @PreAuthorize("@ss.hasPermi('system:role:edit')")
     @Log(title = "角色管理", businessType = BusinessType.GRANT)
     @PutMapping("/authUser/cancelAll")
     public AjaxResult cancelAuthUserAll(Long roleId, Long[] userIds)
@@ -230,6 +231,7 @@
     /**
      * 批量选择用户授权
      */
+    @PreAuthorize("@ss.hasPermi('system:role:edit')")
     @Log(title = "角色管理", businessType = BusinessType.GRANT)
     @PutMapping("/authUser/selectAll")
     public AjaxResult selectAuthUserAll(Long roleId, Long[] userIds)

--
Gitblit v1.9.2