From 1ad38bf2a82f9caee582a2ff8bc166e87a92d4d1 Mon Sep 17 00:00:00 2001
From: FatttSnake
Date: Fri, 1 Dec 2023 16:12:05 +0800
Subject: [PATCH] Other users cannot change admin password
---
 .../fatweb/api/service/permission/impl/UserServiceImpl.kt | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/kotlin/top/fatweb/api/service/permission/impl/UserServiceImpl.kt b/src/main/kotlin/top/fatweb/api/service/permission/impl/UserServiceImpl.kt
index d61267d..79a045c 100644
--- a/src/main/kotlin/top/fatweb/api/service/permission/impl/UserServiceImpl.kt
+++ b/src/main/kotlin/top/fatweb/api/service/permission/impl/UserServiceImpl.kt
@@ -5,6 +5,7 @@ import com.baomidou.mybatisplus.extension.kotlin.KtQueryWrapper
 import com.baomidou.mybatisplus.extension.kotlin.KtUpdateWrapper
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page
 import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl
+import org.springframework.security.access.AccessDeniedException
 import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.stereotype.Service
 import org.springframework.transaction.annotation.Transactional
@@ -201,6 +202,10 @@ class UserServiceImpl(
 }

 override fun changePassword(userChangePasswordParam: UserChangePasswordParam) {
+ if (WebUtil.getLoginUserId() != 0L && userChangePasswordParam.id == 0L) {
+ throw AccessDeniedException("Access denied")
+ }
+
 val user = baseMapper.selectById(userChangePasswordParam.id)
 user?.let {
 val wrapper = KtUpdateWrapper(User())
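Review bot: The new guard at the top of `changePassword` protects only the account with id `0L`, and that id appears twice as a bare literal, so the rule that only the built-in admin may change its own password is neither named nor reusable. I would give it a name and document it, for example a file-level `private const val SUPER_ADMIN_ID = 0L` used as `if (userChangePasswordParam.id == SUPER_ADMIN_ID && WebUtil.getLoginUserId() != SUPER_ADMIN_ID)`, with a short KDoc on the method stating which caller may target which account. Any other method of this service that writes the password, roles or enabled state of user 0 is not visible in this patch and presumably needs the same check, otherwise this guard is the only place the restriction is enforced. The body of `changePassword` continues past the end of the hunk.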