OpenIM Server Version
1.8.4
Operating System and CPU Architecture
Linux (AMD)
Deployment Method
Docker Deployment
Bug Description and Steps to Reproduce
Using the OpenIM business token of the current user xxx, one can directly query the profile of another real user, lll. The response returns phoneNumber, nickname, gender, birth, message settings and other fields, which shows that the interface returns profiles for whatever userIDs are passed in, without restricting them to the current user or to the scope of authorised relationships.
Screenshots Link
In the FindUserFullInfo function in internal/rpc/chat/user.go, add a permission check:

    func (o *chatSvr) FindUserFullInfo(ctx context.Context, req *chat.FindUserFullInfoReq) (*chat.FindUserFullInfoResp, error) {
        // Resolve the caller's identity and privilege level from the request context.
        opUserID, userType, err := mctx.Check(ctx)
        if err != nil {
            return nil, err
        }
        if len(req.UserIDs) == 0 {
            return nil, errs.ErrArgs.WrapMsg("UserIDs is empty")
        }
        // A normal user may only query their own information.
        if userType == constant.NormalUser {
            for _, userID := range req.UserIDs {
                if userID != opUserID {
                    return nil, errs.ErrNoPermission.WrapMsg("normal user can only query own info")
                }
            }
        }
        attributes, err := o.Database.FindAttribute(ctx, req.UserIDs)
        if err != nil {
            return nil, err
        }
        return &chat.FindUserFullInfoResp{Users: DbToPbUserFullInfos(attributes)}, nil
    }
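The following is an added, stand-alone Go example written for this page; it is not code from the OpenIM project or from the reporter. It isolates the object-level authorization decision the vulnerable handler lacks into a pure function so it can be tested offline, and goes one step beyond the fix above by allowing an "authorised relationship" scope (an injected friend check) and by redacting phoneNumber for anyone who is not the subject or an admin. The role constants, the RelationChecker type, the UserFullInfo struct and all sample IDs are assumptions for the example; the project's own names (mctx.Check, constant.NormalUser, errs.ErrNoPermission) are not used.

```go
package main

import (
	"errors"
	"fmt"
)

// Caller roles. Hypothetical names for this example; the project keeps its own
// constants (the fix above references constant.NormalUser).
const (
	RoleNormal = iota
	RoleAdmin
)

var (
	ErrEmptyUserIDs = errors.New("UserIDs is empty")
	ErrNoPermission = errors.New("no permission")
)

// UserFullInfo mirrors the fields reported as leaking. Constructed for this
// example; the real protobuf message carries more fields.
type UserFullInfo struct {
	UserID      string
	Nickname    string
	PhoneNumber string
	Gender      int32
	Birth       int64
}

// RelationChecker reports whether viewer may read target's profile, e.g. an
// accepted friend relationship. It is injected so the policy runs offline.
type RelationChecker func(viewer, target string) bool

// AuthorizeFullInfoQuery is the object-level authorization step missing from the
// vulnerable handler. Admins may look up any IDs; a normal user may look up only
// themselves and users inside the relationship scope. The whole batch is rejected
// if any ID fails, so a mixed request cannot be used to learn which IDs exist.
func AuthorizeFullInfoQuery(opUserID string, role int, requested []string, related RelationChecker) ([]string, error) {
	if len(requested) == 0 {
		return nil, ErrEmptyUserIDs
	}
	seen := make(map[string]struct{}, len(requested))
	ids := make([]string, 0, len(requested))
	for _, id := range requested { // de-duplicate, keeping request order
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		ids = append(ids, id)
	}
	if role == RoleAdmin {
		return ids, nil
	}
	for _, id := range ids {
		if id == opUserID || (related != nil && related(opUserID, id)) {
			continue
		}
		return nil, fmt.Errorf("%w: %s may not read the profile of %s", ErrNoPermission, opUserID, id)
	}
	return ids, nil
}

// Redact applies data minimisation on top of the authorization decision: only
// the subject themselves and admins receive PhoneNumber; a related user gets the
// remaining fields.
func Redact(info UserFullInfo, opUserID string, role int) UserFullInfo {
	if role == RoleAdmin || info.UserID == opUserID {
		return info
	}
	info.PhoneNumber = ""
	return info
}

func main() {
	// Constructed sample data: xxx is friends with aaa, nobody is friends with lll.
	friends := map[string]bool{"xxx|aaa": true}
	related := func(viewer, target string) bool { return friends[viewer+"|"+target] }

	for _, req := range [][]string{{"xxx"}, {"xxx", "aaa"}, {"lll"}, {}} {
		ids, err := AuthorizeFullInfoQuery("xxx", RoleNormal, req, related)
		fmt.Printf("normal user xxx requests %v -> ids=%v err=%v\n", req, ids, err)
	}
	ids, err := AuthorizeFullInfoQuery("admin1", RoleAdmin, []string{"lll", "lll"}, related)
	fmt.Printf("admin requests lll twice -> ids=%v err=%v\n", ids, err)

	fmt.Printf("%+v\n", Redact(UserFullInfo{UserID: "aaa", Nickname: "A", PhoneNumber: "+10000"}, "xxx", RoleNormal))
}
```

Rejecting the whole batch rather than silently filtering it is a deliberate choice: a filtered response lets a client distinguish "not authorised" from "does not exist" by comparing the number of returned entries, which is a user-enumeration oracle. Whichever variant is used, the check belongs in the RPC handler itself, not only in the HTTP gateway, because the RPC can be reached by other internal callers.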