CVE-2023-38989: Regular users can delete invisible administrator information · Issue #518 · thinkgem/jeesite
An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator’s role information.
The administrator role is not visible to regular users, but a regular user can still delete the administrator's role information by supplying its `id` directly. The following shows a regular user requesting the URL http://localhost:8080/jeesite/a/sys/user/delete?id=2 to delete the role information of the administrator with ID 2.
The problematic code is in the `delete` function of the `UserController` class in `com.thinkgem.jeesite.modules.sys.web`.
Visible to administrators (screenshot).
Sending a request that attempts to delete the record with ID 2 and username "sd_admin" belonging to the Shandong Provincial Headquarters.
Deletion successful.
After logging in as an administrator, the role with the login name "ad_admin" is seen to have been deleted.
The problematic code (screenshot).
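The root cause described above is that the list view hides the administrator from regular users while the delete-by-id path never re-applies that rule. The following is an added illustration, not jeesite's own code, of a delete handler that enforces the same visibility check on the write path; every class and method name in it is hypothetical.

```java
// Added example (not from jeesite): gate delete-by-id with the same data-scope
// rule that filters the user list, and check it against the stored record,
// never against request parameters. All names here are hypothetical.
import java.util.HashMap;
import java.util.Map;

public class UserDeleteGuard {

    /** Minimal user record for the example. */
    public static final class User {
        final String id; final String loginName; final boolean admin; final String officeId;
        User(String id, String loginName, boolean admin, String officeId) {
            this.id = id; this.loginName = loginName; this.admin = admin; this.officeId = officeId;
        }
    }

    /** Raised when the caller may not act on the target; would map to HTTP 403. */
    public static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Map<String, User> users = new HashMap<>();

    public void add(User u) { users.put(u.id, u); }
    public boolean exists(String id) { return users.containsKey(id); }

    /** Data-scope rule: an administrator sees everyone; others see only their own office. */
    boolean canSee(User caller, User target) {
        return caller.admin || caller.officeId.equals(target.officeId);
    }

    /** Delete by id, applying the list view's visibility rule before any write. */
    public void delete(User caller, String targetId) {
        User target = users.get(targetId);
        if (target == null || !canSee(caller, target)) {
            // Same response for "unknown id" and "out of scope", so the endpoint
            // cannot be used to confirm that a hidden account exists.
            throw new AccessDeniedException("user not found or not in scope: " + targetId);
        }
        if (target.admin) {
            throw new AccessDeniedException("administrator accounts cannot be deleted here");
        }
        if (target.id.equals(caller.id)) {
            throw new AccessDeniedException("cannot delete the current user");
        }
        users.remove(targetId);
    }
}
```

With this check, a regular user in one office requesting deletion of an administrator in another office receives the same denial as for a non-existent id, and the record stays intact.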