From 323272b89b804749ad58a03eb00d87fcd281920c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B5=B5=E9=92=8A?=
Date: Fri, 10 Oct 2025 18:23:06 +0800
Subject: [PATCH] =?UTF-8?q?=E5=90=8E=E5=8F=B0=E7=94=A8=E6=88=B7=E5=AF=86?=
 =?UTF-8?q?=E7=A0=81=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/adminapi/controller/Admin.php | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/application/adminapi/controller/Admin.php b/application/adminapi/controller/Admin.php
index cfb5c81..9e25dfd 100644
--- a/application/adminapi/controller/Admin.php
+++ b/application/adminapi/controller/Admin.php
@@ -168,7 +168,7 @@ class Admin extends adminApi
 {
 if ($this->request->isPost()) {
 $params = $this->request->post();
- $group = $params['group'];
+ $group = $params['group']?? [];
 unset($params['group']);
 unset($params['__token__']);
 if ($params) {
@@ -199,18 +199,19 @@ class Admin extends adminApi
 // 先移除所有权限
 model('admin/AuthGroupAccess')->where('uid', $params['id'])->delete();
 
+ if(!empty($group)){
+ // 过滤不允许的组别,避免越权
+ $group = array_intersect($this->childrenGroupIds, $group);
+ if (!$group) {
+ return V(0,"失败", []);
+ }
 
- // 过滤不允许的组别,避免越权
- $group = array_intersect($this->childrenGroupIds, $group);
- if (!$group) {
- return V(0,"失败", []);
+ $dataset = [];
+ foreach ($group as $value) {
+ $dataset[] = ['uid' => $params['id'], 'group_id' => $value];
+ }
+ model('admin/AuthGroupAccess')->saveAll($dataset);
 }
-
- $dataset = [];
- foreach ($group as $value) {
- $dataset[] = ['uid' => $params['id'], 'group_id' => $value];
- }
- model('admin/AuthGroupAccess')->saveAll($dataset);
 Db::commit();
 return V(1,"成功", []);
 } catch (\Exception $e) {
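Review bot: The new `$params['group']?? []` default only covers a missing key; a scalar or string `group` value (e.g. `group=3` instead of `group[]=3`) still reaches `array_intersect($this->childrenGroupIds, $group)` in the second hunk, which throws a TypeError on PHP 8 that `catch (\Exception $e)` does not catch, and on PHP 7 emits a warning and yields null. Since this is the point where the untrusted value is read, reject non-arrays here rather than relying on `!empty()` later: `$group = $params['group'] ?? []; if (!is_array($group)) { return V(0,"失败", []); }`. The enclosing method starts and ends outside this hunk, so I cannot see whether a validate() rule already constrains the field; if it does, a one-line comment saying so would save the next reader the same check.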
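Review bot: The `->where('uid', $params['id'])->delete()` still runs before the `childrenGroupIds` intersection, so a request whose `group` list contains no permitted group hits `return V(0,"失败", [])` after the target user's memberships have already been removed, and that return leaves the transaction that `Db::commit()` finishes on the success path neither committed nor rolled back, because nothing was thrown and the catch block does not execute. The same ordering means an admin confined to `childrenGroupIds` can, if the target user holds memberships outside that set, strip them by submitting any single permitted group, which is the kind of over-reach the `避免越权` comment is meant to prevent. Move the intersection and its failure check ahead of the delete so nothing is written until the requested set is authorised, and make the failure path explicit: `Db::rollback(); return V(0,"失败", []);`. The new empty-`$group` path now commits a user with no groups at all; if that is the intended way to clear memberships, say so with `// an empty group list intentionally removes all memberships` above the `if(!empty($group))`. The enclosing method begins and ends outside this hunk.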