安全修复: - 创建 UserSelfUpdate schema,禁止用户修改自己的 role 和 is_active - /users/me 端点现在使用 UserSelfUpdate 而非 UserUpdate 安全增强: - 添加 SecurityHeadersMiddleware 中间件 - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy: 禁用敏感功能 - Cache-Control: API响应不缓存
@@ -13,7 +13,7 @@ from app.core.logger import logger
|
||||
from app.models.user import User
|
||||
from app.schemas.base import PaginatedResponse, PaginationParams, ResponseModel
|
||||
from app.schemas.user import User as UserSchema
|
||||
from app.schemas.user import UserCreate, UserFilter, UserPasswordUpdate, UserUpdate
|
||||
from app.schemas.user import UserCreate, UserFilter, UserPasswordUpdate, UserUpdate, UserSelfUpdate
|
||||
from app.services.user_service import UserService
|
||||
from app.services.system_log_service import system_log_service
|
||||
from app.schemas.system_log import SystemLogCreate
|
||||
@@ -157,7 +157,7 @@ async def get_recent_exams(
|
||||
|
||||
@router.put("/me", response_model=ResponseModel)
|
||||
async def update_current_user(
|
||||
user_in: UserUpdate,
|
||||
user_in: UserSelfUpdate,
|
||||
current_user: dict = Depends(get_current_active_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
) -> ResponseModel:
|
||||
@@ -165,6 +165,7 @@ async def update_current_user(
|
||||
更新当前用户信息
|
||||
|
||||
权限:需要登录
|
||||
注意:用户只能修改自己的基本信息,不能修改角色(role)和激活状态(is_active)
|
||||
"""
|
||||
user_service = UserService(db)
|
||||
user = await user_service.update_user(
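Review bot: The guarantee written into the docstring at L67 — that a user cannot change `role` or `is_active` through `/users/me` — rests entirely on what `UserSelfUpdate` declares, and nothing in this endpoint enforces it; if the schema is defined in its sibling file with Pydantic's default `extra="ignore"`, a request that still sends `role` is silently accepted with the field dropped, so a client probing for the old behaviour gets a 200 and no signal is left for monitoring. Consider making the schema strict so such attempts fail loudly: on Pydantic v2 `model_config = ConfigDict(extra="forbid")` on `UserSelfUpdate` (or `class Config: extra = "forbid"` on v1), which turns a smuggled `role` into a 422. The `update_user(` call at L76 continues outside this hunk, so whether the service applies only the fields actually sent (e.g. `exclude_unset=True`) or copies every schema attribute cannot be confirmed from here — worth checking, since an optional field defaulting to `None` could otherwise overwrite existing data. The docstring could also say this explicitly: `注意:role/is_active 的限制由 UserSelfUpdate schema 强制执行,schema 中不得声明这两个字段`.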
|
||||
|
||||