fix 订单修改orderCode漏洞问题

姜枫
Commit 52490a413984c1457340416c5356dcc1f69617c5 1 parent 799e1fce
Showing 3 changed files with 3 additions and 2 deletions
apps/me/controllers/order.js
apps/me/views/partial/order/detail/order-status.hbs
public/js/me/order-detail.page.js
--- a/apps/me/controllers/order.js
View file @52490a4
+++ b/apps/me/controllers/order.js
View file @52490a4
@@ -129,6 +129,7 @@ const editOrder = (req, res, next) => {
     const query = req.query;
 
     query.uid = uid;
+     query.orderCode = crypto.decrypt(config.crypto.common, query.orderCode);
 
     orderModel.editOrder(query).then(result => {
         res.json(result);
--- a/apps/me/views/partial/order/detail/order-status.hbs
View file @52490a4
+++ b/apps/me/views/partial/order/detail/order-status.hbs
View file @52490a4
- <div class="order-status order" data-code="{{orderCode}}" >
+ <div class="order-status order" data-code="{{orderCode}}" data-codem="{{orderCodeM}}">
     <div class="basic">
         <p>订单号：{{orderCode}}</p>
         <p>订单状态：{{statusStr}}</p>
--- a/public/js/me/order-detail.page.js
View file @52490a4
+++ b/public/js/me/order-detail.page.js
View file @52490a4
@@ -26,7 +26,7 @@ $('.order .cancel-btn').on('click', function() {
 $('.order .edit-btn').on('click', function() {
     var $this = $(this);
     var $userInfo = $('.user-info.info-box');
-     var code = $this.closest('.order').data('code');
+     var code = $this.closest('.order').data('codem');
 
     var areaCode = $userInfo.data('area');
     var userName = $userInfo.find('.user-name-sel').data('name');