历史消息漏洞修改、uid删除暴露

@@ -42,7 +42,6 @@ exports.page = (req, res, next) => {
                 imCs: global.yoho.config.domains.imCs,
                 imCs: global.yoho.config.domains.imCs,
                 imSocket: global.yoho.config.domains.imSocket,
                 imSocket: global.yoho.config.domains.imSocket,
                 userData: {
                 userData: {
-                    uid: uid,
                     encrypteduid: crypto.encryption(null, uid + ''),
                     encrypteduid: crypto.encryption(null, uid + ''),
                     avatar: helpers.image(userinfo.head_ico, 100, 100),
                     avatar: helpers.image(userinfo.head_ico, 100, 100),
                     uname: userinfo.profile_name
                     uname: userinfo.profile_name
@@ -80,15 +79,10 @@ exports.getOrders = (req, res, next) => {
  *
  *
  */
  */
 exports.fetchHistory = (req, res) => {
 exports.fetchHistory = (req, res) => {
-    let uid = req.user.uid;
-
-    if (!uid) {
-        uid = req.query.uid;
-    }
-
-    const endTime = req.query.endTime;
+    const encryptedUid = req.body.encryptedUid;
+    const endTime = req.body.endTime;
 
 
-    imApi.fetchImHistory(uid, endTime).then(result => {
+    imApi.fetchImHistory(encryptedUid, endTime).then(result => {
         res.json(result);
         res.json(result);
     });
     });
 };
 };
@@ -115,16 +109,11 @@ exports.msghistory = (req, res) => {
  *      content    留言内容
  *      content    留言内容
  */
  */
 exports.saveMSG = (req, res) => {
 exports.saveMSG = (req, res) => {
-    let uid = req.user.uid;
-
-    if (!uid) {
-        uid = req.body.uid;
-    }
-
+    let encryptedUid = req.body.encryptedUid;
     const conversationId = req.body.conversationId;
     const conversationId = req.body.conversationId;
     const content = req.body.content;
     const content = req.body.content;
 
 
-    imApi.saveMessage(uid, conversationId, content)
+    imApi.saveMessage(encryptedUid, conversationId, content)
         .then(result => {
         .then(result => {
             res.json(result);
             res.json(result);
         });
         });
@@ -139,14 +128,9 @@ exports.saveMSG = (req, res) => {
  *      2.  失败情况
  *      2.  失败情况
  */
  */
 exports.fetchOrders = (req, res) => {
 exports.fetchOrders = (req, res) => {
-    let uid = req.user.uid;
+    let encryptedUid = req.body.encryptedUid;
 
 
-    if (!uid) {
-        uid = req.query.uid;
-    }
-
-
-    imApi.fetchOrderList(uid)
+    imApi.fetchOrderList(encryptedUid)
         .then(result => {
         .then(result => {
             imModel.handleOrderList(result.data, 128, 170);
             imModel.handleOrderList(result.data, 128, 170);
             res.json(result);
             res.json(result);
@@ -159,19 +143,13 @@ exports.fetchOrders = (req, res) => {
 };
 };
 
 
 exports.saveEvalute = (req, res) => {
 exports.saveEvalute = (req, res) => {
-    let uid = req.user.uid;
-
-    if (!uid) {
-        uid = req.body.uid;
-    }
-
-
+    const encryptedUid = req.body.encryptedUid;
     const conversationId = req.body.conversationId;
     const conversationId = req.body.conversationId;
     const promoter = req.body.promoter;
     const promoter = req.body.promoter;
     const stars = req.body.stars;
     const stars = req.body.stars;
     const reasonMsg = req.body.reasonMsg || '';
     const reasonMsg = req.body.reasonMsg || '';
 
 
-    imApi.saveEvalute(uid, conversationId, promoter, stars, reasonMsg)
+    imApi.saveEvalute(encryptedUid, conversationId, promoter, stars, reasonMsg)
         .then(result => {
         .then(result => {
             return res.json(result);
             return res.json(result);
         }).catch(() => {
         }).catch(() => {
@@ -184,12 +162,7 @@ exports.saveEvalute = (req, res) => {
 
 
 
 
 exports.queryGlobalOrder = (req, res) => {
 exports.queryGlobalOrder = (req, res) => {
-    let uid = req.user.uid;
-
-    if (!uid) {
-        uid = req.query.uid;
-    }
-
+    let encryptedUid = req.body.encryptedUid;
 
 
     let emptyOrder = {
     let emptyOrder = {
         code: 200,
         code: 200,
@@ -197,7 +170,7 @@ exports.queryGlobalOrder = (req, res) => {
         message: '获取失败'
         message: '获取失败'
     };
     };
 
 
-    imApi.queryGlobalOrder(uid)
+    imApi.queryGlobalOrder(encryptedUid)
         .then(result=> {
         .then(result=> {
             imModel.handleOrderList(result.data, 128, 170);
             imModel.handleOrderList(result.data, 128, 170);
             res.json(result);
             res.json(result);

@@ -16,15 +16,15 @@ const encryptedUid = uid => crypto.encryption(null, uid + '');
  *  新建留言信息
  *  新建留言信息
  *  path: {host}/leavemessage/saveLeavemessage
  *  path: {host}/leavemessage/saveLeavemessage
  *
  *
- *  @param {int} uid 用户id
+ *  @param {int} encryptedUid 加密用户id
  *  @param {int} conversationId 会话id
  *  @param {int} conversationId 会话id
  *  @param {str} content 留言内容
  *  @param {str} content 留言内容
  */
  */
-exports.saveMessage = (uid, conversationId, content) => {
+exports.saveMessage = (encryptedUid, conversationId, content) => {
     let params = {
     let params = {
         conversationId,
         conversationId,
         content,
         content,
-        encryptedUid: encryptedUid(uid)
+        encryptedUid
     };
     };
 
 
 
 
@@ -35,17 +35,17 @@ exports.saveMessage = (uid, conversationId, content) => {
 
 
 /**
 /**
  *  查询用户聊天记录
  *  查询用户聊天记录
- *  @param {int} uid 用户uid
+ *  @param {string} encryptedUid 加密用户uid
  *  @param [int] pageSize 每次加载的聊天记录
  *  @param [int] pageSize 每次加载的聊天记录
  *  @param [int] startTime
  *  @param [int] startTime
  *  @param [int] endTime
  *  @param [int] endTime
  */
  */
-exports.fetchImHistory = (uid, endTime, pageSize, startTime) => {
+exports.fetchImHistory = (encryptedUid, endTime, pageSize, startTime) => {
     pageSize = pageSize || 10;
     pageSize = pageSize || 10;
 
 
     let params = {
     let params = {
         pageSize,
         pageSize,
-        encryptedUid: encryptedUid(uid)
+        encryptedUid
     };
     };
 
 
     _.forEach({startTime, endTime}, (val, key) => {
     _.forEach({startTime, endTime}, (val, key) => {
@@ -67,12 +67,12 @@ exports.fetchImHistory = (uid, endTime, pageSize, startTime) => {
 
 
 /**
 /**
  *  获取用户订单, 默认最近10笔
  *  获取用户订单, 默认最近10笔
- *  @param {int} uid 用户uid
+ *  @param {string} encryptedUid 用户加密uid
  *  @param {init} createTimeBegin 开始时间
  *  @param {init} createTimeBegin 开始时间
  */
  */
-exports.fetchOrderList = (uid, createTimeBegin) => {
+exports.fetchOrderList = (encryptedUid, createTimeBegin) => {
     let params = {
     let params = {
-        encryptedUid: encryptedUid(uid),
+        encryptedUid,
         imgSize: '90x120',
         imgSize: '90x120',
     };
     };
 
 
@@ -105,10 +105,10 @@ exports.fetchOrderList = (uid, createTimeBegin) => {
 | reasonMsg      | string | N    | 其他原因            |
 | reasonMsg      | string | N    | 其他原因            |
 
 
  */
  */
-exports.saveEvalute = (uid, conversationId, promoter, stars, reasonMsg) => {
+exports.saveEvalute = (encryptedUid, conversationId, promoter, stars, reasonMsg) => {
     let params = {
     let params = {
         conversationId,
         conversationId,
-        encryptedUid: encryptedUid(uid),
+        encryptedUid,
         promoter,
         promoter,
         stars,
         stars,
         reasonMsg
         reasonMsg
@@ -122,9 +122,9 @@ exports.saveEvalute = (uid, conversationId, promoter, stars, reasonMsg) => {
  *  获取全球购的订单
  *  获取全球购的订单
  */
  */
 
 
-exports.queryGlobalOrder = uid => {
+exports.queryGlobalOrder = encryptedUid => {
     let params = {
     let params = {
-        encryptedUid: encryptedUid(uid)
+        encryptedUid
     };
     };
 
 
     return ImService.post('/api/order/queryGlobalOrder', params);
     return ImService.post('/api/order/queryGlobalOrder', params);

@@ -62,7 +62,6 @@
 
 
 <input type="hidden" id="js-im" name="im-server" value="{{imCs}}">
 <input type="hidden" id="js-im" name="im-server" value="{{imCs}}">
 {{#with userData}}
 {{#with userData}}
-<input type="hidden" id="js-uid" value="{{uid}}">
 <input type="hidden" id="js-eid" value="{{encrypteduid}}">
 <input type="hidden" id="js-eid" value="{{encrypteduid}}">
 <input type="hidden" id="js-avatar" value="{{avatar}}">
 <input type="hidden" id="js-avatar" value="{{avatar}}">
 <input type="hidden" id="js-uname" value="{{uname}}">
 <input type="hidden" id="js-uname" value="{{uname}}">

@@ -39,7 +39,6 @@ const msgTypeMap = {
 };
 };
 
 
 let userName = $('#js-uname').val();
 let userName = $('#js-uname').val();
-let uid = $('#js-uid').val() || 0;
 let encryptedUid = cmEntity.encryptedUid = $('#js-eid').val() || 0;
 let encryptedUid = cmEntity.encryptedUid = $('#js-eid').val() || 0;
 let userAvatar = cmEntity.userHead = socketConf.defaultUserHead;
 let userAvatar = cmEntity.userHead = socketConf.defaultUserHead;
 
 
@@ -267,7 +266,6 @@ var chat = {
 
 
         this.$ratingView.on('click', '.submit', function() {
         this.$ratingView.on('click', '.submit', function() {
             self.ratingView.post({
             self.ratingView.post({
-                uid,
                 encryptedUid,
                 encryptedUid,
                 conversationId: cmEntity.conversationId,
                 conversationId: cmEntity.conversationId,
             });
             });
@@ -762,7 +760,7 @@ var chat = {
             return $.Deferred().resolve(false); // eslint-disable-line
             return $.Deferred().resolve(false); // eslint-disable-line
         }
         }
 
 
-        return api.msghistory(uid, encryptedUid, msgHistory.endTime)
+        return api.msghistory(encryptedUid, msgHistory.endTime)
             .done(function(result) {
             .done(function(result) {
                 if (!result || result.code !== 200 || !result.data) {
                 if (!result || result.code !== 200 || !result.data) {
                     return false;
                     return false;

@@ -5,7 +5,7 @@ const socketConf = require('./socket-config');
 const conversation = socketConf.conversationMessage;
 const conversation = socketConf.conversationMessage;
 const slice = Array.prototype.slice;
 const slice = Array.prototype.slice;
 
 
-let uid = $('#js-uid').val();
+let encryptedUid = $('#js-eid').val();
 
 
 // EventEmitter
 // EventEmitter
 //--------------------------------------------------------
 //--------------------------------------------------------
@@ -55,7 +55,7 @@ let api = {
         return $.post('/service/leavemsg/save.json', {
         return $.post('/service/leavemsg/save.json', {
             conversationId: conversation.conversationId,
             conversationId: conversation.conversationId,
             content,
             content,
-            uid
+            encryptedUid
         });
         });
     },
     },
 
 
@@ -67,11 +67,11 @@ let api = {
     fetchOrders: function(type) {
     fetchOrders: function(type) {
         let url = `/service/im/${type}-list`;
         let url = `/service/im/${type}-list`;
 
 
-        return $.post(url, {uid});
+        return $.post(url, {encryptedUid});
     },
     },
 
 
     // 获取10条历史记录
     // 获取10条历史记录
-    msghistory: function(uid, encryptedUid, endTime) {
+    msghistory: function(encryptedUid, endTime) {
         let url = '/service/im/fetchHistory';
         let url = '/service/im/fetchHistory';
         let data = {
         let data = {
             encryptedUid
             encryptedUid
@@ -83,7 +83,7 @@ let api = {
     },
     },
 
 
     saveEvalute: function(data) {
     saveEvalute: function(data) {
-        data.uid = uid;
+        data.encryptedUid = encryptedUid;
         return $.post('/service/im/saveEvalute', data);
         return $.post('/service/im/saveEvalute', data);
     },
     },