Fixed Order & Ticket IDOR

Solves the 2nd and 3rd problems from #292.
This commit is contained in:
BrettonYe
2026-03-15 22:42:59 +08:00
parent cd6d10b3db
commit f8cb2b9062
4 changed files with 30 additions and 1 deletions


@@ -13,6 +13,7 @@ use Illuminate\Validation\ValidationException;
use Log;
use ReflectionException;
use Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Throwable;
@@ -77,6 +78,12 @@ class Handler extends ExceptionHandler
return Response::json(['status' => 'fail', 'message' => trans('http-statuses.401')], 401);
}
return Response::view('auth.error', ['message' => trans('http-statuses.401')], 401);
case $exception instanceof AccessDeniedHttpException: // 捕获权限拒绝异常
if ($request->ajax() || $request->wantsJson()) {
return Response::json(['status' => 'fail', 'message' => trans('http-statuses.401')], 401);
}
return Response::view('auth.error', ['message' => trans('http-statuses.401')], 401);
case $exception instanceof TokenMismatchException: // 捕获CSRF异常
if ($request->ajax() || $request->wantsJson()) {
@@ -114,6 +121,12 @@ class Handler extends ExceptionHandler
}
return Response::view('auth.error', ['message' => $exception->getMessage()], 408);
default:
if ($request->ajax() || $request->wantsJson()) {
return Response::json(['status' => 'fail', 'message' => $exception->getMessage()], 400);
}
return Response::view('auth.error', ['message' => $exception->getMessage()], 400);
}
}
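Review bot: The new `AccessDeniedHttpException` case at the start of the second hunk answers with status 401 and the `http-statuses.401` text, but an access-denied exception means the caller is already authenticated and merely not permitted, which is 403 Forbidden; answering 401 can make API clients discard their session and re-authenticate. Provided the translation file has a 403 entry, the two returns should read `return Response::json(['status' => 'fail', 'message' => trans('http-statuses.403')], 403);` and `return Response::view('auth.error', ['message' => trans('http-statuses.403')], 403);`. The `default` branch in the third hunk also sends `$exception->getMessage()` to the client for every otherwise unmatched exception; if that branch can receive framework or database exceptions rather than only domain ones, the message should be replaced with a generic text outside debug mode. The enclosing method starts and ends outside these hunks, and the page appears to omit a few hunk lines, so the exact set of added lines is inferred.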


@@ -185,6 +185,10 @@ class PaymentController extends Controller
public function close(Order $order): JsonResponse
{
if ($order->user_id !== auth()->id()) {
return response()->json(['status' => 'fail', 'message' => trans('http-statuses.401')]);
}
if (! $order->close()) {
return response()->json(['status' => 'fail', 'message' => trans('common.failed_action_item', ['action' => trans('common.close'), 'attribute' => trans('model.order.attribute')])]);
}
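Review bot: The ownership guard added to `close` returns its `'fail'` JSON through `response()->json(...)` with no status argument, so the refusal leaves as HTTP 200 and a client that branches on the HTTP status rather than the body's `status` field treats it as success; the same shape is repeated in `TicketController::reply` and `TicketController::close`. Since this commit also teaches `Handler` to render `AccessDeniedHttpException`, the consistent form is to throw it (`throw new AccessDeniedHttpException();` with the matching `use` import) and let the handler choose JSON or view, or at least pass `403` as the second argument to `response()->json(...)`. The strict `!==` only holds if `user_id` is cast to the same scalar type as `auth()->id()`; if the model does not cast it, the owner is rejected as well, so this is worth confirming against the model's casts. `close` continues past the hunk.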


@@ -47,6 +47,10 @@ class TicketController extends Controller
public function edit(Ticket $ticket): View
{ // 回复工单
if ($ticket->user_id !== auth()->id()) {
abort(404, trans('http-statuses.404'));
}
$replyList = $ticket->reply()
->with('ticket:id,status', 'admin:id,username,qq', 'user:id,username,qq')
->oldest()
@@ -57,6 +61,10 @@ class TicketController extends Controller
public function reply(Request $request, Ticket $ticket): JsonResponse
{
if ($ticket->user_id !== auth()->id()) {
return response()->json(['status' => 'fail', 'message' => trans('http-statuses.401')]);
}
$validatedData = $request->validate([
'content' => 'required|string|max:300',
]);
@@ -84,6 +92,10 @@ class TicketController extends Controller
public function close(Ticket $ticket): JsonResponse
{ // 关闭工单
if ($ticket->user_id !== auth()->id()) {
return response()->json(['status' => 'fail', 'message' => trans('http-statuses.401')]);
}
if ($ticket->close()) {
return response()->json([
'status' => 'success',
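Review bot: The three guards in this section give a non-owner different answers: `edit` aborts with 404, while `reply` and `close` return a JSON body carrying the 401 message (and, with no status argument, HTTP 200), so the response shape alone tells a caller whether a ticket id exists on one path but not the other; pick one answer for all three, for example `abort(404, trans('http-statuses.404'));` in `reply` and `close` as well. Copying the comparison into each action also invites drift; a ticket policy invoked via `$this->authorize(...)`, or scoping the route-model binding to the authenticated user's tickets, would keep the rule in one place. All three methods continue past their hunks.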


@@ -246,7 +246,7 @@ function handleErrors(xhr, options = {}) {
}
// 其它错误
const errorMessage = xhr.responseJSON?.message || xhr.statusText;
const errorMessage = xhr.responseJSON?.message || xhr?.message || xhr.statusText;
// 提取公共的 showMessage 调用
const showMessageOptions = {title: errorMessage, icon: "error"};
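Review bot: The new fallback `xhr?.message` guards against `xhr` being nullish, but `xhr.responseJSON?.message` before it and `xhr.statusText` after it on the same line dereference `xhr` unguarded, so the `?.` can never take effect; either the argument can be nullish and the whole chain should be `const errorMessage = xhr?.responseJSON?.message || xhr?.message || xhr?.statusText;`, or it cannot and the `?.` should be dropped. If `.message` is meant to cover a plain `Error` being passed where a jqXHR is expected, a one-line comment such as `// xhr may also be a thrown Error` would spare the next reader the guess. `handleErrors` starts before and continues past the hunk.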