
1、修改登录查询中积分与签到信息BUG;
2、为POST类接口增加Token与UserID一致性判断。

zhou.xiaoning 3 лет назад
Родитель
Сommit
87d470ea91
4 измененных файлов с 31 добавлено и 8 удалено
  1. 7 0
      controllers/ferroalloy/score.go
  2. 2 2
      models/account.go
  3. 7 0
      models/ferroalloy.go
  4. 15 6
      token/token.go

+ 7 - 0
controllers/ferroalloy/score.go

@@ -24,6 +24,13 @@ func Signin(c *gin.Context) {
 	m := models.THJSigninReq{}
 	a.DoBindReq(&m)
 
+	// 判断Token与UserID是否对应
+	userID, exists := c.Get("requserid")
+	if !exists || userID != m.USERID {
+		a.Response(http.StatusBadRequest, e.ERROR_OPERATION_FAILED, nil)
+		return
+	}
+
 	if rsp, err := m.Signin(); err == nil {
 		a.Response(http.StatusOK, e.SUCCESS, rsp)
 	} else {
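Review bot: The new comparison `userID != m.USERID` puts an `any` holding a string (token.go initialises the value it stores with `userID := ""`) against the request's numeric USERID (`int(r.USERID)` in ferroalloy.go shows it is numeric), and interface values with different dynamic types are never equal, so as written every sign-in request appears to be rejected rather than verified. Fail-closed is the right default for this check, but it should normalise the types first, e.g. `uid, _ := userID.(string)` and `if !exists || uid != strconv.FormatInt(int64(m.USERID), 10) {` (needs `strconv` imported; assumes USERID is an integer type, confirm against THJSigninReq). A 403 would describe a token/user mismatch more precisely than 400, while keeping the generic ERROR_OPERATION_FAILED body so the response does not reveal which check failed. Signin's body continues outside the hunk.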

+ 2 - 2
models/account.go

@@ -656,14 +656,14 @@ func GetUserAccount(userID int) (*Useraccount, error) {
 	}
 	t1 := new(tmp1)
 	sql = fmt.Sprintf("select t.CURSCORE from THJ_USERSCORE t where t.USERID = %v", userAccount.Userid)
-	if _, err := engine.SQL(sql).Get(t); err != nil {
+	if _, err := engine.SQL(sql).Get(t1); err != nil {
 		return nil, err
 	}
 	userAccount.CURSCORE = t1.CURSCORE
 
 	// 今日是否已签到
 	p := new(Thjsignin)
-	userAccount.IsSigned, _ = engine.Where("userid = ?", userAccount.Userid).And("tradedate = to_char(sysdate, 'yyyymmdd')").Get(&p)
+	userAccount.IsSigned, _ = engine.Where("userid = ?", userAccount.Userid).And("tradedate = to_char(sysdate, 'yyyymmdd')").Get(p)
 
 	return &userAccount, nil
 }
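Review bot: The corrected `Get(p)` call still discards its error with `_`, so a database failure silently leaves `userAccount.IsSigned` false, whereas the CURSCORE query a few lines above returns the error; the two lookups should fail the same way so the account view does not report "not signed in" when the lookup itself failed. Suggest `has, err := engine.Where("userid = ?", userAccount.Userid).And("tradedate = to_char(sysdate, 'yyyymmdd')").Get(p)` followed by `if err != nil { return nil, err }` and `userAccount.IsSigned = has`. As context, the CURSCORE query in this hunk is built with `fmt.Sprintf("... %v", userAccount.Userid)` while the sign-in lookup uses a `?` placeholder; Userid appears to be an int here so the risk is low, but using the placeholder form for both keeps the function consistent. GetUserAccount begins before this hunk.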

+ 7 - 0
models/ferroalloy.go

@@ -97,6 +97,13 @@ func (r *THJSigninReq) Signin() (rsp *THJSigninRsp, err error) {
 
 	engine := db.GetEngine()
 
+	// 获取目标用户信息
+	if u, err := GetUserInfo(int(r.USERID)); err != nil || u == nil {
+		logger.GetLogger().Errorf("Thjsignin failed: %s", err.Error())
+		err = errors.New("错误的用户ID")
+		return nil, err
+	}
+
 	// 判断目标用户当日是否已经签到
 	p := new(Thjsignin)
 	if has, err := engine.Where("userid = ?", r.USERID).And("tradedate = to_char(sysdate, 'yyyymmdd')").Get(p); err != nil {
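Review bot: In the new guard, the condition `err != nil || u == nil` reaches `err.Error()` on the log line when GetUserInfo returns a nil user together with a nil error, which dereferences a nil interface and panics inside the sign-in path. Logging with `%v` avoids that and the separate assignment to the shadowed inner `err` becomes unnecessary: `logger.GetLogger().Errorf("Thjsignin failed: %v", err)` then `return nil, errors.New("错误的用户ID")`. Whether GetUserInfo can actually return (nil, nil) is not visible here; if it never does, the `u == nil` clause is dead and could be dropped instead. Signin's body begins and ends outside the hunk.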

+ 15 - 6
token/token.go

@@ -17,7 +17,7 @@ import (
 var TouristToken string = "c886a057f3d820d4dbc41473686c7c2d"
 
 // CheckToken Token校验
-func CheckToken(loginid string, token string, group string) error {
+func CheckToken(loginid string, token string, group string) (string, error) {
 	key := ""
 	if len(group) == 0 {
 		key = fmt.Sprintf("monitor:online_loginid::%s", loginid)
@@ -29,14 +29,17 @@ func CheckToken(loginid string, token string, group string) error {
 
 	realToken, err := rediscli.GetRedisClient().HGet(key, field).Result()
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	if realToken != token {
-		return errors.New("token is invalid")
+		return "", errors.New("token is invalid")
 	}
 
-	return nil
+	// 获取UserID
+	userID, err := rediscli.GetRedisClient().HGet(key, "UserID").Result()
+
+	return userID, err
 }
 
 // CheckNewToken 新接入服务Token校验
@@ -74,6 +77,7 @@ func Auth() gin.HandlerFunc {
 
 		var code int
 		var data interface{}
+		userID := ""
 
 		code = e.SUCCESS
 		token := c.GetHeader("Authorization")
@@ -93,7 +97,9 @@ func Auth() gin.HandlerFunc {
 				if len(s) == 3 {
 					group = s[2]
 				}
-				if err := CheckToken(loginid, token, group); err != nil {
+				var err error
+				userID, err = CheckToken(loginid, token, group)
+				if err != nil {
 					// Token错误
 					code = e.ERROR_AUTH_CHECK_TOKEN_FAIL
 				}
@@ -120,6 +126,9 @@ func Auth() gin.HandlerFunc {
 		}
 
 		// FIXME: - 针对POST接口,应判断传入TOKEN对应的用户是否正确(比如判断UserID或AccountID是否对得上等),后期处理
+		if c.Request.Method == "POST" {
+			c.Set("requserid", userID)
+		}
 
 		// Token检验成功
 		c.Next()
@@ -201,7 +210,7 @@ func realToken(c *gin.Context) {
 		if len(s) == 3 {
 			group = s[2]
 		}
-		if err := CheckToken(loginid, token, group); err != nil {
+		if _, err := CheckToken(loginid, token, group); err != nil {
 			// Token错误
 			code = e.ERROR_AUTH_CHECK_TOKEN_FAIL
 		}
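Review bot: CheckToken's new second lookup turns any failure of `HGet(key, "UserID")` into a token-check failure after the token itself has already matched, and Auth maps that error to ERROR_AUTH_CHECK_TOKEN_FAIL, so a session hash without a UserID field (for instance one written by a login path that does not store it — not visible here) becomes indistinguishable from a wrong token. Either return the matched-token result with an empty userID and let the handler's fail-closed check reject the request, or make sure every login writer stores UserID and document the contract on CheckToken, e.g. `// CheckToken validates token against the session hash and returns the UserID stored alongside it; a missing UserID field is an error.` In Auth, `userID` stays "" when the request was authenticated by a branch that does not call CheckToken (the CheckNewToken and tourist-token branches are outside these hunks), so handlers reading "requserid" must treat "" as unknown rather than as a match, which is worth a comment on the new `c.Set("requserid", userID)` line. The FIXME comment directly above that block now describes what this commit implements and should be reduced to a note pointing at the handler-side comparison. Auth's and realToken's bodies extend beyond the hunks.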