🐛 Fix set avatar cause group permission leaked to personal

2025-03-25 21:48:51 +08:00 · 2025-03-25 21:48:51 +08:00 · 742edaa9e2
commit 742edaa9e2
parent 9712119238
3 changed files with 4 additions and 8 deletions
--- a/pkg/internal/web/api/accounts_api.go
+++ b/pkg/internal/web/api/accounts_api.go
@ -113,7 +113,7 @@ func getUserinfo(c *fiber.Ctx) error {
 	return c.JSON(resp)
 }

-func updateUserinfo(c *fiber.Ctx) error {
+func editUserinfo(c *fiber.Ctx) error {
 	if err := exts.EnsureAuthenticated(c); err != nil {
 		return err
 	}
--- a/pkg/internal/web/api/avatar_api.go
+++ b/pkg/internal/web/api/avatar_api.go
@ -26,9 +26,7 @@ func setAvatar(c *fiber.Ctx) error {
 	}

 	og := user.Avatar
-	user.Avatar = &data.AttachmentID
-
-	if err := database.C.Save(&user).Error; err != nil {
+	if err := database.C.Model(&user).Update("avatar", data.AttachmentID).Error; err != nil {
 		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
 	} else {
 		services.AddEvent(user.ID, "profile.edit.avatar", nil, c.IP(), c.Get(fiber.HeaderUserAgent))
@ -64,9 +62,7 @@ func setBanner(c *fiber.Ctx) error {
 	}

 	og := user.Banner
-	user.Banner = &data.AttachmentID
-
-	if err := database.C.Save(&user).Error; err != nil {
+	if err := database.C.Model(&user).Update("banner", data.AttachmentID).Error; err != nil {
 		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
 	} else {
 		services.AddEvent(user.ID, "profile.edit.banner", nil, c.IP(), c.Get(fiber.HeaderUserAgent))
--- a/pkg/internal/web/api/index.go
+++ b/pkg/internal/web/api/index.go
@ -67,7 +67,7 @@ func MapControllers(app *fiber.App, baseURL string) {

 			me.Get("/", getUserinfo)
 			me.Get("/oidc", getUserinfoForOidc)
-			me.Put("/", updateUserinfo)
+			me.Put("/", editUserinfo)
 			me.Put("/language", updateAccountLanguage)
 			me.Get("/events", getEvents)
 			me.Get("/tickets", getTickets)