From 2523895212606c9bc8bee14cdbc520dd78f2c65b Mon Sep 17 00:00:00 2001 From: thinkgem Date: Wed, 2 May 2018 22:09:06 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20shiro.allowRequestMethods?= =?UTF-8?q?=20=E5=8F=82=E6=95=B0=EF=BC=8C=E5=8F=AF=E6=8C=87=E5=AE=9A?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E7=9A=84=E8=AF=B7=E6=B1=82=E6=96=B9=E6=B3=95?= =?UTF-8?q?=EF=BC=8C=E9=BB=98=E8=AE=A4GET,POST=EF=BC=9B=20=20TabPanel=20?= =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20onTablePageClose=20=E4=BA=8B=E4=BB=B6?= =?UTF-8?q?=EF=BC=9BSpringMVC=20=E4=BC=98=E5=8C=96=20MaxFileSize=20?= =?UTF-8?q?=E5=8F=82=E6=95=B0=EF=BC=8C=E5=90=8C=20MaxRequestSize=EF=BC=9B?= =?UTF-8?q?=E6=96=B0=E5=A2=9EPatternValue=E9=AA=8C=E8=AF=81=E6=B3=A8?= =?UTF-8?q?=E8=A7=A3=EF=BC=8C=E6=94=AF=E6=8C=81=E4=BB=8E=E5=B1=9E=E6=80=A7?= =?UTF-8?q?=E6=96=87=E4=BB=B6=E4=B8=AD=E8=AF=BB=E5=8F=96=E6=AD=A3=E5=88=99?= =?UTF-8?q?=E8=A1=A8=E8=BE=BE=E5=BC=8F=EF=BC=8C=E5=8F=AF=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E4=B8=BB=E9=94=AE=E5=92=8CloginCode=E7=9A=84=E9=AA=8C=E8=AF=81?= =?UTF-8?q?=E6=AD=A3=E5=88=99=E8=A1=A8=E8=BE=BE=E5=BC=8F=EF=BC=9B=E4=BC=98?= =?UTF-8?q?=E5=8C=96userService.save=E6=96=B9=E6=B3=95=EF=BC=8C=E6=94=AF?= =?UTF-8?q?=E6=8C=81=E7=9B=B4=E6=8E=A5=E4=BF=9D=E5=AD=98password=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/core/db/core.erm | 2 +- .../sys/web/user/AccountController.java | 21 +------------------ .../main/resources/config/jeesite-core.yml | 12 +++++++++-- .../i18n/core/common/i18n_en.properties | 2 +- .../i18n/core/common/i18n_zh_CN.properties | 2 +- web/db/test.erm | 6 +++--- web/src/main/resources/config/jeesite.yml | 3 +++ 7 files changed, 20 insertions(+), 28 deletions(-) diff --git a/modules/core/db/core.erm b/modules/core/db/core.erm index 1da8027e..9cc889c7 100644 --- a/modules/core/db/core.erm +++ b/modules/core/db/core.erm @@ -134,7 +134,7 @@ false - 2014-10-22 17:21:43 + 2016-12-25 17:25:00 Project Name 
diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/web/user/AccountController.java b/modules/core/src/main/java/com/jeesite/modules/sys/web/user/AccountController.java index b896c78c..ab2492c3 100644 --- a/modules/core/src/main/java/com/jeesite/modules/sys/web/user/AccountController.java +++ b/modules/core/src/main/java/com/jeesite/modules/sys/web/user/AccountController.java @@ -3,7 +3,6 @@ */ package com.jeesite.modules.sys.web.user; -import java.lang.reflect.Method; import java.util.Date; import java.util.Map; @@ -312,16 +311,12 @@ public class AccountController extends BaseController{ } u.setLoginCode(loginCode); u.setUserName(user.getUserName()); + u.setPassword(user.getPassword()); u.setEmail(email); u.setMobile(mobile); u.setUserType(userType); u.setMgrType(User.MGR_TYPE_NOT_ADMIN); userService.save(u); - try{ - userService.updatePassword(u.getUserCode(), user.getPassword()); - }catch(ServiceException se){ - return renderResult(Global.FALSE, se.getMessage()); - } // 验证成功后清理验证码,验证码只允许使用一次。 UserUtils.removeCache("regUserType"); 
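Review bot: The new `u.setPassword(user.getPassword());` followed by `userService.save(u);` drops the `ServiceException` handling that the removed `updatePassword` call had, so a password rejected by the service (the weak-password case the `sys.user.passwordModifySecurityLevel` messages touched in this commit refer to) now propagates out of the method instead of being returned as `renderResult(Global.FALSE, se.getMessage())`. Whether `save` now hashes the submitted password and applies the same strength checks is not visible in this hunk; if it does and still signals rejection by throwing, wrap it the same way: `try{ userService.save(u); }catch(ServiceException se){ return renderResult(Global.FALSE, se.getMessage()); }`. If it does not, the registration password is persisted as submitted by the client, which needs confirming against the service before this lands. The enclosing registration method starts and ends outside the hunk.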
@@ -337,17 +332,10 @@ public class AccountController extends BaseController{ */ private String sendEmailValidCode(User user, String code, String title){ try { - Class message = Class.forName("com.jeesite.modules.msg.entity.MsgPushEntity"); - Class messageUtils = Class.forName("com.jeesite.modules.msg.utils.MessageUtils"); - Method method = messageUtils.getMethod("sendEmail", String.class, String.class, String.class, String.class, String.class); String contentTitle = user.getUserName() + "(" + user.getLoginCode() + ")"+title+"验证码"; String contentText = "尊敬的用户,您好!\n\n您的验证码是:" + code +"(请勿透露给其他人)\n\n" + "请复制后,填写在你的验证码窗口完成验证。\n\n本邮件由系统自动发出,请勿回复。\n\n感谢您的使用。"; - String receiverType = (String)message.getField("RECEIVER_TYPE_NONE").get(null); String receiverCodes = user.getEmail(), receiverNames = user.getUserName(); - method.invoke(null, contentTitle, contentText, receiverType, receiverCodes, receiverNames); - } catch (ClassNotFoundException e) { - return renderResult(Global.FALSE, "消息模块未安装,请联系管理员!"); } catch (Exception e) { logger.error(title+"发送邮件错误。", e); return renderResult(Global.FALSE, "系统出现了点问题,错误信息:" + e.getMessage()); 
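Review bot: After this hunk `sendEmailValidCode` builds `contentTitle`, `contentText`, `receiverCodes` and `receiverNames` inside the `try` and then falls straight into `} catch (Exception e) {` without sending anything: the removed `method.invoke(...)` line is not replaced by a direct call, and the hunk header (17 old, 10 new, 7 removed) shows no added line, so the verification code is generated but never delivered. The `sendSmsValidCode` hunk below has the same gap. If the intent was to drop the reflective lookup, the direct call is still needed, e.g. `MessageUtils.sendEmail(contentTitle, contentText, MsgPushEntity.RECEIVER_TYPE_NONE, receiverCodes, receiverNames);` here and the `sendSms` equivalent in the SMS method, with the matching imports; that also turns the msg module into a compile-time dependency of core, which the removed `ClassNotFoundException` branch previously avoided. Both methods continue past the end of their hunks.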
@@ -360,16 +348,9 @@ public class AccountController extends BaseController{ */ private String sendSmsValidCode(User user, String code, String title){ try { - Class message = Class.forName("com.jeesite.modules.msg.entity.MsgPushEntity"); - Class messageUtils = Class.forName("com.jeesite.modules.msg.utils.MessageUtils"); - Method method = messageUtils.getMethod("sendSms", String.class, String.class, String.class, String.class, String.class); String contentTitle = user.getUserName() + "(" + user.getLoginCode() + ")"+title+"验证码"; String contentText = "您好,您的验证码是:" + code +"(请勿透露给其他人)感谢您的使用。"; - String receiverType = (String)message.getField("RECEIVER_TYPE_NONE").get(null); String receiverCodes = user.getMobile(), receiverNames = user.getUserName(); - method.invoke(null, contentTitle, contentText, receiverType, receiverCodes, receiverNames); - } catch (ClassNotFoundException e) { - return renderResult(Global.FALSE, "消息模块未安装,请联系管理员!"); } catch (Exception e) { logger.error(title+"发送短信错误。", e); return renderResult(Global.FALSE, "系统出现了点问题,错误信息:" + e.getMessage()); diff --git a/modules/core/src/main/resources/config/jeesite-core.yml b/modules/core/src/main/resources/config/jeesite-core.yml index ef7998dc..b2cf9bc3 100644 --- a/modules/core/src/main/resources/config/jeesite-core.yml +++ b/modules/core/src/main/resources/config/jeesite-core.yml @@ -197,7 +197,7 @@ user: # 集团模式(多公司、多租户、SAAS模式) useCorpModel: false - + # 任务调度 job: @@ -222,7 +222,7 @@ cms: # 内容管理主站点编码 mainSiteCode: main - + #============================# #==== Framework settings ====# #============================# @@ -260,6 +260,9 @@ shiro: # 登录提交信息安全Key,加密用户名、密码、验证码,后再提交(key设置为3个,用逗号分隔) secretKey: thinkgem,jeesite,com + # 允许的请求方法设定,解决安全审计问题 + allowRequestMethods: GET,POST + # 是否允许账号多地登录,如果设置为false,同一个设备类型的其它地点登录的相同账号被踢下线 isAllowMultiAddrLogin: true 
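Review bot: `allowRequestMethods: GET,POST` is introduced with a comment that only says it addresses a security-audit finding; nothing in this commit reads the key, so from the configuration alone a reader cannot tell which filter enforces it or what a request using another method receives. Extend the comment once the enforcing code is confirmed, e.g. `# Allowed HTTP methods, comma-separated; enforced by <FILTER_NAME placeholder>, other methods get <STATUS placeholder>`. It is also worth stating in the same comment that a deployment serving cross-origin clients will need `OPTIONS` added for preflight, since the default excludes it.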
@@ -395,6 +398,11 @@ web:
 # 静态文件后缀,排除的url路径,指定哪些uri路径不进行静态文件过滤。
 staticFileExcludeUri: /druid/
+ # 自定义正则表达式验证(主键、登录名)
+ validator:
+ id: '[a-zA-Z0-9_\-/\u4e00-\u9fa5]{0,64}'
+ user.loginCode: '[a-zA-Z0-9_\u4e00-\u9fa5]{4,20}'
+
 # 错误页面500.html是否输出错误信息(正式环境,为提供安全性可设置为false)
 error:
 page:
diff --git a/modules/core/src/main/resources/i18n/core/common/i18n_en.properties b/modules/core/src/main/resources/i18n/core/common/i18n_en.properties
index 2e3c89ed..bd5ab183 100644
--- a/modules/core/src/main/resources/i18n/core/common/i18n_en.properties
+++ b/modules/core/src/main/resources/i18n/core/common/i18n_en.properties
@@ -33,7 +33,7 @@ sys.user.oldPasswordError=Old password error, please retype.
 sys.user.confirmPasswrodError=The new password is different from the confirm password. please retype.
 sys.user.passwordModifySuccess=Change password success
 sys.user.passwordModifyNotRepeat=The new password cannot be the same as the previous {0}.
-sys.user.passwordModifySecurityLevel=Password change failed because you set the password to weak password!
+sys.user.passwordModifySecurityLevel=Password update failed because you set the password to weak password!
 sys.user.initPasswordModifyTip=Your password is the init password, please change the password!
 sys.user.passwordModifyTip=Your password {0} day has not been modified , please change the password!
 sys.user.passwordError=Password error, please retype.
diff --git a/modules/core/src/main/resources/i18n/core/common/i18n_zh_CN.properties b/modules/core/src/main/resources/i18n/core/common/i18n_zh_CN.properties
index ee22a7fd..601055e8 100644
--- a/modules/core/src/main/resources/i18n/core/common/i18n_zh_CN.properties
+++ b/modules/core/src/main/resources/i18n/core/common/i18n_zh_CN.properties
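Review bot: The `validator.id` pattern `[a-zA-Z0-9_\-/\u4e00-\u9fa5]{0,64}` accepts the empty string and `/`, and neither pattern is anchored, so whether a value such as `abc$` is rejected depends on whether the PatternValue annotation introduced by this commit applies a full match or a search; that code is not in this diff. Record the matching rule next to the keys so the patterns can be reviewed as written, e.g. `# PatternValue matches the whole value (no partial match); an empty id is accepted by design` — with the second clause kept only if that is intended. If ids are ever used as path segments, allowing `/` in them deserves the same explicit note.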
@@ -33,7 +33,7 @@ sys.user.oldPasswordError=旧密码错误,请重新输入 sys.user.confirmPasswrodError=新密码与确认新密码不同,请重新输入 sys.user.passwordModifySuccess=修改密码成功 sys.user.passwordModifyNotRepeat=新密码不能与前 {0} 次,设置的密码相同 -sys.user.passwordModifySecurityLevel=密码修改失败,因为你设置的密码为弱密码! +sys.user.passwordModifySecurityLevel=密码更新失败,因为你设置的密码为弱密码! sys.user.initPasswordModifyTip=您的密码还是初始密码,请修改密码! sys.user.passwordModifyTip=您的密码已经 {0} 天未修改了,请修改密码! sys.user.passwordError=登录密码错误,请重新输入 diff --git a/web/db/test.erm b/web/db/test.erm index 55ef0b14..c6222110 100644 --- a/web/db/test.erm +++ b/web/db/test.erm @@ -11,8 +11,8 @@ 0 1.0 - 0 - 99 + 131 + 31 128 128 @@ -134,7 +134,7 @@ false - 2014-10-22 17:21:43 + 2016-12-25 17:25:00 Project Name diff --git a/web/src/main/resources/config/jeesite.yml b/web/src/main/resources/config/jeesite.yml index 6e27877a..63619e5e 100644 --- a/web/src/main/resources/config/jeesite.yml +++ b/web/src/main/resources/config/jeesite.yml @@ -254,6 +254,9 @@ jdbc: # # 登录提交信息安全Key,加密用户名、密码、验证码,后再提交(key设置为3个,用逗号分隔) # secretKey: thinkgem,jeesite,com # +# # 允许的请求方法设定,解决安全审计问题 +# allowRequestMethods: GET,POST +# # # 是否允许账号多地登录,如果设置为false,同一个设备类型的其它地点登录的相同账号被踢下线 # isAllowMultiAddrLogin: true #