
🐞 fix: 修复权限控制漏洞

Pchen. 8 months ago
parent
commit
a0f7ea327a

+ 1 - 1
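--- a/apis/ClockIn/AddAttendanceItems.js
+++ b/apis/ClockIn/AddAttendanceItems.js
@@ -61,7 +61,7 @@ class AddAttendanceItems extends API {
         try {
             uuids = await AccessControl.checkUser(user);
             if(admin != '')
-                admins = await AccessControl.checkUser(admin);
+                admins = await AccessControl.checkUser(admin, true);
         } catch (error) {
             return res.json({
                 ...BaseStdResponse.ERR,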
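Review bot: The `if(admin != '')` guard in front of the new `checkUser(admin, true)` call uses loose inequality against a string, while checkUser itself (lib/AccessControl.js in this same commit) only handles the `Array.isArray(maintainers) && maintainers.length > 0` case; an empty array coerces to `''` and is skipped as intended, but any non-array, non-empty value passes the guard and reaches checkUser's other branch, which is outside this hunk. The more direct guard is `if (Array.isArray(admin) && admin.length > 0)`. EditAttendanceItems.js in the same commit calls `checkUser(admin, true)` unconditionally, so the two endpoints treat a missing admin list differently — presumably one of the two behaviours is unintended and the pair should be aligned. The enclosing method starts and ends outside the hunk.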

+ 1 - 1
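--- a/apis/ClockIn/EditAttendanceItems.js
+++ b/apis/ClockIn/EditAttendanceItems.js
@@ -75,7 +75,7 @@ class EditAttendanceItems extends API {
         let uuids, admins;
         try {
             uuids = await AccessControl.checkUser(user);
-            admins = await AccessControl.checkUser(admin);
+            admins = await AccessControl.checkUser(admin, true);
         } catch (error) {
             return res.json({
                 ...BaseStdResponse.ERR,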

+ 4 - 2
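--- a/lib/AccessControl.js
+++ b/lib/AccessControl.js
@@ -20,12 +20,14 @@ class AccessControl {
         return groups;
     }
 
-    async checkUser(maintainers) {
+    async checkUser(maintainers, isAdmin = false) {
         if (Array.isArray(maintainers) && maintainers.length > 0) {
             let uuids = [];
 
             let queries = maintainers.map(async (maintainer) => {
-                const sql = 'SELECT uuid FROM `users` WHERE username = ?';
+                let sql = 'SELECT uuid FROM `users` WHERE username = ?';
+                if(isAdmin) 
+                    sql = 'SELECT uuid FROM `users` WHERE username = ? AND manage = 1';
                 const rows = await db.query(sql, [maintainer]);
 
                 if (!rows || rows.length === 0) {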
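Review bot: The `isAdmin = false` default on the new signature means any caller that is not updated keeps the unprivileged `username = ?` lookup silently; the two call sites in this commit pass `true`, but other callers of checkUser are not visible here, so the weaker check is the one you get by omission. A dedicated method such as `checkAdmin(maintainers)`, or at least a name like `requireManager`, makes the stricter query an explicit choice rather than an easily forgotten flag. Also, when the username exists but `manage` is not 1 the query returns no rows and control falls into the `rows.length === 0` branch, whose body lies outside the hunk, so callers presumably cannot distinguish "unknown user" from "not a manager" — a distinct error would help both the API response and audit logging. Style: the `let sql` followed by a braceless `if(isAdmin)` (with trailing whitespace) collapses to a single `const sql = isAdmin ? <manager query> : <user query>;`. checkUser continues past the end of the hunk.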