[ISSUE #3406] fix change self's password fail

[haoyann]

Please do not create a Pull Request without creating an issue first.

What is the purpose of the change

#3406
Use a special resource to update the password. any user can access,authentication is implemented inside the method

Brief changelog

XX

Verifying this change

XXXX

Follow this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
• Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in test module.
• Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass.

[KomachiSion]

use com.alibaba.nacos.common.utils.StringUtil#isBlank will be better, I think

[haoyann]

use util is better , but it is an object. I will use com.alibaba.nacos.common.utils.Objects#isNull

[KomachiSion]

If nacos_user_key is "", whether it return false directly?

[KomachiSion]

I think this implementation will cause security problem. If you get admin from user input, users can mock or inject this value so that they can change others' password.

[haoyann]

The current version also has this problem, because admin can modify the password of other users.I just kept this feature.

[KomachiSion]

But current judge admin has auth to change other password is used the role queried by datasource.

Your implementation is used the request input. If I'm not admin, but I call this API with myself input. I will change other's password.

I am not saying that there is a problem with this function, I just describe that your implementation allows other non-admin users to modify the passwords of other users.

[haoyann]

抱歉，我不是很明白您“I call this API with myself input. I will change other's password”这里表达的意思，因为我看代码在com.alibaba.nacos.core.auth.AuthFilter#doFilter这里会调用方法com.alibaba.nacos.console.senicurity.nacos.NacosAuthManager#login,这里它将设置NACOS_USER_KEY

        List<RoleInfo> roleInfoList = roleService.getRoles(username);
        if (roleInfoList != null) {
            for (RoleInfo roleInfo : roleInfoList) {
                if (roleInfo.getRole().equals(NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE)) {
                    user.setGlobalAdmin(true);
                    break;
                }
            }
        }
        req.setAttribute(RequestUtil.NACOS_USER_KEY, user);

在我的理解里，我在后续从request中取出的NACOS_USER_KEY是已经认证过后的用户信息。或许有哪些地方我没有考虑到的，会造成您所说的安全问题。
如是确实存在这个问题，我在这里认证的时候调用com.alibaba.nacos.console.senicurity.nacos.NacosAuthManager#login这个方法获取用户信息，这样应该保险的。

[KomachiSion]

如果是从AuthFilter中覆盖的应该也可以。

[haoyann]

那现在我需要做什么呢 : )

[KomachiSion]

上面那个问题， 需不需要换成工具类判断？

[haoyann]

done