feat: only admin can specify user in BuyProduct() (#3287)

* fix: balance can be used without login * fix: balance can be used without login * fix: fix bug * fix: fix bug
2025-05-23 02:35:49 +08:00 · 2024-10-16 00:02:04 +08:00 · 2024-10-16 00:02:04 +08:00 · 7ae067e369
commit 7ae067e369
parent dde936e935
1 changed files with 4 additions and 0 deletions
--- a/controllers/product.go
+++ b/controllers/product.go
@ -182,6 +182,10 @@ func (c *ApiController) BuyProduct() {
 	paidUserName := c.Input().Get("userName")
 	owner, _ := util.GetOwnerAndNameFromId(id)
 	userId := util.GetId(owner, paidUserName)
+	if paidUserName != "" && !c.IsAdmin() {
+		c.ResponseError(c.T("general:Only admin user can specify user"))
+		return
+	}
 	if paidUserName == "" {
 		userId = c.GetSessionUsername()
 	}