Ruoyi Incorrect Access Control Vulnerability in SysUserController

Vulnerability

An access control vulnerability has been identified in Ruoyi version 4.8.0. The 'authRole' method of 'SysUserController.java' does not call the 'checkUserDataScope' check before loading the requested user, so a caller whose data scope should not cover a given user can still read that user's information and role assignments, including those of admin accounts.

Impact

Exploitation lets an authenticated caller read user records outside the data scope they were granted, bypassing the intended access control. The exposed data includes administrative user information, which is particularly sensitive because the response also lists which roles the account holds.

Reproduction

The 'authRole' method of 'SysUserController.java' calls 'userService.selectUserById' with the caller-supplied user ID and returns the user's details and roles without first calling 'checkUserDataScope'. To reproduce, authenticate as a user whose data scope excludes a target account (for example an admin account), invoke 'authRole' with that account's user ID, and observe that the response contains the target's user details and role list instead of the rejection the data-scope check would produce.

Remediation

Add the missing 'checkUserDataScope' call to the 'authRole' method before 'userService.selectUserById' is invoked, so that requests for users outside the caller's data scope are rejected before any user data is loaded.
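The following Java is an added illustration written for this page; it is not RuoYi's own source. It shows the 'authRole' handler in the shape the advisory describes, beside the same handler with the 'checkUserDataScope' call added first, and runs them against constructed users so the difference is visible. The Spring annotations are omitted and the model and service types (SysUser, SysRole, AjaxResult, UserService, the department-based scope rule) are minimal stand-ins, all assumptions for this example.

```java
// Added illustration written for this page, not RuoYi's own source. Spring
// annotations are left out and the model/service types are minimal stand-ins
// (assumptions) so the file compiles and runs alone:
//   javac AuthRoleScopeDemo.java && java AuthRoleScopeDemo
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Minimal stand-ins for the project types named on the page (assumptions).
class SysUser {
    final Long userId; final String userName; final Long deptId;
    SysUser(Long userId, String userName, Long deptId) {
        this.userId = userId; this.userName = userName; this.deptId = deptId;
    }
    public String toString() { return userName + "#" + userId + "(dept " + deptId + ")"; }
}
class SysRole {
    final String roleKey;
    SysRole(String roleKey) { this.roleKey = roleKey; }
    public String toString() { return roleKey; }
}
class AjaxResult extends HashMap<String, Object> {
    static AjaxResult success() { return new AjaxResult(); }
}
class ServiceException extends RuntimeException {
    ServiceException(String msg) { super(msg); }
}

// Service stand-in: checkUserDataScope is the check the page says authRole omits.
class UserService {
    private final Map<Long, SysUser> users = new HashMap<>();
    private final Map<Long, List<SysRole>> roles = new HashMap<>();
    private final Long callerDeptId;  // department the caller's data scope is limited to

    UserService(Long callerDeptId) { this.callerDeptId = callerDeptId; }
    void add(SysUser u, List<SysRole> r) { users.put(u.userId, u); roles.put(u.userId, r); }
    SysUser selectUserById(Long userId) { return users.get(userId); }
    List<SysRole> selectRolesByUserId(Long userId) { return roles.getOrDefault(userId, List.of()); }

    // Throws when the target user lies outside the caller's data scope. The real
    // check is role/department based; department equality stands in for it here.
    void checkUserDataScope(Long userId) {
        SysUser target = users.get(userId);
        if (target == null || !target.deptId.equals(callerDeptId)) {
            throw new ServiceException("no permission to access user data");
        }
    }
}

public class AuthRoleScopeDemo {
    // Vulnerable shape: the user record and roles are returned for any userId
    // the caller supplies, with no data-scope check at all.
    static AjaxResult authRoleVulnerable(UserService svc, Long userId) {
        AjaxResult ajax = AjaxResult.success();
        SysUser user = svc.selectUserById(userId);
        List<SysRole> roles = svc.selectRolesByUserId(userId);
        ajax.put("user", user);
        ajax.put("roles", roles);
        return ajax;
    }

    // Fixed shape: the data-scope check runs before any user data is loaded,
    // which is the remediation the advisory recommends.
    static AjaxResult authRoleFixed(UserService svc, Long userId) {
        svc.checkUserDataScope(userId);
        AjaxResult ajax = AjaxResult.success();
        SysUser user = svc.selectUserById(userId);
        List<SysRole> roles = svc.selectRolesByUserId(userId);
        ajax.put("user", user);
        ajax.put("roles", roles);
        return ajax;
    }

    public static void main(String[] args) {
        // Constructed data: the caller's scope is department 200; the admin
        // account (id 1) sits in department 100 and should be unreachable.
        UserService svc = new UserService(200L);
        svc.add(new SysUser(1L, "admin", 100L), List.of(new SysRole("admin")));
        svc.add(new SysUser(2L, "alice", 200L), List.of(new SysRole("common")));

        System.out.println("vulnerable, in scope : " + authRoleVulnerable(svc, 2L));
        System.out.println("vulnerable, admin    : " + authRoleVulnerable(svc, 1L)); // admin record and roles leak
        System.out.println("fixed, in scope      : " + authRoleFixed(svc, 2L));
        try {
            authRoleFixed(svc, 1L);
        } catch (ServiceException e) {
            System.out.println("fixed, admin         : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of placing the check before 'selectUserById' rather than after is that nothing about the target user, not even whether the ID exists, is loaded or echoed back until the caller's scope has been confirmed.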

Added: Nov 26, 2025, 5:24 PM
Updated: Nov 26, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.