fix: sql attack

2021-06-17 16:13:40 +08:00
parent 880f09a94a
commit 09dfd504c2
17 changed files with 59 additions and 39 deletions


@@ -1,8 +1,8 @@
class Users::BanksController < Users::BaseController
before_action :params_filter
def index
order = params[:order] || "updated_at"
sort = params[:sort] || "desc"
order = CourseList.column_names.include?(params[:order]) ? params[:order] : "updated_at"
sort = %w(desc asc).includes?(params[:sort]) ? params[:sort] : "desc"
@banks = @object_type.classify.constantize.where(@object_filter)
@course_lists = CourseList.where(id: @banks.pluck(:course_list_id))
@banks = @banks.where(course_list_id: params[:tag_id]) unless params[:tag_id].blank?
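Review bot: The new `sort` line calls `%w(desc asc).includes?(params[:sort])`, but Array has no `includes?` method — the predicate is `include?`, as the organizations controller in this same commit uses — so every request to `index` would raise NoMethodError before the allowlist does anything; it should read `sort = %w(desc asc).include?(params[:sort]) ? params[:sort] : "desc"`. The `order` value is checked against `CourseList.column_names` while the relation being built is `@object_type.classify.constantize`; if `order` is later applied to `@banks` rather than to `@course_lists`, a column that exists on CourseList may not exist on that model, so it is worth confirming where the two values are consumed. The body of `index` continues past the end of the hunk.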


@@ -16,10 +16,10 @@ class Users::OrganizationsController < Users::BaseController
private
def sort_by
params.fetch(:sort_by, "created_at")
OrganizationExtension.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
end
def sort_direction
params.fetch(:sort_direction, "desc")
%w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
end
end
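Review bot: The direction allowlist `%w(desc asc)` is written out in `sort_direction` and again in the banks controller of this same commit; since both controllers inherit from Users::BaseController, a single frozen constant there, e.g. `SORT_DIRECTIONS = %w[desc asc].freeze`, used as `SORT_DIRECTIONS.include?(params[:sort_direction])`, would keep the two lists from drifting apart. `sort_by` now accepts any column of `OrganizationExtension`; if some columns should not be orderable from the client, a narrower explicit list would be preferable to `column_names`, but that depends on the schema, which this hunk does not show. The class header lies above the hunk; its closing `end` is the hunk's last line.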