From 0d2ed00e4c49b437d17f5fedb580f10c5771f145 Mon Sep 17 00:00:00 2001
From: xxq250
Date: Tue, 22 Oct 2024 09:27:53 +0800
Subject: [PATCH] =?UTF-8?q?fixed=20raw=20request.referer=20=E9=98=B2?= =?UTF-8?q?=E7=9B=97=E9=93=BE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controllers/application_controller.rb | 4 ++++
 app/controllers/repositories_controller.rb | 1 +
 2 files changed, 5 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d9dd9e2e6..ea050ebe5 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -210,6 +210,10 @@ class ApplicationController < ActionController::Base
     tip_exception(401, "请登录后再操作") unless User.current.logged?
   end
 
+  def require_referer tip_exception(403, "你没有权限访问") if request.host.present? && !request.referer.to_s.include?(request.host.to_s.gsub("www.","")) end
+
   def require_login_or_token
     if params[:token].present?
       user = User.try_to_autologin(params[:token])
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 536bda3a8..b7776bcfd 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -13,6 +13,7 @@ class RepositoriesController < ApplicationController
   before_action :get_ref, only: %i[entries sub_entries top_counts files archive]
   before_action :get_latest_commit, only: %i[entries sub_entries top_counts]
   before_action :get_statistics, only: %i[top_counts]
+  before_action :require_referer, only: [:raw]
 
   def files
     result = @project.educoder? ? nil : Gitea::Repository::Files::GetService.call(@owner, @project.identifier, @ref, params[:search], @owner.gitea_token)
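Review bot: The referer check on the new `tip_exception(403, …)` line in `require_referer` is a substring test, so any Referer whose text merely contains the host (as a subdomain of another site, or inside a path or query string) passes, and `gsub("www.","")` strips that fragment wherever it occurs rather than only as a prefix; compare the parsed Referer host with the request host instead. Because Referer is client-supplied and is omitted under a strict Referrer-Policy and by most non-browser clients, this blocks direct opens of raw links while providing only hotlinking deterrence, not authorization, yet the 403 message reads as a permission error, so the method deserves a comment such as `# Hotlink deterrent for raw: Referer is client-supplied, not an authorization check.`. Decide explicitly whether a missing Referer should be accepted; the rewrite below keeps the current behaviour of rejecting it. A malformed Referer makes `URI.parse` raise `URI::InvalidURIError`, which the rewrite treats as a mismatch rather than letting it surface as a 500.
```ruby
  # Hotlink deterrent for raw: Referer is client-supplied, not an authorization check.
  def require_referer
    return if request.host.blank?

    expected = request.host.to_s.delete_prefix("www.")
    referer_host = URI.parse(request.referer.to_s).host.to_s.delete_prefix("www.")
    tip_exception(403, "你没有权限访问") unless referer_host == expected
  rescue URI::InvalidURIError
    tip_exception(403, "你没有权限访问")
  end
```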
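Review bot: `only: [:raw]` on the added `before_action` breaks the `%i[...]` convention used by the three preceding `before_action` lines in the same hunk; write it as `before_action :require_referer, only: %i[raw]`. The `raw` action itself is outside the hunk, so whether it carries its own access checks cannot be seen here.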