diff --git a/app/controllers/api/pm/base_controller.rb b/app/controllers/api/pm/base_controller.rb
index 3fcc1cfb7..a78d29b38 100644
--- a/app/controllers/api/pm/base_controller.rb
+++ b/app/controllers/api/pm/base_controller.rb
@@ -30,6 +30,7 @@ class Api::Pm::BaseController < ApplicationController
end
def load_issue
+ return render_parameter_missing if params[:pm_project_id].blank?
@issue = @project.issues.issue_issue.where(pm_project_id: params[:pm_project_id]).find_by_id(params[:id])
render_not_found('疑修不存在!') if @issue.blank?
end
diff --git a/app/controllers/api/pm/issues_controller.rb b/app/controllers/api/pm/issues_controller.rb
index 4b76783d2..788951413 100644
--- a/app/controllers/api/pm/issues_controller.rb
+++ b/app/controllers/api/pm/issues_controller.rb
@@ -2,8 +2,8 @@ class Api::Pm::IssuesController < Api::Pm::BaseController
before_action :require_login, except: [:index]
before_action :load_project
before_action :load_issue, only: %i[show update destroy]
- before_action :load_issues, only: [:batch_update, :batch_destroy]
- before_action :check_issue_operate_permission, only: [:update, :destroy]
+ before_action :load_issues, only: %i[batch_update batch_destroy]
+ before_action :check_issue_operate_permission, only: %i[update destroy]
def index
@object_result = Api::V1::Issues::ListService.call(@project, query_params, current_user)
@@ -91,15 +91,9 @@ class Api::Pm::IssuesController < Api::Pm::BaseController
private
def check_issue_operate_permission
- return if params[:project_id].zero?
+ return if params[:project_id].to_i.zero?
render_forbidden('您没有操作权限!') unless @project.member?(current_user) || current_user.admin? || @issue.user == current_user
end
-
- def load_issue
- @issue = @project.issues.issue_issue.where(pm_project_id: params[:pm_project_id]).find_by_id(params[:id])
- render_not_found('疑修不存在!') if @issue.blank?
- end
-
def load_issues
return render_error('请输入正确的ID数组!') unless params[:ids].is_a?(Array)
params[:ids].each do |id|