fixed 解决安全问题访问附件，id改为uuid

app/controllers/attachments_controller.rb

@@ -94,6 +94,7 @@ class AttachmentsController < ApplicationController
         @attachment.author_id = current_user.id
         @attachment.disk_directory = month_folder
         @attachment.cloud_url = remote_path
+        @attachment.uuid = SecureRandom.uuid
         @attachment.save!
       else
         logger.info "文件已存在，id = #{@attachment.id}, filename = #{@attachment.filename}"
@@ -147,8 +148,9 @@ class AttachmentsController < ApplicationController
       if params[:type] == 'history'
         AttachmentHistory.find params[:id]
       else
-        Attachment.find params[:id]
+        Attachment.find_by(id: params[:id]) || Attachment.find_by(uuid: params[:id])
       end
+    tip_exception(404, "您访问的页面不存在或已被删除") if @file.blank?
   end
 
   def delete_file(file_path)
@@ -218,7 +220,7 @@ class AttachmentsController < ApplicationController
   def attachment_candown
     unless current_user.admin? || current_user.business?
       candown = true
-      if @file.container
+      if @file.container && @file.uuid.nil?
         if @file.container.is_a?(Issue)
           project = @file.container.project
           candown = project.is_public || (current_user.logged? && project.member?(current_user))