floraachy/gitlink-forgeplus
1
0
Fork 0
mirror of https://gitlink.org.cn/Gitlink/forgeplus.git synced 2026-05-02 19:30:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixed 解决安全问题访问附件,id改为uuid

Browse Source
This commit is contained in:
xxq250
2023-12-12 14:31:21 +08:00
parent 0cb38bce4f
commit d74901cffa
8 changed files with 82 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/services/api/v1/issues/concerns/checkable.rb
View File

@@ -31,7 +31,7 @@ module Api::V1::Issues::Concerns::Checkable
def check_attachments (attachment_ids)
raise ApplicationService::Error, "请输入正确的附件ID数组" unless attachment_ids.is_a?(Array)
attachment_ids.each do |aid|
raise ApplicationService::Error, "请输入正确的附件ID" unless Attachment.exists?(id: aid)
raise ApplicationService::Error, "请输入正确的附件ID" unless Attachment.exists?(id: aid) || Attachment.exists?(uuid: aid)
end
end

2
app/services/api/v1/issues/concerns/loadable.rb
View File

@@ -9,7 +9,7 @@ module Api::V1::Issues::Concerns::Loadable
end
def load_attachments(attachment_ids)
@attachments = Attachment.where(id: attachment_ids)
@attachments = Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))
end
def load_atme_receivers(receivers_login)