fixed 解决安全问题访问附件,id改为uuid
This commit is contained in:
parent
0cb38bce4f
commit
d74901cffa
|
|
@ -94,6 +94,7 @@ class AttachmentsController < ApplicationController
|
||||||
@attachment.author_id = current_user.id
|
@attachment.author_id = current_user.id
|
||||||
@attachment.disk_directory = month_folder
|
@attachment.disk_directory = month_folder
|
||||||
@attachment.cloud_url = remote_path
|
@attachment.cloud_url = remote_path
|
||||||
|
@attachment.uuid = SecureRandom.uuid
|
||||||
@attachment.save!
|
@attachment.save!
|
||||||
else
|
else
|
||||||
logger.info "文件已存在,id = #{@attachment.id}, filename = #{@attachment.filename}"
|
logger.info "文件已存在,id = #{@attachment.id}, filename = #{@attachment.filename}"
|
||||||
|
|
@ -147,8 +148,9 @@ class AttachmentsController < ApplicationController
|
||||||
if params[:type] == 'history'
|
if params[:type] == 'history'
|
||||||
AttachmentHistory.find params[:id]
|
AttachmentHistory.find params[:id]
|
||||||
else
|
else
|
||||||
Attachment.find params[:id]
|
Attachment.find_by(id: params[:id]) || Attachment.find_by(uuid: params[:id])
|
||||||
end
|
end
|
||||||
|
tip_exception(404, "您访问的页面不存在或已被删除") if @file.blank?
|
||||||
end
|
end
|
||||||
|
|
||||||
def delete_file(file_path)
|
def delete_file(file_path)
|
||||||
|
|
@ -218,7 +220,7 @@ class AttachmentsController < ApplicationController
|
||||||
def attachment_candown
|
def attachment_candown
|
||||||
unless current_user.admin? || current_user.business?
|
unless current_user.admin? || current_user.business?
|
||||||
candown = true
|
candown = true
|
||||||
if @file.container
|
if @file.container && @file.uuid.nil?
|
||||||
if @file.container.is_a?(Issue)
|
if @file.container.is_a?(Issue)
|
||||||
project = @file.container.project
|
project = @file.container.project
|
||||||
candown = project.is_public || (current_user.logged? && project.member?(current_user))
|
candown = project.is_public || (current_user.logged? && project.member?(current_user))
|
||||||
|
|
|
||||||
|
|
@ -299,7 +299,7 @@ module ApplicationHelper
|
||||||
end
|
end
|
||||||
|
|
||||||
def download_url attachment,options={}
|
def download_url attachment,options={}
|
||||||
attachment_path(attachment,options)
|
attachment&.uuid.present? ? attachment_path(attachment.uuid,options) : attachment_path(attachment,options)
|
||||||
end
|
end
|
||||||
|
|
||||||
# 耗时:天、小时、分、秒
|
# 耗时:天、小时、分、秒
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,7 @@
|
||||||
# delay_publish :boolean default("0")
|
# delay_publish :boolean default("0")
|
||||||
# memo_image :boolean default("0")
|
# memo_image :boolean default("0")
|
||||||
# extra_type :integer default("0")
|
# extra_type :integer default("0")
|
||||||
|
# uuid :string(255)
|
||||||
#
|
#
|
||||||
# Indexes
|
# Indexes
|
||||||
#
|
#
|
||||||
|
|
@ -97,6 +98,11 @@ class Attachment < ApplicationRecord
|
||||||
downloads
|
downloads
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def generate_uuid
|
||||||
|
self.uuid = uuid || SecureRandom.uuid
|
||||||
|
save!
|
||||||
|
end
|
||||||
|
|
||||||
def quotes_count
|
def quotes_count
|
||||||
quotes.nil? ? 0 : quotes
|
quotes.nil? ? 0 : quotes
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -224,13 +224,23 @@ class Issue < ApplicationRecord
|
||||||
|
|
||||||
# 关附件到功能
|
# 关附件到功能
|
||||||
def associate_attachment_container
|
def associate_attachment_container
|
||||||
|
return if self.project_id == 0
|
||||||
att_ids = []
|
att_ids = []
|
||||||
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
||||||
att_ids += self.description.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
|
att_ids += self.description.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
|
||||||
att_ids += self.description.to_s.scan(/\/api\/attachments\/.+\"/).map{|s|s.match(/\d+/)[0]}
|
att_ids += self.description.to_s.scan(/\/api\/attachments\/.+\"/).map{|s|s.match(/\d+/)[0]}
|
||||||
att_ids += self.description.to_s.scan(/\/api\/attachments\/\d+/).map{|s|s.match(/\d+/)[0]}
|
att_ids += self.description.to_s.scan(/\/api\/attachments\/\d+/).map{|s|s.match(/\d+/)[0]}
|
||||||
if att_ids.present?
|
if att_ids.present?
|
||||||
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: "Project")
|
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
|
||||||
|
end
|
||||||
|
|
||||||
|
att_ids2 = []
|
||||||
|
# uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
|
||||||
|
# 附件的格式为(/api/attachments/ + uuid)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
||||||
|
att_ids2 += self.description.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
|
||||||
|
att_ids2 += self.description.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
|
||||||
|
if att_ids2.present?
|
||||||
|
Attachment.where(uuid: att_ids2).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -61,6 +61,7 @@ class Journal < ApplicationRecord
|
||||||
|
|
||||||
# 关附件到功能
|
# 关附件到功能
|
||||||
def associate_attachment_container
|
def associate_attachment_container
|
||||||
|
return if self.issue&.project_id.to_i == 0
|
||||||
att_ids = []
|
att_ids = []
|
||||||
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
||||||
att_ids += self.notes.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
|
att_ids += self.notes.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
|
||||||
|
|
@ -69,6 +70,15 @@ class Journal < ApplicationRecord
|
||||||
if att_ids.present?
|
if att_ids.present?
|
||||||
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
|
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
att_ids2 = []
|
||||||
|
# uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
|
||||||
|
# 附件的格式为(/api/attachments/ + uuid)的形式,提取出id进行附件属性关联,做附件访问权限控制
|
||||||
|
att_ids2 += self.notes.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
|
||||||
|
att_ids2 += self.notes.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
|
||||||
|
if att_ids2.present?
|
||||||
|
Attachment.where(uuid: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def operate_content
|
def operate_content
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ module Api::V1::Issues::Concerns::Checkable
|
||||||
def check_attachments (attachment_ids)
|
def check_attachments (attachment_ids)
|
||||||
raise ApplicationService::Error, "请输入正确的附件ID数组!" unless attachment_ids.is_a?(Array)
|
raise ApplicationService::Error, "请输入正确的附件ID数组!" unless attachment_ids.is_a?(Array)
|
||||||
attachment_ids.each do |aid|
|
attachment_ids.each do |aid|
|
||||||
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.exists?(id: aid)
|
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.exists?(id: aid) || Attachment.exists?(uuid: aid)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ module Api::V1::Issues::Concerns::Loadable
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_attachments(attachment_ids)
|
def load_attachments(attachment_ids)
|
||||||
@attachments = Attachment.where(id: attachment_ids)
|
@attachments = Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_atme_receivers(receivers_login)
|
def load_atme_receivers(receivers_login)
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,7 @@
|
||||||
json.id @attachment.id
|
json.id @attachment.uuid
|
||||||
json.filesize @attachment.filesize
|
json.title @attachment.title
|
||||||
|
json.filesize number_to_human_size(@attachment.filesize)
|
||||||
|
json.is_pdf @attachment.is_pdf?
|
||||||
|
json.url Rails.application.config_for(:configuration)['platform_url'] + (@attachment.is_pdf? ? download_url(@attachment,disposition:"inline") : download_url(@attachment)).to_s
|
||||||
|
json.created_on @attachment.created_on.strftime("%Y-%m-%d %H:%M")
|
||||||
|
json.content_type @attachment.content_type
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue