fixed 解决安全问题访问附件,id改为uuid,关联功能修改

This commit is contained in:
xxq250 2023-12-12 16:41:02 +08:00
parent 9a0809e45b
commit de1266ba6c
9 changed files with 27 additions and 18 deletions


@ -139,7 +139,7 @@ class IssuesController < ApplicationController
SendTemplateMessageJob.perform_later('ProjectIssue', current_user.id, @issue&.id) if Site.has_notice_menu?
if params[:attachment_ids].present?
params[:attachment_ids].each do |id|
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
unless attachment.blank?
attachment.container = @issue
attachment.author_id = current_user.id
@ -232,7 +232,7 @@ class IssuesController < ApplicationController
if issue_files.present?
change_files = true
issue_files.each do |id|
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
unless attachment.blank?
attachment.container = @issue
attachment.author_id = current_user.id
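Review bot: The new `Attachment.where_id_or_uuid(id).select(...)&.first` lines resolve an attachment by id or uuid and the loop then sets `container` and `author_id` unconditionally, so nothing visible here verifies that the attachment is still unattached or was uploaded by current_user before it is re-parented onto @issue; unless that check sits in the lines after the hunk, the lookup change alone does not close the access problem the commit title describes, and a guard such as `next unless attachment.container_id.nil? || attachment.author_id == current_user.id` (the selected columns already include container_id) belongs before the assignment. The `&.` in `&.first` is dead safe navigation: the scope returns a relation and is never nil, so `.first` suffices. The same four-line body is repeated in both hunks here, in JournalsController, and as VersionReleasesController#create_attachments; that helper, with its `target` argument, is the natural shared concern for all three controllers. Both loops continue past their hunks.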


@ -35,7 +35,7 @@ class JournalsController < ApplicationController
if journal.save
if params[:attachment_ids].present?
params[:attachment_ids].each do |id|
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
unless attachment.blank?
attachment.container = journal
attachment.author_id = current_user.id


@ -152,7 +152,7 @@ class VersionReleasesController < ApplicationController
def create_attachments(attachment_ids, target)
attachment_ids.each do |id|
attachment = Attachment.select(:id, :container_id, :container_type).where(id: id).or(Attachment.where(uuid: id))&.first
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
unless attachment.blank?
attachment.container = target
attachment.author_id = current_user.id


@ -69,6 +69,7 @@ class Attachment < ApplicationRecord
scope :simple_columns, -> { select(:id, :filename, :filesize, :created_on, :cloud_url, :author_id, :content_type, :container_type, :container_id) }
scope :search_by_container, -> (ids) {where(container_id: ids)}
scope :unified_setting, -> {where("unified_setting = ? ", 1)}
scope :where_id_or_uuid, -> (id) { where("id = ? or uuid= ? ", id, id) }
validates_length_of :description, maximum: 100, message: "不能超过100个字符"
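Review bot: `where_id_or_uuid` still matches on the numeric `id`, so every caller that switches to it (the three controllers, IdentityVerification, and the raw-string variants in Journal, Checkable and Loadable) keeps the sequential-id path the commit title says it is closing; if the uuid is meant to be the only externally supplied handle, the scope should match on uuid alone, or numeric lookup should be reserved for internal callers. Comparing the integer `id` column with a uuid string is also adapter-dependent — on MySQL a non-numeric string is coerced to a number, so a uuid whose leading characters are digits can match an unrelated row by id, and on PostgreSQL the comparison raises instead — I cannot tell the adapter from this page, so please confirm. Routing by shape avoids both problems: `scope :where_id_or_uuid, ->(id) { id.to_s.match?(/\A\d+\z/) ? where(id: id) : where(uuid: id) }`; note that the typed hash form alone is not enough, because ActiveRecord's integer cast uses `to_i` and would also turn a digit-led uuid into an id. The `id in (?) or uuid in (?)` and `id=? or uuid=?` strings in Journal, Loadable and Checkable re-inline this same comparison and carry the same concern.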


@ -6,10 +6,10 @@
# user_id :integer not null
# number :string(255) not null
# name :string(255) not null
# card_front :integer
# card_back :integer
# hold_card_front :integer
# hold_card_back :integer
# card_front :string(255)
# card_back :string(255)
# hold_card_front :string(255)
# hold_card_back :string(255)
# state :integer default("0")
# description :string(255)
# created_at :datetime not null
@ -34,18 +34,18 @@ class IdentityVerification < ApplicationRecord
end
def card_front_attachment
Attachment.find_by_id card_front
Attachment.where_id_or_uuid.first card_front
end
def card_back_attachment
Attachment.find_by_id card_back
Attachment.where_id_or_uuid.first card_back
end
def hold_card_front_attachment
Attachment.find_by_id hold_card_front
Attachment.where_id_or_uuid.first hold_card_front
end
def hold_card_back_attachment
Attachment.find_by_id hold_card_back
Attachment.where_id_or_uuid hold_card_back
end
end
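Review bot: The new bodies `Attachment.where_id_or_uuid.first card_front` (and the card_back and hold_card_front variants) call the scope with no argument, which raises ArgumentError because the scope's lambda takes one parameter, and the column value is then handed to `first` as a row limit; the hold_card_back variant passes the argument correctly but returns the relation rather than a record. Each accessor should read `Attachment.where_id_or_uuid(card_front).first` with its own column name. Since the accompanying migration only widens the columns to string, rows created before this change presumably still hold numeric ids as strings, which is why these accessors depend on the scope's numeric branch.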


@ -88,9 +88,9 @@ class Journal < ApplicationRecord
when 'issue'
return "创建了<b>疑修</b>"
when 'attachment'
old_value = Attachment.where(id: detail.old_value.split(",")).pluck(:filename).join("")
new_value = Attachment.where(id: detail.value.split(",")).pluck(:filename).join("")
if old_value.nil? || old_value.blank?
old_value = Attachment.where("id in (?) or uuid in (?)", detail.old_value.to_s.split(","), detail.old_value.to_s.split(",")).pluck(:filename).join("")
new_value = Attachment.where("id in (?) or uuid in (?)", detail.value.to_s.split(","), detail.value.to_s.split(",")).pluck(:filename).join("")
if old_value.nil? || old_value.blank?
content += "添加了<b>#{new_value}</b>附件"
else
new_value = "" if new_value.blank?
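Review bot: `detail.old_value.to_s.split(",")` and `detail.value.to_s.split(",")` are each evaluated twice on the new lines, once per placeholder; binding them first (`old_ids = detail.old_value.to_s.split(",")`, `new_ids = detail.value.to_s.split(",")`) and passing the locals makes the pairing with the two `in (?)` slots obvious. The `old_value.nil? ||` on the following context line is redundant since `join` never returns nil and `blank?` already covers nil. The enclosing `case` and method continue outside the hunk.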


@ -31,8 +31,8 @@ module Api::V1::Issues::Concerns::Checkable
def check_attachments (attachment_ids)
raise ApplicationService::Error, "请输入正确的附件ID数组" unless attachment_ids.is_a?(Array)
attachment_ids.each do |aid|
raise ApplicationService::Error, "请输入正确的附件ID" unless Attachment.exists?(id: aid) || Attachment.exists?(uuid: aid)
end
raise ApplicationService::Error, "请输入正确的附件ID" unless Attachment.where("id=? or uuid=?", aid, aid).exists?
end
end
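Review bot: `Attachment.where("id=? or uuid=?", aid, aid).exists?` re-inlines the comparison this same commit introduces as a model scope; `Attachment.where_id_or_uuid(aid).exists?` keeps a single definition of the lookup so any later tightening of that scope applies here too. The loop still issues one query per id; if the array can be long, a single query returning the matched ids and uuids followed by a set difference against `attachment_ids` would report the missing ones in one round trip.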
def check_atme_receivers(receivers_login)


@ -9,7 +9,7 @@ module Api::V1::Issues::Concerns::Loadable
end
def load_attachments(attachment_ids)
@attachments = Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))
@attachments = Attachment.where("id in (?) or uuid in (?)", attachment_ids, attachment_ids)
end
def load_atme_receivers(receivers_login)


@ -0,0 +1,8 @@
class ChangeIdentityVerification < ActiveRecord::Migration[5.2]
def change
change_column :identity_verifications, :card_front, :string
change_column :identity_verifications, :card_back, :string
change_column :identity_verifications, :hold_card_front, :string
change_column :identity_verifications, :hold_card_back, :string
end
end
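Review bot: `change_column` inside `change` is not reversible — Rails has no record of the previous type, so rolling this migration back raises ActiveRecord::IrreversibleMigration. Split it into `up`/`down` (or wrap it in `reversible`) with the original `:integer` type on the way down. Whether the existing integer values survive the widening as digit strings depends on the adapter; that is worth checking on a copy of production data before deploying, since the IdentityVerification accessors rely on those values still resolving.
```ruby
def up
  change_column :identity_verifications, :card_front, :string
  # … unchanged: the other three change_column calls …
end

def down
  change_column :identity_verifications, :card_front, :integer
  change_column :identity_verifications, :card_back, :integer
  change_column :identity_verifications, :hold_card_front, :integer
  change_column :identity_verifications, :hold_card_back, :integer
end
```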