fixed 解决安全问题访问附件，id改为uuid，关联功能修改

2026-05-03 03:40:49 +08:00 · 2023-12-12 16:41:02 +08:00
parent 9a0809e45b
commit de1266ba6c
9 changed files with 27 additions and 18 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -139,7 +139,7 @@ class IssuesController < ApplicationController
      SendTemplateMessageJob.perform_later('ProjectIssue', current_user.id, @issue&.id) if Site.has_notice_menu?
      if params[:attachment_ids].present?
        params[:attachment_ids].each do |id|
-          attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
+          attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
          unless attachment.blank?
            attachment.container = @issue
            attachment.author_id = current_user.id
@@ -232,7 +232,7 @@ class IssuesController < ApplicationController
    if issue_files.present?
      change_files = true
      issue_files.each do |id|
-        attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
+        attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
        unless attachment.blank?
          attachment.container = @issue
          attachment.author_id = current_user.id
--- a/app/controllers/journals_controller.rb
+++ b/app/controllers/journals_controller.rb
@@ -35,7 +35,7 @@ class JournalsController < ApplicationController
        if journal.save
          if params[:attachment_ids].present?
            params[:attachment_ids].each do |id|
-              attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
+              attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
              unless attachment.blank?
                attachment.container = journal
                attachment.author_id = current_user.id
--- a/app/controllers/version_releases_controller.rb
+++ b/app/controllers/version_releases_controller.rb
@@ -152,7 +152,7 @@ class VersionReleasesController < ApplicationController

  def create_attachments(attachment_ids, target)
    attachment_ids.each do |id|
-      attachment = Attachment.select(:id, :container_id, :container_type).where(id: id).or(Attachment.where(uuid: id))&.first
+      attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
      unless attachment.blank?
        attachment.container = target
        attachment.author_id = current_user.id