fixed 解决安全问题访问附件，id改为uuid，关联功能修改

2026-05-22 20:55:46 +08:00 · 2023-12-12 16:41:02 +08:00
parent 9a0809e45b
commit de1266ba6c
9 changed files with 27 additions and 18 deletions
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -69,6 +69,7 @@ class Attachment < ApplicationRecord
  scope :simple_columns,                -> { select(:id, :filename, :filesize, :created_on, :cloud_url, :author_id, :content_type, :container_type, :container_id) }
  scope :search_by_container,           -> (ids) {where(container_id: ids)}
  scope :unified_setting, -> {where("unified_setting = ? ", 1)}
+  scope :where_id_or_uuid, -> (id) { where("id = ? or uuid= ? ", id, id) }

  validates_length_of :description, maximum: 100, message: "不能超过100个字符"

--- a/app/models/identity_verification.rb
+++ b/app/models/identity_verification.rb
@@ -6,10 +6,10 @@
 #  user_id         :integer          not null
 #  number          :string(255)      not null
 #  name            :string(255)      not null
-#  card_front      :integer
-#  card_back       :integer
-#  hold_card_front :integer
-#  hold_card_back  :integer
+#  card_front      :string(255)
+#  card_back       :string(255)
+#  hold_card_front :string(255)
+#  hold_card_back  :string(255)
 #  state           :integer          default("0")
 #  description     :string(255)
 #  created_at      :datetime         not null
@@ -34,18 +34,18 @@ class IdentityVerification < ApplicationRecord
    end

    def card_front_attachment
-        Attachment.find_by_id card_front
+        Attachment.where_id_or_uuid.first card_front
    end
    
    def card_back_attachment
-        Attachment.find_by_id card_back
+        Attachment.where_id_or_uuid.first card_back
    end

    def hold_card_front_attachment
-        Attachment.find_by_id hold_card_front
+        Attachment.where_id_or_uuid.first hold_card_front
    end

    def hold_card_back_attachment
-        Attachment.find_by_id hold_card_back
+        Attachment.where_id_or_uuid hold_card_back
    end
 end
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -88,9 +88,9 @@ class Journal < ApplicationRecord
    when 'issue'
      return "创建了<b>疑修</b>"
    when 'attachment'
-      old_value = Attachment.where(id: detail.old_value.split(",")).pluck(:filename).join("、")
-      new_value = Attachment.where(id: detail.value.split(",")).pluck(:filename).join("、")
-      if old_value.nil? || old_value.blank? 
+      old_value = Attachment.where("id in (?) or uuid in (?)", detail.old_value.to_s.split(","), detail.old_value.to_s.split(",")).pluck(:filename).join("、")
+      new_value = Attachment.where("id in (?) or uuid in (?)", detail.value.to_s.split(","), detail.value.to_s.split(",")).pluck(:filename).join("、")
+      if old_value.nil? || old_value.blank?
        content += "添加了<b>#{new_value}</b>附件"
      else 
        new_value = "无" if new_value.blank?