fixed 解决安全问题访问附件,id改为uuid,关联功能修改
This commit is contained in:
parent
9a0809e45b
commit
de1266ba6c
|
@ -139,7 +139,7 @@ class IssuesController < ApplicationController
|
||||||
SendTemplateMessageJob.perform_later('ProjectIssue', current_user.id, @issue&.id) if Site.has_notice_menu?
|
SendTemplateMessageJob.perform_later('ProjectIssue', current_user.id, @issue&.id) if Site.has_notice_menu?
|
||||||
if params[:attachment_ids].present?
|
if params[:attachment_ids].present?
|
||||||
params[:attachment_ids].each do |id|
|
params[:attachment_ids].each do |id|
|
||||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||||
unless attachment.blank?
|
unless attachment.blank?
|
||||||
attachment.container = @issue
|
attachment.container = @issue
|
||||||
attachment.author_id = current_user.id
|
attachment.author_id = current_user.id
|
||||||
|
@ -232,7 +232,7 @@ class IssuesController < ApplicationController
|
||||||
if issue_files.present?
|
if issue_files.present?
|
||||||
change_files = true
|
change_files = true
|
||||||
issue_files.each do |id|
|
issue_files.each do |id|
|
||||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||||
unless attachment.blank?
|
unless attachment.blank?
|
||||||
attachment.container = @issue
|
attachment.container = @issue
|
||||||
attachment.author_id = current_user.id
|
attachment.author_id = current_user.id
|
||||||
|
|
|
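Review bot: The `&.first` on the new `Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first` line is dead: `where` and `select` return a relation, never nil, so the safe-navigation operator only obscures intent and plain `.first` is enough. The identical lookup loop appears in the second IssuesController hunk, in JournalsController and in VersionReleasesController#create_attachments; one class method on Attachment (e.g. `def self.find_by_id_or_uuid(id) = where_id_or_uuid(id).first`) would keep the lookup rule in a single place. Nothing in these hunks verifies that the found attachment is still unattached or was uploaded by current_user before `attachment.container = @issue` is assigned; the selected `:container_id, :container_type` columns suggest such a check follows, but the loop body continues outside the hunk, so confirm it is there.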
@ -35,7 +35,7 @@ class JournalsController < ApplicationController
|
||||||
if journal.save
|
if journal.save
|
||||||
if params[:attachment_ids].present?
|
if params[:attachment_ids].present?
|
||||||
params[:attachment_ids].each do |id|
|
params[:attachment_ids].each do |id|
|
||||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||||
unless attachment.blank?
|
unless attachment.blank?
|
||||||
attachment.container = journal
|
attachment.container = journal
|
||||||
attachment.author_id = current_user.id
|
attachment.author_id = current_user.id
|
||||||
|
|
|
@ -152,7 +152,7 @@ class VersionReleasesController < ApplicationController
|
||||||
|
|
||||||
def create_attachments(attachment_ids, target)
|
def create_attachments(attachment_ids, target)
|
||||||
attachment_ids.each do |id|
|
attachment_ids.each do |id|
|
||||||
attachment = Attachment.select(:id, :container_id, :container_type).where(id: id).or(Attachment.where(uuid: id))&.first
|
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||||
unless attachment.blank?
|
unless attachment.blank?
|
||||||
attachment.container = target
|
attachment.container = target
|
||||||
attachment.author_id = current_user.id
|
attachment.author_id = current_user.id
|
||||||
|
|
|
@ -69,6 +69,7 @@ class Attachment < ApplicationRecord
|
||||||
scope :simple_columns, -> { select(:id, :filename, :filesize, :created_on, :cloud_url, :author_id, :content_type, :container_type, :container_id) }
|
scope :simple_columns, -> { select(:id, :filename, :filesize, :created_on, :cloud_url, :author_id, :content_type, :container_type, :container_id) }
|
||||||
scope :search_by_container, -> (ids) {where(container_id: ids)}
|
scope :search_by_container, -> (ids) {where(container_id: ids)}
|
||||||
scope :unified_setting, -> {where("unified_setting = ? ", 1)}
|
scope :unified_setting, -> {where("unified_setting = ? ", 1)}
|
||||||
|
scope :where_id_or_uuid, -> (id) { where("id = ? or uuid= ? ", id, id) }
|
||||||
|
|
||||||
validates_length_of :description, maximum: 100, message: "不能超过100个字符"
|
validates_length_of :description, maximum: 100, message: "不能超过100个字符"
|
||||||
|
|
||||||
|
|
|
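Review bot: The new `where_id_or_uuid` scope sends the same value to both `id = ?` (integer column) and `uuid= ?` (string column), so a uuid string is also compared against `id`. If the database is MySQL (the `default("0")` in the annotation elsewhere in this commit hints at it), a non-numeric string silently casts to 0 and a string with a leading digit run casts to that number, so a uuid such as `123abc...` can resolve to attachment 123 instead of the uuid's owner; on PostgreSQL the same comparison raises instead. Branching on the value's shape avoids both cases: `scope :where_id_or_uuid, ->(id) { id.to_s.match?(/\A\d+\z/) ? where(id: id) : where(uuid: id) }`. The raw `id in (?) or uuid in (?)` and `id=? or uuid=?` queries added in Journal, Checkable and Loadable have the same mixed-type comparison, and if the intent of the commit is to stop numeric enumeration of attachments the integer branch would need to be retired rather than kept alongside the uuid one.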
@ -6,10 +6,10 @@
|
||||||
# user_id :integer not null
|
# user_id :integer not null
|
||||||
# number :string(255) not null
|
# number :string(255) not null
|
||||||
# name :string(255) not null
|
# name :string(255) not null
|
||||||
# card_front :integer
|
# card_front :string(255)
|
||||||
# card_back :integer
|
# card_back :string(255)
|
||||||
# hold_card_front :integer
|
# hold_card_front :string(255)
|
||||||
# hold_card_back :integer
|
# hold_card_back :string(255)
|
||||||
# state :integer default("0")
|
# state :integer default("0")
|
||||||
# description :string(255)
|
# description :string(255)
|
||||||
# created_at :datetime not null
|
# created_at :datetime not null
|
||||||
|
@ -34,18 +34,18 @@ class IdentityVerification < ApplicationRecord
|
||||||
end
|
end
|
||||||
|
|
||||||
def card_front_attachment
|
def card_front_attachment
|
||||||
Attachment.find_by_id card_front
|
Attachment.where_id_or_uuid.first card_front
|
||||||
end
|
end
|
||||||
|
|
||||||
def card_back_attachment
|
def card_back_attachment
|
||||||
Attachment.find_by_id card_back
|
Attachment.where_id_or_uuid.first card_back
|
||||||
end
|
end
|
||||||
|
|
||||||
def hold_card_front_attachment
|
def hold_card_front_attachment
|
||||||
Attachment.find_by_id hold_card_front
|
Attachment.where_id_or_uuid.first hold_card_front
|
||||||
end
|
end
|
||||||
|
|
||||||
def hold_card_back_attachment
|
def hold_card_back_attachment
|
||||||
Attachment.find_by_id hold_card_back
|
Attachment.where_id_or_uuid hold_card_back
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
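Review bot: `Attachment.where_id_or_uuid.first card_front` on the card_front_attachment line calls the scope with no argument — the scope's lambda takes exactly one, so this raises ArgumentError at runtime — and would then pass `card_front` to `first`, where it is read as a limit rather than a lookup key; card_back_attachment and hold_card_front_attachment have the same shape, and hold_card_back_attachment returns a relation (`Attachment.where_id_or_uuid hold_card_back`) where the replaced `find_by_id` returned a record or nil. All four should read like `Attachment.where_id_or_uuid(card_front).first` with the matching column. The column type change to string in the annotation header and the migration is consistent with uuid values, but existing rows keep numeric strings and will only resolve through the `id = ?` branch of the scope.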
@ -88,9 +88,9 @@ class Journal < ApplicationRecord
|
||||||
when 'issue'
|
when 'issue'
|
||||||
return "创建了<b>疑修</b>"
|
return "创建了<b>疑修</b>"
|
||||||
when 'attachment'
|
when 'attachment'
|
||||||
old_value = Attachment.where(id: detail.old_value.split(",")).pluck(:filename).join("、")
|
old_value = Attachment.where("id in (?) or uuid in (?)", detail.old_value.to_s.split(","), detail.old_value.to_s.split(",")).pluck(:filename).join("、")
|
||||||
new_value = Attachment.where(id: detail.value.split(",")).pluck(:filename).join("、")
|
new_value = Attachment.where("id in (?) or uuid in (?)", detail.value.to_s.split(","), detail.value.to_s.split(",")).pluck(:filename).join("、")
|
||||||
if old_value.nil? || old_value.blank?
|
if old_value.nil? || old_value.blank?
|
||||||
content += "添加了<b>#{new_value}</b>附件"
|
content += "添加了<b>#{new_value}</b>附件"
|
||||||
else
|
else
|
||||||
new_value = "无" if new_value.blank?
|
new_value = "无" if new_value.blank?
|
||||||
|
|
|
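Review bot: The two new `Attachment.where("id in (?) or uuid in (?)", ...)` lines each split the same string twice; naming the list once reads better and avoids the duplicate work: `old_ids = detail.old_value.to_s.split(",")` followed by `old_value = Attachment.where("id in (?) or uuid in (?)", old_ids, old_ids).pluck(:filename).join("、")`, and likewise for `detail.value`. The added `.to_s` is a good nil guard over the replaced `detail.old_value.split(",")`. The `old_value.nil? || old_value.blank?` test on the following line is pre-existing and reduces to `old_value.blank?`; the enclosing `case` continues outside the hunk.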
@ -31,8 +31,8 @@ module Api::V1::Issues::Concerns::Checkable
|
||||||
def check_attachments (attachment_ids)
|
def check_attachments (attachment_ids)
|
||||||
raise ApplicationService::Error, "请输入正确的附件ID数组!" unless attachment_ids.is_a?(Array)
|
raise ApplicationService::Error, "请输入正确的附件ID数组!" unless attachment_ids.is_a?(Array)
|
||||||
attachment_ids.each do |aid|
|
attachment_ids.each do |aid|
|
||||||
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.exists?(id: aid) || Attachment.exists?(uuid: aid)
|
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.where("id=? or uuid=?", aid, aid).exists?
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_atme_receivers(receivers_login)
|
def check_atme_receivers(receivers_login)
|
||||||
|
|
|
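Review bot: `Attachment.where("id=? or uuid=?", aid, aid).exists?` duplicates the `where_id_or_uuid` scope this same commit adds to Attachment; `Attachment.where_id_or_uuid(aid).exists?` keeps the id-or-uuid rule in one place so a later tightening applies here too. The check only proves that some attachment with that id or uuid exists; whether the caller must also own it or it must still be unattached before it is bound to an issue is not visible from this hunk, and the error message would stay the same either way.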
@ -9,7 +9,7 @@ module Api::V1::Issues::Concerns::Loadable
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_attachments(attachment_ids)
|
def load_attachments(attachment_ids)
|
||||||
@attachments = Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))
|
@attachments = Attachment.where("id in (?) or uuid in (?)", attachment_ids, attachment_ids)
|
||||||
end
|
end
|
||||||
|
|
||||||
def load_atme_receivers(receivers_login)
|
def load_atme_receivers(receivers_login)
|
||||||
|
|
|
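Review bot: The replaced `Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))` already built the same OR query through the query builder (the migration in this commit targets Rails 5.2, which supports `.or`), so the raw `where("id in (?) or uuid in (?)", attachment_ids, attachment_ids)` string trades typed predicates for SQL text without an evident gain. If the change is meant to align with the new `where_id_or_uuid` scope, note that the scope takes a single id while `load_attachments` receives a list, so the relation form is the one worth keeping here. `load_attachments` assigns `@attachments` without checking that every id resolved; if that is delegated to `check_attachments`, a one-line comment saying so would help the next reader.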
@ -0,0 +1,8 @@
|
||||||
|
class ChangeIdentityVerification < ActiveRecord::Migration[5.2]
|
||||||
|
def change
|
||||||
|
change_column :identity_verifications, :card_front, :string
|
||||||
|
change_column :identity_verifications, :card_back, :string
|
||||||
|
change_column :identity_verifications, :hold_card_front, :string
|
||||||
|
change_column :identity_verifications, :hold_card_back, :string
|
||||||
|
end
|
||||||
|
end
|
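Review bot: `change_column` is not reversible inside `def change`, so rolling back this migration raises ActiveRecord::IrreversibleMigration; write it as `up`/`down` (or wrap it in `reversible`) with the original `:integer` type in `down`. The migration also widens four columns that `IdentityVerification` now reads through the `id = ? or uuid = ?` lookup; existing numeric values survive the cast to string and still match the `id` branch, so no backfill is needed unless numeric attachment ids are to be retired.
```ruby
class ChangeIdentityVerification < ActiveRecord::Migration[5.2]
  COLUMNS = %i[card_front card_back hold_card_front hold_card_back].freeze

  def up
    COLUMNS.each { |col| change_column :identity_verifications, col, :string }
  end

  def down
    COLUMNS.each { |col| change_column :identity_verifications, col, :integer }
  end
end
```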