fixed 解决安全问题访问附件,id改为uuid,关联功能修改
parent
9a0809e45b
commit
de1266ba6c
|
@ -139,7 +139,7 @@ class IssuesController < ApplicationController
|
|||
SendTemplateMessageJob.perform_later('ProjectIssue', current_user.id, @issue&.id) if Site.has_notice_menu?
|
||||
if params[:attachment_ids].present?
|
||||
params[:attachment_ids].each do |id|
|
||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
||||
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||
unless attachment.blank?
|
||||
attachment.container = @issue
|
||||
attachment.author_id = current_user.id
|
||||
|
@ -232,7 +232,7 @@ class IssuesController < ApplicationController
|
|||
if issue_files.present?
|
||||
change_files = true
|
||||
issue_files.each do |id|
|
||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
||||
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||
unless attachment.blank?
|
||||
attachment.container = @issue
|
||||
attachment.author_id = current_user.id
|
||||
|
|
|
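Review bot: The new lookup `Attachment.where_id_or_uuid(id)` still matches on the integer `id` column, so the guessable sequential ids the commit title says it is moving away from are still accepted from `params[:attachment_ids]` and from `issue_files`, and nothing visible in either hunk checks that the attachment belongs to `current_user` or is still unattached before `attachment.container = @issue` re-parents it and `attachment.author_id` is overwritten. For identifiers that arrive from the request I would look up by uuid only and scope the query to the caller, e.g. `attachment = Attachment.where(uuid: id, author_id: current_user.id).select(:id, :container_id, :container_type).first`, or at least skip rows whose `container_id` is already set. If the backing database is MySQL, binding a uuid string against `id = ?` compares numerically, so a uuid that starts with digits (`'9f…'`) can match the row with `id = 9`, which is a further reason not to run uuids through the integer column. Both hunks end before the save, so any check performed there is not visible here.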
@ -35,7 +35,7 @@ class JournalsController < ApplicationController
|
|||
if journal.save
|
||||
if params[:attachment_ids].present?
|
||||
params[:attachment_ids].each do |id|
|
||||
attachment = Attachment.select(:id, :container_id, :container_type)&.find_by_id(id)
|
||||
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||
unless attachment.blank?
|
||||
attachment.container = journal
|
||||
attachment.author_id = current_user.id
|
||||
|
|
|
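Review bot: The uuid-or-id lookup on the new `attachment =` line does not establish that the caller may use the attachment: any row whose id or uuid is known is re-parented onto the journal and its `author_id` is replaced by `current_user.id`, and no ownership or "not yet attached" check is visible in the hunk. Since these ids come straight from `params[:attachment_ids]`, I would resolve them by uuid and author only, `attachment = Attachment.where(uuid: id, author_id: current_user.id).select(:id, :container_id, :container_type).first`, leaving integer-id resolution to internal callers. The `unless attachment.blank?` branch continues past the end of the hunk, so a check further down would not show here.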
@ -152,7 +152,7 @@ class VersionReleasesController < ApplicationController
|
|||
|
||||
def create_attachments(attachment_ids, target)
|
||||
attachment_ids.each do |id|
|
||||
attachment = Attachment.select(:id, :container_id, :container_type).where(id: id).or(Attachment.where(uuid: id))&.first
|
||||
attachment = Attachment.where_id_or_uuid(id).select(:id, :container_id, :container_type)&.first
|
||||
unless attachment.blank?
|
||||
attachment.container = target
|
||||
attachment.author_id = current_user.id
|
||||
|
|
|
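Review bot: `create_attachments` now issues one query per element of `attachment_ids` through `where_id_or_uuid`, and like the previous `.or(...)` form it assigns `target` and `current_user.id` to whatever row the id resolves to without checking who uploaded it or whether it is already attached elsewhere. A single scoped query would cover both concerns: `Attachment.where(uuid: attachment_ids, author_id: current_user.id).select(:id, :container_id, :container_type).each do |attachment|`, followed by the existing container/author assignment. The body of the method runs past the end of the hunk, so the save and any later validation are not visible here.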
@ -69,6 +69,7 @@ class Attachment < ApplicationRecord
|
|||
scope :simple_columns, -> { select(:id, :filename, :filesize, :created_on, :cloud_url, :author_id, :content_type, :container_type, :container_id) }
|
||||
scope :search_by_container, -> (ids) {where(container_id: ids)}
|
||||
scope :unified_setting, -> {where("unified_setting = ? ", 1)}
|
||||
scope :where_id_or_uuid, -> (id) { where("id = ? or uuid= ? ", id, id) }
|
||||
|
||||
validates_length_of :description, maximum: 100, message: "不能超过100个字符"
|
||||
|
||||
|
|
|
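Review bot: The new `where_id_or_uuid` scope binds the same value to both `id = ?` and `uuid = ?`, so it still resolves plain integer ids — which keeps the sequential-id enumeration the commit title is trying to close — and, on MySQL, a uuid string bound to the integer column is compared numerically, so `'9f3a…'` matches `id = 9`. I would route the value to one column based on its shape, `scope :where_id_or_uuid, ->(id) { id.to_s.match?(/\A\d+\z/) ? where(id: id) : where(uuid: id) }`, and add a comment that integer lookup exists only for legacy rows such as the `identity_verifications` columns migrated in this commit, not for request-supplied identifiers. Whether the MySQL coercion applies depends on the adapter, which is not visible here.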
@ -6,10 +6,10 @@
|
|||
# user_id :integer not null
|
||||
# number :string(255) not null
|
||||
# name :string(255) not null
|
||||
# card_front :integer
|
||||
# card_back :integer
|
||||
# hold_card_front :integer
|
||||
# hold_card_back :integer
|
||||
# card_front :string(255)
|
||||
# card_back :string(255)
|
||||
# hold_card_front :string(255)
|
||||
# hold_card_back :string(255)
|
||||
# state :integer default("0")
|
||||
# description :string(255)
|
||||
# created_at :datetime not null
|
||||
|
@ -34,18 +34,18 @@ class IdentityVerification < ApplicationRecord
|
|||
end
|
||||
|
||||
def card_front_attachment
|
||||
Attachment.find_by_id card_front
|
||||
Attachment.where_id_or_uuid.first card_front
|
||||
end
|
||||
|
||||
def card_back_attachment
|
||||
Attachment.find_by_id card_back
|
||||
Attachment.where_id_or_uuid.first card_back
|
||||
end
|
||||
|
||||
def hold_card_front_attachment
|
||||
Attachment.find_by_id hold_card_front
|
||||
Attachment.where_id_or_uuid.first hold_card_front
|
||||
end
|
||||
|
||||
def hold_card_back_attachment
|
||||
Attachment.find_by_id hold_card_back
|
||||
Attachment.where_id_or_uuid hold_card_back
|
||||
end
|
||||
end
|
||||
|
|
|
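Review bot: The three `Attachment.where_id_or_uuid.first card_front` style calls will raise at runtime: the scope is a one-argument lambda, so calling it with no arguments fails with `ArgumentError`, and `first card_front` would pass the stored value as a limit rather than a lookup key. `hold_card_back_attachment` has a different problem — it returns the relation, not a record, because the `.first` is missing. Each of the four methods should read `Attachment.where_id_or_uuid(card_front).first` with the matching column, and a short comment noting that these columns hold either a legacy integer id or a uuid after this commit's migration would explain why the dual-column scope is used here.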
@ -88,8 +88,8 @@ class Journal < ApplicationRecord
|
|||
when 'issue'
|
||||
return "创建了<b>疑修</b>"
|
||||
when 'attachment'
|
||||
old_value = Attachment.where(id: detail.old_value.split(",")).pluck(:filename).join("、")
|
||||
new_value = Attachment.where(id: detail.value.split(",")).pluck(:filename).join("、")
|
||||
old_value = Attachment.where("id in (?) or uuid in (?)", detail.old_value.to_s.split(","), detail.old_value.to_s.split(",")).pluck(:filename).join("、")
|
||||
new_value = Attachment.where("id in (?) or uuid in (?)", detail.value.to_s.split(","), detail.value.to_s.split(",")).pluck(:filename).join("、")
|
||||
if old_value.nil? || old_value.blank?
|
||||
content += "添加了<b>#{new_value}</b>附件"
|
||||
else
|
||||
|
|
|
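Review bot: The new `old_value`/`new_value` lines pluck attachment filenames — uploader-controlled text — and the following line interpolates them into `"添加了<b>#{new_value}</b>附件"`, so if this content is later emitted as raw HTML (the embedded `<b>` suggests it is) a filename such as `<img src=x onerror=…>` becomes stored XSS. Escape each name before joining: `.pluck(:filename).map { |f| ERB::Util.html_escape(f) }.join("、")` on both lines. Separately, if the database is MySQL, `id in (?)` bound to uuid strings compares numerically and can pick up unrelated rows whose id equals a uuid's leading digits, so splitting the list into numeric and non-numeric values and querying `id` and `uuid` with typed `where(id: …)`/`where(uuid: …)` would be safer.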
@ -31,7 +31,7 @@ module Api::V1::Issues::Concerns::Checkable
|
|||
def check_attachments (attachment_ids)
|
||||
raise ApplicationService::Error, "请输入正确的附件ID数组!" unless attachment_ids.is_a?(Array)
|
||||
attachment_ids.each do |aid|
|
||||
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.exists?(id: aid) || Attachment.exists?(uuid: aid)
|
||||
raise ApplicationService::Error, "请输入正确的附件ID!" unless Attachment.where("id=? or uuid=?", aid, aid).exists?
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
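Review bot: `check_attachments` only verifies that some attachment row has the given id or uuid; it does not verify that the caller is allowed to attach it, and it still accepts integer ids, so the check passes for any guessed sequential id. If `current_user` is reachable from the including controller, scoping the existence check to the uploader (`Attachment.where(uuid: aid, author_id: current_user.id).exists?`) would make this a real authorization check rather than an existence check — I cannot see from here what the concern has in scope. The per-id loop could also collapse into one query, `Attachment.where(uuid: attachment_ids).count == attachment_ids.uniq.size`, which avoids N round trips for large arrays.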
@ -9,7 +9,7 @@ module Api::V1::Issues::Concerns::Loadable
|
|||
end
|
||||
|
||||
def load_attachments(attachment_ids)
|
||||
@attachments = Attachment.where(id: attachment_ids).or(Attachment.where(uuid: attachment_ids))
|
||||
@attachments = Attachment.where("id in (?) or uuid in (?)", attachment_ids, attachment_ids)
|
||||
end
|
||||
|
||||
def load_atme_receivers(receivers_login)
|
||||
|
|
|
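Review bot: `load_attachments` replaces two typed `where` calls with a raw `"id in (?) or uuid in (?)"` predicate, which on MySQL compares uuid strings against the integer `id` column numerically, so an array containing `'9f…'` would also load `id = 9` even though the caller never referenced it; because `check_attachments` uses the same predicate, that extra row would pass validation too. Partition the input by shape and keep the typed form: `nums, uuids = attachment_ids.partition { |v| v.to_s.match?(/\A\d+\z/) }` then `@attachments = Attachment.where(id: nums).or(Attachment.where(uuid: uuids))`. Whether the coercion applies depends on the adapter, which is not shown here.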
@ -0,0 +1,8 @@
|
|||
class ChangeIdentityVerification < ActiveRecord::Migration[5.2]
|
||||
def change
|
||||
change_column :identity_verifications, :card_front, :string
|
||||
change_column :identity_verifications, :card_back, :string
|
||||
change_column :identity_verifications, :hold_card_front, :string
|
||||
change_column :identity_verifications, :hold_card_back, :string
|
||||
end
|
||||
end
|
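Review bot: `change_column` inside `def change` cannot be reversed, so `db:rollback` of this migration raises `ActiveRecord::IrreversibleMigration`; the old column types are known from the schema annotation in this commit, so an explicit `up`/`down` pair is straightforward. It is also worth a comment that the conversion keeps existing integer ids as digit strings, which is why the new `where_id_or_uuid` scope must keep resolving integer ids until these rows are backfilled with uuids.
```ruby
def up
  change_column :identity_verifications, :card_front, :string
  change_column :identity_verifications, :card_back, :string
  change_column :identity_verifications, :hold_card_front, :string
  change_column :identity_verifications, :hold_card_back, :string
end

def down
  change_column :identity_verifications, :card_front, :integer
  change_column :identity_verifications, :card_back, :integer
  change_column :identity_verifications, :hold_card_front, :integer
  change_column :identity_verifications, :hold_card_back, :integer
end
```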