
fixed 解决安全问题访问附件,id改为uuid

pull/347/head
xxq250 2 years ago
parent
commit
2ea41d0100
5 changed files with 25 additions and 3 deletions
  1. +3
    -1
      app/controllers/attachments_controller.rb
  2. +1
    -1
      app/helpers/application_helper.rb
  3. +10
    -0
      app/models/issue.rb
  4. +10
    -0
      app/models/journal.rb
  5. +1
    -1
      app/views/attachments/create.json.jbuilder

+ 3
- 1
app/controllers/attachments_controller.rb View File

@@ -94,6 +94,7 @@ class AttachmentsController < ApplicationController
@attachment.author_id = current_user.id
@attachment.disk_directory = month_folder
@attachment.cloud_url = remote_path
@attachment.uuid = SecureRandom.uuid
@attachment.save!
else
logger.info "文件已存在,id = #{@attachment.id}, filename = #{@attachment.filename}"
@@ -147,8 +148,9 @@ class AttachmentsController < ApplicationController
if params[:type] == 'history'
AttachmentHistory.find params[:id]
else
Attachment.find params[:id] || Attachment.find_by(uuid: params[:id])
Attachment.find_by(id: params[:id]) || Attachment.find_by(uuid: params[:id])
end
tip_exception(404, "您访问的页面不存在或已被删除") if @file.blank?
end

def delete_file(file_path)
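Review bot: The new lookup line tries `Attachment.find_by(id: params[:id])` before the uuid lookup, and ActiveRecord casts a string against an integer column with `to_i` semantics, so a uuid such as `7c0e…` is queried as id 7 and, when that row exists, the uuid link silently serves someone else's attachment — the opposite of what this commit is for (uuids starting with a letter cast to nil/0 and fall through correctly, which is why this would only fail intermittently). Consult the id column only for purely numeric input, e.g. `key = params[:id].to_s` followed by `key.match?(/\A\d+\z/) ? Attachment.find_by(id: key) : Attachment.find_by(uuid: key)`. Keeping the numeric path at all also leaves legacy sequential links guessable, so unless the authorization check for downloads lives elsewhere (not visible in this hunk) it should be retired once existing links are migrated. The enclosing method starts outside the hunk.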


+ 1
- 1
app/helpers/application_helper.rb View File

@@ -299,7 +299,7 @@ module ApplicationHelper
end

def download_url attachment,options={}
attachment_path(attachment,options)
attachment&.uuid.present? ? attachment_path(attachment.uuid,options) : attachment_path(attachment,options)
end

# 耗时:天、小时、分、秒
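Review bot: The safe navigation in `attachment&.uuid.present?` guards only the uuid read; a nil attachment falls into `attachment_path(attachment, options)` on the same line and presumably fails there just as before, so the `&.` is misleading without being protective. The line reads more plainly as `attachment_path(attachment.uuid.presence || attachment, options)`. The id branch of this ternary also means every attachment created before this change keeps an enumerable numeric URL; a one-off backfill that assigns `SecureRandom.uuid` to rows whose uuid is nil would let the fallback be dropped rather than carried indefinitely.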


+ 10
- 0
app/models/issue.rb View File

@@ -248,6 +248,7 @@ class Issue < ApplicationRecord

# 关附件到功能
def associate_attachment_container
return if self.project_id == 0
att_ids = []
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
att_ids += self.description.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
@@ -256,6 +257,15 @@ class Issue < ApplicationRecord
if att_ids.present?
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
end

att_ids2 = []
# uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
# 附件的格式为(/api/attachments/ + uuid)的形式,提取出id进行附件属性关联,做附件访问权限控制
att_ids2 += self.description.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
att_ids2 += self.description.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
if att_ids2.present?
Attachment.where(uuid: att_ids2).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
end
end

def to_builder
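Review bot: The first of the two new scans (the `\(\/api\/attachments\/…\)` form) only matches strings that the bare `\/api\/attachments\/…` scan on the next line matches as well, so every parenthesised link lands in `att_ids2` twice and the first scan can be deleted; a `.uniq` on the result keeps the `IN` list tidy. The uuid pattern is spelled out twice per line here and again in journal.rb — hoisting it into one frozen constant such as `UUID_RE = /[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}/.freeze` would also retire the commented-out `uuid_regex` line. On the security side, `where(uuid: att_ids2)` is parameterised and the regex restricts values to hex and dashes, so nothing from the description reaches SQL unescaped; note that, like the id path above it, the update still re-parents any unattached attachment whose identifier appears in the text without checking who uploaded it — uuids merely make that identifier hard to guess.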


+ 10
- 0
app/models/journal.rb View File

@@ -61,6 +61,7 @@ class Journal < ApplicationRecord

# 关附件到功能
def associate_attachment_container
return if self.issue&.project_id.to_i == 0
att_ids = []
# 附件的格式为(/api/attachments/ + 附件id)的形式,提取出id进行附件属性关联,做附件访问权限控制
att_ids += self.notes.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
@@ -69,6 +70,15 @@ class Journal < ApplicationRecord
if att_ids.present?
Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
end

att_ids2 = []
# uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
# 附件的格式为(/api/attachments/ + uuid)的形式,提取出id进行附件属性关联,做附件访问权限控制
att_ids2 += self.description.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
att_ids2 += self.description.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
if att_ids2.present?
Attachment.where(uuid: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
end
end

def operate_content
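Review bot: The uuid branch added here never re-parents anything: the `where` inside the new `if att_ids2.present?` block queries `Attachment.where(uuid: att_ids)` with the numeric id list instead of `att_ids2`, so the uuid list is built and then discarded. The two scans above it also read `self.description`, whereas the existing id scan in this method uses `self.notes`; if Journal has no `description` attribute this raises NoMethodError on every save reaching this point, and if it does, it is not the text that carries the links. Both scans can additionally collapse into one, since the parenthesised form is a subset of the bare form. Rewritten block:
```ruby
# … unchanged: numeric-id scan and its update_all above …
uuid_re = /[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}/
att_ids2 = self.notes.to_s.scan(%r{/api/attachments/(#{uuid_re})}).flatten.uniq
if att_ids2.present?
  Attachment.where(uuid: att_ids2).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
end
```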


+ 1
- 1
app/views/attachments/create.json.jbuilder View File

@@ -1,4 +1,4 @@
json.id @attachment.id
json.id @attachment.uuid
json.title @attachment.title
json.filesize number_to_human_size(@attachment.filesize)
json.is_pdf @attachment.is_pdf?
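Review bot: `json.id @attachment.uuid` is nil whenever the upload took the "文件已存在" branch in attachments_controller.rb and the matched attachment predates this change, because only the new-record branch assigns `SecureRandom.uuid`; the client then receives `"id": null` and cannot build a link. Backfilling in that branch, e.g. `@attachment.update_column(:uuid, SecureRandom.uuid) if @attachment.uuid.blank?`, keeps the response consistent without re-exposing numeric ids. Reusing the `id` key for a uuid string is also a silent type change for API consumers; emitting a separate `json.uuid @attachment.uuid` alongside `id` would be backward compatible while the front end migrates.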

