fixed raw request.referer 防盗链

app/controllers/application_controller.rb

@@ -210,6 +210,10 @@ class ApplicationController < ActionController::Base
 		tip_exception(401, "请登录后再操作") unless User.current.logged?
 	end
 
+	def require_referer
+		tip_exception(403, "你没有权限访问") if request.host.present? && !request.referer.to_s.include?(request.host.to_s.gsub("www.",""))
+	end
+
 	def require_login_or_token
 		if params[:token].present?
 			user = User.try_to_autologin(params[:token])

app/controllers/repositories_controller.rb

@@ -13,6 +13,7 @@ class RepositoriesController < ApplicationController
   before_action :get_ref, only: %i[entries sub_entries top_counts files archive]
   before_action :get_latest_commit, only: %i[entries sub_entries top_counts]
   before_action :get_statistics, only: %i[top_counts]
+  before_action :require_referer, only: [:raw]
 
   def files
     result = @project.educoder? ? nil : Gitea::Repository::Files::GetService.call(@owner, @project.identifier, @ref, params[:search], @owner.gitea_token)