fix: some bug from security

2021-06-22 15:54:42 +08:00 · 2021-06-22 15:54:42 +08:00 · 4126ea7b4e
parent 526920f564
commit 4126ea7b4e
5 changed files with 17 additions and 2 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@ -3,6 +3,7 @@ class IssuesController < ApplicationController
  before_action :load_project
  before_action :set_user
  before_action :check_issue_permission
+  before_action :operate_issue_permission, only:[:create, :update, :destroy, :clean, :series_update]
  before_action :check_project_public, only: [:index ,:show, :copy, :index_chosen, :close_issue]

  before_action :set_issue, only: [:edit, :update, :destroy, :show, :copy, :close_issue, :lock_issue]
@ -412,6 +413,10 @@ class IssuesController < ApplicationController
    end
  end

+  def operate_issue_permission
+    return render_forbidden("您没有权限进行此操作.") unless current_user.admin? || @project.member?(current_user)
+  end
+  
  def export_issues(issues)
    @table_columns = %w(ID 类型 标题	描述	状态	指派给	优先级 标签 发布人 创建时间 里程碑 开始时间 截止时间 完成度 分类 金额 属于)
    @export_issues = []
--- a/app/models/concerns/project_operable.rb
+++ b/app/models/concerns/project_operable.rb
@ -94,7 +94,7 @@ module ProjectOperable
  end

  def operator?(user)
-    user.admin? || !reporter?(user) 
+    user.admin? || (member?(user.id) && !reporter?(user))
  end

  def set_developer_role(member, role_name)
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@ -8,6 +8,7 @@ class Projects::CreateService < ApplicationService

  def call
    Rails.logger.info("#############__________project_params______###########{project_params}")
+    raise Error, "user_id不正确." unless authroize_user_id_success

    @project = Project.new(project_params)
    ActiveRecord::Base.transaction do
@ -27,6 +28,10 @@ class Projects::CreateService < ApplicationService

  private

+  def authroize_user_id_success 
+    (user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?)
+  end
+
  def project_params
    {
      name: params[:name],
--- a/app/services/projects/migrate_service.rb
+++ b/app/services/projects/migrate_service.rb
@ -8,6 +8,8 @@ class Projects::MigrateService < ApplicationService
  end

  def call
+    raise Error, "user_id不正确." unless authroize_user_id_success
+    
    @project = Project.new(project_params)
    if @project.save!
      ProjectUnit.init_types(@project.id, project.project_type)
@ -24,6 +26,9 @@ class Projects::MigrateService < ApplicationService
  end

  private
+  def authroize_user_id_success 
+    (user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?)
+  end

  def project_params
    {
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -4,5 +4,5 @@
 # Rails.application.config.session_store :active_record_store

 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => false, :secure => false, key: '_educoder_session', domain: :all
+Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => true, :secure => false, key: '_educoder_session', domain: :all