From 4126ea7b4e3806b9789070204d5908d22ca79632 Mon Sep 17 00:00:00 2001 From: "vilet.yy" Date: Tue, 22 Jun 2021 15:54:42 +0800 Subject: [PATCH] fix: some bug from security --- app/controllers/issues_controller.rb | 5 +++++ app/models/concerns/project_operable.rb | 2 +- app/services/projects/create_service.rb | 5 +++++ app/services/projects/migrate_service.rb | 5 +++++ config/initializers/session_store.rb | 2 +- 5 files changed, 17 insertions(+), 2 deletions(-) diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb index 5fb45a0b4..9780d4729 100644 --- a/app/controllers/issues_controller.rb +++ b/app/controllers/issues_controller.rb @@ -3,6 +3,7 @@ class IssuesController < ApplicationController before_action :load_project before_action :set_user before_action :check_issue_permission + before_action :operate_issue_permission, only:[:create, :update, :destroy, :clean, :series_update] before_action :check_project_public, only: [:index ,:show, :copy, :index_chosen, :close_issue] before_action :set_issue, only: [:edit, :update, :destroy, :show, :copy, :close_issue, :lock_issue] @@ -412,6 +413,10 @@ class IssuesController < ApplicationController end end + def operate_issue_permission + return render_forbidden("您没有权限进行此操作.") unless current_user.admin? || @project.member?(current_user) + end + def export_issues(issues) @table_columns = %w(ID 类型 标题 描述 状态 指派给 优先级 标签 发布人 创建时间 里程碑 开始时间 截止时间 完成度 分类 金额 属于) @export_issues = [] diff --git a/app/models/concerns/project_operable.rb b/app/models/concerns/project_operable.rb index 79d099a2e..a228a7028 100644 --- a/app/models/concerns/project_operable.rb +++ b/app/models/concerns/project_operable.rb @@ -94,7 +94,7 @@ module ProjectOperable end def operator?(user) - user.admin? || !reporter?(user) + user.admin? || (member?(user.id) && !reporter?(user)) end def set_developer_role(member, role_name) diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb index f014b8d7f..e7e4924ae 100644 --- a/app/services/projects/create_service.rb +++ b/app/services/projects/create_service.rb @@ -8,6 +8,7 @@ class Projects::CreateService < ApplicationService def call Rails.logger.info("#############__________project_params______###########{project_params}") + raise Error, "user_id不正确." unless authroize_user_id_success @project = Project.new(project_params) ActiveRecord::Base.transaction do @@ -27,6 +28,10 @@ class Projects::CreateService < ApplicationService private + def authroize_user_id_success + (user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?) + end + def project_params { name: params[:name], diff --git a/app/services/projects/migrate_service.rb b/app/services/projects/migrate_service.rb index 7df08f9eb..68ed9f642 100644 --- a/app/services/projects/migrate_service.rb +++ b/app/services/projects/migrate_service.rb @@ -8,6 +8,8 @@ class Projects::MigrateService < ApplicationService end def call + raise Error, "user_id不正确." unless authroize_user_id_success + @project = Project.new(project_params) if @project.save! ProjectUnit.init_types(@project.id, project.project_type) @@ -24,6 +26,9 @@ class Projects::MigrateService < ApplicationService end private + def authroize_user_id_success + (user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?) + end def project_params { diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index def30285a..12faf10f2 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -4,5 +4,5 @@ # Rails.application.config.session_store :active_record_store # Be sure to restart your server when you modify this file. -Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => false, :secure => false, key: '_educoder_session', domain: :all +Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => true, :secure => false, key: '_educoder_session', domain: :all