Gitlink
/
forgeplus
33
1
Fork 58
Code Issues 1 Pull Requests 1 Packages Releases 15 Wiki Activity

fix: some bug from security

This commit is contained in:
vilet.yy 2021-06-22 15:54:42 +08:00
parent 526920f564
commit 4126ea7b4e
5 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/issues_controller.rb
View File

@ -3,6 +3,7 @@ class IssuesController < ApplicationController
before_action :load_project before_action :load_project
before_action :set_user before_action :set_user
before_action :check_issue_permission before_action :check_issue_permission
before_action :operate_issue_permission, only:[:create, :update, :destroy, :clean, :series_update]
before_action :check_project_public, only: [:index ,:show, :copy, :index_chosen, :close_issue] before_action :check_project_public, only: [:index ,:show, :copy, :index_chosen, :close_issue]
before_action :set_issue, only: [:edit, :update, :destroy, :show, :copy, :close_issue, :lock_issue] before_action :set_issue, only: [:edit, :update, :destroy, :show, :copy, :close_issue, :lock_issue]
@ -412,6 +413,10 @@ class IssuesController < ApplicationController
end end
end end
def operate_issue_permission
return render_forbidden("您没有权限进行此操作.") unless current_user.admin? || @project.member?(current_user)
end
def export_issues(issues) def export_issues(issues)
@table_columns = %w(ID 类型 标题 描述 状态 指派给 优先级 标签 发布人 创建时间 里程碑 开始时间 截止时间 完成度 分类 金额 属于) @table_columns = %w(ID 类型 标题 描述 状态 指派给 优先级 标签 发布人 创建时间 里程碑 开始时间 截止时间 完成度 分类 金额 属于)
@export_issues = [] @export_issues = []

2
app/models/concerns/project_operable.rb
View File

@ -94,7 +94,7 @@ module ProjectOperable
end end
def operator?(user) def operator?(user)
user.admin? || !reporter?(user) user.admin? || (member?(user.id) && !reporter?(user))
end end
def set_developer_role(member, role_name) def set_developer_role(member, role_name)

5
app/services/projects/create_service.rb
View File

@ -8,6 +8,7 @@ class Projects::CreateService < ApplicationService
def call def call
Rails.logger.info("#############__________project_params______###########{project_params}") Rails.logger.info("#############__________project_params______###########{project_params}")
raise Error, "user_id不正确." unless authroize_user_id_success
@project = Project.new(project_params) @project = Project.new(project_params)
ActiveRecord::Base.transaction do ActiveRecord::Base.transaction do
@ -27,6 +28,10 @@ class Projects::CreateService < ApplicationService
private private
def authroize_user_id_success
(user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?)
end
def project_params def project_params
{ {
name: params[:name], name: params[:name],

5
app/services/projects/migrate_service.rb
View File

@ -8,6 +8,8 @@ class Projects::MigrateService < ApplicationService
end end
def call def call
raise Error, "user_id不正确." unless authroize_user_id_success
@project = Project.new(project_params) @project = Project.new(project_params)
if @project.save! if @project.save!
ProjectUnit.init_types(@project.id, project.project_type) ProjectUnit.init_types(@project.id, project.project_type)
@ -24,6 +26,9 @@ class Projects::MigrateService < ApplicationService
end end
private private
def authroize_user_id_success
(user.id == params[:user_id].to_i) || (user.organizations.find_by_id(params[:user_id]).present?)
end
def project_params def project_params
{ {

2
config/initializers/session_store.rb
View File

@ -4,5 +4,5 @@
# Rails.application.config.session_store :active_record_store # Rails.application.config.session_store :active_record_store
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => false, :secure => false, key: '_educoder_session', domain: :all Rails.application.config.session_store :cache_store, :expire_after => 24.hours, :httponly => true, :secure => false, key: '_educoder_session', domain: :all