forked from Gitlink/forgeplus
fix: sql attack
This commit is contained in:
parent
880f09a94a
commit
09dfd504c2
@ -2,8 +2,8 @@ class Admins::FaqsController < Admins::BaseController
|
|||
before_action :find_faq, only: [:edit,:update, :destroy]
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'updated_at'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
sort_by = Faq.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'updated_at'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
|
||||
keyword = params[:keyword].to_s.strip
|
||||
collection = Faq.search_question(keyword).order("#{sort_by} #{sort_direction}")
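Review bot: The allow-list on the two new `sort_by`/`sort_direction` lines stops the injection, but `Faq.column_names` still accepts every column of the table as a sort key, including ones this admin list never displays; an explicit constant such as `SORTABLE_COLUMNS = %w[updated_at created_at].freeze` checked with `SORTABLE_COLUMNS.include?(params[:sort_by])` is the tighter contract. Once the value is validated, `order(sort_by => sort_direction)` lets ActiveRecord quote the column instead of interpolating it into a string. The same two points apply to the ProjectCategories, ProjectIgnores, ProjectLanguages, ProjectLicenses, Projects, IssueTags, Versions, ListMyQuery and ListQueryService hunks below, which all build `order(...)` from a string after the same check. Note also that the old `||=` wrote the defaults back into `params`, so any view or pagination helper that reads `params[:sort_by]` now sees nil instead of the default — worth confirming.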
|
||||
|
|
|
@ -3,8 +3,8 @@ class Admins::ProjectCategoriesController < Admins::BaseController
|
|||
before_action :validate_names, only: [:create, :update]
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'created_at'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
sort_by = ProjectCategory.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
q = ProjectCategory.ransack(name_cont: params[:name])
|
||||
project_categories = q.result(distinct: true).order("#{sort_by} #{sort_direction}")
|
||||
@project_categories = paginate(project_categories)
|
||||
|
|
|
@ -3,8 +3,8 @@ class Admins::ProjectIgnoresController < Admins::BaseController
|
|||
before_action :validate_params, only: [:create, :update]
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'created_at'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
sort_by = Ignore.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
q = Ignore.ransack(name_cont: params[:search])
|
||||
project_ignores = q.result(distinct: true).order("#{sort_by} #{sort_direction}")
|
||||
@project_ignores = paginate(project_ignores)
|
||||
|
|
|
@ -3,8 +3,8 @@ class Admins::ProjectLanguagesController < Admins::BaseController
|
|||
before_action :validate_names, only: [:create, :update]
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'created_at'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
sort_by = ProjectLanguage.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
q = ProjectLanguage.ransack(name_cont: params[:search])
|
||||
project_languages = q.result(distinct: true).order("#{sort_by} #{sort_direction}")
|
||||
@project_languages = paginate(project_languages)
|
||||
|
|
|
@ -3,8 +3,8 @@ class Admins::ProjectLicensesController < Admins::BaseController
|
|||
before_action :validate_params, only: [:create, :update]
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'created_at'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
sort_by = License.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
q = License.ransack(name_cont: params[:search])
|
||||
project_licenses = q.result(distinct: true).order("#{sort_by} #{sort_direction}")
|
||||
@project_licenses = paginate(project_licenses)
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
class Admins::ProjectsController < Admins::BaseController
|
||||
|
||||
def index
|
||||
sort_by = params[:sort_by] ||= 'created_on'
|
||||
sort_direction = params[:sort_direction] ||= 'desc'
|
||||
|
||||
sort_by = Project.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_on'
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
search = params[:search].to_s.strip
|
||||
projects = Project.where("name like ?", "%#{search}%").order("#{sort_by} #{sort_direction}")
|
||||
@projects = paginate projects.includes(:owner, :members, :issues, :versions, :attachments, :project_score)
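Review bot: `Project.where("name like ?", "%#{search}%")` binds the value correctly, but `%` and `_` inside `search` are still LIKE metacharacters, so a search for `%` matches every project and `_` matches any single character; use `"%#{Project.sanitize_sql_like(search)}%"` to treat the input literally. The hunk is otherwise consistent with the other admin controllers in this commit.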
|
||||
|
|
|
@ -615,8 +615,8 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
|
||||
# 排序
|
||||
rorder = option[:order] || "updated_at"
|
||||
b_order = option[:b_order] || "desc"
|
||||
rorder = UserExtension.column_names.include?(option[:order]) ? option[:order] : "updated_at"
|
||||
b_order = %w(desc asc).include?(option[:b_order]) ? option[:b_order] : "desc"
|
||||
if rorder == "created_at" || rorder == "work_score"
|
||||
work_list = work_list.order("graduation_works.#{rorder} #{b_order}")
|
||||
elsif rorder == "student_id"
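Review bot: The allow-list on the new `rorder` line is `UserExtension.column_names`, yet the first branch orders on `graduation_works.#{rorder}` and accepts `"work_score"`; unless `work_score` is also a column of `user_extensions`, that value now falls back to `updated_at` and the `work_score` branch becomes unreachable. Validating against the values the branches actually handle — e.g. `%w[created_at work_score student_id updated_at].include?(option[:order])` with the same default — keeps the sort working while still rejecting arbitrary input. The enclosing method begins and ends outside the hunk, so the `student_id` branch's ORDER BY and any later use of `rorder` are not visible here.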
|
||||
|
|
|
@ -3,13 +3,12 @@ class ComposesController < ApplicationController
|
|||
before_action :find_compose, except: [:index, :new,:create]
|
||||
|
||||
def index
|
||||
@order_type = params[:order] || "created_at"
|
||||
@search_name = params[:search]
|
||||
composes = Compose.compose_includes
|
||||
if @search_name.present?
|
||||
composes = composes.where("title like ?", "%#{@search_name}%")
|
||||
end
|
||||
composes = composes.order("#{@order_type} desc")
|
||||
composes = composes.order("#{order_type} desc")
|
||||
@page = params[:page] || 1
|
||||
@limit = params[:limit] || 15
|
||||
@composes_size = composes.size
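Review bot: The new `composes.order("#{order_type} desc")` line switches the request parameter from `params[:order]` (the removed `@order_type` line) to `params[:order_type]`, which the new helper reads, so any client still sending `order=` silently gets the `created_at` default; if that rename is not intended, the helper should read `params[:order]`. The removed `@order_type` instance variable may also be referenced by the view for this action — worth checking before it is dropped. The rest of the `index` body is outside the hunk.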
|
||||
|
@ -96,4 +95,8 @@ class ComposesController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
def order_type
|
||||
Compose.column_names.include?(params[:order_type]) ? params[:order_type] : 'created_at'
|
||||
end
|
||||
|
||||
end
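Review bot: `def order_type` is added after the action methods with no `private` marker visible in the hunk, unlike the IssueTagsController hunk below which adds one; if no earlier `private` applies in this file, the helper becomes a public controller action. Adding `private` before `def order_type` (or writing `private def order_type`) closes that off. The VersionsController hunk that adds `order_name`/`order_type` has the same gap.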
|
|
@ -7,9 +7,6 @@ class IssueTagsController < ApplicationController
|
|||
|
||||
|
||||
def index
|
||||
order_name = params[:order_name] || "created_at"
|
||||
order_type = params[:order_type] || "desc"
|
||||
|
||||
issue_tags = @project.issue_tags.order("#{order_name} #{order_type}")
|
||||
@user_admin_or_member = current_user.present? && (current_user.admin || @project.member?(current_user))
|
||||
@page = params[:page] || 1
|
||||
|
@ -138,4 +135,14 @@ class IssueTagsController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def order_name
|
||||
IssueTag.column_names.include?(params[:order_name]) ? params[:order_name] : 'created_at'
|
||||
end
|
||||
|
||||
def order_type
|
||||
%w(desc asc).include?(params[:order_type]) ? params[:order_type] : 'desc'
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -88,11 +88,11 @@ class Organizations::OrganizationsController < Organizations::BaseController
|
|||
end
|
||||
|
||||
def sort_by
|
||||
params.fetch(:sort_by, "created_at")
|
||||
OrganizationExtension.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
end
|
||||
|
||||
def sort_direction
|
||||
params.fetch(:sort_direction, "desc")
|
||||
%w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
end
|
||||
|
||||
end
|
|
@ -36,10 +36,10 @@ class Organizations::ProjectsController < Organizations::BaseController
|
|||
end
|
||||
|
||||
def sort
|
||||
params.fetch(:sort_by, "updated_on")
|
||||
Project.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'updated_on'
|
||||
end
|
||||
|
||||
def sort_direction
|
||||
params.fetch(:sort_direction, "desc")
|
||||
%w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
end
|
||||
end
|
|
@ -1,8 +1,8 @@
|
|||
class Users::BanksController < Users::BaseController
|
||||
before_action :params_filter
|
||||
def index
|
||||
order = params[:order] || "updated_at"
|
||||
sort = params[:sort] || "desc"
|
||||
order = CourseList.column_names.include?(params[:order]) ? params[:order] : "updated_at"
|
||||
sort = %w(desc asc).includes?(params[:sort]) ? params[:sort] : "desc"
|
||||
@banks = @object_type.classify.constantize.where(@object_filter)
|
||||
@course_lists = CourseList.where(id: @banks.pluck(:course_list_id))
|
||||
@banks = @banks.where(course_list_id: params[:tag_id]) unless params[:tag_id].blank?
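Review bot: `%w(desc asc).includes?(params[:sort])` on the new `sort` line calls a method Array does not have — `includes?` — so every request to this index raises NoMethodError; it should read `sort = %w(desc asc).include?(params[:sort]) ? params[:sort] : "desc"`. Separately, the allow-list on the `order` line is `CourseList.column_names` while the relation built here is `@banks`, a different model chosen via `@object_type`; if the ORDER BY (outside the hunk) is applied to `@banks`, a column valid on `course_lists` but absent from that table now fails at the database instead of being rejected — confirm which table is ordered. The remainder of `index` is outside the hunk.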
|
||||
|
|
|
@ -16,10 +16,10 @@ class Users::OrganizationsController < Users::BaseController
|
|||
|
||||
private
|
||||
def sort_by
|
||||
params.fetch(:sort_by, "created_at")
|
||||
OrganizationExtension.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'created_at'
|
||||
end
|
||||
|
||||
def sort_direction
|
||||
params.fetch(:sort_direction, "desc")
|
||||
%w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
|
||||
end
|
||||
end
|
|
@ -7,8 +7,6 @@ class VersionsController < ApplicationController
|
|||
def index
|
||||
return render_not_found unless @project.has_menu_permission("versions")
|
||||
@user_admin_or_member = current_user.present? && (current_user.admin || @project.member?(current_user))
|
||||
order_name = params[:order_name] || "created_on"
|
||||
order_type = params[:order_type] || "desc"
|
||||
status = params[:status]
|
||||
versions = @project.versions.version_includes
|
||||
@open_versions_size = versions.where(status: "open")&.size
|
||||
|
@ -27,9 +25,6 @@ class VersionsController < ApplicationController
|
|||
end
|
||||
|
||||
def show
|
||||
order_name = params[:order_name] || "created_on"
|
||||
order_type = params[:order_type] || "desc"
|
||||
|
||||
version_issues = @version.issues.issue_includes
|
||||
|
||||
status_type = params[:status_type] || "1"
|
||||
|
@ -167,4 +162,12 @@ class VersionsController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
def order_name
|
||||
Version.column_names.include?(params[:order_name]) ? params[:order_name] : 'created_on'
|
||||
end
|
||||
|
||||
def order_type
|
||||
%w(desc asc).include?(params[:order_type]) ? params[:order_type] : 'desc'
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -55,8 +55,8 @@ class Projects::ListMyQuery < ApplicationQuery
|
|||
|
||||
scope = q.result.includes(:project_category, :project_language,:owner, :repository, :has_pinned_users)
|
||||
|
||||
sort = params[:sort_by] || "updated_on"
|
||||
sort_direction = params[:sort_direction] || "desc"
|
||||
sort = Project.column_names.include?(params[:sort_by]) ? params[:sort_by] : "updated_on"
|
||||
sort_direction = %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : "desc"
|
||||
|
||||
if params[:choosed].present? && params[:choosed].is_a?(Array)
|
||||
scope.order("FIELD(id, #{params[:choosed].reverse.join(",")}) desc")
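Review bot: The unchanged `scope.order("FIELD(id, #{params[:choosed].reverse.join(",")}) desc")` line still interpolates every element of a user-supplied array straight into the ORDER BY, so the commit leaves one unsanitized path in this method; the elements are ids and can be forced to integers before joining, e.g. `ids = params[:choosed].map(&:to_i)` followed by `scope.order(Arel.sql("FIELD(id, #{ids.reverse.join(',')}) desc"))`. The new `sort`/`sort_direction` lines are fine. The method continues outside the hunk.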
|
||||
|
|
|
@ -28,10 +28,10 @@ class Weapps::SubjectQuery < ApplicationQuery
|
|||
private
|
||||
|
||||
def order_type
|
||||
params[:order] || "updated_at"
|
||||
Subject.column_names.include?(params[:order]) ? params[:order] : 'updated_at'
|
||||
end
|
||||
|
||||
def sort_type
|
||||
params[:sort] || "desc"
|
||||
%w(desc asc).include?(params[:sort]) ? params[:sort] : "desc"
|
||||
end
|
||||
end
|
|
@ -45,9 +45,17 @@ class Issues::ListQueryService < ApplicationService
|
|||
issues = issues.where(issue_type: params[:issue_type].to_s) if params[:issue_type].present? && params[:issue_type].to_s != "all"
|
||||
issues = issues.joins(:issue_tags).where(issue_tags: {id: params[:issue_tag_id].to_i}) if params[:issue_tag_id].present? && params[:issue_tag_id].to_s != "all"
|
||||
|
||||
order_type = params[:order_type] || "desc" #或者"asc"
|
||||
order_name = params[:order_name] || "updated_on" #或者"updated_on"
|
||||
issues.reorder("issues.#{order_name} #{order_type}")
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def order_name
|
||||
Issue.column_names.include?(params[:order_name]) ? params[:order_name] : 'updated_on'
|
||||
end
|
||||
|
||||
def order_type
|
||||
%w(desc asc).include?(params[:order_type]) ? params[:order_type] : 'desc'
|
||||
end
|
||||
|
||||
end
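Review bot: The removed lines carried the only documentation of the accepted values (`#或者"asc"`), and the new `order_name`/`order_type` helpers have none, so the fallback behaviour is now undocumented. A short YARD comment on each would do, e.g. `# @return [String] issues column to sort by; values not in Issue.column_names fall back to 'updated_on'` and `# @return [String] 'asc' or 'desc'; anything else falls back to 'desc'`. The service's `params` object is constructed outside the hunk, so whether it is symbol-keyed — which these lookups assume — cannot be confirmed here.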
|