qyzh1996
/
trustieforge
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

修改邀请用户url,隐藏userid防止注入

This commit is contained in:
huang 2015-06-16 11:11:59 +08:00
parent 04d4fee17e
commit c8884c6fd4
2 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/projects_controller.rb
View File

@ -413,10 +413,11 @@ class ProjectsController < ApplicationController
# 2、加入项目、创建角色
# 3、用户得分
if params[:mail]
user = User.find(params[:user_id])
userid = Token.find_by_value(params[:token]).user_id
user = User.find(userid)
user.activate!
Member.create(:role_ids => [4], :user_id => params[:user_id],:project_id => params[:id])
UserGrade.create(:user_id => params[:user_id], :project_id => params[:id])
Member.create(:role_ids => [4], :user_id => userid, :project_id => params[:id])
UserGrade.create(:user_id => userid, :project_id => params[:id])
token = Token.get_token_from_user(user, 'autologin')
#user = User.try_to_autologin(token.value)
if user

4
app/models/mailer.rb
View File

@ -61,8 +61,8 @@ class Mailer < ActionMailer::Base
InviteList.create(:user_id => user.id, :project_id => project.id)
User.current = user unless User.current.nil?
@user = user
@project_url = url_for(:controller => 'projects', :action => 'member', :id => project.id, :user_id => user.id, :mail => true)
@token = Token.get_token_from_user(user, 'autologin')
@project_url = url_for(:controller => 'projects', :action => 'member', :id => project.id, :mail => true, :token => @token.value)
mail :to => email, :subject => @subject
end