From e09ecd8ca48ba8ad9d4098f35fef79a3e0e0b693 Mon Sep 17 00:00:00 2001
From: bohung <bohung@rulingcom.com>
Date: Mon, 24 Oct 2022 16:22:49 +0800
Subject: [PATCH] Fix vulnerable.

---
 .../admin/writing_conferences_controller.rb           |  4 ++--
 app/controllers/personal_conferences_controller.rb    | 11 ++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/controllers/admin/writing_conferences_controller.rb b/app/controllers/admin/writing_conferences_controller.rb
index b2247ea..0718064 100644
--- a/app/controllers/admin/writing_conferences_controller.rb
+++ b/app/controllers/admin/writing_conferences_controller.rb
@@ -58,7 +58,7 @@ class Admin::WritingConferencesController < OrbitMemberController
   end
 
   def new
-    @member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
     @writing_conference = WritingConference.new
 
     if params[:desktop]
@@ -207,7 +207,7 @@ class Admin::WritingConferencesController < OrbitMemberController
   end
 
   def frontend_setting
-    @member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+    @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
     @intro = WritingConferenceIntro.find_by(:member_profile_id=>@member.id) rescue nil
     @intro = @intro.nil? ? WritingConferenceIntro.new({:member_profile_id=>@member.id}) : @intro
   end
diff --git a/app/controllers/personal_conferences_controller.rb b/app/controllers/personal_conferences_controller.rb
index 9590c31..a547185 100644
--- a/app/controllers/personal_conferences_controller.rb
+++ b/app/controllers/personal_conferences_controller.rb
@@ -47,7 +47,11 @@ class PersonalConferencesController < ApplicationController
       when 'authors'
         writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(get_authors_text(value), params[:keywords]) }
       else
-        writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+        if fields_to_show.include?(params[:selectbox])
+          writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+        else
+          writing_conferences_show = writing_conferences_temp
+        end
       end
       page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
       writing_conferences = writing_conferences_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@@ -111,7 +115,8 @@ class PersonalConferencesController < ApplicationController
     choice = choice.map { |value| value.inject :merge }
     select_text = t('personal_conference.search_class')
     search_text = t('personal_conference.word_to_search')
-    csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+    @_request = OrbitHelper.request
+    csrf_value = form_authenticity_token
     {
       'writing_conferences' => writing_conference_list,
       'extras' => { 'widget-title' => t('module_name.personal_conference'),
@@ -128,7 +133,7 @@ class PersonalConferencesController < ApplicationController
 
   def show
     params = OrbitHelper.params
-    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid])
+    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid].to_s)
     fields_to_show = %w[
       year
       authors