saurabh
/
personal-journal
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix vulnerable.

This commit is contained in:
BoHung Chiu 2022-10-24 16:19:10 +08:00
parent 94e205445b
commit 70b55508c7
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/admin/journal_papers_controller.rb
View File

@ -51,7 +51,7 @@ class Admin::JournalPapersController < OrbitMemberController
end
def new
@member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
@member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
@journal_paper = JournalPaper.new
if params[:desktop]
@ -204,7 +204,7 @@ class Admin::JournalPapersController < OrbitMemberController
def frontend_setting
@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
@member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
@intro = JournalPaperIntro.find_by(:member_profile_id=>@member.id) rescue nil
@intro = @intro.nil? ? JournalPaperIntro.new({:member_profile_id=>@member.id}) : @intro
end

11
app/controllers/personal_journals_controller.rb
View File

@ -46,7 +46,11 @@ class PersonalJournalsController < ApplicationController
when 'authors'
journal_papers_show = journal_papers_temp.select { |value| search_all_words(get_authors_text(value), params[:keywords]) }
else
journal_papers_show = journal_papers_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
if fields_to_show.include?(params[:selectbox])
journal_papers_show = journal_papers_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
else
journal_papers_show = journal_papers_temp
end
end
page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
journal_papers = journal_papers_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@ -108,7 +112,8 @@ class PersonalJournalsController < ApplicationController
choice = choice.map { |value| value.inject :merge }
select_text = t('personal_journal.search_class')
search_text = t('personal_journal.word_to_search')
csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
@_request = OrbitHelper.request
csrf_value = form_authenticity_token
{
'journal_papers' => journal_paper_list,
'headers' => headers,
@ -125,7 +130,7 @@ class PersonalJournalsController < ApplicationController
def show
params = OrbitHelper.params
plugin = JournalPaper.where(is_hidden: false).find_by(uid: params[:uid])
plugin = JournalPaper.where(is_hidden: false).find_by(uid: params[:uid].to_s)
fields_to_show = %w[
year
authors