From 4dcb3b5b1dcf5e6fb7a225c0c79146bf851b169a Mon Sep 17 00:00:00 2001
From: bohung
Date: Mon, 24 Oct 2022 16:09:44 +0800
Subject: [PATCH] Fix vulnerable.

---
 app/controllers/admin/patents_controller.rb | 4 ++--
 app/controllers/personal_patents_controller.rb | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/admin/patents_controller.rb b/app/controllers/admin/patents_controller.rb
index 731f8fa..82a366f 100644
--- a/app/controllers/admin/patents_controller.rb
+++ b/app/controllers/admin/patents_controller.rb
@@ -53,7 +53,7 @@ class Admin::PatentsController < OrbitMemberController
 end
 def new
-@member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+@member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
 @patent = Patent.new
 if params[:desktop]
@@ -203,7 +203,7 @@ class Admin::PatentsController < OrbitMemberController
 end
 def frontend_setting
-@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+@member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
 @intro = PatentIntro.find_by(:member_profile_id=>@member.id) rescue nil
 @intro = @intro.nil? ? PatentIntro.new({:member_profile_id=>@member.id}) : @intro
 end
diff --git a/app/controllers/personal_patents_controller.rb b/app/controllers/personal_patents_controller.rb
index af58c96..376f0ba 100644
--- a/app/controllers/personal_patents_controller.rb
+++ b/app/controllers/personal_patents_controller.rb
@@ -95,7 +95,8 @@ class PersonalPatentsController < ApplicationController
 choice = choice.map { |value| value.inject :merge }
 select_text = t('personal_patent.search_class')
 search_text = t('personal_patent.word_to_search')
-csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+@_request = OrbitHelper.request
+csrf_value = form_authenticity_token
 { 'patents' => patent_list, 'extras' => { 'widget-title' => t('module_name.personal_patent'),
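Review bot: The `rescue nil` modifier kept on the `@member = Array(MemberProfile.find_by(...))` line swallows every StandardError, so a lookup that fails for any reason (a not-found error from the ODM, a connection problem, a typo introduced later) is indistinguishable from a member that does not exist; the `@member` line in `frontend_setting` below has the same pattern. The added `.to_s` is the right coercion — it guarantees the value reaching `find_by` is a plain string rather than a structured parameter the query layer could interpret as an operator — but it also turns an absent `uid` into `""`, which is then queried rather than rejected. Making both explicit reads `uid = params['uid'].to_s` followed by `@member = Array(uid.empty? ? nil : MemberProfile.where(uid: uid).first)`, which yields `[]` for a missing or unknown uid without hiding unrelated errors (assumes a Mongoid-style `where(...).first` that returns nil on no match — confirm against the model; callers that test `@member.nil?` would then test `@member.empty?`). `new` continues past the end of the hunk.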
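Review bot: `frontend_setting` dereferences `@member.id` on the `PatentIntro.new` line with no `rescue`, so when the coerced uid matches nothing (or is `""` because the parameter was absent) and `@member` is nil, the action raises NoMethodError instead of answering cleanly; the preceding `@intro` line only avoids the same crash because of its own `rescue nil`. A guard immediately after the lookup, `return head(:not_found) unless @member`, makes the missing-member case explicit and keeps the two `@intro` lines from ever seeing a nil member. Whether a 404 or a redirect is the right response for this admin action is a product decision the hunk does not show.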
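Review bot: Assigning `@_request = OrbitHelper.request` appears to write the private instance variable ActionController uses to back `request`, presumably because this action is invoked through OrbitHelper outside normal dispatch and `form_authenticity_token` needs a request and session to read; that reasoning belongs in a comment on the line, e.g. `# invoked via OrbitHelper outside normal dispatch, so request must be populated before form_authenticity_token can read the session — confirm`, since a Rails upgrade that renames the internal ivar would make the next line fail at runtime. Replacing the 46-character random string with the real token is only an improvement if the endpoint that consumes `csrf_value` actually verifies it (`protect_from_forgery`); that controller is not in this patch, so it is worth checking rather than assuming. The enclosing method starts before the hunk.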
@@ -112,7 +113,7 @@ class PersonalPatentsController < ApplicationController
 def show
 params = OrbitHelper.params
-plugin = Patent.where(is_hidden: false).find_by(uid: params[:uid])
+plugin = Patent.where(is_hidden: false).find_by(uid: params[:uid].to_s)
 fields_to_show = %w[
 patent_title
 patent_no
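Review bot: `params` on the `find_by` line is the local returned by `OrbitHelper.params`, not the controller's ActionController::Parameters, so whether `params[:uid]` honours a symbol key depends on that helper; if it hands back a plain string-keyed Hash the lookup is nil and the new `.to_s` quietly turns it into `""`, and the query then searches for an empty uid instead of failing fast (the helper is not visible here, so this is a point to confirm). Splitting the coercion out, `uid = params[:uid].to_s`, and bailing out before the query when `uid.empty?` makes the rejected case explicit and keeps the `.to_s` intent readable. The two admin hunks use the string key `'uid'` while this one uses `:uid`; unifying the spelling would make the three lookups easier to audit together. `show` continues past the end of the hunk.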