Fix vulnerable.

This commit is contained in:
BoHung Chiu 2022-10-24 16:09:16 +08:00
parent 63ec149248
commit c1c099a6af
2 changed files with 10 additions and 5 deletions


@ -52,7 +52,7 @@ class Admin::ProjectsController < OrbitMemberController
end end
def new def new
@member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
@project = Project.new @project = Project.new
if params[:desktop] if params[:desktop]
render :layout => false render :layout => false
@ -203,7 +203,7 @@ class Admin::ProjectsController < OrbitMemberController
end end
def frontend_setting def frontend_setting
@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
@intro = ProjectIntro.find_by(:member_profile_id=>@member.id) rescue nil @intro = ProjectIntro.find_by(:member_profile_id=>@member.id) rescue nil
@intro = @intro.nil? ? ProjectIntro.new({:member_profile_id=>@member.id}) : @intro @intro = @intro.nil? ? ProjectIntro.new({:member_profile_id=>@member.id}) : @intro
end end
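Review bot: In frontend_setting the coerced lookup `@member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil` still yields a nil `@member` when no profile matches, and both following lines dereference `@member.id`; the first is covered by its own `rescue nil`, but the `ProjectIntro.new({:member_profile_id=>@member.id})` branch on the last line is not, so an unknown or absent uid ends in an unhandled NoMethodError rather than a deliberate response. A guard directly after the lookup, `return head(:not_found) if @member.nil?`, makes the missing-record path explicit and lets the two `@intro` lines drop their nil dance. The `.to_s` itself is presumably there so that a non-string (array- or hash-shaped) `uid` parameter can no longer reach the query as a structured value; that intent is worth stating in a comment on the line, since the bare modifier `rescue nil` otherwise reads as the only defence and also swallows every other StandardError from the lookup. The same lookup-then-`rescue nil` shape appears in `new` above, where `Array(...)` at least turns the nil into an empty list.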


@ -34,7 +34,11 @@ class PersonalProjectsController < ApplicationController
when 'note' when 'note'
projects_show = projects_temp.select { |value| search_all_words(Nokogiri::HTML(value.note).text, params[:keywords]) } projects_show = projects_temp.select { |value| search_all_words(Nokogiri::HTML(value.note).text, params[:keywords]) }
else else
if fields_to_show.include?(params[:selectbox])
projects_show = projects_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) } projects_show = projects_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
else
projects_show = projects_temp
end
end end
page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
projects = projects_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count] projects = projects_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@ -88,7 +92,8 @@ class PersonalProjectsController < ApplicationController
choice = choice.map { |value| value.inject :merge } choice = choice.map { |value| value.inject :merge }
select_text = t('personal_project.search_class') select_text = t('personal_project.search_class')
search_text = t('personal_project.word_to_search') search_text = t('personal_project.word_to_search')
csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join @_request = OrbitHelper.request
csrf_value = form_authenticity_token
{ {
'projects' => project_list, 'projects' => project_list,
'headers' => headers, 'headers' => headers,
@ -105,7 +110,7 @@ class PersonalProjectsController < ApplicationController
def show def show
params = OrbitHelper.params params = OrbitHelper.params
plugin = Project.where(is_hidden: false).find_by(uid: params[:uid]) plugin = Project.where(is_hidden: false).find_by(uid: params[:uid].to_s)
fields_to_show = %w[ fields_to_show = %w[
year year
project_type project_type