modifications for security and stuff

2025-04-09 15:24:44 +08:00 · 2025-04-09 15:24:44 +08:00 · 84fca12445
parent d820db3596
commit 84fca12445
6 changed files with 46 additions and 23 deletions
--- a/app/controllers/admin/ask_acknowledgements_controller.rb
+++ b/app/controllers/admin/ask_acknowledgements_controller.rb
@ -1,5 +1,6 @@
 class Admin::AskAcknowledgementsController < OrbitAdminController
  helper Admin::AsksHelper
+  before_action ->(module_app = "ask") { set_variables module_app }
  def initialize
    super
    @app_title = 'ask_acknowledgement'
@ -8,13 +9,13 @@ class Admin::AskAcknowledgementsController < OrbitAdminController
  def index
    @ask_acknowledgements = AskAcknowledgement.first || AskAcknowledgement.create
    @url = admin_ask_acknowledgement_path(@ask_acknowledgements)
+    @categories = @module_app.categories.map{|cat| [cat.title, cat.id.to_s]}
  end

  def update
    @ask_acknowledgements = AskAcknowledgement.first
    @ask_acknowledgements.update_attributes(params.require(:ask_acknowledgement).permit!)
-    
    redirect_to admin_ask_acknowledgements_path, notice: t('ask.save_success')
  end

-end
+end
--- a/app/controllers/asks_controller.rb
+++ b/app/controllers/asks_controller.rb
@ -580,7 +580,7 @@ class AsksController < ApplicationController
    if host_url == "http://"
      host_url = request.protocol + request.host_with_port
    end
-    mail_subject = mail_from+"  #{t('ask.new_question')}："
+    mail_subject = mail_from + " ： " + email_er.category.title
    email_er.email.update_attributes(
      :mail_lang=> site.default_locale,
      :create_user=>(current_user rescue nil),
--- a/app/helpers/admin/asks_helper.rb
+++ b/app/helpers/admin/asks_helper.rb
@ -68,7 +68,7 @@ module Admin::AsksHelper
        "<div class=\"show_field\" id=\"#{index1 ? "#{get_input_name_for_ask}[#{index1}][#{field}][#{locale}]" : "#{get_input_name_for_ask}[#{field}][#{locale}]"}\">#{value_locale}</div>".html_safe
      end
    end.join + create_lang_panel_for_ask(all_field)).html_safe + combine_element
-  
+
    if sortable
      if exteral_options['style'].nil?
        exteral_options['style'] = 'display: flex;align-items: center;flex-wrap: nowrap;'
@ -80,7 +80,7 @@ module Admin::AsksHelper
          tmp
        end).html_safe
      end
-    else 
+    else
      tmp = content_tag(:div,{:class => "tab-panel"}.merge(exteral_options)) do
        tmp
      end
@ -113,7 +113,7 @@ module Admin::AsksHelper
        end
      end
    end.join + create_lang_panel_for_ask(all_field)).html_safe + combine_element
-  
+
    if sortable
      if exteral_options['style'].nil?
        exteral_options['style'] = 'display: flex;align-items: center;flex-wrap: nowrap;'
@ -125,7 +125,7 @@ module Admin::AsksHelper
          tmp
        end).html_safe
      end
-    else 
+    else
      content_tag(:div,{:class => "tab-panel"}.merge(exteral_options)) do
        tmp
      end
@ -341,8 +341,21 @@ module Admin::AsksHelper
        file_value = value[0] rescue nil
        file_path = value[1] rescue nil
        file_required = v['required']=='true'
-        readonly ? (file_path ? "<a href=\"#{file_path}\" title=\"file\">#{file_value}</a>" : "") : "<div class=\"file-selector\"><label class=\"ui-button\">
-                                #{file_field_tag(field_name, {:data => {:src => file_path}, style: "position: absolute;width:0.1em;opacity: 0;padding: 0;border: 0;opacity: 0;left: 50%;top: 0;", :class => 'upload', :required => file_required, value: file_value})}
+        readonly ? (file_path ? "<a href=\"#{file_path}\" title=\"file\">#{file_value}</a>".html_safe : "") : "<div class=\"file-selector\"><label class=\"ui-button\">
+                                #{file_field_tag(field_name, {:data => {:src => file_path}, style: "position: absolute;width:0.1em;opacity: 0;padding: 0;border: 0;opacity: 0;left: 50%;top: 0;", :class => 'upload', :required => file_required, value: file_value, accept: ".doc,.docx,.xls,.xlsx,.ppt,.pptx,.txt,.pdf,.jpg,.jpeg,.bmp,.gif,.png,.odf,.ods,.odt",
+                                onchange: "
+                                var file = this.files[0];
+                                if (!file) return;
+                                var maxSize = 20 * 1024 * 1024; // 20MB
+                                var allowedExtensions = /\.(doc|docx|xls|xlsx|ppt|pptx|txt|pdf|jpg|jpeg|bmp|gif|png|odf|ods|odt)$/i;
+                                if (file.size > maxSize) {
+                                  alert('File exceeds 20MB limit.');
+                                  this.value = '';
+                                } else if (!allowedExtensions.test(file.name)) {
+                                  alert('Invalid file type. Allowed: doc, docx, xls, xlsx, ppt, pptx, txt, pdf, jpg, jpeg, bmp, gif, png, odf, ods, odt');
+                                  this.value = '';
+                                }
+                              "})}
                                <i class=\"fa fa-file\"></i> #{t('ask.upload_file')}
                                </label><div class=\"filename\"></div></div>"
      when 'image'
@ -451,7 +464,7 @@ module Admin::AsksHelper
  def page_for_askquestion(askquestion)
    ann_page = nil
    pages = Page.where(:module=>'ask')
-    
+
    pages.each do |page|
      if page.categories.count ==1
        if page.categories.include?(askquestion.category.id.to_s)
--- a/app/models/ask_acknowledgement.rb
+++ b/app/models/ask_acknowledgement.rb
@ -3,4 +3,5 @@ class AskAcknowledgement
  include Mongoid::Timestamps

  field :content, type: Hash,default:{}
-end
+  field :category_id, type: String
+end
--- a/app/views/admin/ask_acknowledgements/index.html.erb
+++ b/app/views/admin/ask_acknowledgements/index.html.erb
@ -11,6 +11,10 @@
 </style>
 <div id="ask-acknowledgements">
  <%= form_for @ask_acknowledgements, url:  @url, html: { class: 'form-horizontal' } do |f| %>
+    <div class="control-group">
+      <%= f.label :content, t('category'), class: 'control-label' %>
+      <%= f.select :category_id, options_for_select(@categories) %>
+    </div>
    <div class="control-group">
      <%= f.label :content, t('ask.acknowledgements'), class: 'control-label' %>
      <%= multiple_lang_tag_for_ask(nil,'text_area','content',@ask_acknowledgements.content,{:class=>'ckeditor',placeholder: t('ask.acknowledgements'),rows:10},nil,{'class' => 'controls','style'=>'display: flex;flex-direction: column-reverse;'})
--- a/app/views/asks/_history.html.erb
+++ b/app/views/asks/_history.html.erb
@ -3,9 +3,11 @@
  <thead>
    <tr>
      <th><%= t('status') %></th>
-      <th><%= t('ask.modified_by') %></th>
-      <th><%= t('ask.remark') %></th>
-      <th><%= t('ask.attachment') %></th>
+      <% if !current_user.nil? %>
+        <th><%= t('ask.modified_by') %></th>
+        <th><%= t('ask.remark') %></th>
+        <th><%= t('ask.attachment') %></th>
+      <% end %>
      <th><%= t('ask.updated_at') %></th>
    </tr>
  </thead>
@ -15,15 +17,17 @@
        <td>
          <%= @status_mapping[ask_status_history.status] %>
        </td>
-        <td>
-          <%= ask_status_history.modified_by_name %>
-        </td>
-        <td>
-          <%= ask_status_history.comment %>
-        </td>
-        <td>
-          <%= link_to(ask_status_history[:file], ask_status_history.file.url) if ask_status_history.file.present? %>
-        </td>
+        <% if !current_user.nil? %>
+          <td>
+            <%= ask_status_history.modified_by_name %>
+          </td>
+          <td>
+            <%= ask_status_history.comment %>
+          </td>
+          <td>
+            <%= link_to(ask_status_history[:file], ask_status_history.file.url) if ask_status_history.file.present? %>
+          </td>
+        <% end %>
        <td>
          <%= ask_status_history.created_at.strftime("%Y-%m-%d %H:%M:%S") %>
        </td>