资源库搜索 sql注入
This commit is contained in:
parent
f6867068f5
commit
c004b05991
|
@ -1857,46 +1857,46 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
# 根据资源关键字进行搜索
|
# 根据资源关键字进行搜索
|
||||||
def resource_search
|
def resource_search
|
||||||
search = params[:search].to_s.strip.downcase
|
search = "%#{params[:search].strip.downcase}%"
|
||||||
if(params[:type].nil? || params[:type].blank? || params[:type] == "1" || params[:type] == 'all') #全部
|
if(params[:type].nil? || params[:type].blank? || params[:type] == "1" || params[:type] == 'all') #全部
|
||||||
if User.current.id.to_i == params[:id].to_i
|
if User.current.id.to_i == params[:id].to_i
|
||||||
user_course_ids = User.current.courses.map { |c| c.id} #我的资源库的话,那么应该是我上传的所有资源 加上 我加入的课程的所有资源 取交集并查询
|
user_course_ids = User.current.courses.map { |c| c.id} #我的资源库的话,那么应该是我上传的所有资源 加上 我加入的课程的所有资源 取交集并查询
|
||||||
@attachments = Attachment.where("((author_id = #{params[:id]} and container_type in('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon')) "+
|
@attachments = Attachment.where("((author_id = #{params[:id]} and container_type in('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon')) "+
|
||||||
" or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')}))) and (filename like '%#{search}%') ").order("created_on desc")
|
" or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')}))) and (filename like :p) ",:p=>search).order("created_on desc")
|
||||||
else
|
else
|
||||||
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
|
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
|
||||||
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type in" +
|
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type in" +
|
||||||
" ('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon'))"+
|
" ('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon'))"+
|
||||||
" or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )" +
|
" or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )" +
|
||||||
" and (filename like '%#{search}%') ").order("created_on desc")
|
" and (filename like :p) ",:p=>search).order("created_on desc")
|
||||||
end
|
end
|
||||||
elsif params[:type] == "2" #课程资源
|
elsif params[:type] == "2" #课程资源
|
||||||
if User.current.id.to_i == params[:id].to_i
|
if User.current.id.to_i == params[:id].to_i
|
||||||
user_course_ids = User.current.courses.map { |c| c.id}
|
user_course_ids = User.current.courses.map { |c| c.id}
|
||||||
@attachments = Attachment.where("(author_id = #{params[:id]} and container_type = 'Course') or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) and (filename like '%#{search}%') ").order("created_on desc")
|
@attachments = Attachment.where("(author_id = #{params[:id]} and container_type = 'Course') or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) and (filename like :p) ",:p=>search).order("created_on desc")
|
||||||
else
|
else
|
||||||
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
|
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
|
||||||
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type = 'Course') "+
|
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type = 'Course') "+
|
||||||
"or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )"+
|
"or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )"+
|
||||||
" and (filename like '%#{search}%') ").order("created_on desc")
|
" and (filename like :p) ",:p=>search).order("created_on desc")
|
||||||
end
|
end
|
||||||
elsif params[:type] == "3" #项目资源
|
elsif params[:type] == "3" #项目资源
|
||||||
if User.current.id.to_i == params[:id].to_i
|
if User.current.id.to_i == params[:id].to_i
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Project' and (filename like '%#{search}%')").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Project' and (filename like :p)",:p=>search).order("created_on desc")
|
||||||
else
|
else
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Project' and (filename like '%#{search}%') ").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Project' and (filename like :p) ",:p=>search).order("created_on desc")
|
||||||
end
|
end
|
||||||
elsif params[:type] == "4" #附件
|
elsif params[:type] == "4" #附件
|
||||||
if User.current.id.to_i == params[:id].to_i
|
if User.current.id.to_i == params[:id].to_i
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and container_type in('Project','Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like '%#{search}%')").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and container_type in('Project','Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like :p)",:p=>search).order("created_on desc")
|
||||||
else
|
else
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type in('Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like '%#{search}%')").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type in('Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like :p)",:p=>search).order("created_on desc")
|
||||||
end
|
end
|
||||||
elsif params[:type] == "5" #用户资源
|
elsif params[:type] == "5" #用户资源
|
||||||
if User.current.id.to_i == params[:id].to_i
|
if User.current.id.to_i == params[:id].to_i
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Principal' and (filename like '%#{search}%')").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Principal' and (filename like :p)",:p=>search).order("created_on desc")
|
||||||
else
|
else
|
||||||
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Principal' and (filename like '%#{search}%')").order("created_on desc")
|
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Principal' and (filename like :p)",:p=>search).order("created_on desc")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@type = params[:type]
|
@type = params[:type]
|
||||||
|
|
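Review bot: Every `Attachment.where` call in this hunk, in all five `type` branches, still interpolates `author_id = #{params[:id]}` straight into the SQL string, so the injection the commit title refers to is only closed for the `filename like` term; the `User.current.id.to_i == params[:id].to_i` guard does not protect the raw value, because `.to_i` accepts a numeric prefix with trailing text that is then spliced in verbatim. Bind the id the same way the search term is bound, e.g. `Attachment.where("author_id = :author and container_type = 'Principal' and (filename like :p)", :author => params[:id].to_i, :p => search)`, or use `User.current.id` in the own-library branch where the guard has already matched. Separately, `search = "%#{params[:search].strip.downcase}%"` drops the `.to_s` the previous line had, so a request without a `search` parameter now raises NoMethodError on nil; keep `search = "%#{params[:search].to_s.strip.downcase}%"`. User-typed `%` and `_` also remain LIKE wildcards inside the bound term; if this Rails version provides `sanitize_sql_like`, apply it before adding the `%` anchors. Which half of each printed pair is the new side is inferred from the commit title rather than from markers, and `resource_search` continues past the end of the hunk.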