scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-02-28 17:54:16 +08:00
Code Issues Projects Releases Packages Wiki Activity

Hot fix for TinyMCE asset permission check (#1896)

Browse source 
* Hot fix for TimyMCE asset permission check
This commit is contained in:
aignatov-bio 2019-07-04 15:59:11 +02:00 committed by GitHub
parent ef107d98c7
commit 88dc2dcdd0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/models/concerns/tiny_mce_images.rb
View file

@ -97,7 +97,7 @@ module TinyMceImages
if image['data-mce-token']
asset = TinyMceAsset.find_by_id(Base62.decode(image['data-mce-token']))
next if asset && asset.object == self
next if asset && (asset.object == self || asset_team_id != asset.team_id)
new_image = asset.image
else

6
app/models/tiny_mce_asset.rb
View file

@ -41,7 +41,9 @@ class TinyMceAsset < ApplicationRecord
end
images.each do |image|
image_to_update = find_by_id(Base62.decode(image))
image_to_update&.update(object: object, saved: true) unless image_to_update.object
next if image_to_update.object || image_to_update.team_id != Team.find_by_object(object)
image_to_update&.update(object: object, saved: true)
end
where(id: images_to_delete).destroy_all
@ -58,7 +60,7 @@ class TinyMceAsset < ApplicationRecord
tm_assets = description.css('img[data-mce-token]')
tm_assets.each do |tm_asset|
asset_id = tm_asset.attr('data-mce-token')
new_asset_url = find_by_id(Base62.decode(asset_id))
new_asset_url = obj.tiny_mce_assets.find_by_id(Base62.decode(asset_id))
if new_asset_url
tm_asset.attributes['src'].value = new_asset_url.url
tm_asset['class'] = 'img-responsive'