From 88dc2dcdd0a44c363b17393e691f07e5bee3de95 Mon Sep 17 00:00:00 2001
From: aignatov-bio <47317017+aignatov-bio@users.noreply.github.com>
Date: Thu, 4 Jul 2019 15:59:11 +0200
Subject: [PATCH] Hot fix for TinyMCE asset permission check (#1896)

* Hot fix for TimyMCE asset permission check
---
 app/models/concerns/tiny_mce_images.rb | 2 +-
 app/models/tiny_mce_asset.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/models/concerns/tiny_mce_images.rb b/app/models/concerns/tiny_mce_images.rb
index 4cd5906ce..187358d0a 100644
--- a/app/models/concerns/tiny_mce_images.rb
+++ b/app/models/concerns/tiny_mce_images.rb
@@ -97,7 +97,7 @@ module TinyMceImages
 if image['data-mce-token']
 asset = TinyMceAsset.find_by_id(Base62.decode(image['data-mce-token']))
- next if asset && asset.object == self
+ next if asset && (asset.object == self || asset_team_id != asset.team_id)
 new_image = asset.image
 else
diff --git a/app/models/tiny_mce_asset.rb b/app/models/tiny_mce_asset.rb
index 8e4c0b287..5a627e4b2 100644
--- a/app/models/tiny_mce_asset.rb
+++ b/app/models/tiny_mce_asset.rb
@@ -41,7 +41,9 @@ class TinyMceAsset < ApplicationRecord
 end
 images.each do |image|
 image_to_update = find_by_id(Base62.decode(image))
- image_to_update&.update(object: object, saved: true) unless image_to_update.object
+ next if image_to_update.object || image_to_update.team_id != Team.find_by_object(object)
+
+ image_to_update&.update(object: object, saved: true)
 end
 where(id: images_to_delete).destroy_all
@@ -58,7 +60,7 @@ class TinyMceAsset < ApplicationRecord
 tm_assets = description.css('img[data-mce-token]')
 tm_assets.each do |tm_asset|
 asset_id = tm_asset.attr('data-mce-token')
- new_asset_url = find_by_id(Base62.decode(asset_id))
+ new_asset_url = obj.tiny_mce_assets.find_by_id(Base62.decode(asset_id))
 if new_asset_url
 tm_asset.attributes['src'].value = new_asset_url.url
 tm_asset['class'] = 'img-responsive'
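Review bot: The rewritten guard in tiny_mce_images.rb still lets a nil asset through — when `find_by_id` returns nil the `asset &&` short-circuit means `next` is not taken, and the following context line `new_image = asset.image` raises NoMethodError; the id comes from the `data-mce-token` attribute of editor content, so an unknown or stale token reaches this path. Fold the nil case into the guard: `next if asset.nil? || asset.object == self || asset_team_id != asset.team_id`. `asset_team_id` is not defined within the hunk; presumably it is assigned earlier in the enclosing method, which starts and ends outside the hunk, and it is worth confirming that a nil value there is the intended fail-closed result (the inequality is then always true and every tokenised image is skipped).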
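Review bot: In the first tiny_mce_asset.rb hunk the new guard compares `image_to_update.team_id`, an integer column, with `Team.find_by_object(object)`; if that helper returns a Team record, as its name suggests, the inequality is always true and the loop never attaches any image, and if it returns nil the result is the same. Compare ids, and hoist the lookup above `images.each` since `object` does not change per iteration: `team_id = Team.find_by_object(object)&.id` before the loop, then `next if image_to_update.nil? || image_to_update.object || image_to_update.team_id != team_id`. The `nil?` check matters because `find_by_id` can return nil and the `&.` kept on the update line no longer protects the `.object` call that now runs first. The enclosing method starts and ends outside the hunk.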
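Review bot: `new_asset_url` on the added line of the second tiny_mce_asset.rb hunk is a misnomer — the value is the asset record returned by `find_by_id`, and the URL is read from it two lines later as `new_asset_url.url`, so `asset = obj.tiny_mce_assets.find_by_id(Base62.decode(asset_id))` with the two later uses renamed to `asset` reads more accurately. Since resolving the token through `obj.tiny_mce_assets` is what enforces ownership here, a why-comment above the line would help the next reader, e.g. `# resolve the token only among obj's own assets; a foreign id leaves the img untouched`. The enclosing method, and the definition of `obj`, start outside the hunk.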