Hot fix for TinyMCE asset permission check (#1896)

* Hot fix for TimyMCE asset permission check
2025-03-01 02:05:41 +08:00 · 2019-07-04 15:59:11 +02:00 · 2019-07-04 15:59:11 +02:00 · 88dc2dcdd0
commit 88dc2dcdd0
parent ef107d98c7
2 changed files with 5 additions and 3 deletions
--- a/app/models/concerns/tiny_mce_images.rb
+++ b/app/models/concerns/tiny_mce_images.rb
@ -97,7 +97,7 @@ module TinyMceImages
        if image['data-mce-token']
          asset = TinyMceAsset.find_by_id(Base62.decode(image['data-mce-token']))
-          next if asset && asset.object == self
+          next if asset && (asset.object == self || asset_team_id != asset.team_id)
          new_image = asset.image
        else
--- a/app/models/tiny_mce_asset.rb
+++ b/app/models/tiny_mce_asset.rb
@ -41,7 +41,9 @@ class TinyMceAsset < ApplicationRecord
    end
    images.each do |image|
      image_to_update = find_by_id(Base62.decode(image))
-      image_to_update&.update(object: object, saved: true) unless image_to_update.object
+      next if image_to_update.object || image_to_update.team_id != Team.find_by_object(object)
      image_to_update&.update(object: object, saved: true)
    end
    where(id: images_to_delete).destroy_all
@ -58,7 +60,7 @@ class TinyMceAsset < ApplicationRecord
    tm_assets = description.css('img[data-mce-token]')
    tm_assets.each do |tm_asset|
      asset_id = tm_asset.attr('data-mce-token')
-      new_asset_url = find_by_id(Base62.decode(asset_id))
+      new_asset_url = obj.tiny_mce_assets.find_by_id(Base62.decode(asset_id))
      if new_asset_url
        tm_asset.attributes['src'].value = new_asset_url.url
        tm_asset['class'] = 'img-responsive'