github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-01-19 05:43:16 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Sanitize SQL arguments to prevent injections.

Browse Source
This commit is contained in:
Guo Xiang Tan 2017-07-26 17:10:13 +09:00
parent 3d330f8c5e
commit 3a46ea8bad
1 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
app/models/group.rb
View File

@ -438,17 +438,24 @@ class Group < ActiveRecord::Base
def bulk_add(user_ids)
if user_ids.present?
Group.exec_sql("INSERT INTO group_users
(group_id, user_id, created_at, updated_at)
SELECT #{self.id},
u.id,
CURRENT_TIMESTAMP,
CURRENT_TIMESTAMP
FROM users AS u
WHERE u.id IN (#{user_ids.join(', ')})
AND NOT EXISTS(SELECT 1 FROM group_users AS gu
WHERE gu.user_id = u.id AND
gu.group_id = #{self.id})")
sql = <<~SQL
INSERT INTO group_users
(group_id, user_id, created_at, updated_at)
SELECT
#{self.id},
u.id,
CURRENT_TIMESTAMP,
CURRENT_TIMESTAMP
FROM users AS u
WHERE u.id IN (:user_ids)
AND NOT EXISTS (
SELECT 1 FROM group_users AS gu
WHERE gu.user_id = u.id AND
gu.group_id = :group_id
)
SQL
Group.exec_sql(sql, group_id: self.id, user_ids: user_ids)
if self.primary_group?
User.where(id: user_ids).update_all(primary_group_id: self.id)