rogee/quyun-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: group keyword filters to avoid OR bypass

Browse Source
This commit is contained in:
Rogee
2026-01-12 10:28:41 +08:00
parent 9a8dd96b55
commit 75d13b5c4e
2 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/app/services/content.go
View File

@@ -11,6 +11,7 @@ import (
"quyun/v2/database/models" "quyun/v2/database/models"
"quyun/v2/pkg/consts" "quyun/v2/pkg/consts"
"go.ipao.vip/gen/field"
"go.ipao.vip/gen/types" "go.ipao.vip/gen/types"
"gorm.io/gorm" "gorm.io/gorm"
) )
@@ -24,7 +25,7 @@ func (s *content) List(ctx context.Context, tenantID int64, filter *content_dto.
// Filters // Filters
if filter.Keyword != nil && *filter.Keyword != "" { if filter.Keyword != nil && *filter.Keyword != "" {
keyword := "%" + *filter.Keyword + "%" keyword := "%" + *filter.Keyword + "%"
q = q.Where(tbl.Title.Like(keyword)).Or(tbl.Description.Like(keyword)) q = q.Where(field.Or(tbl.Title.Like(keyword), tbl.Description.Like(keyword)))
} }
q = q.Where(tbl.Status.Eq(consts.ContentStatusPublished)) q = q.Where(tbl.Status.Eq(consts.ContentStatusPublished))
if tenantID > 0 { if tenantID > 0 {

11
backend/app/services/super.go
View File

@@ -16,6 +16,7 @@ import (
"github.com/google/uuid" "github.com/google/uuid"
"github.com/spf13/cast" "github.com/spf13/cast"
"go.ipao.vip/gen/field"
"go.ipao.vip/gen/types" "go.ipao.vip/gen/types"
"gorm.io/gorm" "gorm.io/gorm"
) )
@@ -90,7 +91,7 @@ func (s *super) ListUsers(ctx context.Context, filter *super_dto.UserListFilter)
tbl, q := models.UserQuery.QueryContext(ctx) tbl, q := models.UserQuery.QueryContext(ctx)
if filter.Username != nil && strings.TrimSpace(*filter.Username) != "" { if filter.Username != nil && strings.TrimSpace(*filter.Username) != "" {
keyword := "%" + strings.TrimSpace(*filter.Username) + "%" keyword := "%" + strings.TrimSpace(*filter.Username) + "%"
q = q.Where(tbl.Username.Like(keyword)).Or(tbl.Nickname.Like(keyword)) q = q.Where(field.Or(tbl.Username.Like(keyword), tbl.Nickname.Like(keyword)))
} }
if filter.ID != nil && *filter.ID > 0 { if filter.ID != nil && *filter.ID > 0 {
q = q.Where(tbl.ID.Eq(*filter.ID)) q = q.Where(tbl.ID.Eq(*filter.ID))
@@ -656,7 +657,11 @@ func (s *super) ListContents(ctx context.Context, filter *super_dto.SuperContent
if filter.Keyword != nil && strings.TrimSpace(*filter.Keyword) != "" { if filter.Keyword != nil && strings.TrimSpace(*filter.Keyword) != "" {
keyword := "%" + strings.TrimSpace(*filter.Keyword) + "%" keyword := "%" + strings.TrimSpace(*filter.Keyword) + "%"
q = q.Where(tbl.Title.Like(keyword)).Or(tbl.Description.Like(keyword)).Or(tbl.Summary.Like(keyword)) q = q.Where(field.Or(
tbl.Title.Like(keyword),
tbl.Description.Like(keyword),
tbl.Summary.Like(keyword),
))
} }
if filter.ID != nil && *filter.ID > 0 { if filter.ID != nil && *filter.ID > 0 {
q = q.Where(tbl.ID.Eq(*filter.ID)) q = q.Where(tbl.ID.Eq(*filter.ID))
@@ -1376,7 +1381,7 @@ func (s *super) lookupUserIDs(ctx context.Context, username *string) ([]int64, b
tbl, q := models.UserQuery.QueryContext(ctx) tbl, q := models.UserQuery.QueryContext(ctx)
keyword := "%" + text + "%" keyword := "%" + text + "%"
q = q.Where(tbl.Username.Like(keyword)).Or(tbl.Nickname.Like(keyword)) q = q.Where(field.Or(tbl.Username.Like(keyword), tbl.Nickname.Like(keyword)))
users, err := q.Select(tbl.ID).Find() users, err := q.Select(tbl.ID).Find()
if err != nil { if err != nil {
return nil, true, errorx.ErrDatabaseError.WithCause(err) return nil, true, errorx.ErrDatabaseError.WithCause(err)