DEV: Quote values when constructing SQL (#18827)
All of these cases should already be safe (the interpolated value is a constant), but it is still good practice to bind the value for "defense in depth".

committed by
GitHub

parent
a356e2fe30
commit
167181f4b7
@ -65,7 +65,7 @@ class GroupsController < ApplicationController
|
||||
|
||||
if !guardian.is_staff?
|
||||
# hide automatic groups from all non stuff to de-clutter page
|
||||
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
|
||||
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
|
||||
type_filters.delete(:automatic)
|
||||
end
|
||||
|
||||
@ -129,7 +129,7 @@ class GroupsController < ApplicationController
|
||||
format.json do
|
||||
groups = Group.visible_groups(current_user)
|
||||
if !guardian.is_staff?
|
||||
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
|
||||
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
|
||||
end
|
||||
|
||||
render_json_dump(
|
||||
|
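Review bot: The new clause `groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])` is now duplicated verbatim in both hunks (the HTML path and the `format.json` branch), so a future change to the non-staff visibility rule must be made in two places. Since the stated goal is defence in depth against string-built SQL, the clause could drop raw SQL entirely with the hash form, `groups = groups.where(automatic: false).or(groups.where(id: Group::AUTO_GROUPS[:moderators]))`, and live in one private helper or a `Group` scope that both call sites use; `automatic: false` and `automatic IS FALSE` both exclude NULL rows, so behaviour should match, but confirm against the column definition. The comment above the first hunk's clause reads "non stuff" and presumably means "non staff"; while touching the line it could become `# hide automatic groups from all non-staff users to de-clutter the page`. Both hunks sit inside methods whose bodies begin before and end after the shown lines, and the `format.json do` block in the second hunk continues past it.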