github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-30 07:11:34 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: Quote values when constructing SQL (#18827)

Browse Source 
All of these cases should already be safe, but still good to quote for
"defense in depth".
This commit is contained in:
Daniel Waterworth
2022-11-01 14:05:13 -05:00
committed by GitHub
parent a356e2fe30
commit 167181f4b7
12 changed files with 39 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/groups_controller.rb
View File

@ -65,7 +65,7 @@ class GroupsController < ApplicationController
if !guardian.is_staff?
# hide automatic groups from all non stuff to de-clutter page
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
type_filters.delete(:automatic)
end
@ -129,7 +129,7 @@ class GroupsController < ApplicationController
format.json do
groups = Group.visible_groups(current_user)
if !guardian.is_staff?
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
end
render_json_dump(