0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-01-05 08:34:35 +01:00

Made the issues query more secure and simpler

This commit is contained in:
Thomas Boerger 2016-03-27 23:26:45 +02:00
parent 79a1bfd963
commit b5948f2e71

View file

@ -547,27 +547,16 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
} }
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ",")) labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
if len(labelIDs) > 0 { if len(labelIDs) > 1 {
validJoin := false sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
queryStr := "issue.id=issue_label.issue_id"
for _, id := range labelIDs {
if id == 0 {
continue
}
validJoin = true
queryStr += " AND issue_label.label_id=" + com.ToStr(id)
}
if validJoin {
sess.Join("INNER", "issue_label", queryStr)
}
} }
if opts.IsMention { if opts.IsMention {
queryStr := "issue.id=issue_user.issue_id AND issue_user.is_mentioned=1" sess.Join("INNER", "issue_user", "issue.id = issue_user.issue_id AND issue_user.is_mentioned = 1")
if opts.UserID > 0 { if opts.UserID > 0 {
queryStr += " AND issue_user.uid=" + com.ToStr(opts.UserID) sess.Where("issue_user.uid = ?", opts.UserID)
} }
sess.Join("INNER", "issue_user", queryStr)
} }
issues := make([]*Issue, 0, setting.IssuePagingNum) issues := make([]*Issue, 0, setting.IssuePagingNum)