From 84fca12445ccd8d678cea755aa22865b39987717 Mon Sep 17 00:00:00 2001
From: rulingcom <orbit@rulingcom.com>
Date: Wed, 9 Apr 2025 15:24:44 +0800
Subject: [PATCH] modifications for security and stuff

---
 .../admin/ask_acknowledgements_controller.rb  |  5 ++--
 app/controllers/asks_controller.rb            |  2 +-
 app/helpers/admin/asks_helper.rb              | 27 +++++++++++++-----
 app/models/ask_acknowledgement.rb             |  3 +-
 .../admin/ask_acknowledgements/index.html.erb |  4 +++
 app/views/asks/_history.html.erb              | 28 +++++++++++--------
 6 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/app/controllers/admin/ask_acknowledgements_controller.rb b/app/controllers/admin/ask_acknowledgements_controller.rb
index 522380a..dfc760c 100644
--- a/app/controllers/admin/ask_acknowledgements_controller.rb
+++ b/app/controllers/admin/ask_acknowledgements_controller.rb
@@ -1,5 +1,6 @@
 class Admin::AskAcknowledgementsController < OrbitAdminController
   helper Admin::AsksHelper
+  before_action ->(module_app = "ask") { set_variables module_app }
   def initialize
     super
     @app_title = 'ask_acknowledgement'
@@ -8,13 +9,13 @@ class Admin::AskAcknowledgementsController < OrbitAdminController
   def index
     @ask_acknowledgements = AskAcknowledgement.first || AskAcknowledgement.create
     @url = admin_ask_acknowledgement_path(@ask_acknowledgements)
+    @categories = @module_app.categories.map{|cat| [cat.title, cat.id.to_s]}
   end
 
   def update
     @ask_acknowledgements = AskAcknowledgement.first
     @ask_acknowledgements.update_attributes(params.require(:ask_acknowledgement).permit!)
-    
     redirect_to admin_ask_acknowledgements_path, notice: t('ask.save_success')
   end
 
-end
\ No newline at end of file
+end
diff --git a/app/controllers/asks_controller.rb b/app/controllers/asks_controller.rb
index 8686aca..5486c3f 100644
--- a/app/controllers/asks_controller.rb
+++ b/app/controllers/asks_controller.rb
@@ -580,7 +580,7 @@ class AsksController < ApplicationController
     if host_url == "http://"
       host_url = request.protocol + request.host_with_port
     end
-    mail_subject = mail_from+"  #{t('ask.new_question')}："
+    mail_subject = mail_from + " ： " + email_er.category.title
     email_er.email.update_attributes(
       :mail_lang=> site.default_locale,
       :create_user=>(current_user rescue nil),
diff --git a/app/helpers/admin/asks_helper.rb b/app/helpers/admin/asks_helper.rb
index ac2416d..83cbe3e 100644
--- a/app/helpers/admin/asks_helper.rb
+++ b/app/helpers/admin/asks_helper.rb
@@ -68,7 +68,7 @@ module Admin::AsksHelper
         "<div class=\"show_field\" id=\"#{index1 ? "#{get_input_name_for_ask}[#{index1}][#{field}][#{locale}]" : "#{get_input_name_for_ask}[#{field}][#{locale}]"}\">#{value_locale}</div>".html_safe
       end
     end.join + create_lang_panel_for_ask(all_field)).html_safe + combine_element
-  
+
     if sortable
       if exteral_options['style'].nil?
         exteral_options['style'] = 'display: flex;align-items: center;flex-wrap: nowrap;'
@@ -80,7 +80,7 @@ module Admin::AsksHelper
           tmp
         end).html_safe
       end
-    else 
+    else
       tmp = content_tag(:div,{:class => "tab-panel"}.merge(exteral_options)) do
         tmp
       end
@@ -113,7 +113,7 @@ module Admin::AsksHelper
         end
       end
     end.join + create_lang_panel_for_ask(all_field)).html_safe + combine_element
-  
+
     if sortable
       if exteral_options['style'].nil?
         exteral_options['style'] = 'display: flex;align-items: center;flex-wrap: nowrap;'
@@ -125,7 +125,7 @@ module Admin::AsksHelper
           tmp
         end).html_safe
       end
-    else 
+    else
       content_tag(:div,{:class => "tab-panel"}.merge(exteral_options)) do
         tmp
       end
@@ -341,8 +341,21 @@ module Admin::AsksHelper
         file_value = value[0] rescue nil
         file_path = value[1] rescue nil
         file_required = v['required']=='true'
-        readonly ? (file_path ? "<a href=\"#{file_path}\" title=\"file\">#{file_value}</a>" : "") : "<div class=\"file-selector\"><label class=\"ui-button\">
-                                #{file_field_tag(field_name, {:data => {:src => file_path}, style: "position: absolute;width:0.1em;opacity: 0;padding: 0;border: 0;opacity: 0;left: 50%;top: 0;", :class => 'upload', :required => file_required, value: file_value})}
+        readonly ? (file_path ? "<a href=\"#{file_path}\" title=\"file\">#{file_value}</a>".html_safe : "") : "<div class=\"file-selector\"><label class=\"ui-button\">
+                                #{file_field_tag(field_name, {:data => {:src => file_path}, style: "position: absolute;width:0.1em;opacity: 0;padding: 0;border: 0;opacity: 0;left: 50%;top: 0;", :class => 'upload', :required => file_required, value: file_value, accept: ".doc,.docx,.xls,.xlsx,.ppt,.pptx,.txt,.pdf,.jpg,.jpeg,.bmp,.gif,.png,.odf,.ods,.odt",
+                                onchange: "
+                                var file = this.files[0];
+                                if (!file) return;
+                                var maxSize = 20 * 1024 * 1024; // 20MB
+                                var allowedExtensions = /\.(doc|docx|xls|xlsx|ppt|pptx|txt|pdf|jpg|jpeg|bmp|gif|png|odf|ods|odt)$/i;
+                                if (file.size > maxSize) {
+                                  alert('File exceeds 20MB limit.');
+                                  this.value = '';
+                                } else if (!allowedExtensions.test(file.name)) {
+                                  alert('Invalid file type. Allowed: doc, docx, xls, xlsx, ppt, pptx, txt, pdf, jpg, jpeg, bmp, gif, png, odf, ods, odt');
+                                  this.value = '';
+                                }
+                              "})}
                                 <i class=\"fa fa-file\"></i> #{t('ask.upload_file')}
                                 </label><div class=\"filename\"></div></div>"
       when 'image'
@@ -451,7 +464,7 @@ module Admin::AsksHelper
   def page_for_askquestion(askquestion)
     ann_page = nil
     pages = Page.where(:module=>'ask')
-    
+
     pages.each do |page|
       if page.categories.count ==1
         if page.categories.include?(askquestion.category.id.to_s)
diff --git a/app/models/ask_acknowledgement.rb b/app/models/ask_acknowledgement.rb
index 30d00da..bbf6e98 100644
--- a/app/models/ask_acknowledgement.rb
+++ b/app/models/ask_acknowledgement.rb
@@ -3,4 +3,5 @@ class AskAcknowledgement
   include Mongoid::Timestamps
 
   field :content, type: Hash,default:{}
-end
\ No newline at end of file
+  field :category_id, type: String
+end
diff --git a/app/views/admin/ask_acknowledgements/index.html.erb b/app/views/admin/ask_acknowledgements/index.html.erb
index 8535aaa..dbefed0 100644
--- a/app/views/admin/ask_acknowledgements/index.html.erb
+++ b/app/views/admin/ask_acknowledgements/index.html.erb
@@ -11,6 +11,10 @@
 </style>
 <div id="ask-acknowledgements">
   <%= form_for @ask_acknowledgements, url:  @url, html: { class: 'form-horizontal' } do |f| %>
+    <div class="control-group">
+      <%= f.label :content, t('category'), class: 'control-label' %>
+      <%= f.select :category_id, options_for_select(@categories) %>
+    </div>
     <div class="control-group">
       <%= f.label :content, t('ask.acknowledgements'), class: 'control-label' %>
       <%= multiple_lang_tag_for_ask(nil,'text_area','content',@ask_acknowledgements.content,{:class=>'ckeditor',placeholder: t('ask.acknowledgements'),rows:10},nil,{'class' => 'controls','style'=>'display: flex;flex-direction: column-reverse;'})
diff --git a/app/views/asks/_history.html.erb b/app/views/asks/_history.html.erb
index b771484..50fc7db 100644
--- a/app/views/asks/_history.html.erb
+++ b/app/views/asks/_history.html.erb
@@ -3,9 +3,11 @@
   <thead>
     <tr>
       <th><%= t('status') %></th>
-      <th><%= t('ask.modified_by') %></th>
-      <th><%= t('ask.remark') %></th>
-      <th><%= t('ask.attachment') %></th>
+      <% if !current_user.nil? %>
+        <th><%= t('ask.modified_by') %></th>
+        <th><%= t('ask.remark') %></th>
+        <th><%= t('ask.attachment') %></th>
+      <% end %>
       <th><%= t('ask.updated_at') %></th>
     </tr>
   </thead>
@@ -15,15 +17,17 @@
         <td>
           <%= @status_mapping[ask_status_history.status] %>
         </td>
-        <td>
-          <%= ask_status_history.modified_by_name %>
-        </td>
-        <td>
-          <%= ask_status_history.comment %>
-        </td>
-        <td>
-          <%= link_to(ask_status_history[:file], ask_status_history.file.url) if ask_status_history.file.present? %>
-        </td>
+        <% if !current_user.nil? %>
+          <td>
+            <%= ask_status_history.modified_by_name %>
+          </td>
+          <td>
+            <%= ask_status_history.comment %>
+          </td>
+          <td>
+            <%= link_to(ask_status_history[:file], ask_status_history.file.url) if ask_status_history.file.present? %>
+          </td>
+        <% end %>
         <td>
           <%= ask_status_history.created_at.strftime("%Y-%m-%d %H:%M:%S") %>
         </td>