修复漏洞

app/controllers/question_banks_controller.rb

@@ -10,7 +10,7 @@ class QuestionBanksController < ApplicationController
   def bank_list
     page = params[:page] || 1
     limit = params[:limit] || 15
-    @certification_teacher = current_user.is_teacher? || current_user.admin?
+    @certification_teacher = current_user.is_certification_teacher || current_user.admin_or_business?
     @objects = @object_type.classify.constantize.where(@object_filter)
     @objects =
         if params[:search]
@@ -18,19 +18,17 @@ class QuestionBanksController < ApplicationController
             # 已认证才能获取题库
             if @certification_teacher
               sql = %Q{
-              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like
-                    '%#{params[:search]}%'
+              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
               }
-              @objects.joins(:course_list).where(sql)
+              @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
             else
               @objects.none
             end
           else
             sql = %Q{
-            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like
-                    '%#{params[:search]}%'
+            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
             }
-            @objects.joins(:course_list).where(sql)
+            @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
           end
         else
           if params[:filter] == 'public'