Merge pull request #126 from srgpqt/master
use Rails 4-style strong parameters for mass-assignment protection
commit
2f55605645
3
Gemfile
3
Gemfile
|
@ -12,9 +12,6 @@ gem "mysql2", ">= 0.3.14"
|
||||||
# NOTE: If you use PostgreSQL, you must still leave enabled the above mysql2 gem
|
# NOTE: If you use PostgreSQL, you must still leave enabled the above mysql2 gem
|
||||||
# for Sphinx full text search to function.
|
# for Sphinx full text search to function.
|
||||||
|
|
||||||
# Use Rails3-style mass assignment security
|
|
||||||
gem "protected_attributes"
|
|
||||||
|
|
||||||
# Use Uglifier as compressor for JavaScript assets
|
# Use Uglifier as compressor for JavaScript assets
|
||||||
gem "uglifier", ">= 1.3.0"
|
gem "uglifier", ">= 1.3.0"
|
||||||
|
|
||||||
|
|
|
@ -58,8 +58,6 @@ GEM
|
||||||
mini_portile (~> 0.5.0)
|
mini_portile (~> 0.5.0)
|
||||||
oauth (0.4.7)
|
oauth (0.4.7)
|
||||||
polyglot (0.3.3)
|
polyglot (0.3.3)
|
||||||
protected_attributes (1.0.5)
|
|
||||||
activemodel (>= 4.0.1, < 5.0)
|
|
||||||
rack (1.5.2)
|
rack (1.5.2)
|
||||||
rack-test (0.6.2)
|
rack-test (0.6.2)
|
||||||
rack (>= 1.0)
|
rack (>= 1.0)
|
||||||
|
@ -137,7 +135,6 @@ DEPENDENCIES
|
||||||
mysql2 (>= 0.3.14)
|
mysql2 (>= 0.3.14)
|
||||||
nokogiri
|
nokogiri
|
||||||
oauth
|
oauth
|
||||||
protected_attributes
|
|
||||||
rails (= 4.0.2)
|
rails (= 4.0.2)
|
||||||
rdiscount
|
rdiscount
|
||||||
rspec-rails (~> 2.6)
|
rspec-rails (~> 2.6)
|
||||||
|
|
|
@ -32,7 +32,7 @@ class MessagesController < ApplicationController
|
||||||
@cur_url = "/messages"
|
@cur_url = "/messages"
|
||||||
@title = "Messages"
|
@title = "Messages"
|
||||||
|
|
||||||
@new_message = Message.new(params[:message])
|
@new_message = Message.new(message_params)
|
||||||
@new_message.author_user_id = @user.id
|
@new_message.author_user_id = @user.id
|
||||||
|
|
||||||
@direction = :out
|
@direction = :out
|
||||||
|
@ -95,6 +95,13 @@ class MessagesController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def message_params
|
||||||
|
params.require(:message).permit(
|
||||||
|
:recipient_username, :subject, :body,
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
def find_message
|
def find_message
|
||||||
if @message = Message.where(:short_id => params[:message_id] || params[:id]).first
|
if @message = Message.where(:short_id => params[:message_id] || params[:id]).first
|
||||||
if (@message.author_user_id == @user.id ||
|
if (@message.author_user_id == @user.id ||
|
||||||
|
|
|
@ -22,11 +22,23 @@ class SettingsController < ApplicationController
|
||||||
def update
|
def update
|
||||||
@edit_user = @user.clone
|
@edit_user = @user.clone
|
||||||
|
|
||||||
if @edit_user.update_attributes(params[:user])
|
if @edit_user.update_attributes(user_params)
|
||||||
flash.now[:success] = "Successfully updated settings."
|
flash.now[:success] = "Successfully updated settings."
|
||||||
@user = @edit_user
|
@user = @edit_user
|
||||||
end
|
end
|
||||||
|
|
||||||
render :action => "index"
|
render :action => "index"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def user_params
|
||||||
|
params.require(:user).permit(
|
||||||
|
:username, :email, :password, :password_confirmation, :about,
|
||||||
|
:email_replies, :email_messages, :email_mentions,
|
||||||
|
:pushover_replies, :pushover_messages, :pushover_mentions,
|
||||||
|
:pushover_user_key, :pushover_device, :pushover_sound,
|
||||||
|
:mailing_list_enabled,
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
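Review bot: `user_params` in SettingsController omits `:delete_me`, which the `attr_accessible` list this commit removes from `User` did include, and because application.rb now sets `action_on_unpermitted_parameters = :raise`, a settings form that still submits `user[delete_me]` will raise `ActionController::UnpermittedParameters` instead of having the key dropped. If account deletion is meant to stay a settings-form field, add `:delete_me,` to the permit list in `user_params`; otherwise confirm the settings view (not in this diff) no longer sends it. Moving the whitelist into the controller is otherwise the right shape, and `@edit_user.update_attributes(user_params)` keeps the previous update flow intact.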
@ -37,7 +37,7 @@ class SignupController < ApplicationController
|
||||||
|
|
||||||
@title = "Signup"
|
@title = "Signup"
|
||||||
|
|
||||||
@new_user = User.new(params[:user])
|
@new_user = User.new(user_params)
|
||||||
@new_user.invited_by_user_id = @invitation.user_id
|
@new_user.invited_by_user_id = @invitation.user_id
|
||||||
|
|
||||||
if @new_user.save
|
if @new_user.save
|
||||||
|
@ -53,4 +53,12 @@ class SignupController < ApplicationController
|
||||||
render :action => "invited"
|
render :action => "invited"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def user_params
|
||||||
|
params.require(:user).permit(
|
||||||
|
:username, :email, :password, :password_confirmation, :about,
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -12,9 +12,7 @@ class StoriesController < ApplicationController
|
||||||
@title = "Submit Story"
|
@title = "Submit Story"
|
||||||
@cur_url = "/stories/new"
|
@cur_url = "/stories/new"
|
||||||
|
|
||||||
# we don't allow the url to be changed, so we have to set it manually
|
@story = Story.new(story_params)
|
||||||
@story = Story.new(params[:story].reject{|k,v| k == "url" })
|
|
||||||
@story.url = params[:story][:url]
|
|
||||||
@story.user_id = @user.id
|
@story.user_id = @user.id
|
||||||
|
|
||||||
if @story.valid? && !(@story.already_posted_story && !@story.seen_previous)
|
if @story.valid? && !(@story.already_posted_story && !@story.seen_previous)
|
||||||
|
@ -98,9 +96,7 @@ class StoriesController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def preview
|
def preview
|
||||||
# we don't allow the url to be changed, so we have to set it manually
|
@story = Story.new(story_params)
|
||||||
@story = Story.new(params[:story].reject{|k,v| k == "url" })
|
|
||||||
@story.url = params[:story][:url]
|
|
||||||
@story.user_id = @user.id
|
@story.user_id = @user.id
|
||||||
@story.previewing = true
|
@story.previewing = true
|
||||||
|
|
||||||
|
@ -173,9 +169,10 @@ class StoriesController < ApplicationController
|
||||||
@story.is_expired = false
|
@story.is_expired = false
|
||||||
@story.editor_user_id = @user.id
|
@story.editor_user_id = @user.id
|
||||||
|
|
||||||
@story.attributes = params[:story].except(:url)
|
|
||||||
if @story.url_is_editable_by_user?(@user)
|
if @story.url_is_editable_by_user?(@user)
|
||||||
@story.url = params[:story][:url]
|
@story.attributes = story_params
|
||||||
|
else
|
||||||
|
@story.attributes = story_params.except(:url)
|
||||||
end
|
end
|
||||||
|
|
||||||
if @story.save
|
if @story.save
|
||||||
|
@ -228,6 +225,12 @@ class StoriesController < ApplicationController
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def story_params
|
||||||
|
params.require(:story).permit(
|
||||||
|
:title, :url, :description, :seen_previous, :tags_a => []
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
def find_story
|
def find_story
|
||||||
Story.where(:short_id => params[:story_id]).first
|
Story.where(:short_id => params[:story_id]).first
|
||||||
end
|
end
|
||||||
|
|
|
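Review bot: `story_params` does not permit `:moderation_reason`, even though the `attr_accessible` list removed from `Story` in this commit contained it and `attr_accessor :editor_user_id, :moderation_reason` is still declared there; in `update`, `@story.attributes = story_params` therefore never sets it, and with unpermitted parameters configured to raise, an edit form that submits `story[moderation_reason]` fails outright rather than being logged by `before_save :log_moderation`. If moderators supply a reason through the story edit form (the view is not in this diff), add `:moderation_reason` to the `permit(` call; if the reason arrives some other way, a short comment on `story_params` saying so would stop the next reader from re-adding it. Sharing one `story_params` across `new`, `preview` and `update` is fine: `:url` must be permitted for creation, and `update` correctly strips it with `story_params.except(:url)` when `url_is_editable_by_user?` is false, which also replaces the old hand-rolled `reject{|k,v| k == "url" }` dance.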
@ -9,8 +9,6 @@ class Comment < ActiveRecord::Base
|
||||||
has_one :moderation,
|
has_one :moderation,
|
||||||
:class_name => "Moderation"
|
:class_name => "Moderation"
|
||||||
|
|
||||||
attr_accessible :comment, :moderation_reason
|
|
||||||
|
|
||||||
attr_accessor :current_vote, :previewing, :indent_level, :highlighted
|
attr_accessor :current_vote, :previewing, :indent_level, :highlighted
|
||||||
|
|
||||||
before_validation :on => :create do
|
before_validation :on => :create do
|
||||||
|
|
|
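Review bot: Dropping `attr_accessible :comment, :moderation_reason` from `Comment` has no matching controller hunk in this commit, so any remaining `Comment.new(params[:comment])` or `update_attributes(params[:comment])` call will now raise `ActiveModel::ForbiddenAttributesError`, because a raw `params` subhash is never permitted under strong parameters. Either the comments controller already assigns those two attributes individually, or it needs a `comment_params` helper of the same shape as the `message_params` and `story_params` added here; worth confirming before merge. For the models whose `attr_accessible nil` is removed in the later hunks (Invitation, InvitationRequest, Moderation, TagFilter, Vote) nothing was mass-assignable before either, so those deletions only change which exception a stray `Model.new(params[...])` raises, not whether it raises.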
@ -1,8 +1,6 @@
|
||||||
class Invitation < ActiveRecord::Base
|
class Invitation < ActiveRecord::Base
|
||||||
belongs_to :user
|
belongs_to :user
|
||||||
|
|
||||||
attr_accessible nil
|
|
||||||
|
|
||||||
validate do
|
validate do
|
||||||
unless email.to_s.match(/\A[^@ ]+@[^ @]+\.[^ @]+\z/)
|
unless email.to_s.match(/\A[^@ ]+@[^ @]+\.[^ @]+\z/)
|
||||||
errors.add(:email, "is not valid")
|
errors.add(:email, "is not valid")
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
class InvitationRequest < ActiveRecord::Base
|
class InvitationRequest < ActiveRecord::Base
|
||||||
attr_accessible nil
|
|
||||||
|
|
||||||
validates :name, :presence => true
|
validates :name, :presence => true
|
||||||
validates :email, :format => { :with => /\A[^@ ]+@[^@ ]+\.[^@ ]+\Z/ }
|
validates :email, :format => { :with => /\A[^@ ]+@[^@ ]+\.[^@ ]+\Z/ }
|
||||||
validates :memo, :format => { :with => /https?:\/\// }
|
validates :memo, :format => { :with => /https?:\/\// }
|
||||||
|
|
|
@ -11,8 +11,6 @@ class Message < ActiveRecord::Base
|
||||||
|
|
||||||
attr_accessor :recipient_username
|
attr_accessor :recipient_username
|
||||||
|
|
||||||
attr_accessible :recipient_username, :subject, :body
|
|
||||||
|
|
||||||
validates_length_of :subject, :in => 1..150
|
validates_length_of :subject, :in => 1..150
|
||||||
validates_length_of :body, :maximum => (64 * 1024)
|
validates_length_of :body, :maximum => (64 * 1024)
|
||||||
|
|
||||||
|
|
|
@ -6,8 +6,6 @@ class Moderation < ActiveRecord::Base
|
||||||
belongs_to :comment
|
belongs_to :comment
|
||||||
belongs_to :user
|
belongs_to :user
|
||||||
|
|
||||||
attr_accessible nil
|
|
||||||
|
|
||||||
after_create :send_message_to_moderated
|
after_create :send_message_to_moderated
|
||||||
|
|
||||||
def send_message_to_moderated
|
def send_message_to_moderated
|
||||||
|
|
|
@ -20,9 +20,6 @@ class Story < ActiveRecord::Base
|
||||||
:seen_previous
|
:seen_previous
|
||||||
attr_accessor :editor_user_id, :moderation_reason
|
attr_accessor :editor_user_id, :moderation_reason
|
||||||
|
|
||||||
attr_accessible :title, :description, :tags_a, :moderation_reason,
|
|
||||||
:seen_previous
|
|
||||||
|
|
||||||
before_validation :assign_short_id,
|
before_validation :assign_short_id,
|
||||||
:on => :create
|
:on => :create
|
||||||
before_save :log_moderation
|
before_save :log_moderation
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
class TagFilter < ActiveRecord::Base
|
class TagFilter < ActiveRecord::Base
|
||||||
belongs_to :tag
|
belongs_to :tag
|
||||||
belongs_to :user
|
belongs_to :user
|
||||||
|
|
||||||
attr_accessible nil
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -36,11 +36,6 @@ class User < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
attr_accessible :username, :email, :password, :password_confirmation,
|
|
||||||
:about, :email_replies, :pushover_replies, :pushover_user_key,
|
|
||||||
:pushover_device, :pushover_sound, :email_messages, :pushover_messages,
|
|
||||||
:email_mentions, :pushover_mentions, :mailing_list_enabled, :delete_me
|
|
||||||
|
|
||||||
before_save :check_session_token
|
before_save :check_session_token
|
||||||
before_validation :on => :create do
|
before_validation :on => :create do
|
||||||
self.create_rss_token
|
self.create_rss_token
|
||||||
|
|
|
@ -21,8 +21,6 @@ class Vote < ActiveRecord::Base
|
||||||
"" => "Cancel",
|
"" => "Cancel",
|
||||||
}
|
}
|
||||||
|
|
||||||
attr_accessible nil
|
|
||||||
|
|
||||||
def self.votes_by_user_for_stories_hash(user, stories)
|
def self.votes_by_user_for_stories_hash(user, stories)
|
||||||
votes = {}
|
votes = {}
|
||||||
|
|
||||||
|
|
|
@ -24,15 +24,12 @@ module Lobsters
|
||||||
# config.i18n.default_locale = :de
|
# config.i18n.default_locale = :de
|
||||||
config.i18n.enforce_available_locales = true
|
config.i18n.enforce_available_locales = true
|
||||||
|
|
||||||
# Enforce whitelist mode for mass assignment.
|
|
||||||
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
|
||||||
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
|
||||||
# parameters by using an attr_accessible or attr_protected declaration.
|
|
||||||
config.active_record.whitelist_attributes = true
|
|
||||||
|
|
||||||
# Future Rails version will disable implicit joins, so we'll be prepared.
|
# Future Rails version will disable implicit joins, so we'll be prepared.
|
||||||
config.active_record.disable_implicit_join_references = true
|
config.active_record.disable_implicit_join_references = true
|
||||||
|
|
||||||
|
# Raise an exception when using mass assignment with unpermitted attributes
|
||||||
|
config.action_controller.action_on_unpermitted_parameters = :raise
|
||||||
|
|
||||||
config.cache_store = :memory_store
|
config.cache_store = :memory_store
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
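Review bot: `config.action_controller.action_on_unpermitted_parameters = :raise` lives in application.rb, so it is in force in production as well, where an extra key under a required hash — a stale form field, a browser extension, or a client probing the endpoints — becomes an unhandled `ActionController::UnpermittedParameters` exception rather than a dropped key. The usual split is `:raise` in development.rb and test.rb (both are touched by this commit where `mass_assignment_sanitizer` is removed) and `:log` in production.rb, which keeps the unexpected-parameter signal in the logs without letting unknown input take the request down. If failing closed in production is the intent, say so in the comment, e.g. `# Raise on unpermitted attributes in every environment, including production, so unexpected form fields surface as errors rather than being silently dropped`.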
@ -22,9 +22,6 @@ Lobsters::Application.configure do
|
||||||
# Raise an error on page load if there are pending migrations
|
# Raise an error on page load if there are pending migrations
|
||||||
config.active_record.migration_error = :page_load
|
config.active_record.migration_error = :page_load
|
||||||
|
|
||||||
# Raise exception on mass assignment protection for Active Record models
|
|
||||||
config.active_record.mass_assignment_sanitizer = :strict
|
|
||||||
|
|
||||||
# Debug mode disables concatenation and preprocessing of assets.
|
# Debug mode disables concatenation and preprocessing of assets.
|
||||||
# This option may cause significant delays in view rendering with a large
|
# This option may cause significant delays in view rendering with a large
|
||||||
# number of complex assets.
|
# number of complex assets.
|
||||||
|
|
|
@ -31,9 +31,6 @@ Lobsters::Application.configure do
|
||||||
# ActionMailer::Base.deliveries array.
|
# ActionMailer::Base.deliveries array.
|
||||||
config.action_mailer.delivery_method = :test
|
config.action_mailer.delivery_method = :test
|
||||||
|
|
||||||
# Raise exception on mass assignment protection for Active Record models.
|
|
||||||
config.active_record.mass_assignment_sanitizer = :strict
|
|
||||||
|
|
||||||
# Print deprecation notices to the stderr.
|
# Print deprecation notices to the stderr.
|
||||||
config.active_support.deprecation = :stderr
|
config.active_support.deprecation = :stderr
|
||||||
end
|
end
|
||||||
|
|