use Rails4-style strong parameters mass assignment protection
This commit is contained in:
Serge Paquet
parent
7584a15e53
commit
519427586a
3
Gemfile
3
Gemfile
|
|
@ -12,9 +12,6 @@ gem "mysql2", ">= 0.3.14"
|
|||
# NOTE: If you use PostgreSQL, you must still leave enabled the above mysql2 gem
|
||||
# for Sphinx full text search to function.
|
||||
|
||||
# Use Rails3-style mass assignment security
|
||||
gem "protected_attributes"
|
||||
|
||||
# Use Uglifier as compressor for JavaScript assets
|
||||
gem "uglifier", ">= 1.3.0"
|
||||
|
||||
|
|
|
|||
|
|
@ -58,8 +58,6 @@ GEM
|
|||
mini_portile (~> 0.5.0)
|
||||
oauth (0.4.7)
|
||||
polyglot (0.3.3)
|
||||
protected_attributes (1.0.5)
|
||||
activemodel (>= 4.0.1, < 5.0)
|
||||
rack (1.5.2)
|
||||
rack-test (0.6.2)
|
||||
rack (>= 1.0)
|
||||
|
|
@ -137,7 +135,6 @@ DEPENDENCIES
|
|||
mysql2 (>= 0.3.14)
|
||||
nokogiri
|
||||
oauth
|
||||
protected_attributes
|
||||
rails (= 4.0.2)
|
||||
rdiscount
|
||||
rspec-rails (~> 2.6)
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ class MessagesController < ApplicationController
|
|||
@cur_url = "/messages"
|
||||
@title = "Messages"
|
||||
|
||||
@new_message = Message.new(params[:message])
|
||||
@new_message = Message.new(message_params)
|
||||
@new_message.author_user_id = @user.id
|
||||
|
||||
@direction = :out
|
||||
|
|
@ -95,6 +95,13 @@ class MessagesController < ApplicationController
|
|||
end
|
||||
|
||||
private
|
||||
|
||||
def message_params
|
||||
params.require(:message).permit(
|
||||
:recipient_username, :subject, :body,
|
||||
)
|
||||
end
|
||||
|
||||
def find_message
|
||||
if @message = Message.where(:short_id => params[:message_id] || params[:id]).first
|
||||
if (@message.author_user_id == @user.id ||
|
||||
|
|
|
|||
|
|
@ -22,11 +22,23 @@ class SettingsController < ApplicationController
|
|||
def update
|
||||
@edit_user = @user.clone
|
||||
|
||||
if @edit_user.update_attributes(params[:user])
|
||||
if @edit_user.update_attributes(user_params)
|
||||
flash.now[:success] = "Successfully updated settings."
|
||||
@user = @edit_user
|
||||
end
|
||||
|
||||
render :action => "index"
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def user_params
|
||||
params.require(:user).permit(
|
||||
:username, :email, :password, :password_confirmation, :about,
|
||||
:email_replies, :email_messages, :email_mentions,
|
||||
:pushover_replies, :pushover_messages, :pushover_mentions,
|
||||
:pushover_user_key, :pushover_device, :pushover_sound,
|
||||
:mailing_list_enabled,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ class SignupController < ApplicationController
|
|||
|
||||
@title = "Signup"
|
||||
|
||||
@new_user = User.new(params[:user])
|
||||
@new_user = User.new(user_params)
|
||||
@new_user.invited_by_user_id = @invitation.user_id
|
||||
|
||||
if @new_user.save
|
||||
|
|
@ -53,4 +53,12 @@ class SignupController < ApplicationController
|
|||
render :action => "invited"
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def user_params
|
||||
params.require(:user).permit(
|
||||
:username, :email, :password, :password_confirmation, :about,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -12,9 +12,7 @@ class StoriesController < ApplicationController
|
|||
@title = "Submit Story"
|
||||
@cur_url = "/stories/new"
|
||||
|
||||
# we don't allow the url to be changed, so we have to set it manually
|
||||
@story = Story.new(params[:story].reject{|k,v| k == "url" })
|
||||
@story.url = params[:story][:url]
|
||||
@story = Story.new(story_params)
|
||||
@story.user_id = @user.id
|
||||
|
||||
if @story.valid? && !(@story.already_posted_story && !@story.seen_previous)
|
||||
|
|
@ -98,9 +96,7 @@ class StoriesController < ApplicationController
|
|||
end
|
||||
|
||||
def preview
|
||||
# we don't allow the url to be changed, so we have to set it manually
|
||||
@story = Story.new(params[:story].reject{|k,v| k == "url" })
|
||||
@story.url = params[:story][:url]
|
||||
@story = Story.new(story_params)
|
||||
@story.user_id = @user.id
|
||||
@story.previewing = true
|
||||
|
||||
|
|
@ -173,9 +169,10 @@ class StoriesController < ApplicationController
|
|||
@story.is_expired = false
|
||||
@story.editor_user_id = @user.id
|
||||
|
||||
@story.attributes = params[:story].except(:url)
|
||||
if @story.url_is_editable_by_user?(@user)
|
||||
@story.url = params[:story][:url]
|
||||
@story.attributes = story_params
|
||||
else
|
||||
@story.attributes = story_params.except(:url)
|
||||
end
|
||||
|
||||
if @story.save
|
||||
|
|
@ -228,6 +225,13 @@ class StoriesController < ApplicationController
|
|||
|
||||
private
|
||||
|
||||
def story_params
|
||||
params.require(:story).permit(
|
||||
:title, :url, :description, :moderation_reason, :seen_previous,
|
||||
:tags_a => []
|
||||
)
|
||||
end
|
||||
|
||||
def find_story
|
||||
Story.where(:short_id => params[:story_id]).first
|
||||
end
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@ class Comment < ActiveRecord::Base
|
|||
has_one :moderation,
|
||||
:class_name => "Moderation"
|
||||
|
||||
attr_accessible :comment, :moderation_reason
|
||||
|
||||
attr_accessor :current_vote, :previewing, :indent_level, :highlighted
|
||||
|
||||
before_validation :on => :create do
|
||||
|
|
|
|||
|
|
@ -1,8 +1,6 @@
|
|||
class Invitation < ActiveRecord::Base
|
||||
belongs_to :user
|
||||
|
||||
attr_accessible nil
|
||||
|
||||
validate do
|
||||
unless email.to_s.match(/\A[^@ ]+@[^ @]+\.[^ @]+\z/)
|
||||
errors.add(:email, "is not valid")
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
class InvitationRequest < ActiveRecord::Base
|
||||
attr_accessible nil
|
||||
|
||||
validates :name, :presence => true
|
||||
validates :email, :format => { :with => /\A[^@ ]+@[^@ ]+\.[^@ ]+\Z/ }
|
||||
validates :memo, :format => { :with => /https?:\/\// }
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@ class Message < ActiveRecord::Base
|
|||
|
||||
attr_accessor :recipient_username
|
||||
|
||||
attr_accessible :recipient_username, :subject, :body
|
||||
|
||||
validates_length_of :subject, :in => 1..150
|
||||
validates_length_of :body, :maximum => (64 * 1024)
|
||||
|
||||
|
|
|
|||
|
|
@ -6,8 +6,6 @@ class Moderation < ActiveRecord::Base
|
|||
belongs_to :comment
|
||||
belongs_to :user
|
||||
|
||||
attr_accessible nil
|
||||
|
||||
after_create :send_message_to_moderated
|
||||
|
||||
def send_message_to_moderated
|
||||
|
|
|
|||
|
|
@ -20,9 +20,6 @@ class Story < ActiveRecord::Base
|
|||
:seen_previous
|
||||
attr_accessor :editor_user_id, :moderation_reason
|
||||
|
||||
attr_accessible :title, :description, :tags_a, :moderation_reason,
|
||||
:seen_previous
|
||||
|
||||
before_validation :assign_short_id,
|
||||
:on => :create
|
||||
before_save :log_moderation
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
class TagFilter < ActiveRecord::Base
|
||||
belongs_to :tag
|
||||
belongs_to :user
|
||||
|
||||
attr_accessible nil
|
||||
end
|
||||
|
|
|
|||
|
|
@ -36,11 +36,6 @@ class User < ActiveRecord::Base
|
|||
end
|
||||
end
|
||||
|
||||
attr_accessible :username, :email, :password, :password_confirmation,
|
||||
:about, :email_replies, :pushover_replies, :pushover_user_key,
|
||||
:pushover_device, :pushover_sound, :email_messages, :pushover_messages,
|
||||
:email_mentions, :pushover_mentions, :mailing_list_enabled, :delete_me
|
||||
|
||||
before_save :check_session_token
|
||||
before_validation :on => :create do
|
||||
self.create_rss_token
|
||||
|
|
|
|||
|
|
@ -21,8 +21,6 @@ class Vote < ActiveRecord::Base
|
|||
"" => "Cancel",
|
||||
}
|
||||
|
||||
attr_accessible nil
|
||||
|
||||
def self.votes_by_user_for_stories_hash(user, stories)
|
||||
votes = {}
|
||||
|
||||
|
|
|
|||
|
|
@ -24,15 +24,12 @@ module Lobsters
|
|||
# config.i18n.default_locale = :de
|
||||
config.i18n.enforce_available_locales = true
|
||||
|
||||
# Enforce whitelist mode for mass assignment.
|
||||
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
||||
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
||||
# parameters by using an attr_accessible or attr_protected declaration.
|
||||
config.active_record.whitelist_attributes = true
|
||||
|
||||
# Future Rails version will disable implicit joins, so we'll be prepared.
|
||||
config.active_record.disable_implicit_join_references = true
|
||||
|
||||
# Raise an exception when using mass assignment with unpermitted attributes
|
||||
config.action_controller.action_on_unpermitted_parameters = :raise
|
||||
|
||||
config.cache_store = :memory_store
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -22,9 +22,6 @@ Lobsters::Application.configure do
|
|||
# Raise an error on page load if there are pending migrations
|
||||
config.active_record.migration_error = :page_load
|
||||
|
||||
# Raise exception on mass assignment protection for Active Record models
|
||||
config.active_record.mass_assignment_sanitizer = :strict
|
||||
|
||||
# Debug mode disables concatenation and preprocessing of assets.
|
||||
# This option may cause significant delays in view rendering with a large
|
||||
# number of complex assets.
|
||||
|
|
|
|||
|
|
@ -31,9 +31,6 @@ Lobsters::Application.configure do
|
|||
# ActionMailer::Base.deliveries array.
|
||||
config.action_mailer.delivery_method = :test
|
||||
|
||||
# Raise exception on mass assignment protection for Active Record models.
|
||||
config.active_record.mass_assignment_sanitizer = :strict
|
||||
|
||||
# Print deprecation notices to the stderr.
|
||||
config.active_support.deprecation = :stderr
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in a new issue