Avoiding update_attributes and new for Issues

Using safe_attributes= from core instead, to avoid a mass-assignment vulnerability
pull/6827/head
Gregor Schmidt 13 years ago
parent b5c6b69d2d
commit 61936a8475
  1. 3
      app/controllers/rb_stories_controller.rb
  2. 14
      app/models/story.rb
  3. 2
      features/step_definitions/_given_steps.rb

@ -14,7 +14,8 @@ class RbStoriesController < RbApplicationController
def create def create
params['author_id'] = User.current.id params['author_id'] = User.current.id
story = Story.create_and_position(params) story = Story.create_and_position(params, :project => @project,
:author => User.current)
status = (story.id ? 200 : 400) status = (story.id ? 200 : 400)
respond_to do |format| respond_to do |format|
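Review bot: `params['author_id'] = User.current.id` on the line before the create_and_position call looks redundant now: the author is passed explicitly as `:author => User.current`, and if, as I recall, `author_id` is not in Issue's safe attribute list, `safe_attributes=` drops it from params anyway. Removing that line would also stop suggesting that a request-supplied `author_id` still has an effect. The `status` value is derived from `story.id`, so a failed save is reported as 400 as before. The body of `create` continues outside the hunk.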

@ -40,11 +40,12 @@ class Story < Issue
Story.backlog(project.id, sprint.id, options) Story.backlog(project.id, sprint.id, options)
end end
def self.create_and_position(params) def self.create_and_position(params, safer_attributes)
attribs = params.select{|k,v| k != 'prev_id' and k != 'id' and Story.column_names.include? k } Story.new.tap do |s|
attribs = Hash[*attribs.flatten] s.safe_attributes = params
s.author = safer_attributes[:author] if safer_attributes[:author]
s.project = safer_attributes[:project] if safer_attributes[:project]
Story.new(attribs).tap do |s|
if s.save if s.save
s.move_after(params['prev_id']) s.move_after(params['prev_id'])
end end
@ -122,10 +123,9 @@ class Story < Issue
end end
def update_and_position!(params) def update_and_position!(params)
attribs = params.select { |k,v| k != 'id' and Story.column_names.include?(k) } self.safe_attributes = params
attribs = Hash[*attribs.flatten]
journalized_update_attributes(attribs).tap do |result| save.tap do |result|
if result and params[:prev] if result and params[:prev]
reload reload
move_after(params[:prev]) move_after(params[:prev])
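Review bot: In create_and_position, `s.safe_attributes = params` runs before `s.project` and `s.author` are assigned, but Redmine's `safe_attributes=` evaluates its per-attribute permission lambdas (the `new_statuses_allowed_to` check on status/assignee fields, for example) against the issue's current project, which is still nil at that point; assigning first, `s.author = safer_attributes[:author] if safer_attributes[:author]`, `s.project = safer_attributes[:project] if safer_attributes[:project]`, and only then `s.safe_attributes = params`, lets those checks run in the intended project context. `safer_attributes` should probably get a default, `def self.create_and_position(params, safer_attributes = {})`, so any caller that still passes only params does not raise ArgumentError. In update_and_position!, `save` replaces `journalized_update_attributes`; if that helper initialised a journal, the change history is no longer recorded unless `init_journal` is called before this method, which is worth confirming. Both methods continue outside the hunk.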

@ -158,7 +158,7 @@ Given /^the [pP]roject(?: "([^\"]*)")? has the following stories in the followin
# NOTE: We're bypassing the controller here because we're just # NOTE: We're bypassing the controller here because we're just
# setting up the database for the actual tests. The actual tests, # setting up the database for the actual tests. The actual tests,
# however, should NOT bypass the controller # however, should NOT bypass the controller
s = Story.create_and_position params s = Story.create_and_position params, :project => project
prev_id = s.id prev_id = s.id
end end
end end
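Review bot: The step now passes only `:project => project`, so the story's author can no longer come from `params` if `safe_attributes=` discards `author_id` as I believe it does, and Issue's author presence validation would then fail the save, leaving `s.id` and hence `prev_id` nil without the step noticing. Passing the author as well, `s = Story.create_and_position params, :project => project, :author => User.current`, or asserting `s.id` after the call would surface that in the fixture setup. The step definition begins outside the hunk.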
