From e9d343b9718aaccd0e19e3194fd0376cc49c6051 Mon Sep 17 00:00:00 2001 From: kgalli Date: Fri, 4 Sep 2015 16:10:50 +0000 Subject: [PATCH 1/4] Skip Cross-site request forgery (CSRF) protection for show action --- app/controllers/rb_server_variables_controller.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/controllers/rb_server_variables_controller.rb b/app/controllers/rb_server_variables_controller.rb index 7f4c05bf7e..0ca665330a 100644 --- a/app/controllers/rb_server_variables_controller.rb +++ b/app/controllers/rb_server_variables_controller.rb @@ -34,6 +34,7 @@ #++ class RbServerVariablesController < RbApplicationController + protect_from_forgery except: :show def show respond_to do |format| format.js { render layout: false } From d3d27ea2075e106c65c193ebb6dbc6ae1b2bafd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Fri, 4 Sep 2015 22:33:57 +0200 Subject: [PATCH 2/4] Remove unused CSRF data in js data view --- app/views/rb_server_variables/show.js.erb | 3 --- 1 file changed, 3 deletions(-) diff --git a/app/views/rb_server_variables/show.js.erb b/app/views/rb_server_variables/show.js.erb index a48789d7bb..2c7692b287 100644 --- a/app/views/rb_server_variables/show.js.erb +++ b/app/views/rb_server_variables/show.js.erb @@ -37,9 +37,6 @@ See doc/COPYRIGHT.rdoc for more details. RB.constants = { project_id: <%= @project.id %>, sprint_id: <%= @sprint ? @sprint.id : "null" %>, - protect_against_forgery: <%= protect_against_forgery? ? "true" : "false" %>, - request_forgery_protection_token: '<%= request_forgery_protection_token %>', - form_authenticity_token: '<%= form_authenticity_token %>' }; RB.i18n = { From 85cda7b63cf8c83090d2ca5b1c18d128f4d52bc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Fri, 4 Sep 2015 22:16:05 +0200 Subject: [PATCH 3/4] Force version of silent_list There's an old acts_as_silent_list out there that gets installed when not specifying our own finnlabs fork. This causes all sorts of problems on Rails4+, so we ensure the version is correct in this plugin, even if we can't force the source here ourselves. --- openproject-backlogs.gemspec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openproject-backlogs.gemspec b/openproject-backlogs.gemspec index 6e6b9c69be..434c892ad2 100644 --- a/openproject-backlogs.gemspec +++ b/openproject-backlogs.gemspec @@ -15,8 +15,8 @@ Gem::Specification.new do |s| s.files = Dir['{app,config,db,lib,doc}/**/*', 'README.md'] s.test_files = Dir['spec/**/*'] - s.add_dependency 'rails', '~> 4.1.11' - s.add_dependency 'acts_as_silent_list' + s.add_dependency 'rails', '~> 4.1.11' + s.add_dependency 'acts_as_silent_list', '~> 1.3.0' s.add_dependency 'openproject-pdf_export' From 7f078624da03cfd72dbcb1862ce916b698f8fc73 Mon Sep 17 00:00:00 2001 From: kgalli Date: Mon, 7 Sep 2015 13:44:10 +0000 Subject: [PATCH 4/4] Replacement of RbServerVariablesController show Move of all relevant parts into shared view. Rendering of this view inline. Inline JavaScript might not be the best solution but seems more suitable as having an extra controller for that. The whole CSRF problem is also fixed by doing so. --- .../rb_server_variables_controller.rb | 43 ----------------- app/views/rb_master_backlogs/index.html.erb | 6 +-- app/views/rb_taskboards/show.html.erb | 7 +-- app/views/shared/_backlogs_header.html.erb | 4 ++ .../_server_variables.js.erb} | 0 config/routes.rb | 2 - features/common.feature | 1 - features/step_definitions/_when_steps.rb | 4 -- lib/open_project/backlogs/engine.rb | 2 - .../rb_server_variables_routing_spec.rb | 47 ------------------- 10 files changed, 6 insertions(+), 110 deletions(-) delete mode 100644 app/controllers/rb_server_variables_controller.rb rename app/views/{rb_server_variables/show.js.erb => shared/_server_variables.js.erb} (100%) delete mode 100644 spec/routing/rb_server_variables_routing_spec.rb diff --git a/app/controllers/rb_server_variables_controller.rb b/app/controllers/rb_server_variables_controller.rb deleted file mode 100644 index 0ca665330a..0000000000 --- a/app/controllers/rb_server_variables_controller.rb +++ /dev/null @@ -1,43 +0,0 @@ -#-- copyright -# OpenProject Backlogs Plugin -# -# Copyright (C)2013-2014 the OpenProject Foundation (OPF) -# Copyright (C)2011 Stephan Eckardt, Tim Felgentreff, Marnen Laibow-Koser, Sandro Munda -# Copyright (C)2010-2011 friflaj -# Copyright (C)2010 Maxime Guilbot, Andrew Vit, Joakim Kolsjö, ibussieres, Daniel Passos, Jason Vasquez, jpic, Emiliano Heyns -# Copyright (C)2009-2010 Mark Maglana -# Copyright (C)2009 Joe Heck, Nate Lowrie -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of the GNU General Public License version 3. -# -# OpenProject Backlogs is a derivative work based on ChiliProject Backlogs. -# The copyright follows: -# Copyright (C) 2010-2011 - Emiliano Heyns, Mark Maglana, friflaj -# Copyright (C) 2011 - Jens Ulferts, Gregor Schmidt - Finn GmbH - Berlin, Germany -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# See doc/COPYRIGHT.rdoc for more details. -#++ - -class RbServerVariablesController < RbApplicationController - protect_from_forgery except: :show - def show - respond_to do |format| - format.js { render layout: false } - end - end -end diff --git a/app/views/rb_master_backlogs/index.html.erb b/app/views/rb_master_backlogs/index.html.erb index 8f0675d8ee..a9e825d931 100644 --- a/app/views/rb_master_backlogs/index.html.erb +++ b/app/views/rb_master_backlogs/index.html.erb @@ -35,12 +35,8 @@ See doc/COPYRIGHT.rdoc for more details. ++#%> <% content_for :header_tags do %> -<%= render :partial => 'shared/backlogs_header' %> + <%= render :partial => 'shared/backlogs_header' %> <%= stylesheet_link_tag 'backlogs/master_backlog.css' %> - <%= javascript_include_tag url_for(:controller => '/rb_server_variables', - :action => 'show', - :project_id => @project, - authenticity_token: form_authenticity_token) %> <% end %>
diff --git a/app/views/rb_taskboards/show.html.erb b/app/views/rb_taskboards/show.html.erb index 45af568c9c..e4241c65ff 100644 --- a/app/views/rb_taskboards/show.html.erb +++ b/app/views/rb_taskboards/show.html.erb @@ -35,13 +35,8 @@ See doc/COPYRIGHT.rdoc for more details. ++#%> <% content_for :header_tags do %> -<%= render :partial => 'shared/backlogs_header' %> + <%= render :partial => 'shared/backlogs_header' %> <%= stylesheet_link_tag 'backlogs/taskboard.css' %> - <%= javascript_include_tag url_for(:controller => 'rb_server_variables', - :action => 'show', - :project_id => @project, - :sprint_id => @sprint, - authenticity_token: form_authenticity_token) %> <% end %> <%= toolbar title: h(@sprint.name) do %> diff --git a/app/views/shared/_backlogs_header.html.erb b/app/views/shared/_backlogs_header.html.erb index e275693717..9e1e90ae45 100644 --- a/app/views/shared/_backlogs_header.html.erb +++ b/app/views/shared/_backlogs_header.html.erb @@ -36,3 +36,7 @@ See doc/COPYRIGHT.rdoc for more details. <%= stylesheet_link_tag 'backlogs/backlogs.css' %> <%= javascript_include_tag 'backlogs/backlogs.js' %> + + diff --git a/app/views/rb_server_variables/show.js.erb b/app/views/shared/_server_variables.js.erb similarity index 100% rename from app/views/rb_server_variables/show.js.erb rename to app/views/shared/_server_variables.js.erb diff --git a/config/routes.rb b/config/routes.rb index 63798900fd..70c1e1eacd 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -38,8 +38,6 @@ OpenProject::Application.routes.draw do scope 'projects/:project_id', as: 'project' do resources :backlogs, controller: :rb_master_backlogs, only: :index - resource :server_variables, controller: :rb_server_variables, only: :show, format: :js - resources :sprints, controller: :rb_sprints, only: :update do resource :query, controller: :rb_queries, only: :show diff --git a/features/common.feature b/features/common.feature index 55a53137cc..418f1b250c 100644 --- a/features/common.feature +++ b/features/common.feature @@ -73,7 +73,6 @@ Feature: Common Scenario: View the product backlog When I go to the master backlog - And I request the server_variables resource Then the request should complete successfully Scenario: View the product backlog without any stories diff --git a/features/step_definitions/_when_steps.rb b/features/step_definitions/_when_steps.rb index c889bd022a..ec27cebbdc 100644 --- a/features/step_definitions/_when_steps.rb +++ b/features/step_definitions/_when_steps.rb @@ -113,10 +113,6 @@ When /^I move the (\d+)(?:st|nd|rd|th) story to the (\d+|last)(?:st|nd|rd|th)? p ), prev: (prev.nil? ? '' : prev.text), '_method' => 'put' end -When /^I request the server_variables resource$/ do - visit backlogs_project_server_variables_url(@project.id, format: 'js') -end - When /^I update the impediment$/ do page.driver.post backlogs_project_sprint_impediment_url( *@impediment_params.values_at('project_id', 'fixed_version_id', 'id') diff --git a/lib/open_project/backlogs/engine.rb b/lib/open_project/backlogs/engine.rb index f628e7f948..7479d3f9b3 100644 --- a/lib/open_project/backlogs/engine.rb +++ b/lib/open_project/backlogs/engine.rb @@ -67,7 +67,6 @@ module OpenProject::Backlogs rb_wikis: :show, rb_stories: [:index, :show], rb_queries: :show, - rb_server_variables: :show, rb_burndown_charts: :show, rb_export_card_configurations: [:index, :show] @@ -77,7 +76,6 @@ module OpenProject::Backlogs rb_tasks: [:index, :show], rb_impediments: [:index, :show], rb_wikis: :show, - rb_server_variables: :show, rb_burndown_charts: :show, rb_export_card_configurations: [:index, :show] diff --git a/spec/routing/rb_server_variables_routing_spec.rb b/spec/routing/rb_server_variables_routing_spec.rb deleted file mode 100644 index c708d938b0..0000000000 --- a/spec/routing/rb_server_variables_routing_spec.rb +++ /dev/null @@ -1,47 +0,0 @@ -#-- copyright -# OpenProject Backlogs Plugin -# -# Copyright (C)2013-2014 the OpenProject Foundation (OPF) -# Copyright (C)2011 Stephan Eckardt, Tim Felgentreff, Marnen Laibow-Koser, Sandro Munda -# Copyright (C)2010-2011 friflaj -# Copyright (C)2010 Maxime Guilbot, Andrew Vit, Joakim Kolsjö, ibussieres, Daniel Passos, Jason Vasquez, jpic, Emiliano Heyns -# Copyright (C)2009-2010 Mark Maglana -# Copyright (C)2009 Joe Heck, Nate Lowrie -# -# This program is free software; you can redistribute it and/or modify it under -# the terms of the GNU General Public License version 3. -# -# OpenProject Backlogs is a derivative work based on ChiliProject Backlogs. -# The copyright follows: -# Copyright (C) 2010-2011 - Emiliano Heyns, Mark Maglana, friflaj -# Copyright (C) 2011 - Jens Ulferts, Gregor Schmidt - Finn GmbH - Berlin, Germany -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# See doc/COPYRIGHT.rdoc for more details. -#++ - -require 'spec_helper' - -describe RbServerVariablesController, type: :routing do - describe 'routing' do - it { - expect(get('/projects/project_42/server_variables.js')).to route_to(controller: 'rb_server_variables', - action: 'show', - format: 'js', - project_id: 'project_42') - } - end -end