protect from mass assignment attacks

13 years ago · d75043e9ca
parent b18fb9bd99
commit d75043e9ca
4 changed files with 17 additions and 7 deletions
--- a/app/models/meeting.rb
+++ b/app/models/meeting.rb
@ -8,6 +8,8 @@ class Meeting < ActiveRecord::Base
  has_many :contents, :class_name => 'MeetingContent', :readonly => true
  has_many :participants, :dependent => :destroy, :class_name => 'MeetingParticipant'
  
+  attr_protected :project_id, :author_id, :created_at, :updated_at
+
  acts_as_watchable
  
  acts_as_searchable :columns => ["#{table_name}.title", "#{MeetingContent.table_name}.text"],
@ -90,4 +92,4 @@ class Meeting < ActiveRecord::Base
  def add_author_as_watcher
    add_watcher(author)
  end
-end
+end
--- a/app/models/meeting_agenda.rb
+++ b/app/models/meeting_agenda.rb
@ -13,11 +13,15 @@ class MeetingAgenda < MeetingContent
  
  # TODO: internationalize the comments
  def lock!(user = User.current)
-    update_attributes :locked => true, :author => user, :comment => "Agenda closed"
+    self.attributes = {:author => user, :comment => "Agenda closed"}
+    self.locked = true
+    self.save
  end
  
  def unlock!(user = User.current)
-    update_attributes :locked => false, :author => user, :comment => "Agenda opened"
+    self.attributes = {:author => user, :comment => "Agenda opened"}
+    self.locked = false
+    self.save
  end
  
  def editable?
@ -75,4 +79,4 @@ class MeetingAgenda < MeetingContent
      false
    end
  end
-end
+end
--- a/app/models/meeting_content.rb
+++ b/app/models/meeting_content.rb
@ -8,6 +8,8 @@ class MeetingContent < ActiveRecord::Base

  validates_length_of :comment, :maximum => 255, :allow_nil => true

+  attr_protected :author_id, :type, :meeting_id, :created_at, :updated_at, :locked
+
  before_save :comment_to_journal_notes

  def editable?
@ -48,4 +50,4 @@ class MeetingContent < ActiveRecord::Base
  def comment_to_journal_notes
    init_journal(author, comment) unless changes.empty?
  end
-end
+end
--- a/app/models/meeting_participant.rb
+++ b/app/models/meeting_participant.rb
@ -3,12 +3,14 @@ class MeetingParticipant < ActiveRecord::Base
  
  belongs_to :meeting
  belongs_to :user
-  
+
  named_scope :invited, :conditions => {:invited => true}
  named_scope :attended, :conditions => {:attended => true}
  
  after_create :add_participant_as_watcher
-  
+
+  attr_protected :user_id, :meeting_id, :meeting_role_id, :created_at, :updated_at
+
  def name
    user.present? ? user.name : self.name
  end