OHR Support / Commits
Commit 275163ea
authored Mar 06, 2012 by Jean-Philippe Lang
Committed by Holger Just, Apr 04, 2012
Prevent mass-assignment vulnerability when adding/updating a wiki (#922).
parent fc5dfd58
Showing 2 changed files with 4 additions and 1 deletion (+4 -1)
app/controllers/wikis_controller.rb (+1 -1)
app/models/wiki.rb (+3 -0)
app/controllers/wikis_controller.rb
...
@@ -19,7 +19,7 @@ class WikisController < ApplicationController
...
@@ -19,7 +19,7 @@ class WikisController < ApplicationController
# Create or update a project's wiki
# Create or update a project's wiki
def
edit
def
edit
@wiki
=
@project
.
wiki
||
Wiki
.
new
(
:project
=>
@project
)
@wiki
=
@project
.
wiki
||
Wiki
.
new
(
:project
=>
@project
)
@wiki
.
attributes
=
params
[
:wiki
]
@wiki
.
safe_
attributes
=
params
[
:wiki
]
@wiki
.
save
if
request
.
post?
@wiki
.
save
if
request
.
post?
render
(
:update
)
{
|
page
|
page
.
replace_html
"tab-content-wiki"
,
:partial
=>
'projects/settings/wiki'
}
render
(
:update
)
{
|
page
|
page
.
replace_html
"tab-content-wiki"
,
:partial
=>
'projects/settings/wiki'
}
end
end
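Review bot: the assignment `@wiki.safe_attributes = params[:wiki]` still runs for every request method while only the save is guarded by `if request.post?`, so a GET to this action carrying `wiki[...]` parameters populates the object that is then rendered into `projects/settings/wiki`. Move the assign-and-save pair into the POST branch, e.g. `if request.post?` / `@wiki.safe_attributes = params[:wiki]` / `@wiki.save`. Also confirm that `safe_attributes=` tolerates a missing `params[:wiki]` (the old `attributes=` accepted nil; the new setter should return early on anything that is not a Hash). The commit touches only the two application files: a functional test that posts `wiki[project_id]` for another project alongside `wiki[start_page]` and asserts the wiki's `project_id` is unchanged would lock the fix in.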
...
...
app/models/wiki.rb
...
@@ -13,6 +13,7 @@
...
@@ -13,6 +13,7 @@
#++
#++
class
Wiki
<
ActiveRecord
::
Base
class
Wiki
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
belongs_to
:project
belongs_to
:project
has_many
:pages
,
:class_name
=>
'WikiPage'
,
:dependent
=>
:destroy
,
:order
=>
'title'
has_many
:pages
,
:class_name
=>
'WikiPage'
,
:dependent
=>
:destroy
,
:order
=>
'title'
has_many
:redirects
,
:class_name
=>
'WikiRedirect'
,
:dependent
=>
:delete_all
has_many
:redirects
,
:class_name
=>
'WikiRedirect'
,
:dependent
=>
:delete_all
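Review bot: `include Redmine::SafeAttributes` only protects callers that opt in through `safe_attributes=`; any other code path that still calls `attributes=` or `update_attributes` on a Wiki keeps the mass-assignment exposure this commit is closing. Consider pairing the include with a model-level guard such as `attr_protected :project_id` (or an `attr_accessible` list) so that `project_id` cannot be reassigned through mass assignment regardless of which setter a controller uses. The include has to precede the `safe_attributes` declaration in the model, which it does here.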
...
@@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
...
@@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
validates_presence_of
:start_page
validates_presence_of
:start_page
validates_format_of
:start_page
,
:with
=>
/^[^,\.\/\?\;\|\:]*$/
validates_format_of
:start_page
,
:with
=>
/^[^,\.\/\?\;\|\:]*$/
safe_attributes
'start_page'
def
visible?
(
user
=
User
.
current
)
def
visible?
(
user
=
User
.
current
)
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_wiki_pages
,
project
)
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_wiki_pages
,
project
)
end
end
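Review bot: the whitelist `safe_attributes 'start_page'` correctly limits mass assignment to the one user-editable column, but the validation directly above it, `validates_format_of :start_page, :with => /^[^,\.\/\?\;\|\:]*$/`, anchors with `^` and `$`, which in Ruby regular expressions match at line boundaries rather than string boundaries. A value such as `"Ok\n/etc"` passes because the first line matches, so the characters the pattern is meant to exclude can still reach the column. Use `\A` and `\z` (`/\A[^,\.\/\?\;\|\:]*\z/`) so the whole string is checked; this is pre-existing, but it matters more now that `start_page` is the sole mass-assignable attribute.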
...
...