Commit 2eeb4b13, authored Mar 06, 2012 by Jean-Philippe Lang; committed by Holger Just, Apr 04, 2012
Prevent mass-assignment vulnerability when adding a news comment (#922).
parent 0a7c6e67
Showing 3 changed files with 12 additions and 1 deletion (+12 -1):
app/controllers/comments_controller.rb (+4 -1)
app/models/comment.rb (+3 -0)
app/models/news.rb (+5 -0)
app/controllers/comments_controller.rb
@@ -21,7 +21,10 @@ class CommentsController < ApplicationController
verify
:method
=>
:post
,
:only
=>
:create
,
:render
=>
{
:nothing
=>
true
,
:status
=>
:method_not_allowed
}
def
create
@comment
=
Comment
.
new
(
params
[
:comment
])
raise
Unauthorized
unless
@news
.
commentable?
@comment
=
Comment
.
new
@comment
.
safe_attributes
=
params
[
:comment
]
@comment
.
author
=
User
.
current
if
@news
.
comments
<<
@comment
flash
[
:notice
]
=
l
(
:label_comment_added
)
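Review bot: the `raise Unauthorized unless @news.commentable?` guard depends on `@news` already being loaded when `create` runs, but nothing in this hunk loads it; the `verify :method => :post, :only => :create` line only enforces the HTTP method, so confirm that a before filter sets `@news` for `create`, otherwise a request for a missing news item fails with NoMethodError on nil instead of the intended Unauthorized. Replacing `Comment.new(params[:comment])` with `Comment.new` followed by `@comment.safe_attributes = params[:comment]` is the right fix for the mass-assignment problem, and keeping `@comment.author = User.current` after the safe-attribute step means the author is decided by the controller regardless of what the request carried.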
app/models/comment.rb
@@ -13,8 +13,11 @@
#++
class
Comment
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
belongs_to
:commented
,
:polymorphic
=>
true
,
:counter_cache
=>
true
belongs_to
:author
,
:class_name
=>
'User'
,
:foreign_key
=>
'author_id'
validates_presence_of
:commented
,
:author
,
:comments
safe_attributes
'comments'
end
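Review bot: `safe_attributes 'comments'` whitelists only the comment body, so `author_id`, `commented_id` and `commented_type` can no longer be set from request parameters, and `validates_presence_of :commented, :author, :comments` then forces every caller to assign those associations explicitly; that is the intended behaviour, but it deserves a regression test that posts an `author_id` inside the `comment` hash and asserts the stored author is still the current user. A short comment above `safe_attributes 'comments'` noting that everything else must be set by the controller would help the next maintainer who is tempted to widen the list.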
app/models/news.rb
@@ -37,6 +37,11 @@ class News < ActiveRecord::Base
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_news
,
project
)
end
# Returns true if the news can be commented by user
def
commentable?
(
user
=
User
.
current
)
user
.
allowed_to?
(
:comment_news
,
project
)
end
# returns latest news for projects visible by user
def
self
.
latest
(
user
=
User
.
current
,
count
=
5
)
find
(
:all
,
:limit
=>
count
,
:conditions
=>
Project
.
allowed_to_condition
(
user
,
:view_news
),
:include
=>
[
:author
,
:project
],
:order
=>
"
#{
News
.
table_name
}
.created_on DESC"
)
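Review bot: `commentable?` calls `user.allowed_to?(:comment_news, project)` without the `!user.nil? &&` guard that `visible?` uses directly above it; the default argument `User.current` keeps the common path safe, but a caller passing an explicit `nil` gets NoMethodError instead of `false`. Suggest mirroring the existing guard: `!user.nil? && user.allowed_to?(:comment_news, project)`. The doc comment `# Returns true if the news can be commented by user` would also read better as `# Returns true if user is allowed to comment on the news`.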