Prevent mass-assignment vulnerability when adding a news comment (#922).

2eeb4b13 · Jean-Philippe Lang · Holger Just · 0a7c6e67 · 2eeb4b13 · 2eeb4b13
Commit 2eeb4b13 authored Mar 06, 2012 by Jean-Philippe Lang Committed by Holger Just Apr 04, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

comments_controller.rb app/controllers/comments_controller.rb +4 -1

comment.rb app/models/comment.rb +3 -0

news.rb app/models/news.rb +5 -0

No files found.
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -21,7 +21,10 @@ class CommentsController < ApplicationController

  verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
  def create
-    @comment = Comment.new(params[:comment])
+    raise Unauthorized unless @news.commentable?
+
+    @comment = Comment.new
+    @comment.safe_attributes = params[:comment]
    @comment.author = User.current
    if @news.comments << @comment
      flash[:notice] = l(:label_comment_added)

--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -13,8 +13,11 @@
 #++

 class Comment < ActiveRecord::Base
+  include Redmine::SafeAttributes
  belongs_to :commented, :polymorphic => true, :counter_cache => true
  belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'

  validates_presence_of :commented, :author, :comments
+
+  safe_attributes 'comments'
 end
--- a/app/models/news.rb
+++ b/app/models/news.rb
@@ -37,6 +37,11 @@ class News < ActiveRecord::Base
    !user.nil? && user.allowed_to?(:view_news, project)
  end

+  # Returns true if the news can be commented by user
+  def commentable?(user=User.current)
+    user.allowed_to?(:comment_news, project)
+  end
+
  # returns latest news for projects visible by user
  def self.latest(user = User.current, count = 5)
    find(:all, :limit => count, :conditions => Project.allowed_to_condition(user, :view_news), :include => [ :author, :project ], :order => "#{News.table_name}.created_on DESC")