OHR Support
Commit 4c322d37, authored Mar 06, 2012 by Jean-Philippe Lang, committed by Holger Just on Apr 04, 2012
Prevent mass-assignment vulnerability when adding/updating a forum message (#922).
parent f12b9fca
Showing 2 changed files with 20 additions and 16 deletions
app/controllers/messages_controller.rb (+13, -16)
app/models/message.rb (+7, -0)
app/controllers/messages_controller.rb
@@ -48,26 +48,26 @@ class MessagesController < ApplicationController
# Create a new topic
def
new
@message
=
Message
.
new
(
params
[
:message
])
@message
=
Message
.
new
@message
.
author
=
User
.
current
@message
.
board
=
@board
if
params
[
:message
]
&&
User
.
current
.
allowed_to?
(
:edit_messages
,
@project
)
@message
.
locked
=
params
[
:message
][
'locked'
]
@message
.
sticky
=
params
[
:message
][
'sticky'
]
end
if
request
.
post?
&&
@message
.
save
call_hook
(
:controller_messages_new_after_save
,
{
:params
=>
params
,
:message
=>
@message
})
attachments
=
Attachment
.
attach_files
(
@message
,
params
[
:attachments
])
render_attachment_warning_if_needed
(
@message
)
redirect_to
:action
=>
'show'
,
:id
=>
@message
@message
.
safe_attributes
=
params
[
:message
]
if
request
.
post?
if
@message
.
save
call_hook
(
:controller_messages_new_after_save
,
{
:params
=>
params
,
:message
=>
@message
})
attachments
=
Attachment
.
attach_files
(
@message
,
params
[
:attachments
])
render_attachment_warning_if_needed
(
@message
)
redirect_to
:action
=>
'show'
,
:id
=>
@message
end
end
end
# Reply to a topic
def
reply
@reply
=
Message
.
new
(
params
[
:reply
])
@reply
=
Message
.
new
@reply
.
author
=
User
.
current
@reply
.
board
=
@board
@reply
.
safe_attributes
=
params
[
:reply
]
@topic
.
children
<<
@reply
if
!
@reply
.
new_record?
call_hook
(
:controller_messages_reply_after_save
,
{
:params
=>
params
,
:message
=>
@reply
})
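Review bot: the new `@message.safe_attributes = params[:message]` line in `new` is only correct because `@message.board = @board` is assigned immediately before it; the model's `:if` lambda for `locked`/`sticky` evaluates `message.project`, which is presumably reached through the board, so reordering these two lines would run the permission check against a nil project. A short comment above the assignment saying the order is load-bearing would prevent that; the same applies in `reply`, where `@reply.board = @board` now precedes `@reply.safe_attributes = params[:reply]`. Minor: the assignment runs on GET as well as POST (the removed `Message.new(params[:message])` did too), which is harmless since `save` is still gated on `request.post?`, and the `attachments =` local is still assigned but never read.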
@@ -80,11 +80,8 @@ class MessagesController < ApplicationController
# Edit a message
def
edit
(
render_403
;
return
false
)
unless
@message
.
editable_by?
(
User
.
current
)
if
params
[
:message
]
@message
.
locked
=
params
[
:message
][
'locked'
]
@message
.
sticky
=
params
[
:message
][
'sticky'
]
end
if
request
.
post?
&&
@message
.
update_attributes
(
params
[
:message
])
@message
.
safe_attributes
=
params
[
:message
]
if
request
.
post?
&&
@message
.
save
attachments
=
Attachment
.
attach_files
(
@message
,
params
[
:attachments
])
render_attachment_warning_if_needed
(
@message
)
flash
[
:notice
]
=
l
(
:notice_successful_update
)
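Review bot: the removed block checked `User.current.allowed_to?(:edit_messages, @project)` in the controller before touching `locked`/`sticky`; after this hunk that decision lives entirely in the model's `:if` lambda and the controller no longer names a user, so the behaviour depends on which user `safe_attributes=` hands to the lambda. Worth a functional test that POSTs `locked`/`sticky` as a user without `:edit_messages` and asserts they are ignored, and one that POSTs `author_id` and asserts the author is unchanged, so the whitelist cannot regress silently. Also, `@message.safe_attributes = params[:message]` now mutates the loaded record on GET before the form renders; harmless because `save` is gated on `request.post?`, but wrapping the assignment in the same `if request.post?` would make the intent explicit.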
app/models/message.rb
@@ -13,6 +13,7 @@
#++
class
Message
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
belongs_to
:board
belongs_to
:author
,
:class_name
=>
'User'
,
:foreign_key
=>
'author_id'
acts_as_tree
:counter_cache
=>
:replies_count
,
:order
=>
"
#{
Message
.
table_name
}
.created_on ASC"
@@ -49,6 +50,12 @@ class Message < ActiveRecord::Base
named_scope
:visible
,
lambda
{
|*
args
|
{
:include
=>
{
:board
=>
:project
},
:conditions
=>
Project
.
allowed_to_condition
(
args
.
first
||
User
.
current
,
:view_messages
)
}
}
safe_attributes
'subject'
,
'content'
safe_attributes
'locked'
,
'sticky'
,
:if
=>
lambda
{
|
message
,
user
|
user
.
allowed_to?
(
:edit_messages
,
message
.
project
)
}
def
visible?
(
user
=
User
.
current
)
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_messages
,
project
)
end
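Review bot: the `:if` lambda calls `message.project` with no nil guard; `project` is reached via `belongs_to :board` (the `visible?` method below relies on it the same way), so a `Message` whose board has not been set yet would raise or pass `nil` to `allowed_to?` whenever `locked` or `sticky` appear in the attributes hash. Either guard with `message.project &&` in the lambda or document that callers must assign `board` before `safe_attributes=`. A one-line comment stating that everything not listed here (`author_id`, `replies_count`, the board foreign key) is deliberately not mass-assignable would make the fix for #922 self-explanatory to the next reader.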