Commit 4c322d37 authored by Jean-Philippe Lang's avatar Jean-Philippe Lang Committed by Holger Just

Prevent mass-assignment vulnerability when adding/updating a forum message (#922).

parent f12b9fca
...@@ -48,26 +48,26 @@ class MessagesController < ApplicationController ...@@ -48,26 +48,26 @@ class MessagesController < ApplicationController
# Create a new topic # Create a new topic
def new def new
@message = Message.new(params[:message]) @message = Message.new
@message.author = User.current @message.author = User.current
@message.board = @board @message.board = @board
if params[:message] && User.current.allowed_to?(:edit_messages, @project) @message.safe_attributes = params[:message]
@message.locked = params[:message]['locked'] if request.post?
@message.sticky = params[:message]['sticky'] if @message.save
end
if request.post? && @message.save
call_hook(:controller_messages_new_after_save, { :params => params, :message => @message}) call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
attachments = Attachment.attach_files(@message, params[:attachments]) attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message) render_attachment_warning_if_needed(@message)
redirect_to :action => 'show', :id => @message redirect_to :action => 'show', :id => @message
end end
end end
end
# Reply to a topic # Reply to a topic
def reply def reply
@reply = Message.new(params[:reply]) @reply = Message.new
@reply.author = User.current @reply.author = User.current
@reply.board = @board @reply.board = @board
@reply.safe_attributes = params[:reply]
@topic.children << @reply @topic.children << @reply
if !@reply.new_record? if !@reply.new_record?
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply}) call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
...@@ -80,11 +80,8 @@ class MessagesController < ApplicationController ...@@ -80,11 +80,8 @@ class MessagesController < ApplicationController
# Edit a message # Edit a message
def edit def edit
(render_403; return false) unless @message.editable_by?(User.current) (render_403; return false) unless @message.editable_by?(User.current)
if params[:message] @message.safe_attributes = params[:message]
@message.locked = params[:message]['locked'] if request.post? && @message.save
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.update_attributes(params[:message])
attachments = Attachment.attach_files(@message, params[:attachments]) attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message) render_attachment_warning_if_needed(@message)
flash[:notice] = l(:notice_successful_update) flash[:notice] = l(:notice_successful_update)
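Review bot: The `locked`/`sticky` whitelist added to Message is guarded by a lambda that calls `message.project`, so in `new` and `reply` the `safe_attributes=` assignment is only correct because `@message.board = @board` (and `@reply.board = @board`) runs on the line immediately before it, and nothing marks that ordering as load-bearing. A one-line comment above each `safe_attributes=` line, `# board must be set first: the locked/sticky safe_attributes check resolves message.project`, would keep a later reorder from silently turning the permission check into an error. In `edit` the old `if params[:message]` guard is gone, so `@message.safe_attributes = params[:message]` now also runs on GET with a nil argument; that is fine if `Redmine::SafeAttributes#safe_attributes=` ignores non-Hash input, which this diff does not show and is worth confirming. The `edit` body continues past the end of the hunk.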
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#++ #++
class Message < ActiveRecord::Base class Message < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :board belongs_to :board
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id' belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC" acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
...@@ -49,6 +50,12 @@ class Message < ActiveRecord::Base ...@@ -49,6 +50,12 @@ class Message < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => {:board => :project}, named_scope :visible, lambda {|*args| { :include => {:board => :project},
:conditions => Project.allowed_to_condition(args.first || User.current, :view_messages) } } :conditions => Project.allowed_to_condition(args.first || User.current, :view_messages) } }
safe_attributes 'subject', 'content'
safe_attributes 'locked', 'sticky',
:if => lambda {|message, user|
user.allowed_to?(:edit_messages, message.project)
}
def visible?(user=User.current) def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_messages, project) !user.nil? && user.allowed_to?(:view_messages, project)
end end
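Review bot: The `:if` lambda on the `locked`/`sticky` whitelist (lines 57-60) evaluates `message.project` for any message, including one whose `board` has not been assigned yet; if `project` is derived from `board`, which this hunk does not show, an unboarded message would raise inside the whitelist check instead of simply having the attributes dropped. A guard such as `:if => lambda {|message, user| message.project && user.allowed_to?(:edit_messages, message.project) }` makes the check fail closed regardless of how `allowed_to?` treats a nil context. A comment above the second `safe_attributes` call, `# locked/sticky are only mass-assignable to users who may edit messages in the board's project; everything else in params is dropped`, would also make explicit why `subject`/`content` are whitelisted separately. The Message class continues outside the hunk.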