Merge pull request #2929 from evazion/fix-post-events-mods
Fix exceptions on /posts/:id/events, /moderator/dashboard; fix XSS in data-source.
r888888888 committed Mar 21, 2017
2 parents c4b5998 + d1debec commit 30cef2e
Showing 4 changed files with 9 additions and 4 deletions.
2 changes: 1 addition & 1 deletion app/logical/moderator/dashboard/queries/tag.rb
Expand Up @@ -5,7 +5,7 @@ class Tag
attr_reader :user, :count

def self.all(min_date, max_level)
return unless PostArchive.enabled?
return [] unless PostArchive.enabled?

records = PostArchive.where("updated_at > ?", min_date).group(:updater).count.map do |user, count|
new(user, count)
2 changes: 1 addition & 1 deletion app/models/post_event.rb
Expand Up @@ -4,7 +4,7 @@ class PostEvent
include ActiveModel::Serializers::Xml

attr_accessor :event
delegate :creator_id, :reason, :is_resolved, :created_at, to: :event
delegate :creator, :creator_id, :reason, :is_resolved, :created_at, to: :event

def self.find_for_post(post_id)
post = Post.find(post_id)
4 changes: 2 additions & 2 deletions app/presenters/post_presenter.rb
Expand Up @@ -88,8 +88,8 @@ def self.data_attributes(post)
data-file-url="#{post.file_url}"
data-large-file-url="#{post.large_file_url}"
data-preview-file-url="#{post.preview_file_url}"
data-source="#{post.source}"
data-normalized-source="#{post.normalized_source}"
data-source="#{h(post.source}"
data-normalized-source="#{h(post.normalized_source)}"
}.html_safe
end

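Review bot: The new `data-source` line is missing a closing parenthesis (`#{h(post.source}`), so the interpolation is unbalanced and the presenter will likely fail to parse or emit a mangled attribute; it should read `data-source="#{h(post.source)}"`. The whole string is then marked `.html_safe`, which turns off Rails' automatic escaping for everything in it, yet the three URL attributes just above (`file_url`, `large_file_url`, `preview_file_url`) are still interpolated without `h()`. If any of those values can carry user-influenced text they need the same escaping as the two source attributes. `data_attributes` begins outside this hunk, so the attributes not shown here should be checked as well.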
5 changes: 5 additions & 0 deletions test/functional/post_events_controller_test.rb
Expand Up @@ -25,6 +25,11 @@ def teardown
get :index, {:post_id => @post.id}, {:user_id => CurrentUser.user.id}
assert_response :ok
end

should "render for mods" do
get :index, {:post_id => @post.id}, {:user_id => FactoryGirl.create(:moderator_user).id }
assert_response :success
end
end

context "GET /posts/:post_id/events.xml" do
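Review bot: The added `should "render for mods"` case is the only test among the four changed files, so two of the three fixes in this commit have no regression coverage: the `return []` path in `Tag.all` when `PostArchive.enabled?` is false, and the escaping of `data-source` / `data-normalized-source` in `PostPresenter.data_attributes`. The escaping fix in particular is easy to undo unnoticed, so a presenter test that builds a post whose source contains `"` and `<` and asserts the output contains `&quot;` and `&lt;` rather than the raw characters would be worth adding. A minor style point: the neighbouring case asserts `:ok` while the new one asserts `:success`, and using one form in both would read more consistently. The enclosing `context` block starts outside the hunk.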
