Refactor activity_user to remove possible SQL injection points.
steveyken committed Dec 27, 2013
1 parent 078035f commit d4b2de8
Showing 2 changed files with 10 additions and 6 deletions.
10 changes: 6 additions & 4 deletions app/controllers/home_controller.rb
Expand Up @@ -122,6 +122,9 @@ def activity_event
end

#----------------------------------------------------------------------------
# TODO: this is ugly, ugly code. It's being security patched now but urgently
# needs refactoring to use user id instead. Permuations based on name or email
# yield incorrect results.
def activity_user
user = current_user.pref[:activity_user]
if user && user != "all_users"
Expand All @@ -130,12 +133,11 @@ def activity_user
else # first_name middle_name last_name any_name
name_query = if user.include?(" ")
user.name_permutations.map{ |first, last|
"(upper(first_name) LIKE upper('%#{first}%') AND upper(last_name) LIKE upper('%#{last}%'))"
}.join(" OR ")
User.where(:first_name => first, :last_name => last)
}.map(&:to_a).flatten.first
else
"upper(first_name) LIKE upper('%#{user}%') OR upper(last_name) LIKE upper('%#{user}%')"
[User.where(:first_name => user), User.where(:last_name => user)].map(&:to_a).flatten.first
end
User.where(name_query).first
end
end
user.is_a?(User) ? user.id : nil
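Review bot: After this change the `name_query` local no longer holds a query — both branches of `if user.include?(" ")` now evaluate to a `User` record (or nil) via `.map(&:to_a).flatten.first`, so the name misleads a reader into looking for a later `User.where(name_query)` that was removed; the outer expression that presumably consumes the branch value starts above the hunk, so I cannot confirm from here how it reaches `user.is_a?(User) ? user.id : nil`. Rename it (`found = if user.include?(" ")`) or drop the assignment if the surrounding `if`/`else` already yields the value. Both branches also execute every permutation query and load every matching row before taking `.first`; `User.where(:first_name => user).first || User.where(:last_name => user).first` would stop at the first hit, though the spec in this commit would then need to stop expecting both calls. Hash conditions are exact, case-sensitive matches while the removed `upper(first_name) LIKE upper('%…%')` was a case-insensitive substring match, so the new TODO comment in the first hunk should state that narrowing explicitly; it also misspells "Permuations" for "Permutations".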
6 changes: 4 additions & 2 deletions spec/controllers/home_controller_spec.rb
Expand Up @@ -171,14 +171,16 @@
it "should find a user by first name or last name" do
@cur_user.stub(:pref).and_return(:activity_user => 'Billy')
controller.instance_variable_set(:@current_user, @cur_user)
User.should_receive(:where).with("upper(first_name) LIKE upper('%Billy%') OR upper(last_name) LIKE upper('%Billy%')").and_return([@user])
User.should_receive(:where).with(:first_name => 'Billy').and_return([@user])
User.should_receive(:where).with(:last_name => 'Billy').and_return([@user])
controller.send(:activity_user).should == 1
end

it "should find a user by first name and last name" do
@cur_user.stub(:pref).and_return(:activity_user => 'Billy Elliot')
controller.instance_variable_set(:@current_user, @cur_user)
User.should_receive(:where).with("(upper(first_name) LIKE upper('%Billy%') AND upper(last_name) LIKE upper('%Elliot%')) OR (upper(first_name) LIKE upper('%Elliot%') AND upper(last_name) LIKE upper('%Billy%'))").and_return([@user])
User.should_receive(:where).with(:first_name => 'Billy', :last_name => "Elliot").and_return([@user])
User.should_receive(:where).with(:first_name => 'Elliot', :last_name => "Billy").and_return([@user])
controller.send(:activity_user).should == 1
end

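Review bot: The rewritten examples pin the parameterized `where` calls but add no example for the input class the commit title is about, a name containing a quote; an example such as `@cur_user.stub(:pref).and_return(:activity_user => "O'Brien")` with `User.should_receive(:where).with(:first_name => "O'Brien").and_return([@user])` would catch a future regression to string-built conditions. The paired `should_receive` on `:first_name => 'Billy'` and `:last_name => 'Billy'` also binds the spec to the implementation issuing both queries even after the first returns a match, so an early-exit in the controller would fail this example without any behaviour change. Minor style: the new hashes mix `'Billy'` with `"Elliot"` on the same line; use one quoting style.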

