
Fixed mass assignment vulnerability

1 parent e4d2244 commit ab636d677295cca9c42e525bc737dc6978e1a663 @fredwu committed Mar 6, 2012
@@ -10,13 +10,19 @@ module Commentable
def add_comment(user, content, options = {})
options = { :is_private => false }.merge(options)
- Message.create(
+ message = Message.create(
:content => content,
:is_private => options[:is_private],
:target_id => id,
- :target_type => self.class.name,
- :user_id => user.id
- ) && reload
+ :target_type => self.class.name
+ )
+
+ message.user_id = user.id
+ message.save
+
+ reload
+
+ message
end
def add_private_comment(user, content, options = {})
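Review bot: `message = Message.create(` at the top of `add_comment` persists the row before `user_id` is assigned, so a message with a NULL user_id is written and then rewritten, and if the second `message.save` fails validation the method still returns the object as though it succeeded. Building the record with `message = Message.new(` and saving once after `message.user_id = user.id` keeps user_id out of the mass-assigned hash (the reason for the split) without the orphan write. Consider `message.save!`, or returning the save result, so callers can tell a rejected comment from a stored one; the previous `&& reload` at least returned nil on failure. `add_private_comment` starts on the hunk's last line and continues outside it.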
@@ -6,6 +6,11 @@ class Message < ActiveRecord::Base
belongs_to :topic, :class_name => 'Message', :foreign_key => 'topic_id'
has_many :replies, :class_name => 'Message', :foreign_key => 'topic_id'
+ attr_accessible :content,
+ :is_private,
+ :target_id,
+ :target_type
+
validates :content, :presence => true,
:length => { :maximum => 140 }
@@ -3,6 +3,11 @@ class Proposal < ActiveRecord::Base
belongs_to :startup
has_and_belongs_to_many :investors, :join_table => :proposal_for_investors, :class_name => 'User'
+ attr_protected :proposal_stage_identifier,
chloerei Mar 6, 2012

最好用 attr_accessible 哦

+ :startup_id,
+ :created_at,
+ :updated_at
+
validates :pitch, :presence => true,
:length => { :within => 10..140 }
validates :introduction, :presence => true,
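Review bot: The `attr_protected` blacklist does not cover `investor_ids`, the writer that `has_and_belongs_to_many :investors` on the line above generates, so a form post with `proposal[investor_ids][]` could attach a proposal to arbitrary users while the foreign key `startup_id` is blocked. Unless the proposal form is meant to let the submitter pick investors, the association writer should be listed too: `attr_protected :proposal_stage_identifier, :startup_id, :investor_ids, :created_at, :updated_at`. Any column or association added to Proposal later has the same gap, which is the usual cost of a blacklist. The class body continues beyond the hunk.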
@@ -16,6 +16,14 @@ class Startup < ActiveRecord::Base
has_many :proposals
+ attr_accessible :name,
+ :pitch,
+ :funds_to_raise,
+ :stage_identifier,
+ :market_identifier,
+ :location,
+ :description
+
accepts_nested_attributes_for :photos, :limit => 5, :allow_destroy => true, :reject_if => :all_blank
validates :name, :presence => true,
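Review bot: The new whitelist omits `photos_attributes`, the writer generated by `accepts_nested_attributes_for :photos` on the line just below it, so once whitelist mode is on nested photo params will be silently discarded (or raise, if a strict mass-assignment sanitizer is configured) and the photo upload form will stop working. Add it to the list: `:description, :photos_attributes`. `proposal_ids` from `has_many :proposals` is correctly left out. The class continues past the hunk.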
@@ -1,4 +1,8 @@
class StartupUser < ActiveRecord::Base
belongs_to :user, :foreign_key => 'user_email', :primary_key => 'email'
belongs_to :startup
+
+ attr_accessible :user_email,
+ :role_identifier,
+ :member_title
end
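Review bot: Whitelisting `:role_identifier` makes the membership role settable from any request that mass-assigns a StartupUser, so if a member can edit their own membership row they can also promote themselves. If the role is only ever set by an admin or owner action, keep it out of the default whitelist and assign it explicitly, or scope it with `attr_accessible :role_identifier, :as => :admin` and pass `:as => :admin` from the privileged controller. Whether such a self-edit path exists is not visible from this diff, so this is worth a quick check of the controllers.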
@@ -2,4 +2,7 @@ class TargetFollower < ActiveRecord::Base
belongs_to :user, :foreign_key => :follower_id
belongs_to :follower, :polymorphic => true, :counter_cache => :followed_count
belongs_to :target, :polymorphic => true, :counter_cache => :followers_count
+
+ attr_accessible :follower_id,
+ :follower_type
end
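Review bot: Making `follower_id` and `follower_type` mass-assignable lets a request decide who is doing the following, which is the same shape of problem this commit closes for `Message#user_id`. The follower is normally the authenticated user and should be set explicitly, e.g. `TargetFollower.new(:follower => current_user, :target => target)` with an empty whitelist, rather than accepted from params. If these are only ever assigned from trusted server-side hashes, a short comment above the declaration saying so would keep it from being passed `params[:target_follower]` later.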
@@ -112,22 +112,36 @@ def avatar(size = 80)
end
def send_private_message(target_user, content, extras = {})
- messages.create!({
+ message = messages.create!({
:content => content,
:is_private => true,
:target_id => target_user.id,
:target_type => 'User'
- }.merge(extras)) && reload
+ })
+
+ extras.each { |k, v| message.update_attribute k, v }
+ message.save
+
+ reload
+
+ message
end
def reply_private_message(topic, content, extras = {})
- messages.create!({
+ message = messages.create!({
:content => content,
:is_private => true,
:target_id => topic.user.id,
- :target_type => 'User',
- :topic_id => topic.id
- }.merge(extras)) && reload
+ :target_type => 'User'
+ })
+
+ extras.each { |k, v| message.update_attribute k, v }
+ message.topic_id = topic.id
+ message.save
+
+ reload
+
+ message
end
def add_micro_post(content)
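Review bot: `extras.each { |k, v| message.update_attribute k, v }` in both `send_private_message` and `reply_private_message` reopens the hole this commit is closing: `update_attribute` bypasses `attr_accessible` and validations and issues one UPDATE per key, so a `user_id`, `topic_id` or `target_id` key in `extras` is written straight to the row. Assign through the sanitizer instead, `message.attributes = extras` followed by `message.save!`, so non-whitelisted keys are dropped and a validation failure is not swallowed as it is now by the unchecked `message.save` (the preceding `create!` already raises, so `save!` is consistent). Whether `extras` is ever built from request params is not visible here; if it only carries trusted keys, say so in a comment on the parameter. `add_micro_post` begins on the hunk's last line.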
@@ -43,22 +43,29 @@ class Application < Rails::Application
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
# config.i18n.default_locale = :de
- # Please note that JavaScript expansions are *ignored altogether* if the asset
- # pipeline is enabled (see config.assets.enabled below). Put your defaults in
- # app/assets/javascripts/application.js in that case.
- #
- # JavaScript files you want as :defaults (application.js is always included).
- # config.action_view.javascript_expansions[:defaults] = %w(prototype prototype_ujs)
-
# Configure the default encoding used in templates for Ruby 1.9.
config.encoding = "utf-8"
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password, :password_confirmation]
+ # Use SQL instead of Active Record's schema dumper when creating the database.
+ # This is necessary if your schema can't be completely dumped by the schema dumper,
+ # like if you have constraints or database-specific column types
+ # config.active_record.schema_format = :sql
+
+ # Enforce whitelist mode for mass assignment.
+ # This will create an empty whitelist of attributes available for mass-assignment for all models
+ # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+ # parameters by using an attr_accessible or attr_protected declaration.
+ config.active_record.whitelist_attributes = true
+
# Enable the asset pipeline
config.assets.enabled = true
+ # Version of your assets, change this if you want to expire all your assets
+ config.assets.version = '1.0'
+
config.generators do |g|
g.template_engine :slim
g.test_framework :rspec
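Review bot: `config.active_record.whitelist_attributes = true` installs an empty `attr_accessible` default, but a model that declares `attr_protected` switches itself back to blacklist mode, so the Proposal model in this same commit is not covered by the setting; the comment above the line says "whitelist or blacklist", which is true but worth flagging with `# NOTE: a model that declares attr_protected opts out of whitelist mode for itself`. Silent dropping is also the default behaviour, so a non-whitelisted attribute (e.g. nested `photos_attributes`) just disappears; if this app is on Rails 3.2, setting `config.active_record.mass_assignment_sanitizer = :strict` in the development and test environments turns those into errors. The `config.generators` block continues past the hunk.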
