Skip to content
Browse files

set activerecord whitelist_attributes to true

  • Loading branch information...
1 parent 4629cc4 commit 83efcabc829083f11553df0f1eb67a8fbbc3e000 @NARKOZ NARKOZ committed Sep 26, 2012
View
3 app/models/event.rb
@@ -1,6 +1,9 @@
class Event < ActiveRecord::Base
include PushEvent
+ attr_accessible :project, :action, :data, :author_id, :project_id,
+ :target_id, :target_type
+
default_scope where("author_id IS NOT NULL")
Created = 1
View
3 app/models/issue.rb
@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
include IssueCommonality
include Votes
+ attr_accessible :title, :assignee_id, :closed, :position, :description,
+ :milestone_id, :label_list, :author_id_of_changes
+
acts_as_taggable_on :labels
belongs_to :milestone
View
2 app/models/key.rb
@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
belongs_to :user
belongs_to :project
- attr_protected :user_id
+ attr_accessible :key, :title
validates :title,
presence: true,
View
6 app/models/merge_request.rb
@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
include IssueCommonality
include Votes
+ attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
+ :author_id_of_changes
+
BROKEN_DIFF = "--broken-diff"
UNCHECKED = 1
@@ -48,7 +51,8 @@ def unchecked?
end
def mark_as_unchecked
- self.update_attributes(state: UNCHECKED)
+ self.state = UNCHECKED
+ self.save
end
def can_be_merged?
View
2 app/models/milestone.rb
@@ -13,6 +13,8 @@
#
class Milestone < ActiveRecord::Base
+ attr_accessible :title, :description, :due_date, :closed
+
belongs_to :project
has_many :issues
View
4 app/models/note.rb
@@ -2,6 +2,9 @@
require 'file_size_validator'
class Note < ActiveRecord::Base
+ attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+ :attachment, :line_code
+
belongs_to :project
belongs_to :noteable, polymorphic: true
belongs_to :author,
@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
to: :author,
prefix: true
- attr_protected :author, :author_id
attr_accessor :notify
attr_accessor :notify_author
View
8 app/models/project.rb
@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
include Authority
include Team
+ attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
+ :wall_enabled, :merge_requests_enabled, :wiki_enabled
+
#
# Relations
#
@@ -26,11 +29,6 @@ class Project < ActiveRecord::Base
attr_accessor :error_code
#
- # Protected attributes
- #
- attr_protected :private_flag, :owner_id
-
- #
# Scopes
#
scope :public_only, where(private_flag: false)
View
2 app/models/protected_branch.rb
@@ -1,6 +1,8 @@
class ProtectedBranch < ActiveRecord::Base
include GitHost
+ attr_accessible :name
+
belongs_to :project
validates_presence_of :project_id
validates_presence_of :name
View
7 app/models/snippet.rb
@@ -1,6 +1,8 @@
class Snippet < ActiveRecord::Base
include Linguist::BlobHelper
+ attr_accessible :title, :content, :file_name, :expires_at
+
belongs_to :project
belongs_to :author, class_name: "User"
has_many :notes, as: :noteable, dependent: :destroy
@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
:email,
to: :author,
prefix: true
- attr_protected :author, :author_id, :project, :project_id
validates_presence_of :project_id
validates_presence_of :author_id
@@ -46,11 +47,11 @@ def size
0
end
- def name
+ def name
file_name
end
- def mode
+ def mode
nil
end
View
4 app/models/users_project.rb
@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
DEVELOPER = 30
MASTER = 40
+ attr_accessible :user, :user_id, :project_access
+
belongs_to :user
belongs_to :project
- attr_protected :project_id, :project
-
after_save :update_repository
after_destroy :update_repository
View
6 app/models/web_hook.rb
@@ -1,6 +1,8 @@
class WebHook < ActiveRecord::Base
include HTTParty
+ attr_accessible :url
+
# HTTParty timeout
default_timeout 10
@@ -18,11 +20,11 @@ def execute(data)
post_url = url.gsub(parsed_url.userinfo+"@", "")
WebHook.post(post_url,
body: data.to_json,
- headers: { "Content-Type" => "application/json" },
+ headers: { "Content-Type" => "application/json" },
basic_auth: {username: parsed_url.user, password: parsed_url.password})
end
end
-
+
end
# == Schema Information
#
View
2 app/models/wiki.rb
@@ -1,4 +1,6 @@
class Wiki < ActiveRecord::Base
+ attr_accessible :title, :content, :slug
+
belongs_to :project
belongs_to :user
has_many :notes, as: :noteable, dependent: :destroy
View
2 app/roles/issue_commonality.rb
@@ -3,8 +3,6 @@ module IssueCommonality
extend ActiveSupport::Concern
included do
- attr_protected :author, :author_id, :project, :project_id
-
belongs_to :project
belongs_to :author, class_name: "User"
belongs_to :assignee, class_name: "User"
View
6 config/application.rb
@@ -39,6 +39,12 @@ class Application < Rails::Application
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
+ # Enforce whitelist mode for mass assignment.
+ # This will create an empty whitelist of attributes available for mass-assignment for all models
+ # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+ # parameters by using an attr_accessible or attr_protected declaration.
+ config.active_record.whitelist_attributes = true
+
# Enable the asset pipeline
config.assets.enabled = true
View
2 config/environments/development.rb
@@ -33,7 +33,7 @@
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
-
+
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
View
3 config/environments/test.rb
@@ -34,6 +34,9 @@
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+ # Raise exception on mass assignment protection for Active Record models
+ # config.active_record.mass_assignment_sanitizer = :strict
+
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
View
5 spec/models/issue_spec.rb
@@ -5,6 +5,11 @@
it { should belong_to(:milestone) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:author_id) }
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe "Validation" do
it { should ensure_length_of(:description).is_within(0..2000) }
it { should ensure_inclusion_of(:closed).in_array([true, false]) }
View
5 spec/models/key_spec.rb
@@ -6,6 +6,11 @@
it { should belong_to(:project) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ it { should_not allow_mass_assignment_of(:user_id) }
+ end
+
describe "Validation" do
it { should validate_presence_of(:title) }
it { should validate_presence_of(:key) }
View
5 spec/models/merge_request_spec.rb
@@ -6,6 +6,11 @@
it { should validate_presence_of(:source_branch) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:author_id) }
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe 'modules' do
it { should include_module(IssueCommonality) }
it { should include_module(Votes) }
View
4 spec/models/milestone_spec.rb
@@ -6,6 +6,10 @@
it { should have_many(:issues) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe "Validation" do
it { should validate_presence_of(:title) }
it { should validate_presence_of(:project_id) }
View
5 spec/models/note_spec.rb
@@ -7,6 +7,11 @@
it { should belong_to(:author).class_name('User') }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:author) }
+ it { should_not allow_mass_assignment_of(:author_id) }
+ end
+
describe "Validation" do
it { should validate_presence_of(:note) }
it { should validate_presence_of(:project) }
View
5 spec/models/project_spec.rb
@@ -17,6 +17,11 @@
it { should have_many(:protected_branches).dependent(:destroy) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:owner_id) }
+ it { should_not allow_mass_assignment_of(:private_flag) }
+ end
+
describe "Validation" do
let!(:project) { create(:project) }
View
4 spec/models/protected_branch_spec.rb
@@ -5,6 +5,10 @@
it { should belong_to(:project) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe 'Validation' do
it { should validate_presence_of(:project_id) }
it { should validate_presence_of(:name) }
View
5 spec/models/snippet_spec.rb
@@ -7,6 +7,11 @@
it { should have_many(:notes).dependent(:destroy) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:author_id) }
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe "Validation" do
it { should validate_presence_of(:author_id) }
it { should validate_presence_of(:project_id) }
View
31 spec/models/user_spec.rb
@@ -15,6 +15,11 @@
it { should have_many(:assigned_merge_requests).dependent(:destroy) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:projects_limit) }
+ it { should allow_mass_assignment_of(:projects_limit).as(:admin) }
+ end
+
describe 'validations' do
it { should validate_presence_of(:projects_limit) }
it { should validate_numericality_of(:projects_limit) }
@@ -73,30 +78,4 @@
user.authentication_token.should_not be_blank
end
end
-
- describe "attributes can be changed by a regular user" do
- before do
- @user = Factory :user
- @user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
- end
- it { @user.skype.should == 'testskype' }
- it { @user.linkedin.should == 'testlinkedin' }
- end
-
- describe "attributes that shouldn't be changed by a regular user" do
- before do
- @user = Factory :user
- @user.update_attributes(projects_limit: 50)
- end
- it { @user.projects_limit.should_not == 50 }
- end
-
- describe "attributes can be changed by an admin user" do
- before do
- @admin_user = Factory :admin
- @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
- end
- it { @admin_user.skype.should == 'testskype' }
- it { @admin_user.projects_limit.should == 50 }
- end
end
View
4 spec/models/users_project_spec.rb
@@ -6,6 +6,10 @@
it { should belong_to(:user) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe "Validation" do
let!(:users_project) { create(:users_project) }
View
4 spec/models/web_hook_spec.rb
@@ -5,6 +5,10 @@
it { should belong_to :project }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ end
+
describe "Validations" do
it { should validate_presence_of(:url) }
View
5 spec/models/wiki_spec.rb
@@ -7,6 +7,11 @@
it { should have_many(:notes).dependent(:destroy) }
end
+ describe "Mass assignment" do
+ it { should_not allow_mass_assignment_of(:project_id) }
+ it { should_not allow_mass_assignment_of(:user_id) }
+ end
+
describe "Validation" do
it { should validate_presence_of(:title) }
it { should ensure_length_of(:title).is_within(1..250) }

0 comments on commit 83efcab

Please sign in to comment.
Something went wrong with that request. Please try again.