Merge remote-tracking branch 'origin/dev' into 243_3.26_SendEmailsFor…

…AcceptanceOfAlternatives
hpi-swt2 · Feb 7, 2017 · f6da30d · f6da30d
2 parents e9af033 + f80e24a
commit f6da30d
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 11 deletions.
diff --git a/app/helpers/applicants_overview_helper.rb b/app/helpers/applicants_overview_helper.rb
@@ -3,7 +3,7 @@ def sort_caret(label, attr)
     is_sorted_ascending = (params[:sort] == attr.to_s) && params[:order] != 'descending'
     url = "?sort=#{attr.to_s}" +
       "#{'&order=descending' if is_sorted_ascending}" +
-      "#{'&' + params[:filter].map { |k,v| "filter[#{k}]=#{v}" }.join('&') if params[:filter]}"
+      "#{'&' + params[:filter].map { |k,v| "filter[#{h(k)}]=#{h(v)}" }.join('&') if params[:filter]}"
 
     "<a class=\"#{'dropup' if is_sorted_ascending}\" href=\"#{url}\">
       #{label} <span class=\"caret\"></span>
@@ -12,12 +12,12 @@ def sort_caret(label, attr)
 
   def sort_application_letters
 
-    if params[:sort] && params[:sort] != 'applicant_age_when_event_starts' && params[:sort] != 'eating-habits'
-      @application_letters.sort_by! {|l| l.user.profile.send(params[:sort]) } 
-    end
-
-    if params[:sort] && params[:sort] == 'applicant_age_when_event_starts' && params[:sort] != 'eating-habits'
-      @application_letters.sort_by! {|l| l.send(params[:sort]) } 
+    if params[:sort]
+      unless Profile.allowed_sort_methods.include? params[:sort].to_sym
+        raise CanCan::AccessDenied
+      else
+        @application_letters.sort_by! {|l| l.user.profile.send(params[:sort]) }
+      end
     end
 
     @application_letters.reverse! if params[:order] == 'descending'

diff --git a/app/models/profile.rb b/app/models/profile.rb
@@ -68,6 +68,15 @@ def self.allowed_params
     [:first_name, :last_name, :gender, :birth_date, :street_name, :zip_code, :city, :state, :country, :discovery_of_site]
   end
 
+
+  # Returns an array containing the allowed methods to sort by
+  #
+  # @param none
+  # @return [Symbol] List of methods
+  def self.allowed_sort_methods
+    Profile.allowed_params + [:address, :name, :age]
+  end
+
   private
   def birthdate_not_in_future
     if birth_date.present? and birth_date > Date.current

diff --git a/app/views/application_letters/check.html.erb b/app/views/application_letters/check.html.erb
@@ -18,6 +18,7 @@
 <% end %>
 
 <h3><%= t('.my_application') %></h3>
+
 <table id='application_details' class="table application-details-table">
   <col width="250">
   <tr>
@@ -59,6 +60,7 @@
     <th><%= ApplicationLetter.human_attribute_name(:annotation) %>:</th>
     <td><%= @application_letter.annotation %></td>
   </tr>
+
   <% @application_letter.event.custom_application_fields
     .zip(@application_letter.custom_application_fields)
     .each do |field_name, field_value| %>

diff --git a/app/views/events/_applicants_overview.html.erb b/app/views/events/_applicants_overview.html.erb
@@ -14,7 +14,7 @@
         <%= sort_caret(Profile.human_attribute_name(:gender), :gender) %>
       </th>
       <th style="max-width: 100px">
-        <%= sort_caret(( t('.age_when_event_starts')), :applicant_age_when_event_starts ) %>
+        <%= sort_caret(( t('.age_when_event_starts')), :age ) %>
       </th>
       <th>
         <%= t '.participations' %> <br>

diff --git a/app/views/events/archive.html.erb b/app/views/events/archive.html.erb
@@ -1,3 +1,6 @@
+<div class="page-header">
+  <h1><%=t 'events.archive'%></h1>
+</div>
 <div class="row">
   <div class="event-list col-md-10 col-md-offset-1">
     <%= link_to events_path, :class => 'btn btn-default' do

diff --git a/db/sample_data/application_letters.rb b/db/sample_data/application_letters.rb
@@ -52,7 +52,8 @@ def application_letter_applicant_programmierkurs_1(user, event)
     allergies: "Tomaten",
     annotation: "Euer Angebot find ich echt super.",
     user: user,
-    event: event
+    event: event,
+    custom_application_fields: ['Dooodlejump', '8', 'Java']
   )
 end
 
@@ -66,7 +67,8 @@ def application_letter_applicant_programmierkurs_2(user, event)
     allergies: "",
     annotation: "Euer Angebot find ich echt super.",
     user: user,
-    event: event
+    event: event,
+    custom_application_fields: ['Snapchat', '10', 'Python']
   )
 end
 
@@ -80,6 +82,7 @@ def application_letter_applicant_programmierkurs_3(user, event)
       allergies: "",
       annotation: "Euer Angebot find ich echt super.",
       user: user,
-      event: event
+      event: event,
+      custom_application_fields: ['Facebook, Twitter', '9', 'C++, C#']
   )
 end
diff --git a/spec/helpers/applicants_overview_helper_spec.rb b/spec/helpers/applicants_overview_helper_spec.rb
@@ -0,0 +1,16 @@
+require "rails_helper"
+require "spec_helper"
+
+describe ApplicantsOverviewHelper do
+  describe "#sort_application_letters" do
+    it "should not be exploitable to execute arbitrary methods" do
+
+    	dangerous_methods = ["destroy", "destroy_all", "create!", "delete_all"]
+
+    	dangerous_methods.each do |method|
+    		controller.params[:sort] = method
+      	expect{helper.sort_application_letters}.to raise_error(CanCan::AccessDenied)
+    	end
+    end
+  end
+end