Reinforcement of security.
Signed-off-by: MORITA Shintaro <shin@sysphonic.com>
MORITA Shintaro committed Jul 9, 2015
1 parent d9ed965 commit 842e44f
Showing 29 changed files with 552 additions and 171 deletions.
13 changes: 12 additions & 1 deletion app/controllers/addressbook_controller.rb
Expand Up @@ -58,6 +58,8 @@ def new
Log.add_info(request, params.inspect)
end

return unless request.post?

render(:action => 'edit', :layout => (!request.xhr?))
end

Expand All @@ -68,6 +70,8 @@ def new
def create
Log.add_info(request, params.inspect)

return unless request.post?

@address = Address.new(params.require(:address).permit(Address::PERMIT_BASE))

@address = AddressbookHelper.arrange_per_scope(@address, @login_user, params[:scope], params[:groups], params[:teams])
Expand Down Expand Up @@ -106,6 +110,7 @@ def edit
begin
@address = Address.find(address_id)
rescue => evar
@address = nil
Log.add_error(request, evar)
redirect_to(:controller => 'login', :action => 'logout')
return
Expand Down Expand Up @@ -142,6 +147,8 @@ def show
def update
Log.add_info(request, params.inspect)

return unless request.post?

@address = Address.find(params[:id])
@address.attributes = params[:address]

Expand Down Expand Up @@ -242,6 +249,8 @@ def search
def destroy
Log.add_info(request, params.inspect)

return unless request.post?

if params[:check_address].nil?
list
render(:action => 'list')
Expand Down Expand Up @@ -296,6 +305,8 @@ def export_csv
def import_csv
Log.add_info(request, params.inspect)

return unless request.post?

file = params[:imp_file]
mode = params[:mode]
enc = params[:enc]
Expand Down Expand Up @@ -436,7 +447,7 @@ def import_csv
#
def check_owner

return if (params[:id].nil? or params[:id].empty? or @login_user.nil?)
return if (params[:id].blank? or @login_user.nil?)

address = Address.find(params[:id])

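Review bot: In `update` the new method guard is followed by `@address.attributes = params[:address]`, which assigns the raw parameter hash, while `create` in the same file filters through `params.require(:address).permit(Address::PERMIT_BASE)`; unless a filter outside the hunk permits or strips keys, this path either trips strong-parameter protection or lets a client set columns the permit list excludes, so I would make it `@address.attributes = params.require(:address).permit(Address::PERMIT_BASE)`. Separately, `return unless request.post?` returns without rendering, so a non-POST request falls through to Rails' implicit render of a template named after the action, which for `create`, `update`, `destroy` and `import_csv` probably does not exist; a `head(:method_not_allowed)` before the return, or restricting the verb in the routes, gives a clean 405 and makes the intent explicit. Note that this guard is not CSRF protection, since a forged POST passes it just as well, so `protect_from_forgery` remains necessary. The bodies of `update` and `check_owner` continue outside the hunk.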
14 changes: 12 additions & 2 deletions app/controllers/config_controller.rb
Expand Up @@ -3,7 +3,7 @@
#
#Original by:: Sysphonic
#Authors:: MORITA Shintaro
#Copyright:: Copyright (c) 2007-2011 MORITA Shintaro, Sysphonic. All rights reserved.
#Copyright:: Copyright (c) 2007-2015 MORITA Shintaro, Sysphonic. All rights reserved.
#License:: New BSD License (See LICENSE file)
#URL:: {http&#58;//sysphonic.com/}[http://sysphonic.com/]
#
Expand Down Expand Up @@ -39,13 +39,15 @@ def edit
def update_by_ajax
Log.add_info(request, params.inspect)

return unless request.post?

cat_h = {:desktop => User::AUTH_DESKTOP, :user => User::AUTH_USER, :log => User::AUTH_LOG}

yaml = ApplicationHelper.get_config_yaml

cat_h.keys.each do |cat|

next if params[cat].nil? or params[cat].empty?
next if params[cat].blank?

unless @login_user.admin?(cat_h[cat])
render(:text => t('msg.need_to_be_admin'))
Expand All @@ -71,6 +73,8 @@ def update_by_ajax
def update
Log.add_info(request, params.inspect)

return unless request.post?

categories = [:general, :menu, :topic, :note, :smtp, :feed, :user, :log]

yaml = ApplicationHelper.get_config_yaml
Expand Down Expand Up @@ -149,6 +153,8 @@ def edit_header_menu
def destroy_header_menu
Log.add_info(request, params.inspect)

return unless request.post?

@yaml = ApplicationHelper.get_config_yaml

unless params[:org_name].nil? or @yaml[:general]['header_menus'].nil?
Expand All @@ -172,6 +178,8 @@ def destroy_header_menu
def update_header_menu
Log.add_info(request, params.inspect)

return unless request.post?

@yaml = ApplicationHelper.get_config_yaml

@yaml[:general]['header_menus'] = [] if @yaml[:general]['header_menus'].nil?
Expand Down Expand Up @@ -221,6 +229,8 @@ def update_header_menu
def update_header_menus_order
Log.add_info(request, params.inspect)

return unless request.post?

header_menus = params[:header_menus_order]

yaml = ApplicationHelper.get_config_yaml
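Review bot: `destroy_header_menu`, `update_header_menu` and `update_header_menus_order` write to the shared config YAML after only the new `request.post?` guard, while `update_by_ajax` in the same file gates each category with `@login_user.admin?(cat_h[cat])`; if these three actions are not covered by a before filter outside the hunk (not visible here), the verb check alone does not restrict who may change the header menus. I would add the same admin check at the top of each, `unless @login_user.admin?(...)` rendering `t('msg.need_to_be_admin')` and returning, using whichever `User::AUTH_*` category owns the header-menu settings. The bare `return` also leaves the response to Rails' implicit template render, so a GET to these actions most likely ends in a missing-template error rather than a 405; `head(:method_not_allowed)` before the return is the cleaner answer. All of these method bodies continue outside the hunk.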
26 changes: 24 additions & 2 deletions app/controllers/desktop_controller.rb
Expand Up @@ -3,7 +3,7 @@
#
#Original by:: Sysphonic
#Authors:: MORITA Shintaro
#Copyright:: Copyright (c) 2007-2011 MORITA Shintaro, Sysphonic. All rights reserved.
#Copyright:: Copyright (c) 2007-2015 MORITA Shintaro, Sysphonic. All rights reserved.
#License:: New BSD License (See LICENSE file)
#URL:: {http&#58;//sysphonic.com/}[http://sysphonic.com/]
#
Expand Down Expand Up @@ -36,6 +36,8 @@ class DesktopController < ApplicationController
def drop_file
Log.add_info(request, '') # Not to show passwords.

return unless request.post?

if params[:file].nil? or params[:file].size <= 0
render(:text => '')
return
Expand Down Expand Up @@ -126,6 +128,8 @@ def edit_config
def update_pref
Log.add_info(request, params.inspect)

return unless request.post?

desktop = Desktop.get_for(@login_user, true)

params[:desktop].delete(:user_id)
Expand All @@ -145,9 +149,11 @@ def update_pref
def update_config
Log.add_info(request, params.inspect)

return unless request.post?

@yaml = ApplicationHelper.get_config_yaml

unless params[:desktop].nil? or params[:desktop].empty?
unless params[:desktop].blank?
@yaml[:desktop] = Hash.new if @yaml[:desktop].nil?

params[:desktop].each do |key, val|
Expand Down Expand Up @@ -294,6 +300,8 @@ def get_news_tray
def drop_on_desktop
Log.add_info(request, params.inspect)

return unless request.post?

if @login_user.nil?
t = Time.now
render(:text => (t.hour.to_s + t.min.to_s + t.sec.to_s))
Expand All @@ -319,6 +327,8 @@ def drop_on_desktop
def add_toy
Log.add_info(request, params.inspect)

return unless request.post?

if @login_user.nil?
render(:text => '0')
return
Expand All @@ -343,6 +353,9 @@ def add_toy
def drop_on_recyclebox
Log.add_info(request, params.inspect)

return unless request.post?

SqlHelper.validate_token([params[:id]])
unless @login_user.nil?
Toy.destroy(params[:id])
end
Expand All @@ -358,10 +371,13 @@ def drop_on_recyclebox
def on_toys_moved
Log.add_info(request, params.inspect)

return unless request.post?

unless @login_user.nil?
begin
toy = Toy.find(params[:id])
rescue
toy = nil
end

unless toy.nil?
Expand All @@ -381,6 +397,8 @@ def on_toys_moved
def create_label
Log.add_info(request, params.inspect)

return unless request.post?

if params[:thetisBoxEdit].empty?
render(:partial => 'ajax_label', :layout => false)
return
Expand Down Expand Up @@ -411,6 +429,8 @@ def create_label
def update_label
Log.add_info(request, params.inspect)

return unless request.post?

msg = params[:thetisBoxEdit]

if params[:thetisBoxEdit].empty?
Expand Down Expand Up @@ -455,6 +475,8 @@ def show_biorhythm
def post_label
Log.add_info(request, params.inspect)

return unless request.post?

if params[:txaPostLabel].empty? or params[:post_to].empty?
render(:text => '')
return
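Review bot: `drop_on_recyclebox` calls `Toy.destroy(params[:id])` as soon as a user is logged in; `SqlHelper.validate_token`, judging by its name and its use on plain ids elsewhere in this commit, only checks the value's form, not who owns the record, so unless `Toy.destroy` or a filter outside the hunk scopes it, any authenticated user can delete another user's toy by guessing its id. I would load the record first, mirroring how `on_toys_moved` does `Toy.find(params[:id])`, e.g. `toy = Toy.where(:id => params[:id]).first`, and destroy it only if it is present and its owner matches `@login_user` (the ownership column is not visible here). The new `rescue` branch in `on_toys_moved` now sets `toy = nil` explicitly, which is good, but it still swallows every `StandardError`, so a database error is reported the same way as a bad id; logging it with `Log.add_error(request, evar)` as `addressbook_controller` does would keep those cases distinguishable. The bodies of `drop_on_recyclebox` and `on_toys_moved` continue outside the hunk.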
19 changes: 15 additions & 4 deletions app/controllers/equipment_controller.rb
Expand Up @@ -3,7 +3,7 @@
#
#Original by:: Sysphonic
#Authors:: MORITA Shintaro
#Copyright:: Copyright (c) 2007-2011 MORITA Shintaro, Sysphonic. All rights reserved.
#Copyright:: Copyright (c) 2007-2015 MORITA Shintaro, Sysphonic. All rights reserved.
#License:: New BSD License (See LICENSE file)
#URL:: {http&#58;//sysphonic.com/}[http://sysphonic.com/]
#
Expand Down Expand Up @@ -42,6 +42,10 @@ def new
def create
Log.add_info(request, params.inspect)

return unless request.post?

SqlHelper.validate_token([params[:groups], params[:teams]])

if params[:groups].blank?
params[:equipment][:groups] = nil
else
Expand Down Expand Up @@ -101,15 +105,19 @@ def show
def update
Log.add_info(request, params.inspect)

return unless request.post?

SqlHelper.validate_token([params[:groups], params[:teams]])

@equipment = Equipment.find(params[:id])

if (params[:groups].nil? or params[:groups].empty?)
if params[:groups].blank?
params[:equipment][:groups] = nil
else
params[:equipment][:groups] = '|' + params[:groups].join('|') + '|'
end

if (params[:teams].nil? or params[:teams].empty?)
if params[:teams].blank?
params[:equipment][:teams] = nil
else
params[:equipment][:teams] = '|' + params[:teams].join('|') + '|'
Expand Down Expand Up @@ -178,6 +186,8 @@ def list
def destroy
Log.add_info(request, params.inspect)

return unless request.post?

if params[:check_equipment].nil?
list
render(:action => 'list')
Expand All @@ -186,6 +196,7 @@ def destroy

count = 0
params[:check_equipment].each do |equipment_id, value|
SqlHelper.validate_token([equipment_id])
if value == '1'
Equipment.delete(equipment_id)

Expand All @@ -205,7 +216,7 @@ def schedule_all
Log.add_info(request, params.inspect)

date_s = params[:date]
if date_s.nil? or date_s.empty?
if date_s.blank?
@date = Date.today
else
@date = Date.parse(date_s)
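Review bot: In `create` and `update` the `else` branches call `params[:groups].join('|')` and `params[:teams].join('|')`, which assume the client sent an array; `validate_token` visibly accepts a single string id (it is called with `[equipment_id]` in `destroy`), so a scalar `groups=1` passes the token check and then raises `NoMethodError`, and a request without `params[:equipment]` fails on the `params[:equipment][:groups] =` assignment the same way. `Array(params[:groups]).join('|')` and `Array(params[:teams]).join('|')`, plus an early `head(:bad_request)` return when `params[:equipment].nil?`, turn those into a clean 4xx instead of a 500. In `destroy`, `Equipment.delete(equipment_id)` runs for every checked id after only the token-format check; whether the caller may delete equipment at all is not decided anywhere in the hunk, so this rests on a before filter outside it that I cannot confirm here. The bodies of `create`, `update` and `destroy` continue outside the hunk.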
