Fixes #16971 - CVE-2016-7077 remove unauthorized checkboxes

theforeman · Oct 25, 2016 · 6727094 · 6727094
1 parent dc9bd44
commit 6727094
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 45 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -50,11 +50,6 @@ def show_habtm(associations)
     render :partial => 'common/show_habtm', :collection => associations, :as => :association
   end
 
-  def edit_habtm(klass, association, prefix = nil, options = {})
-    render :partial => 'common/edit_habtm', :locals =>{:prefix => prefix, :klass => klass, :options => options,
-                                                       :associations => association.all.sort.delete_if{|e| e == klass}}
-  end
-
   def link_to_remove_puppetclass(klass, type)
     options = options_for_puppetclass_selection(klass, type)
     text = remove_link_to_function(truncate(klass.name, :length => 28), options)
@@ -156,13 +151,6 @@ def new_link(name, options = {}, html_options = {})
     display_link_if_authorized(name, options, html_options)
   end
 
-  def authorized_edit_habtm(klass, association, prefix = nil, options = {})
-    if authorized_for :controller => params[:controller], :action => params[:action]
-      return edit_habtm(klass, association, prefix, options)
-    end
-    show_habtm klass.send(association.name.pluralize.downcase)
-  end
-
   # renders a style=display based on an attribute properties
   def display?(attribute = true)
     "style=#{display(attribute)}"

diff --git a/app/helpers/form_helper.rb b/app/helpers/form_helper.rb
@@ -46,15 +46,9 @@ def checkbox_f(f, attr, options = {}, checked_value = "1", unchecked_value = "0"
   end
 
   def multiple_checkboxes(f, attr, klass, associations, options = {}, html_options = {})
-    if associations.count > 5
-      associated_obj = klass.send(ActiveModel::Naming.plural(associations.first))
-      selected_ids = associated_obj.select("#{associations.first.class.table_name}.id").map(&:id)
-      multiple_selects(f, attr, associations, selected_ids, options, html_options)
-    else
-      field(f, attr, options) do
-        authorized_edit_habtm klass, associations, options[:prefix], html_options
-      end
-    end
+    associated_obj = klass.send(ActiveModel::Naming.plural(associations.first))
+    selected_ids = associated_obj.select("#{associations.first.class.table_name}.id").map(&:id)
+    multiple_selects(f, attr, associations, selected_ids, options, html_options)
   end
 
   # add hidden field for options[:disabled]

diff --git a/app/views/common/_edit_habtm.html.erb b/app/views/common/_edit_habtm.html.erb
diff --git a/test/integration/puppetclass_test.rb b/test/integration/puppetclass_test.rb
@@ -1,11 +1,11 @@
 require 'integration_test_helper'
 
-class PuppetclassIntegrationTest < ActionDispatch::IntegrationTest
+class PuppetclassIntegrationTest < IntegrationTestWithJavascript
   test "edit page" do
     visit puppetclasses_path
     click_link "vim"
-    refute page.has_link? 'Common'
-    click_link "Select All"
+    assert page.has_no_link? 'Common'
+    find(:xpath, "//a[@data-original-title='Select All']").click
     assert_submit_button(puppetclasses_path)
     assert page.has_link? 'vim'
     assert page.has_link? 'Common'