Merge pull request #1567 from NARKOZ/mass-assignment
set activerecord whitelist_attributes to true [2]
This commit is contained in:
commit
0439387be0
|
@ -1,6 +1,9 @@
|
|||
class Event < ActiveRecord::Base
|
||||
include PushEvent
|
||||
|
||||
attr_accessible :project, :action, :data, :author_id, :project_id,
|
||||
:target_id, :target_type
|
||||
|
||||
default_scope where("author_id IS NOT NULL")
|
||||
|
||||
Created = 1
|
||||
|
|
|
@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
|
|||
include IssueCommonality
|
||||
include Votes
|
||||
|
||||
attr_accessible :title, :assignee_id, :closed, :position, :description,
|
||||
:milestone_id, :label_list, :author_id_of_changes
|
||||
|
||||
acts_as_taggable_on :labels
|
||||
|
||||
belongs_to :milestone
|
||||
|
|
|
@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
|
|||
belongs_to :user
|
||||
belongs_to :project
|
||||
|
||||
attr_protected :user_id
|
||||
attr_accessible :key, :title
|
||||
|
||||
validates :title,
|
||||
presence: true,
|
||||
|
|
|
@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
|
|||
include IssueCommonality
|
||||
include Votes
|
||||
|
||||
attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
|
||||
:author_id_of_changes
|
||||
|
||||
BROKEN_DIFF = "--broken-diff"
|
||||
|
||||
UNCHECKED = 1
|
||||
|
@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def mark_as_unchecked
|
||||
self.update_attributes(state: UNCHECKED)
|
||||
self.state = UNCHECKED
|
||||
self.save
|
||||
end
|
||||
|
||||
def can_be_merged?
|
||||
|
|
|
@ -13,6 +13,8 @@
|
|||
#
|
||||
|
||||
class Milestone < ActiveRecord::Base
|
||||
attr_accessible :title, :description, :due_date, :closed
|
||||
|
||||
belongs_to :project
|
||||
has_many :issues
|
||||
|
||||
|
|
|
@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
|
|||
require 'file_size_validator'
|
||||
|
||||
class Note < ActiveRecord::Base
|
||||
attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
|
||||
:attachment, :line_code
|
||||
|
||||
belongs_to :project
|
||||
belongs_to :noteable, polymorphic: true
|
||||
belongs_to :author,
|
||||
|
@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
|
|||
to: :author,
|
||||
prefix: true
|
||||
|
||||
attr_protected :author, :author_id
|
||||
attr_accessor :notify
|
||||
attr_accessor :notify_author
|
||||
|
||||
|
|
|
@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
|
|||
include Authority
|
||||
include Team
|
||||
|
||||
attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
|
||||
:wall_enabled, :merge_requests_enabled, :wiki_enabled
|
||||
|
||||
#
|
||||
# Relations
|
||||
#
|
||||
|
@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
|
|||
|
||||
attr_accessor :error_code
|
||||
|
||||
#
|
||||
# Protected attributes
|
||||
#
|
||||
attr_protected :private_flag, :owner_id
|
||||
|
||||
#
|
||||
# Scopes
|
||||
#
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
class ProtectedBranch < ActiveRecord::Base
|
||||
include GitHost
|
||||
|
||||
attr_accessible :name
|
||||
|
||||
belongs_to :project
|
||||
validates_presence_of :project_id
|
||||
validates_presence_of :name
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
class Snippet < ActiveRecord::Base
|
||||
include Linguist::BlobHelper
|
||||
|
||||
attr_accessible :title, :content, :file_name, :expires_at
|
||||
|
||||
belongs_to :project
|
||||
belongs_to :author, class_name: "User"
|
||||
has_many :notes, as: :noteable, dependent: :destroy
|
||||
|
@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
|
|||
:email,
|
||||
to: :author,
|
||||
prefix: true
|
||||
attr_protected :author, :author_id, :project, :project_id
|
||||
|
||||
validates_presence_of :project_id
|
||||
validates_presence_of :author_id
|
||||
|
@ -46,11 +47,11 @@ class Snippet < ActiveRecord::Base
|
|||
0
|
||||
end
|
||||
|
||||
def name
|
||||
def name
|
||||
file_name
|
||||
end
|
||||
|
||||
def mode
|
||||
def mode
|
||||
nil
|
||||
end
|
||||
|
||||
|
|
|
@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
|
|||
DEVELOPER = 30
|
||||
MASTER = 40
|
||||
|
||||
attr_accessible :user, :user_id, :project_access
|
||||
|
||||
belongs_to :user
|
||||
belongs_to :project
|
||||
|
||||
attr_protected :project_id, :project
|
||||
|
||||
after_save :update_repository
|
||||
after_destroy :update_repository
|
||||
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
class WebHook < ActiveRecord::Base
|
||||
include HTTParty
|
||||
|
||||
attr_accessible :url
|
||||
|
||||
# HTTParty timeout
|
||||
default_timeout 10
|
||||
|
||||
|
@ -18,11 +20,11 @@ class WebHook < ActiveRecord::Base
|
|||
post_url = url.gsub(parsed_url.userinfo+"@", "")
|
||||
WebHook.post(post_url,
|
||||
body: data.to_json,
|
||||
headers: { "Content-Type" => "application/json" },
|
||||
headers: { "Content-Type" => "application/json" },
|
||||
basic_auth: {username: parsed_url.user, password: parsed_url.password})
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
# == Schema Information
|
||||
#
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
class Wiki < ActiveRecord::Base
|
||||
attr_accessible :title, :content, :slug
|
||||
|
||||
belongs_to :project
|
||||
belongs_to :user
|
||||
has_many :notes, as: :noteable, dependent: :destroy
|
||||
|
|
|
@ -3,8 +3,6 @@ module IssueCommonality
|
|||
extend ActiveSupport::Concern
|
||||
|
||||
included do
|
||||
attr_protected :author, :author_id, :project, :project_id
|
||||
|
||||
belongs_to :project
|
||||
belongs_to :author, class_name: "User"
|
||||
belongs_to :assignee, class_name: "User"
|
||||
|
|
|
@ -39,6 +39,12 @@ module Gitlab
|
|||
# Configure sensitive parameters which will be filtered from the log file.
|
||||
config.filter_parameters += [:password]
|
||||
|
||||
# Enforce whitelist mode for mass assignment.
|
||||
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
||||
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
||||
# parameters by using an attr_accessible or attr_protected declaration.
|
||||
config.active_record.whitelist_attributes = true
|
||||
|
||||
# Enable the asset pipeline
|
||||
config.assets.enabled = true
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ Gitlab::Application.configure do
|
|||
|
||||
# Raise exception on mass assignment protection for Active Record models
|
||||
config.active_record.mass_assignment_sanitizer = :strict
|
||||
|
||||
|
||||
# Log the query plan for queries taking more than this (works
|
||||
# with SQLite, MySQL, and PostgreSQL)
|
||||
config.active_record.auto_explain_threshold_in_seconds = 0.5
|
||||
|
|
|
@ -34,6 +34,9 @@ Gitlab::Application.configure do
|
|||
# like if you have constraints or database-specific column types
|
||||
# config.active_record.schema_format = :sql
|
||||
|
||||
# Raise exception on mass assignment protection for Active Record models
|
||||
# config.active_record.mass_assignment_sanitizer = :strict
|
||||
|
||||
# Print deprecation notices to the stderr
|
||||
config.active_support.deprecation = :stderr
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ module Gitlab
|
|||
log.info "#{ldap_prefix}Creating user from #{provider} login"\
|
||||
" {uid => #{uid}, name => #{name}, email => #{email}}"
|
||||
password = Devise.friendly_token[0, 8].downcase
|
||||
@user = User.new(
|
||||
@user = User.new({
|
||||
extern_uid: uid,
|
||||
provider: provider,
|
||||
name: name,
|
||||
|
@ -38,7 +38,7 @@ module Gitlab
|
|||
password: password,
|
||||
password_confirmation: password,
|
||||
projects_limit: Gitlab.config.default_projects_limit,
|
||||
)
|
||||
}, as: :admin)
|
||||
if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
|
||||
@user.blocked = true
|
||||
end
|
||||
|
|
|
@ -5,6 +5,11 @@ describe Issue do
|
|||
it { should belong_to(:milestone) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:author_id) }
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should ensure_length_of(:description).is_within(0..2000) }
|
||||
it { should ensure_inclusion_of(:closed).in_array([true, false]) }
|
||||
|
|
|
@ -6,6 +6,11 @@ describe Key do
|
|||
it { should belong_to(:project) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
it { should_not allow_mass_assignment_of(:user_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should validate_presence_of(:title) }
|
||||
it { should validate_presence_of(:key) }
|
||||
|
|
|
@ -6,6 +6,11 @@ describe MergeRequest do
|
|||
it { should validate_presence_of(:source_branch) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:author_id) }
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe 'modules' do
|
||||
it { should include_module(IssueCommonality) }
|
||||
it { should include_module(Votes) }
|
||||
|
|
|
@ -6,6 +6,10 @@ describe Milestone do
|
|||
it { should have_many(:issues) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should validate_presence_of(:title) }
|
||||
it { should validate_presence_of(:project_id) }
|
||||
|
|
|
@ -7,6 +7,11 @@ describe Note do
|
|||
it { should belong_to(:author).class_name('User') }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:author) }
|
||||
it { should_not allow_mass_assignment_of(:author_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should validate_presence_of(:note) }
|
||||
it { should validate_presence_of(:project) }
|
||||
|
|
|
@ -17,6 +17,11 @@ describe Project do
|
|||
it { should have_many(:protected_branches).dependent(:destroy) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:owner_id) }
|
||||
it { should_not allow_mass_assignment_of(:private_flag) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
let!(:project) { create(:project) }
|
||||
|
||||
|
|
|
@ -5,6 +5,10 @@ describe ProtectedBranch do
|
|||
it { should belong_to(:project) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe 'Validation' do
|
||||
it { should validate_presence_of(:project_id) }
|
||||
it { should validate_presence_of(:name) }
|
||||
|
|
|
@ -7,6 +7,11 @@ describe Snippet do
|
|||
it { should have_many(:notes).dependent(:destroy) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:author_id) }
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should validate_presence_of(:author_id) }
|
||||
it { should validate_presence_of(:project_id) }
|
||||
|
|
|
@ -15,6 +15,11 @@ describe User do
|
|||
it { should have_many(:assigned_merge_requests).dependent(:destroy) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:projects_limit) }
|
||||
it { should allow_mass_assignment_of(:projects_limit).as(:admin) }
|
||||
end
|
||||
|
||||
describe 'validations' do
|
||||
it { should validate_presence_of(:projects_limit) }
|
||||
it { should validate_numericality_of(:projects_limit) }
|
||||
|
@ -73,30 +78,4 @@ describe User do
|
|||
user.authentication_token.should_not be_blank
|
||||
end
|
||||
end
|
||||
|
||||
describe "attributes can be changed by a regular user" do
|
||||
before do
|
||||
@user = Factory :user
|
||||
@user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
|
||||
end
|
||||
it { @user.skype.should == 'testskype' }
|
||||
it { @user.linkedin.should == 'testlinkedin' }
|
||||
end
|
||||
|
||||
describe "attributes that shouldn't be changed by a regular user" do
|
||||
before do
|
||||
@user = Factory :user
|
||||
@user.update_attributes(projects_limit: 50)
|
||||
end
|
||||
it { @user.projects_limit.should_not == 50 }
|
||||
end
|
||||
|
||||
describe "attributes can be changed by an admin user" do
|
||||
before do
|
||||
@admin_user = Factory :admin
|
||||
@admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
|
||||
end
|
||||
it { @admin_user.skype.should == 'testskype' }
|
||||
it { @admin_user.projects_limit.should == 50 }
|
||||
end
|
||||
end
|
||||
|
|
|
@ -6,6 +6,10 @@ describe UsersProject do
|
|||
it { should belong_to(:user) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
let!(:users_project) { create(:users_project) }
|
||||
|
||||
|
|
|
@ -5,6 +5,10 @@ describe ProjectHook do
|
|||
it { should belong_to :project }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
end
|
||||
|
||||
describe "Validations" do
|
||||
it { should validate_presence_of(:url) }
|
||||
|
||||
|
|
|
@ -7,6 +7,11 @@ describe Wiki do
|
|||
it { should have_many(:notes).dependent(:destroy) }
|
||||
end
|
||||
|
||||
describe "Mass assignment" do
|
||||
it { should_not allow_mass_assignment_of(:project_id) }
|
||||
it { should_not allow_mass_assignment_of(:user_id) }
|
||||
end
|
||||
|
||||
describe "Validation" do
|
||||
it { should validate_presence_of(:title) }
|
||||
it { should ensure_length_of(:title).is_within(1..250) }
|
||||
|
|
Loading…
Reference in a new issue