please ignore this patch
On 10/10/2012 07:23 PM, [email protected] wrote:
From: Mo Morsi <[email protected]>
Note this patch requires rails 3.2 to work (which will be in Fedora soon [1])
This changes the application so that no mass assignments are permitted by default.
I added the necessary model changes so that things should be working again with the current mass assignments in place in the application (specs pass after this patch).
Obviously this still doesn't solve the mass assignment issue, but the items that should be removed and explicitly set are marked with comments and thus we can tackle them one by one in the various areas that they need to be set explicitly in the application.
[1] http://lists.fedoraproject.org/pipermail/ruby-sig/2012-July/001077.html
---
src/app/models/session_entity.rb | 3 +++
src/app/models/user.rb | 2 ++
src/app/models/view_state.rb | 2 ++
3 files changed, 7 insertions(+)
diff --git a/src/app/models/session_entity.rb b/src/app/models/session_entity.rb
index 98ac974..9a2d23a 100644
--- a/src/app/models/session_entity.rb
+++ b/src/app/models/session_entity.rb
@@ -19,6 +19,9 @@ class SessionEntity < ActiveRecord::Base
belongs_to :entity
belongs_to :permission_session
+ attr_accessible :user, :session, :entity,
+ :user_id, :session_id, :entity_id
+
validates_presence_of :user_id
validates_presence_of :permission_session_id
validates_presence_of :entity_id
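Review bot: the whitelist in this hunk names `:session` and `:session_id`, but the model's association and validation are `belongs_to :permission_session` and `validates_presence_of :permission_session_id`; unless a `session` attribute exists elsewhere, those two entries whitelist nothing and the real foreign key `permission_session_id` stays unassignable, which will break any caller that builds a SessionEntity with that key in the attribute hash. Suggest `attr_accessible :user, :permission_session, :entity, :user_id, :permission_session_id, :entity_id`, and, since the cover letter says the items to be removed later are marked with comments, add that comment next to the foreign-key entries so the owner and session links end up set explicitly rather than from params.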
diff --git a/src/app/models/user.rb b/src/app/models/user.rb
index 5db8e95..937abd1 100644
--- a/src/app/models/user.rb
+++ b/src/app/models/user.rb
@@ -77,6 +77,8 @@ class User < ActiveRecord::Base
before_validation :strip_whitespace
after_save :update_entity
+ attr_accessible :login, :password, :password_confirmation, :first_name, :last_name, :quota, :email, :ignore_password
+
validate :validate_ldap_changes, :if => Proc.new {|user|
!user.new_record? && SETTINGS_CONFIG[:auth][:strategy] == "ldap"}
validates_presence_of :quota
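Review bot: `:quota` and `:ignore_password` are exactly the attributes mass-assignment protection is meant to keep out of user-supplied params, and whitelisting them here keeps behaviour identical to before the patch. Suggest dropping them from the default list and setting them explicitly in the admin code path, or scoping them with a role, e.g. `attr_accessible :quota, :ignore_password, :as => :admin`, so only callers that pass `:as => :admin` can set them. The cover letter also says the to-be-removed items are marked with comments, but this hunk carries none, and the single long line would read better wrapped like the SessionEntity hunk.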
diff --git a/src/app/models/view_state.rb b/src/app/models/view_state.rb
index bc1f0fe..bfa2171 100644
--- a/src/app/models/view_state.rb
+++ b/src/app/models/view_state.rb
@@ -33,6 +33,8 @@ class ViewState < ActiveRecord::Base
self.primary_key = :uuid
belongs_to :user
+ attr_accessible :name, :controller, :action, :station, :association
+
validates_presence_of :name
validates_uniqueness_of :name
validates_presence_of :user_id
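Review bot: this list correctly leaves out `:user` and `:user_id`, so the owner of a ViewState can no longer be supplied from params; the consequence is that any call site still passing `user_id` in the attribute hash will now have it silently dropped (or raise, if the mass_assignment_sanitizer is set to :strict), so those callers need to assign `user` explicitly and the specs covering ViewState creation should exercise that path rather than only the attributes whitelisted here.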