Commit d97ec280 authored by Mario Manno

add strong parameters for rails 3

parent a650357e
......@@ -33,6 +33,8 @@ gem 'transitions', :require => ["transitions", "active_record/transitions"]
gem 'twitter-bootstrap-rails', :git => "git://github.com/frab/twitter-bootstrap-rails.git", :ref => "5e62b21c8f258010af7f5bc858b89a24f16936a9"
gem 'will_paginate'
gem 'strong_parameters'
group :development, :test do
gem 'bullet'
gem 'pry-rails'
......
......@@ -196,6 +196,11 @@ GEM
rack (~> 1.0)
tilt (~> 1.1, != 1.3.0)
sqlite3 (1.3.9)
strong_parameters (0.2.3)
actionpack (~> 3.0)
activemodel (~> 3.0)
activesupport (~> 3.0)
railties (~> 3.0)
sucker_punch (1.0.3)
celluloid (~> 0.15.2)
thor (0.19.1)
......@@ -259,6 +264,7 @@ DEPENDENCIES
settingslogic
shotgun
sqlite3
strong_parameters
sucker_punch (~> 1.0)
transitions
turn
......
......@@ -5,7 +5,7 @@ class CallForPapersController < ApplicationController
load_and_authorize_resource
def show
@call_for_papers = @conference.call_for_papers
@call_for_papers = @conference.call_for_papers
end
def new
......@@ -13,7 +13,7 @@ class CallForPapersController < ApplicationController
end
def create
@call_for_papers = CallForPapers.new(params[:call_for_papers])
@call_for_papers = CallForPapers.new(call_for_papers_params)
@call_for_papers.conference = @conference
if @call_for_papers.save
......@@ -33,7 +33,7 @@ class CallForPapersController < ApplicationController
def update
@call_for_papers = @conference.call_for_papers
if @call_for_papers.update_attributes(params[:call_for_papers])
if @call_for_papers.update_attributes(call_for_papers_params)
redirect_to call_for_papers_path, notice: "Changes saved successfully!"
else
flash[:alert] = "Failed to update notifications"
......@@ -51,4 +51,10 @@ class CallForPapersController < ApplicationController
format.json { render json: notification.to_json }
end
end
private
def call_for_papers_params
params.require(:call_for_papers).permit(:start_date, :end_date, :hard_deadline, :welcome_text, :info_url, :contact_email, notifications_attributes: %i(id locale accept_subject accept_body reject_subject reject_body _destroy))
end
end
......@@ -17,9 +17,15 @@ class Cfp::AvailabilitiesController < ApplicationController
def update
authorize! :update, current_user.person
if params.has_key? :person
current_user.person.update_attributes_from_slider_form(params[:person])
current_user.person.update_attributes_from_slider_form(person_params)
end
redirect_to cfp_root_path, notice: t("cfp.update_availability_notice")
redirect_to cfp_root_path, notice: t("cfp.update_availability_notice")
end
private
def person_params
params.require(:person).permit(:first_name, :last_name, :public_name, :email, :email_public, :gender, :avatar_file_name, :abstract, :description, :include_in_mailings, availabilities_attributes: %i(id start_date end_date conference_id day_id))
end
end
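Review bot: `person_params` (L78) permits the full Person attribute set — names, email, gender, `avatar_file_name` and more — for an action that, going by its name, only writes availabilities through `update_attributes_from_slider_form`. Unless that method needs the other keys (it lives outside this file), narrow the list to what the slider form sends: `params.require(:person).permit(availabilities_attributes: %i(id start_date end_date conference_id day_id))`. `:avatar_file_name` in particular is the raw storage column rather than the `:avatar` attachment that Cfp::PeopleController permits at L160, and should not be request-settable from any controller. The `authorize! :update, current_user.person` at L68 still runs before the write, which is the right order.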
......@@ -49,7 +49,7 @@ class Cfp::EventsController < ApplicationController
# POST /cfp/events.xml
def create
authorize! :submit, Event
@event = Event.new(params[:event].merge(recording_license: @conference.default_recording_license))
@event = Event.new(event_params.merge(recording_license: @conference.default_recording_license))
@event.conference = @conference
@event.event_people << EventPerson.new(person: current_user.person, event_role: "submitter")
@event.event_people << EventPerson.new(person: current_user.person, event_role: "speaker")
......@@ -70,7 +70,6 @@ class Cfp::EventsController < ApplicationController
def update
authorize! :submit, Event
@event = current_user.person.events.find(params[:id], readonly: false)
# TODO strong params needed
params[:event].delete('recording_license')
@event.recording_license = @event.conference.default_recording_license unless @event.recording_license
if @event.accepted?
......@@ -78,7 +77,7 @@ class Cfp::EventsController < ApplicationController
end
respond_to do |format|
if @event.update_attributes(params[:event])
if @event.update_attributes(event_params)
format.html { redirect_to(cfp_person_path, notice: t("cfp.event_updated_notice")) }
format.xml { head :ok }
else
......@@ -120,4 +119,14 @@ class Cfp::EventsController < ApplicationController
end
end
private
def event_params
params.require(:event).permit(
:title, :subtitle, :event_type, :time_slots, :language, :abstract, :description, :logo, :track_id, :submission_note, :do_not_record,
event_attachments_attributes: %i(id title attachment public _destroy),
links_attributes: %i(id title url _destroy)
)
end
end
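Review bot: `update` still strips `recording_license` by hand at L95 even though `event_params` (L111) no longer permits it, and the `# TODO strong params needed` comment above it was dropped without replacement. With `action_on_unpermitted_parameters = :raise` set in config/application.rb by this same commit, that delete is now what stops a form that still posts `event[recording_license]` from raising UnpermittedParameters, so it is not dead code — say so: `# not in event_params; stripped here so a stale form field does not trip action_on_unpermitted_parameters`. Alternatively remove the field from the form and drop the delete. `update` starts at L91 and continues past L97 into the next hunk at L98.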
......@@ -9,7 +9,7 @@ class Cfp::PeopleController < ApplicationController
@person = current_user.person
if not @conference.in_the_past and @person.events_in(@conference).size > 0 and @person.availabilities_in(@conference).count == 0
flash[:alert] = t("cfp.specify_availability")
flash[:alert] = t("cfp.specify_availability")
end
return redirect_to :action => "new" unless @person
......@@ -29,7 +29,7 @@ class Cfp::PeopleController < ApplicationController
end
def edit
@person = current_user.person
@person = current_user.person
if @person.nil?
flash[:alert] = "Not a valid person"
return redirect_to action: :index
......@@ -37,9 +37,9 @@ class Cfp::PeopleController < ApplicationController
end
def create
@person = current_user.person
@person = current_user.person
if @person.nil?
@person = Person.new(params[:person])
@person = Person.new(person_params)
@person.user = current_user
end
......@@ -55,10 +55,10 @@ class Cfp::PeopleController < ApplicationController
end
def update
@person = current_user.person
@person = current_user.person
respond_to do |format|
if @person.update_attributes(params[:person])
if @person.update_attributes(person_params)
format.html { redirect_to(cfp_person_path, notice: t("cfp.person_updated_notice")) }
format.xml { head :ok }
else
......@@ -68,4 +68,16 @@ class Cfp::PeopleController < ApplicationController
end
end
private
def person_params
params.require(:person).permit(
:first_name, :last_name, :public_name, :email, :email_public, :gender, :avatar, :abstract, :description, :include_in_mailings,
im_accounts_attributes: %i(id im_type im_address _destroy),
languages_attributes: %i(id code _destroy),
links_attributes: %i(id title url _destroy),
phone_numbers_attributes: %i(id phone_type phone_number _destroy)
)
end
end
......@@ -9,7 +9,7 @@ class Cfp::UsersController < ApplicationController
end
def create
@user = User.new(params[:user])
@user = User.new(user_params)
@user.call_for_papers = @conference.call_for_papers
@user.person = Person.new(email: @user.email, public_name: @user.email)
......@@ -27,11 +27,17 @@ class Cfp::UsersController < ApplicationController
def update
@user = current_user
if @user.save
if @user.update_attributes(user_params)
redirect_to cfp_person_path, notice: t(:"cfp.updated")
else
render action: "new"
end
end
private
def user_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
end
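Review bot: `update` (L179) now writes `user_params` — email, password and password_confirmation — to `current_user`, whereas the old line only called `@user.save` and never applied request data; that is a functional change the commit message does not mention. There is no current-password check before the password or email is changed, and User's confirmation callbacks at L473–474 only fire on create, so a changed email would not be re-confirmed. If the intent was only to make the action compile under strong parameters, consider verifying the current password first or narrowing the permitted keys for update, and document the intended behaviour above `def update`. The methods surrounding `update` are outside the hunk that starts at L175.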
......@@ -51,7 +51,7 @@ class ConferencesController < ApplicationController
# POST /conferences
# POST /conferences.xml
def create
@conference = Conference.new(params[:conference])
@conference = Conference.new(conference_params)
respond_to do |format|
if @conference.save
......@@ -66,11 +66,11 @@ class ConferencesController < ApplicationController
# PUT /conferences/1.xml
def update
respond_to do |format|
if @conference.update_attributes(params[:conference])
if @conference.update_attributes(conference_params)
format.html { redirect_to(edit_conference_path(conference_acronym: @conference.acronym), notice: 'Conference was successfully updated.') }
else
# redirect to the right nested form page
format.html { render action: get_previous_nested_form(params[:conference]) }
format.html { render action: get_previous_nested_form(conference_params) }
end
end
end
......@@ -100,4 +100,15 @@ class ConferencesController < ApplicationController
return "edit"
end
def conference_params
params.require(:conference).permit(
:acronym, :title, :timezone, :timeslot_duration, :default_timeslots, :max_timeslots, :feedback_enabled, :email, :program_export_base_url, :schedule_version, :schedule_public, :color, :ticket_type, :event_state_visible, :schedule_custom_css, :schedule_html_intro, :default_recording_license,
rooms_attributes: %i(name size public rank _destroy id),
days_attributes: %i(start_date end_date _destroy id),
tracks_attributes: %i(name color _destroy id),
languages_attributes: %i(language_id code _destroy id),
ticket_server_attributes: %i(url user password queue _destroy id)
)
end
end
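Review bot: `conference_params` (L215) is appended right after `get_previous_nested_form` with no `private` keyword in view, unlike the other controllers in this commit (L61, L76, L109, L157); if the earlier part of the class has no `private` marker it becomes a public controller method. Add `private` above it, or move it under an existing one. `ticket_server_attributes` carries `:password` (L222); Rails applies `config.filter_parameters` (L497) recursively so it should not reach the logs, but a comment such as `# nested :password is log-filtered via config.filter_parameters` saves the next reader the check — worth confirming once in a request log. `get_previous_nested_form` begins before the hunk at L212.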
......@@ -15,10 +15,10 @@ class EventRatingsController < ApplicationController
def create
# only one rating allowed, if one exists update instead
if @event.event_ratings.find_by_person_id(current_user.person.id)
update
update
return
end
@rating = EventRating.new(params[:event_rating])
@rating = EventRating.new(event_rating_params)
@rating.event = @event
@rating.person = current_user.person
authorize! :create, @rating
......@@ -35,7 +35,7 @@ class EventRatingsController < ApplicationController
@rating = @event.event_ratings.find_by_person_id(current_user.person.id)
authorize! :update, @rating
if @rating.update_attributes(params[:event_rating])
if @rating.update_attributes(event_rating_params)
redirect_to event_event_rating_path, notice: "Rating updated successfully."
else
flash[:alert] = "Failed to update event rating"
......@@ -53,4 +53,8 @@ class EventRatingsController < ApplicationController
end
end
def event_rating_params
params.require(:event_rating).permit(:rating, :comment, :text)
end
end
......@@ -132,7 +132,7 @@ class EventsController < ApplicationController
# POST /events
# POST /events.xml
def create
@event = Event.new(params[:event])
@event = Event.new(event_params)
@event.conference = @conference
authorize! :create, @event
......@@ -154,7 +154,7 @@ class EventsController < ApplicationController
authorize! :update, @event
respond_to do |format|
if @event.update_attributes(params[:event])
if @event.update_attributes(event_params)
format.html { redirect_to(@event, notice: 'Event was successfully updated.') }
format.xml { head :ok }
format.js { head :ok }
......@@ -223,4 +223,12 @@ class EventsController < ApplicationController
end
end
def event_params
params.require(:event).permit(
:id, :title, :subtitle, :event_type, :time_slots, :state, :start_time, :public, :language, :abstract, :description, :logo, :track_id, :room_id, :note, :submission_note, :do_not_record, :recording_license,
ticket_attributes: %i(id remote_ticket_id),
links_attributes: %i(id title url _destroy)
)
end
end
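Review bot: `event_params` (L275) permits `:id` and `:state` on the top-level event. `:id` should never be mass-assigned — on create it lets the client pick the row id and on update it overwrites the in-memory primary key — and `:state` writes the state_machine column directly (Event declares `state_machine` at L458), bypassing whatever transition guards and callbacks the model defines. Drop `:id`; if state changes are meant to go through transitions, drop `:state` as well and use the model's event methods, otherwise add a comment recording that organisers may set state directly. Whether `event_params` sits under `private` is not visible here, since the hunk at L270 starts mid-class.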
......@@ -102,7 +102,7 @@ class PeopleController < ApplicationController
# POST /people
# POST /people.xml
def create
@person = Person.new(params[:person])
@person = Person.new(person_params)
authorize! :manage, @person
respond_to do |format|
......@@ -123,7 +123,7 @@ class PeopleController < ApplicationController
authorize! :manage, @person
respond_to do |format|
if @person.update_attributes(params[:person])
if @person.update_attributes(person_params)
format.html { redirect_to(@person, notice: 'Person was successfully updated.') }
format.xml { head :ok }
else
......@@ -154,4 +154,8 @@ class PeopleController < ApplicationController
end
end
def person_params
params.require(:person).permit(:first_name, :last_name, :public_name, :email, :email_public, :gender, :avatar_file_name, :abstract, :description, :include_in_mailings, :note)
end
end
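Review bot: `person_params` (L301) permits `:avatar_file_name`, the raw attachment storage column, instead of the `:avatar` attachment that Cfp::PeopleController permits at L160. If Person uses Paperclip's `has_attached_file :avatar` (the `avatar_*` columns excluded in the test at L607 suggest so), writing the filename column directly skips the attachment assignment path and its filename cleanup, and the value is presumably interpolated into the stored file path and URL. Replace it with `:avatar` as in the CFP controller: `params.require(:person).permit(:first_name, :last_name, :public_name, :email, :email_public, :gender, :avatar, :abstract, :description, :include_in_mailings, :note)`. The class's `private` section, if any, is outside this hunk, so confirm `person_params` is not public.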
......@@ -10,8 +10,8 @@ class Public::FeedbackController < ApplicationController
def create
@event = @conference.events.find(params[:event_id])
@feedback = @event.event_feedbacks.new(params[:event_feedback])
@feedback = @event.event_feedbacks.new(event_feedback_params)
if @feedback.save
render action: "thank_you"
else
......@@ -19,4 +19,10 @@ class Public::FeedbackController < ApplicationController
end
end
private
def event_feedback_params
params.require(:event_feedback).permit(:rating, :comment)
end
end
......@@ -15,20 +15,20 @@ class SessionsController < ApplicationController
end
def create
@user = User.confirmed.find_by_email(params[:user][:email])
@user = User.confirmed.find_by_email(user_params[:email])
if @user and @user.authenticate(params[:user][:password])
login_as @user
redirect_to successful_sign_in_path, notice: t(:sign_in_successful)
else
@user = User.new
flash[:alert] = t(:error_signing_in)
flash[:alert] = t(:error_signing_in)
render action: "new"
end
end
def destroy
reset_session
redirect_to scoped_sign_in_path
redirect_to scoped_sign_in_path
end
protected
......@@ -42,19 +42,25 @@ class SessionsController < ApplicationController
end
def check_pentabarf_credentials
User.check_pentabarf_credentials(params[:user][:email], params[:user][:password])
User.check_pentabarf_credentials(user_params[:email], user_params[:password])
end
def check_user_params
if params.has_key?(:user)
user = params[:user]
return true if user.has_key?(:email) and user.has_key?(:password)
return true if user.key?(:email) and user.key?(:password)
end
@user = User.new
flash[:alert] = t(:error_signing_in)
flash[:alert] = t(:error_signing_in)
# abort processing
render action: "new"
end
private
def user_params
params.require(:user).permit(:password, :email, :remember_me)
end
end
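Review bot: `create` reads the email through `user_params` (L324) but still takes the password from `params[:user][:password]` (L325); `permit` only passes scalar values, so the permitted copy is the one that guarantees `authenticate` receives a String rather than a nested hash or array sent as `user[password][]=`. Use `user_params[:password]` at L325, matching L345. Separately, `check_user_params` calls `user.key?` on `params[:user]` (L351), which raises NoMethodError — a 500 instead of the sign-in error page — when a client sends `user=foo` as a bare string; guard it with `return true if user.respond_to?(:key?) and user.key?(:email) and user.key?(:password)`. `check_user_params` is presumably registered as a before filter; that registration is outside the hunks.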
......@@ -27,7 +27,7 @@ class UsersController < ApplicationController
# GET /users/1/edit
def edit
@user = @person.user
@user = @person.user
can_manage_user!
@user.conference_users.select! { |cu|
......@@ -38,11 +38,11 @@ class UsersController < ApplicationController
# POST /users
# POST /users.xml
def create
@user = User.new(params[:user])
@user = User.new(user_params)
can_manage_user!
if can? :assign_roles, User
@user.role = params[:user][:role]
@user.role = user_params[:role]
else
@user.role = 'submitter'
end
......@@ -64,7 +64,7 @@ class UsersController < ApplicationController
# PUT /users/1
# PUT /users/1.xml
def update
@user = @person.user
@user = @person.user
can_manage_user!
[:password, :password_confirmation].each do |password_key|
......@@ -75,7 +75,7 @@ class UsersController < ApplicationController
if can? :assign_roles, User
@user.role = params[:user][:role]
elsif can_only_manage_crew_roles
role = params[:user][:role]
role = params[:user][:role]
@user.role = role if User::USER_ROLES.include? role
end
params[:user].delete(:role)
......@@ -86,7 +86,7 @@ class UsersController < ApplicationController
end
respond_to do |format|
if @user.update_attributes(params[:user])
if @user.update_attributes(user_params)
format.html { redirect_to(person_user_path(@person), notice: 'User was successfully updated.') }
format.xml { head :ok }
else
......@@ -103,6 +103,11 @@ class UsersController < ApplicationController
private
def user_params
params.require(:user).permit(:id, :role, :email, :password, :password_confirmation,
conference_users_attributes: %i(role conference_id))
end
def can_manage_user!
if @user.nil? or @user.id.nil?
authorize! :administrate, User
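Review bot: `user_params` (L412) permits `:role` and `:id`, so the privilege gating in `update` depends entirely on `params[:user].delete(:role)` at L400 having run before `update_attributes(user_params)` at L405, and an `:id` on a user record should never come from the request at all. The explicit assignments at L380, L394 and L398 already set the role, so remove both keys from the permit list — `params.require(:user).permit(:email, :password, :password_confirmation, conference_users_attributes: %i(role conference_id))` — and, because this commit sets `action_on_unpermitted_parameters = :raise`, pull the role out before the permit in `create` too: `role = params[:user].delete(:role)` ahead of `User.new(user_params)`, then use `role` at L380. The nested `conference_users_attributes[role]` is not gated by `can? :assign_roles` here; if ConferenceUser's `user_role_is_crew` validation (L431) is the only check, confirm that is intended. `update` starts at L387 and its body continues outside the hunks, as does `can_manage_user!`.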
......
class ConferenceExport < ActiveRecord::Base
belongs_to :conference
attr_accessible :locale, :tarball
has_attached_file :tarball
validates_attachment_content_type :tarball, content_type: [/gzip/]
validates_presence_of :locale, :conference
end
......@@ -3,7 +3,6 @@ class ConferenceUser < ActiveRecord::Base
belongs_to :conference
belongs_to :user
attr_accessible :role, :conference_id, :user_id
validates :conference, :user, :role, presence: true
validate :user_role_is_crew
......
......@@ -21,11 +21,11 @@ class Event < ActiveRecord::Base
belongs_to :track
belongs_to :room
has_attached_file :logo,
has_attached_file :logo,
styles: {tiny: "16x16>", small: "32x32>", large: "128x128>"},
default_url: "event_:style.png"
accepts_nested_attributes_for :event_people, allow_destroy: true, reject_if: Proc.new {|attr| attr[:person_id].blank?}
accepts_nested_attributes_for :event_people, allow_destroy: true, reject_if: Proc.new {|attr| attr[:person_id].blank?}
accepts_nested_attributes_for :links, allow_destroy: true, reject_if: :all_blank
accepts_nested_attributes_for :event_attachments, allow_destroy: true, reject_if: :all_blank
accepts_nested_attributes_for :ticket, allow_destroy: true, reject_if: :all_blank
......@@ -43,14 +43,14 @@ class Event < ActiveRecord::Base
scope :no_conflicts, includes(:conflicts).where(:"conflicts.event_id" => nil)
scope :public, where(public: true)
scope :scheduled_on, lambda {|day| where(self.arel_table[:start_time].gteq(day.start_date.to_datetime)).where(self.arel_table[:start_time].lteq(day.end_date.to_datetime)).where(self.arel_table[:room_id].not_eq(nil)) }
scope :scheduled, where(self.arel_table[:start_time].not_eq(nil).and(self.arel_table[:room_id].not_eq(nil)))
scope :unscheduled, where(self.arel_table[:start_time].eq(nil).or(self.arel_table[:room_id].eq(nil)))
scope :scheduled, where(self.arel_table[:start_time].not_eq(nil).and(self.arel_table[:room_id].not_eq(nil)))
scope :unscheduled, where(self.arel_table[:start_time].eq(nil).or(self.arel_table[:room_id].eq(nil)))
scope :without_speaker, where("speaker_count = 0")
scope :with_speaker, where("speaker_count > 0")
acts_as_indexed fields: [:title, :subtitle, :event_type, :abstract, :description, :track_name]
has_paper_trail
has_paper_trail
state_machine do
state :new
......@@ -204,7 +204,7 @@ class Event < ActiveRecord::Base
def slug
truncate(
[
[
self.conference.acronym,
self.id,
self.title.parameterize("_")
......
......@@ -16,8 +16,6 @@ class User < ActiveRecord::Base
attr_accessor :remember_me
attr_accessible :email, :password, :password_confirmation, :remember_me, :call_for_papers_id, :conference_users_attributes
after_initialize :check_default_values
before_create :generate_confirmation_token, unless: :confirmed_at
after_create :send_confirmation_instructions, unless: :confirmed_at
......
class Video < ActiveRecord::Base
belongs_to :event
attr_accessible :mimetype, :url
end
......@@ -9,7 +9,7 @@ if defined?(Bundler)
# Bundler.require(:default, :assets, Rails.env)
end
module Frab
module Frab
class Application < Rails::Application
# Settings in config/environments/* take precedence over those specified here.
# Application configuration should go into files in config/initializers
......@@ -18,7 +18,7 @@ module Frab
# Custom directories with classes and modules you want to be autoloadable.
# config.autoload_paths += %W(#{config.root}/extras)
config.autoload_paths += %W(#{config.root}/lib)
# Only load the plugins named here, in the order given (default is alphabetical).
# :all can be used as a placeholder for all plugins not explicitly named.
# config.plugins = [ :exception_notification, :ssl_requirement, :all ]
......@@ -42,13 +42,17 @@ module Frab
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password, :password_confirmation]
# Enable the asset pipeline
config.assets.enabled = true
# Version of your assets, change this if you want to expire all your assets
config.assets.version = '1.0'
# Use strong parameters
config.active_record.whitelist_attributes = false
config.action_controller.action_on_unpermitted_parameters = :raise
# smaller whitelist of allowed tags
config.after_initialize do
ActionView::Base.sanitized_allowed_tags.delete 'img'
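Review bot: `config.active_record.whitelist_attributes = false` (L503) removes the attr_accessible safety net from every model, while `ActiveModel::ForbiddenAttributesProtection` only raises for hashes that respond to `permitted?` — a plain Hash, or any leftover `Model.new(params[:foo])` path that unwraps the Parameters object, is now fully mass-assignable, including `User#role`. Keep the whitelist enabled until every write path is converted, or audit the app for remaining `params[:` mass assignment before merging, and record that decision in a comment here. `action_on_unpermitted_parameters = :raise` (L504) is right for development and test, but in production it turns any stale or extra form field into a 500; the usual split is `:raise` in config/environments/{development,test}.rb and `:log` in production. The `after_initialize` block opened at L506 continues outside the hunk.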
......
ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
......@@ -8,6 +8,13 @@ class CallForPapersControllerTest < ActionController::TestCase
login_as(:admin)
end
def call_for_papers_params
{
start_date: Date.today.ago(1.days).strftime('%Y-%m-%d'),
end_date: Date.today.since(6.days).strftime('%Y-%m-%d')
}
end
test "should show cfp" do
get :show, conference_acronym: @conference.acronym
assert_response :success
......@@ -20,9 +27,12 @@ class CallForPapersControllerTest < ActionController::TestCase
test "should create cfp" do
new_conference = FactoryGirl.create(:conference)
params = {
call_for_papers: call_for_papers_params,
conference_acronym: new_conference.acronym
}
assert_difference('CallForPapers.count') do
call_for_papers = FactoryGirl.build(:call_for_papers, conference: new_conference)
post :create, call_for_papers: call_for_papers.attributes, conference_acronym: new_conference.acronym
post :create, params
end
end
......@@ -32,7 +42,11 @@ class CallForPapersControllerTest < ActionController::TestCase
end
test "should update cfp" do
put :update, call_for_papers: @call_for_papers.attributes.merge(welcome_text: "welcome"), conference_acronym: @conference.acronym
params = {
call_for_papers: call_for_papers_params.merge(welcome_text: "welcome"),
conference_acronym: @conference.acronym
}
put :update, params
assert_redirected_to call_for_papers_path(conference_acronym: @conference.acronym)
end
......@@ -42,9 +56,23 @@ class CallForPapersControllerTest < ActionController::TestCase
end
test "should add cfp notification" do
params = {
conference_acronym: @conference.acronym,
call_for_papers: call_for_papers_params.merge(
welcome_text: "welcome",
notifications_attributes: {
"0" => {
reject_body: 'reject body text',
reject_subject: 'rejected subject',
accept_body: 'accept body text',
accept_subject: 'accepted subject',
locale: 'en'
}
}
)
}
assert_difference('Notification.count') do
@call_for_papers.notifications << FactoryGirl.create(:notification)
put :update, call_for_papers: @call_for_papers.attributes, conference_acronym: @conference.acronym
put :update, params
end
end
......
......@@ -7,6 +7,10 @@ class Cfp::EventsControllerTest < ActionController::TestCase
@user = login_as(:submitter)
end
def event_params
@event.attributes.except(*%w(id created_at updated_at conference_id logo_file_name logo_content_type logo_file_size logo_updated_at average_rating event_ratings_count speaker_count event_feedbacks_count average_feedback guid number_of_repeats other_locations methods resources target_audience_experience target_audience_experience_text state start_time public room_id note recording_license))
end
test "should get new" do
get :new, conference_acronym: @conference.acronym
assert_response :success
......@@ -14,7 +18,7 @@ class Cfp::EventsControllerTest < ActionController::TestCase
test "should create event" do
assert_difference('Event.count') do
post :create, event: @event.attributes, conference_acronym: @conference.acronym
post :create, event: event_params, conference_acronym: @conference.acronym
end
assert_response :redirect
end
......@@ -27,7 +31,7 @@ class Cfp::EventsControllerTest < ActionController::TestCase
test "should update event" do
FactoryGirl.create(:event_person, event: @event, person: @user.person)
put :update, id: @event.to_param, event: @event.attributes, conference_acronym: @conference.acronym
put :update, id: @event.to_param, event: event_params, conference_acronym: @conference.acronym
assert_response :redirect
end
......@@ -42,7 +46,7 @@ class Cfp::EventsControllerTest < ActionController::TestCase
assert_equal "confirmed", @event.state
assert_not_nil session[:user_id]
end
test "should confirm event without user" do
session[:user_id] = nil
@event.update_attributes(state: "unconfirmed")
......
......@@ -8,6 +8,10 @@ class Cfp::PeopleControllerTest < ActionController::TestCase
login_as(:submitter)
end
def cfp_person_params
@cfp_person.attributes.except(*%w(id avatar_file_name avatar_content_type avatar_file_size avatar_updated_at created_at updated_at user_id note))
end
test "should get new" do
get :new, conference_acronym: @conference.acronym
assert_response :success
......@@ -16,15 +20,15 @@ class Cfp::PeopleControllerTest < ActionController::TestCase
test "should create cfp_person" do
# can't have two persons on one user, so delete the one from login_as
user = FactoryGirl.create(
:user,
:user,
role: 'submitter'
)
)