Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
0439387b
Commit
0439387b
authored
Sep 26, 2012
by
Dmitriy Zaporozhets
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #1567 from NARKOZ/mass-assignment
set activerecord whitelist_attributes to true [2]
parents
dddb5b5d
83efcabc
Changes
29
Hide whitespace changes
Inline
Side-by-side
Showing
29 changed files
with
102 additions
and
46 deletions
+102
-46
app/models/event.rb
app/models/event.rb
+3
-0
app/models/issue.rb
app/models/issue.rb
+3
-0
app/models/key.rb
app/models/key.rb
+1
-1
app/models/merge_request.rb
app/models/merge_request.rb
+5
-1
app/models/milestone.rb
app/models/milestone.rb
+2
-0
app/models/note.rb
app/models/note.rb
+3
-1
app/models/project.rb
app/models/project.rb
+3
-5
app/models/protected_branch.rb
app/models/protected_branch.rb
+2
-0
app/models/snippet.rb
app/models/snippet.rb
+4
-3
app/models/users_project.rb
app/models/users_project.rb
+2
-2
app/models/web_hook.rb
app/models/web_hook.rb
+4
-2
app/models/wiki.rb
app/models/wiki.rb
+2
-0
app/roles/issue_commonality.rb
app/roles/issue_commonality.rb
+0
-2
config/application.rb
config/application.rb
+6
-0
config/environments/development.rb
config/environments/development.rb
+1
-1
config/environments/test.rb
config/environments/test.rb
+3
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+2
-2
spec/models/issue_spec.rb
spec/models/issue_spec.rb
+5
-0
spec/models/key_spec.rb
spec/models/key_spec.rb
+5
-0
spec/models/merge_request_spec.rb
spec/models/merge_request_spec.rb
+5
-0
spec/models/milestone_spec.rb
spec/models/milestone_spec.rb
+4
-0
spec/models/note_spec.rb
spec/models/note_spec.rb
+5
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+5
-0
spec/models/protected_branch_spec.rb
spec/models/protected_branch_spec.rb
+4
-0
spec/models/snippet_spec.rb
spec/models/snippet_spec.rb
+5
-0
spec/models/user_spec.rb
spec/models/user_spec.rb
+5
-26
spec/models/users_project_spec.rb
spec/models/users_project_spec.rb
+4
-0
spec/models/web_hook_spec.rb
spec/models/web_hook_spec.rb
+4
-0
spec/models/wiki_spec.rb
spec/models/wiki_spec.rb
+5
-0
No files found.
app/models/event.rb
View file @
0439387b
class
Event
<
ActiveRecord
::
Base
include
PushEvent
attr_accessible
:project
,
:action
,
:data
,
:author_id
,
:project_id
,
:target_id
,
:target_type
default_scope
where
(
"author_id IS NOT NULL"
)
Created
=
1
...
...
app/models/issue.rb
View file @
0439387b
...
...
@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
include
IssueCommonality
include
Votes
attr_accessible
:title
,
:assignee_id
,
:closed
,
:position
,
:description
,
:milestone_id
,
:label_list
,
:author_id_of_changes
acts_as_taggable_on
:labels
belongs_to
:milestone
...
...
app/models/key.rb
View file @
0439387b
...
...
@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
belongs_to
:user
belongs_to
:project
attr_
protected
:user_id
attr_
accessible
:key
,
:title
validates
:title
,
presence:
true
,
...
...
app/models/merge_request.rb
View file @
0439387b
...
...
@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
include
IssueCommonality
include
Votes
attr_accessible
:title
,
:assignee_id
,
:closed
,
:target_branch
,
:source_branch
,
:author_id_of_changes
BROKEN_DIFF
=
"--broken-diff"
UNCHECKED
=
1
...
...
@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
end
def
mark_as_unchecked
self
.
update_attributes
(
state:
UNCHECKED
)
self
.
state
=
UNCHECKED
self
.
save
end
def
can_be_merged?
...
...
app/models/milestone.rb
View file @
0439387b
...
...
@@ -13,6 +13,8 @@
#
class
Milestone
<
ActiveRecord
::
Base
attr_accessible
:title
,
:description
,
:due_date
,
:closed
belongs_to
:project
has_many
:issues
...
...
app/models/note.rb
View file @
0439387b
...
...
@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
require
'file_size_validator'
class
Note
<
ActiveRecord
::
Base
attr_accessible
:note
,
:noteable
,
:noteable_id
,
:noteable_type
,
:project_id
,
:attachment
,
:line_code
belongs_to
:project
belongs_to
:noteable
,
polymorphic:
true
belongs_to
:author
,
...
...
@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
to: :author
,
prefix:
true
attr_protected
:author
,
:author_id
attr_accessor
:notify
attr_accessor
:notify_author
...
...
app/models/project.rb
View file @
0439387b
...
...
@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
include
Authority
include
Team
attr_accessible
:name
,
:path
,
:description
,
:code
,
:default_branch
,
:issues_enabled
,
:wall_enabled
,
:merge_requests_enabled
,
:wiki_enabled
#
# Relations
#
...
...
@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
attr_accessor
:error_code
#
# Protected attributes
#
attr_protected
:private_flag
,
:owner_id
#
# Scopes
#
...
...
app/models/protected_branch.rb
View file @
0439387b
class
ProtectedBranch
<
ActiveRecord
::
Base
include
GitHost
attr_accessible
:name
belongs_to
:project
validates_presence_of
:project_id
validates_presence_of
:name
...
...
app/models/snippet.rb
View file @
0439387b
class
Snippet
<
ActiveRecord
::
Base
include
Linguist
::
BlobHelper
attr_accessible
:title
,
:content
,
:file_name
,
:expires_at
belongs_to
:project
belongs_to
:author
,
class_name:
"User"
has_many
:notes
,
as: :noteable
,
dependent: :destroy
...
...
@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
:email
,
to: :author
,
prefix:
true
attr_protected
:author
,
:author_id
,
:project
,
:project_id
validates_presence_of
:project_id
validates_presence_of
:author_id
...
...
@@ -46,11 +47,11 @@ class Snippet < ActiveRecord::Base
0
end
def
name
def
name
file_name
end
def
mode
def
mode
nil
end
...
...
app/models/users_project.rb
View file @
0439387b
...
...
@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
DEVELOPER
=
30
MASTER
=
40
attr_accessible
:user
,
:user_id
,
:project_access
belongs_to
:user
belongs_to
:project
attr_protected
:project_id
,
:project
after_save
:update_repository
after_destroy
:update_repository
...
...
app/models/web_hook.rb
View file @
0439387b
class
WebHook
<
ActiveRecord
::
Base
include
HTTParty
attr_accessible
:url
# HTTParty timeout
default_timeout
10
...
...
@@ -18,11 +20,11 @@ class WebHook < ActiveRecord::Base
post_url
=
url
.
gsub
(
parsed_url
.
userinfo
+
"@"
,
""
)
WebHook
.
post
(
post_url
,
body:
data
.
to_json
,
headers:
{
"Content-Type"
=>
"application/json"
},
headers:
{
"Content-Type"
=>
"application/json"
},
basic_auth:
{
username:
parsed_url
.
user
,
password:
parsed_url
.
password
})
end
end
end
# == Schema Information
#
...
...
app/models/wiki.rb
View file @
0439387b
class
Wiki
<
ActiveRecord
::
Base
attr_accessible
:title
,
:content
,
:slug
belongs_to
:project
belongs_to
:user
has_many
:notes
,
as: :noteable
,
dependent: :destroy
...
...
app/roles/issue_commonality.rb
View file @
0439387b
...
...
@@ -3,8 +3,6 @@ module IssueCommonality
extend
ActiveSupport
::
Concern
included
do
attr_protected
:author
,
:author_id
,
:project
,
:project_id
belongs_to
:project
belongs_to
:author
,
class_name:
"User"
belongs_to
:assignee
,
class_name:
"User"
...
...
config/application.rb
View file @
0439387b
...
...
@@ -39,6 +39,12 @@ module Gitlab
# Configure sensitive parameters which will be filtered from the log file.
config
.
filter_parameters
+=
[
:password
]
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
config
.
active_record
.
whitelist_attributes
=
true
# Enable the asset pipeline
config
.
assets
.
enabled
=
true
...
...
config/environments/development.rb
View file @
0439387b
...
...
@@ -33,7 +33,7 @@ Gitlab::Application.configure do
# Raise exception on mass assignment protection for Active Record models
config
.
active_record
.
mass_assignment_sanitizer
=
:strict
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config
.
active_record
.
auto_explain_threshold_in_seconds
=
0.5
...
...
config/environments/test.rb
View file @
0439387b
...
...
@@ -34,6 +34,9 @@ Gitlab::Application.configure do
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
# Raise exception on mass assignment protection for Active Record models
# config.active_record.mass_assignment_sanitizer = :strict
# Print deprecation notices to the stderr
config
.
active_support
.
deprecation
=
:stderr
...
...
lib/gitlab/auth.rb
View file @
0439387b
...
...
@@ -30,7 +30,7 @@ module Gitlab
log
.
info
"
#{
ldap_prefix
}
Creating user from
#{
provider
}
login"
\
" {uid =>
#{
uid
}
, name =>
#{
name
}
, email =>
#{
email
}
}"
password
=
Devise
.
friendly_token
[
0
,
8
].
downcase
@user
=
User
.
new
(
@user
=
User
.
new
(
{
extern_uid:
uid
,
provider:
provider
,
name:
name
,
...
...
@@ -38,7 +38,7 @@ module Gitlab
password:
password
,
password_confirmation:
password
,
projects_limit:
Gitlab
.
config
.
default_projects_limit
,
)
},
as: :admin
)
if
Gitlab
.
config
.
omniauth
[
'block_auto_created_users'
]
&&
!
ldap
@user
.
blocked
=
true
end
...
...
spec/models/issue_spec.rb
View file @
0439387b
...
...
@@ -5,6 +5,11 @@ describe Issue do
it
{
should
belong_to
(
:milestone
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:author_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
"Validation"
do
it
{
should
ensure_length_of
(
:description
).
is_within
(
0
..
2000
)
}
it
{
should
ensure_inclusion_of
(
:closed
).
in_array
([
true
,
false
])
}
...
...
spec/models/key_spec.rb
View file @
0439387b
...
...
@@ -6,6 +6,11 @@ describe Key do
it
{
should
belong_to
(
:project
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:user_id
)
}
end
describe
"Validation"
do
it
{
should
validate_presence_of
(
:title
)
}
it
{
should
validate_presence_of
(
:key
)
}
...
...
spec/models/merge_request_spec.rb
View file @
0439387b
...
...
@@ -6,6 +6,11 @@ describe MergeRequest do
it
{
should
validate_presence_of
(
:source_branch
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:author_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
'modules'
do
it
{
should
include_module
(
IssueCommonality
)
}
it
{
should
include_module
(
Votes
)
}
...
...
spec/models/milestone_spec.rb
View file @
0439387b
...
...
@@ -6,6 +6,10 @@ describe Milestone do
it
{
should
have_many
(
:issues
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
"Validation"
do
it
{
should
validate_presence_of
(
:title
)
}
it
{
should
validate_presence_of
(
:project_id
)
}
...
...
spec/models/note_spec.rb
View file @
0439387b
...
...
@@ -7,6 +7,11 @@ describe Note do
it
{
should
belong_to
(
:author
).
class_name
(
'User'
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:author
)
}
it
{
should_not
allow_mass_assignment_of
(
:author_id
)
}
end
describe
"Validation"
do
it
{
should
validate_presence_of
(
:note
)
}
it
{
should
validate_presence_of
(
:project
)
}
...
...
spec/models/project_spec.rb
View file @
0439387b
...
...
@@ -17,6 +17,11 @@ describe Project do
it
{
should
have_many
(
:protected_branches
).
dependent
(
:destroy
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:owner_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:private_flag
)
}
end
describe
"Validation"
do
let!
(
:project
)
{
create
(
:project
)
}
...
...
spec/models/protected_branch_spec.rb
View file @
0439387b
...
...
@@ -5,6 +5,10 @@ describe ProtectedBranch do
it
{
should
belong_to
(
:project
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
'Validation'
do
it
{
should
validate_presence_of
(
:project_id
)
}
it
{
should
validate_presence_of
(
:name
)
}
...
...
spec/models/snippet_spec.rb
View file @
0439387b
...
...
@@ -7,6 +7,11 @@ describe Snippet do
it
{
should
have_many
(
:notes
).
dependent
(
:destroy
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:author_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
"Validation"
do
it
{
should
validate_presence_of
(
:author_id
)
}
it
{
should
validate_presence_of
(
:project_id
)
}
...
...
spec/models/user_spec.rb
View file @
0439387b
...
...
@@ -15,6 +15,11 @@ describe User do
it
{
should
have_many
(
:assigned_merge_requests
).
dependent
(
:destroy
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:projects_limit
)
}
it
{
should
allow_mass_assignment_of
(
:projects_limit
).
as
(
:admin
)
}
end
describe
'validations'
do
it
{
should
validate_presence_of
(
:projects_limit
)
}
it
{
should
validate_numericality_of
(
:projects_limit
)
}
...
...
@@ -73,30 +78,4 @@ describe User do
user
.
authentication_token
.
should_not
be_blank
end
end
describe
"attributes can be changed by a regular user"
do
before
do
@user
=
Factory
:user
@user
.
update_attributes
(
skype:
"testskype"
,
linkedin:
"testlinkedin"
)
end
it
{
@user
.
skype
.
should
==
'testskype'
}
it
{
@user
.
linkedin
.
should
==
'testlinkedin'
}
end
describe
"attributes that shouldn't be changed by a regular user"
do
before
do
@user
=
Factory
:user
@user
.
update_attributes
(
projects_limit:
50
)
end
it
{
@user
.
projects_limit
.
should_not
==
50
}
end
describe
"attributes can be changed by an admin user"
do
before
do
@admin_user
=
Factory
:admin
@admin_user
.
update_attributes
({
skype:
"testskype"
,
projects_limit:
50
},
as: :admin
)
end
it
{
@admin_user
.
skype
.
should
==
'testskype'
}
it
{
@admin_user
.
projects_limit
.
should
==
50
}
end
end
spec/models/users_project_spec.rb
View file @
0439387b
...
...
@@ -6,6 +6,10 @@ describe UsersProject do
it
{
should
belong_to
(
:user
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
"Validation"
do
let!
(
:users_project
)
{
create
(
:users_project
)
}
...
...
spec/models/web_hook_spec.rb
View file @
0439387b
...
...
@@ -5,6 +5,10 @@ describe ProjectHook do
it
{
should
belong_to
:project
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
end
describe
"Validations"
do
it
{
should
validate_presence_of
(
:url
)
}
...
...
spec/models/wiki_spec.rb
View file @
0439387b
...
...
@@ -7,6 +7,11 @@ describe Wiki do
it
{
should
have_many
(
:notes
).
dependent
(
:destroy
)
}
end
describe
"Mass assignment"
do
it
{
should_not
allow_mass_assignment_of
(
:project_id
)
}
it
{
should_not
allow_mass_assignment_of
(
:user_id
)
}
end
describe
"Validation"
do
it
{
should
validate_presence_of
(
:title
)
}
it
{
should
ensure_length_of
(
:title
).
is_within
(
1
..
250
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment