Commit 0439387b authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #1567 from NARKOZ/mass-assignment

set activerecord whitelist_attributes to true [2]
parents dddb5b5d 83efcabc
class Event < ActiveRecord::Base
include PushEvent
attr_accessible :project, :action, :data, :author_id, :project_id,
:target_id, :target_type
default_scope where("author_id IS NOT NULL")
Created = 1
......
......@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
include IssueCommonality
include Votes
attr_accessible :title, :assignee_id, :closed, :position, :description,
:milestone_id, :label_list, :author_id_of_changes
acts_as_taggable_on :labels
belongs_to :milestone
......
......@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
belongs_to :user
belongs_to :project
attr_protected :user_id
attr_accessible :key, :title
validates :title,
presence: true,
......
......@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
include IssueCommonality
include Votes
attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
:author_id_of_changes
BROKEN_DIFF = "--broken-diff"
UNCHECKED = 1
......@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
end
def mark_as_unchecked
self.update_attributes(state: UNCHECKED)
self.state = UNCHECKED
self.save
end
def can_be_merged?
......
......@@ -13,6 +13,8 @@
#
class Milestone < ActiveRecord::Base
attr_accessible :title, :description, :due_date, :closed
belongs_to :project
has_many :issues
......
......@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
require 'file_size_validator'
class Note < ActiveRecord::Base
attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
:attachment, :line_code
belongs_to :project
belongs_to :noteable, polymorphic: true
belongs_to :author,
......@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
to: :author,
prefix: true
attr_protected :author, :author_id
attr_accessor :notify
attr_accessor :notify_author
......
......@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
include Authority
include Team
attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
:wall_enabled, :merge_requests_enabled, :wiki_enabled
#
# Relations
#
......@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
attr_accessor :error_code
#
# Protected attributes
#
attr_protected :private_flag, :owner_id
#
# Scopes
#
......
class ProtectedBranch < ActiveRecord::Base
include GitHost
attr_accessible :name
belongs_to :project
validates_presence_of :project_id
validates_presence_of :name
......
class Snippet < ActiveRecord::Base
include Linguist::BlobHelper
attr_accessible :title, :content, :file_name, :expires_at
belongs_to :project
belongs_to :author, class_name: "User"
has_many :notes, as: :noteable, dependent: :destroy
......@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
:email,
to: :author,
prefix: true
attr_protected :author, :author_id, :project, :project_id
validates_presence_of :project_id
validates_presence_of :author_id
......@@ -46,11 +47,11 @@ class Snippet < ActiveRecord::Base
0
end
def name
def name
file_name
end
def mode
def mode
nil
end
......
......@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
DEVELOPER = 30
MASTER = 40
attr_accessible :user, :user_id, :project_access
belongs_to :user
belongs_to :project
attr_protected :project_id, :project
after_save :update_repository
after_destroy :update_repository
......
class WebHook < ActiveRecord::Base
include HTTParty
attr_accessible :url
# HTTParty timeout
default_timeout 10
......@@ -18,11 +20,11 @@ class WebHook < ActiveRecord::Base
post_url = url.gsub(parsed_url.userinfo+"@", "")
WebHook.post(post_url,
body: data.to_json,
headers: { "Content-Type" => "application/json" },
headers: { "Content-Type" => "application/json" },
basic_auth: {username: parsed_url.user, password: parsed_url.password})
end
end
end
# == Schema Information
#
......
class Wiki < ActiveRecord::Base
attr_accessible :title, :content, :slug
belongs_to :project
belongs_to :user
has_many :notes, as: :noteable, dependent: :destroy
......
......@@ -3,8 +3,6 @@ module IssueCommonality
extend ActiveSupport::Concern
included do
attr_protected :author, :author_id, :project, :project_id
belongs_to :project
belongs_to :author, class_name: "User"
belongs_to :assignee, class_name: "User"
......
......@@ -39,6 +39,12 @@ module Gitlab
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
config.active_record.whitelist_attributes = true
# Enable the asset pipeline
config.assets.enabled = true
......
......@@ -33,7 +33,7 @@ Gitlab::Application.configure do
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
......
......@@ -34,6 +34,9 @@ Gitlab::Application.configure do
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
# Raise exception on mass assignment protection for Active Record models
# config.active_record.mass_assignment_sanitizer = :strict
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
......
......@@ -30,7 +30,7 @@ module Gitlab
log.info "#{ldap_prefix}Creating user from #{provider} login"\
" {uid => #{uid}, name => #{name}, email => #{email}}"
password = Devise.friendly_token[0, 8].downcase
@user = User.new(
@user = User.new({
extern_uid: uid,
provider: provider,
name: name,
......@@ -38,7 +38,7 @@ module Gitlab
password: password,
password_confirmation: password,
projects_limit: Gitlab.config.default_projects_limit,
)
}, as: :admin)
if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
@user.blocked = true
end
......
......@@ -5,6 +5,11 @@ describe Issue do
it { should belong_to(:milestone) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do
it { should ensure_length_of(:description).is_within(0..2000) }
it { should ensure_inclusion_of(:closed).in_array([true, false]) }
......
......@@ -6,6 +6,11 @@ describe Key do
it { should belong_to(:project) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
it { should_not allow_mass_assignment_of(:user_id) }
end
describe "Validation" do
it { should validate_presence_of(:title) }
it { should validate_presence_of(:key) }
......
......@@ -6,6 +6,11 @@ describe MergeRequest do
it { should validate_presence_of(:source_branch) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe 'modules' do
it { should include_module(IssueCommonality) }
it { should include_module(Votes) }
......
......@@ -6,6 +6,10 @@ describe Milestone do
it { should have_many(:issues) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do
it { should validate_presence_of(:title) }
it { should validate_presence_of(:project_id) }
......
......@@ -7,6 +7,11 @@ describe Note do
it { should belong_to(:author).class_name('User') }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author) }
it { should_not allow_mass_assignment_of(:author_id) }
end
describe "Validation" do
it { should validate_presence_of(:note) }
it { should validate_presence_of(:project) }
......
......@@ -17,6 +17,11 @@ describe Project do
it { should have_many(:protected_branches).dependent(:destroy) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:owner_id) }
it { should_not allow_mass_assignment_of(:private_flag) }
end
describe "Validation" do
let!(:project) { create(:project) }
......
......@@ -5,6 +5,10 @@ describe ProtectedBranch do
it { should belong_to(:project) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe 'Validation' do
it { should validate_presence_of(:project_id) }
it { should validate_presence_of(:name) }
......
......@@ -7,6 +7,11 @@ describe Snippet do
it { should have_many(:notes).dependent(:destroy) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do
it { should validate_presence_of(:author_id) }
it { should validate_presence_of(:project_id) }
......
......@@ -15,6 +15,11 @@ describe User do
it { should have_many(:assigned_merge_requests).dependent(:destroy) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:projects_limit) }
it { should allow_mass_assignment_of(:projects_limit).as(:admin) }
end
describe 'validations' do
it { should validate_presence_of(:projects_limit) }
it { should validate_numericality_of(:projects_limit) }
......@@ -73,30 +78,4 @@ describe User do
user.authentication_token.should_not be_blank
end
end
describe "attributes can be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
end
it { @user.skype.should == 'testskype' }
it { @user.linkedin.should == 'testlinkedin' }
end
describe "attributes that shouldn't be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(projects_limit: 50)
end
it { @user.projects_limit.should_not == 50 }
end
describe "attributes can be changed by an admin user" do
before do
@admin_user = Factory :admin
@admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
end
it { @admin_user.skype.should == 'testskype' }
it { @admin_user.projects_limit.should == 50 }
end
end
......@@ -6,6 +6,10 @@ describe UsersProject do
it { should belong_to(:user) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do
let!(:users_project) { create(:users_project) }
......
......@@ -5,6 +5,10 @@ describe ProjectHook do
it { should belong_to :project }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validations" do
it { should validate_presence_of(:url) }
......
......@@ -7,6 +7,11 @@ describe Wiki do
it { should have_many(:notes).dependent(:destroy) }
end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
it { should_not allow_mass_assignment_of(:user_id) }
end
describe "Validation" do
it { should validate_presence_of(:title) }
it { should ensure_length_of(:title).is_within(1..250) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment