Commit 8fee5a05 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Make app work with strong params

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 2acde87e
...@@ -13,7 +13,7 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -13,7 +13,7 @@ class Admin::UsersController < Admin::ApplicationController
end end
def new def new
@user = User.build_user @user = User.new
end end
def edit def edit
...@@ -37,15 +37,12 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -37,15 +37,12 @@ class Admin::UsersController < Admin::ApplicationController
end end
def create def create
admin = user_params.delete("admin")
opts = { opts = {
force_random_password: true, force_random_password: true,
password_expires_at: Time.now password_expires_at: Time.now
} }
@user = User.build_user(user_params.merge(opts), as: :admin) @user = User.new(user_params.merge(opts))
@user.admin = (admin && admin.to_i > 0)
@user.created_by_id = current_user.id @user.created_by_id = current_user.id
@user.generate_password @user.generate_password
@user.skip_confirmation! @user.skip_confirmation!
...@@ -62,19 +59,15 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -62,19 +59,15 @@ class Admin::UsersController < Admin::ApplicationController
end end
def update def update
admin = user_params.delete("admin") if params[:user][:password].present?
user_params.merge(
if user_params[:password].blank? password: params[:user][:password],
user_params.delete(:password) password_confirmation: params[:user][:password_confirmation],
user_params.delete(:password_confirmation) )
end
if admin.present?
user.admin = !admin.to_i.zero?
end end
respond_to do |format| respond_to do |format|
if user.update_attributes(user_params, as: :admin) if user.update_attributes(user_params)
user.confirm! user.confirm!
format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' } format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
format.json { head :ok } format.json { head :ok }
...@@ -118,10 +111,10 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -118,10 +111,10 @@ class Admin::UsersController < Admin::ApplicationController
def user_params def user_params
params.require(:user).permit( params.require(:user).permit(
:email, :password, :password_confirmation, :remember_me, :bio, :name, :username, :email, :remember_me, :bio, :name, :username,
:skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password, :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
:extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key, :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
:projects_limit, :can_create_group, :projects_limit, :can_create_group, :admin
) )
end end
end end
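Review bot: In `update` the result of `user_params.merge(password: …, password_confirmation: …)` is never assigned, and since `user_params` builds a fresh permitted hash on every call (L44-L50) and `:password` was dropped from its permit list, `user.update_attributes(user_params)` never receives the new password — an admin password change becomes a silent no-op. Capture the hash once: `attrs = user_params.dup`, `attrs.merge!(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation]) if params[:user][:password].present?`, then `if user.update_attributes(attrs)`. Note also that `:admin` is now in the permit list, so the admin flag is set by mass assignment in both `create` and `update`; that is acceptable only because this controller is admin-gated, and a comment on `user_params` saying so would stop the list being copied into a non-admin controller. `update` continues past the end of the hunk.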
...@@ -7,7 +7,7 @@ class Profiles::EmailsController < ApplicationController ...@@ -7,7 +7,7 @@ class Profiles::EmailsController < ApplicationController
end end
def create def create
@email = current_user.emails.new(params[:email]) @email = current_user.emails.new(email_params)
flash[:alert] = @email.errors.full_messages.first unless @email.save flash[:alert] = @email.errors.full_messages.first unless @email.save
...@@ -23,4 +23,10 @@ class Profiles::EmailsController < ApplicationController ...@@ -23,4 +23,10 @@ class Profiles::EmailsController < ApplicationController
format.js { render nothing: true } format.js { render nothing: true }
end end
end end
private
def email_params
params.require(:email).permit(:email)
end
end end
...@@ -14,7 +14,7 @@ class ProfilesController < ApplicationController ...@@ -14,7 +14,7 @@ class ProfilesController < ApplicationController
end end
def update def update
user_params.delete(:email) if @user.ldap_user? user_params.except!(:email) if @user.ldap_user?
if @user.update_attributes(user_params) if @user.update_attributes(user_params)
flash[:notice] = "Profile was successfully updated" flash[:notice] = "Profile was successfully updated"
......
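Review bot: `user_params.except!(:email) if @user.ldap_user?` only has an effect if `user_params` is a memoized object; if it is a method that builds a fresh `params.require(:user).permit(...)` on each call, as the other controllers in this commit define it (its definition is outside this hunk), the `except!` mutates a temporary and the following `@user.update_attributes(user_params)` still receives `email`, so LDAP users could change the address the directory owns. Make the filtering local to one object: `attrs = user_params`, `attrs = attrs.except(:email) if @user.ldap_user?`, `if @user.update_attributes(attrs)`. `update` continues past the end of the hunk.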
...@@ -22,7 +22,7 @@ class Projects::DeployKeysController < Projects::ApplicationController ...@@ -22,7 +22,7 @@ class Projects::DeployKeysController < Projects::ApplicationController
end end
def create def create
@key = DeployKey.new(params[:deploy_key]) @key = DeployKey.new(deploy_key_params)
if @key.valid? && @project.deploy_keys << @key if @key.valid? && @project.deploy_keys << @key
redirect_to project_deploy_keys_path(@project) redirect_to project_deploy_keys_path(@project)
...@@ -58,4 +58,8 @@ class Projects::DeployKeysController < Projects::ApplicationController ...@@ -58,4 +58,8 @@ class Projects::DeployKeysController < Projects::ApplicationController
def available_keys def available_keys
@available_keys ||= current_user.accessible_deploy_keys @available_keys ||= current_user.accessible_deploy_keys
end end
def deploy_key_params
params.require(:deploy_key).permit(:key, :title)
end
end end
...@@ -61,13 +61,13 @@ class Note < ActiveRecord::Base ...@@ -61,13 +61,13 @@ class Note < ActiveRecord::Base
def create_status_change_note(noteable, project, author, status, source) def create_status_change_note(noteable, project, author, status, source)
body = "_Status changed to #{status}#{' by ' + source.gfm_reference if source}_" body = "_Status changed to #{status}#{' by ' + source.gfm_reference if source}_"
create({ create(
noteable: noteable, noteable: noteable,
project: project, project: project,
author: author, author: author,
note: body, note: body,
system: true system: true
}, without_protection: true) )
end end
# +noteable+ was referenced from +mentioner+, by including GFM in either +mentioner+'s description or an associated Note. # +noteable+ was referenced from +mentioner+, by including GFM in either +mentioner+'s description or an associated Note.
...@@ -86,7 +86,7 @@ class Note < ActiveRecord::Base ...@@ -86,7 +86,7 @@ class Note < ActiveRecord::Base
note_options.merge!(noteable: noteable) note_options.merge!(noteable: noteable)
end end
create(note_options, without_protection: true) create(note_options)
end end
def create_milestone_change_note(noteable, project, author, milestone) def create_milestone_change_note(noteable, project, author, milestone)
...@@ -96,13 +96,13 @@ class Note < ActiveRecord::Base ...@@ -96,13 +96,13 @@ class Note < ActiveRecord::Base
"_Milestone changed to #{milestone.title}_" "_Milestone changed to #{milestone.title}_"
end end
create({ create(
noteable: noteable, noteable: noteable,
project: project, project: project,
author: author, author: author,
note: body, note: body,
system: true system: true
}, without_protection: true) )
end end
def create_assignee_change_note(noteable, project, author, assignee) def create_assignee_change_note(noteable, project, author, assignee)
...@@ -114,7 +114,7 @@ class Note < ActiveRecord::Base ...@@ -114,7 +114,7 @@ class Note < ActiveRecord::Base
author: author, author: author,
note: body, note: body,
system: true system: true
}, without_protection: true) })
end end
def discussions_from_notes(notes) def discussions_from_notes(notes)
......
...@@ -27,14 +27,17 @@ ...@@ -27,14 +27,17 @@
class Project < ActiveRecord::Base class Project < ActiveRecord::Base
include Gitlab::ShellAdapter include Gitlab::ShellAdapter
include Gitlab::VisibilityLevel include Gitlab::VisibilityLevel
include Gitlab::ConfigHelper
extend Gitlab::ConfigHelper
extend Enumerize extend Enumerize
default_value_for :archived, false default_value_for :archived, false
default_value_for :issues_enabled, true default_value_for :visibility_level, gitlab_config_features.visibility_level
default_value_for :merge_requests_enabled, true default_value_for :issues_enabled, gitlab_config_features.issues
default_value_for :wiki_enabled, true default_value_for :merge_requests_enabled, gitlab_config_features.merge_requests
default_value_for :wiki_enabled, gitlab_config_features.wiki
default_value_for :wall_enabled, false default_value_for :wall_enabled, false
default_value_for :snippets_enabled, true default_value_for :snippets_enabled, gitlab_config_features.snippets
ActsAsTaggableOn.strict_case_match = true ActsAsTaggableOn.strict_case_match = true
...@@ -249,7 +252,7 @@ class Project < ActiveRecord::Base ...@@ -249,7 +252,7 @@ class Project < ActiveRecord::Base
end end
def web_url def web_url
[Gitlab.config.gitlab.url, path_with_namespace].join("/") [gitlab_config.url, path_with_namespace].join("/")
end end
def web_url_without_protocol def web_url_without_protocol
...@@ -470,7 +473,7 @@ class Project < ActiveRecord::Base ...@@ -470,7 +473,7 @@ class Project < ActiveRecord::Base
end end
def http_url_to_repo def http_url_to_repo
[Gitlab.config.gitlab.url, "/", path_with_namespace, ".git"].join('') [gitlab_config.url, "/", path_with_namespace, ".git"].join('')
end end
# Check if current branch name is marked as protected in the system # Check if current branch name is marked as protected in the system
......
...@@ -50,10 +50,15 @@ require 'carrierwave/orm/activerecord' ...@@ -50,10 +50,15 @@ require 'carrierwave/orm/activerecord'
require 'file_size_validator' require 'file_size_validator'
class User < ActiveRecord::Base class User < ActiveRecord::Base
include Gitlab::ConfigHelper
extend Gitlab::ConfigHelper
default_value_for :admin, false default_value_for :admin, false
default_value_for :can_create_group, true default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false default_value_for :hide_no_ssh_key, false
default_value_for :projects_limit, gitlab_config.default_projects_limit
default_value_for :theme_id, gitlab_config.default_theme
devise :database_authenticatable, :token_authenticatable, :lockable, :async, devise :database_authenticatable, :token_authenticatable, :lockable, :async,
:recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
...@@ -211,20 +216,8 @@ class User < ActiveRecord::Base ...@@ -211,20 +216,8 @@ class User < ActiveRecord::Base
where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
end end
def build_user(attrs = {}, options= {}) def build_user(attrs = {})
if options[:as] == :admin User.new(attrs)
User.new(defaults.merge(attrs.symbolize_keys), options)
else
User.new(attrs, options).with_defaults
end
end
def defaults
{
projects_limit: Gitlab.config.gitlab.default_projects_limit,
can_create_group: Gitlab.config.gitlab.default_can_create_group,
theme_id: Gitlab.config.gitlab.default_theme
}
end end
end end
...@@ -302,7 +295,7 @@ class User < ActiveRecord::Base ...@@ -302,7 +295,7 @@ class User < ActiveRecord::Base
end end
def can_change_username? def can_change_username?
Gitlab.config.gitlab.username_changing_enabled gitlab_config.username_changing_enabled
end end
def can_create_project? def can_create_project?
...@@ -477,7 +470,7 @@ class User < ActiveRecord::Base ...@@ -477,7 +470,7 @@ class User < ActiveRecord::Base
def avatar_url(size = nil) def avatar_url(size = nil)
if avatar.present? if avatar.present?
URI::join(Gitlab.config.gitlab.url, avatar.url).to_s URI::join(gitlab_config.url, avatar.url).to_s
else else
GravatarService.new.execute(email, size) GravatarService.new.execute(email, size)
end end
......
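Review bot: `build_user` is now a bare delegate to `User.new(attrs)` with no role-based attribute filtering, so whether attributes such as `admin` or `projects_limit` can be set depends entirely on the caller passing an already-permitted hash, and the method carries no comment saying so. Add `# attrs must already be strong-params permitted: no attribute filtering happens here` above `def build_user`. The class-level `gitlab_config.*` arguments to `default_value_for` are evaluated once when the class body loads, which is worth a comment if operators expect gitlab.yml edits to apply without a restart.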
module Issues module Issues
class UpdateService < Issues::BaseService class UpdateService < Issues::BaseService
def execute(issue) def execute(issue)
state = params.delete('state_event') || params.delete(:state_event) state = params[:state_event]
case state case state
when 'reopen' when 'reopen'
...@@ -10,7 +10,7 @@ module Issues ...@@ -10,7 +10,7 @@ module Issues
Issues::CloseService.new(project, current_user, {}).execute(issue) Issues::CloseService.new(project, current_user, {}).execute(issue)
end end
if params.present? && issue.update_attributes(params) if params.present? && issue.update_attributes(params.except(:state_event))
issue.reset_events_cache issue.reset_events_cache
if issue.previous_changes.include?('milestone_id') if issue.previous_changes.include?('milestone_id')
......
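Review bot: `state = params[:state_event]` and `params.except(:state_event)` only match the old behaviour (`params.delete('state_event') || params.delete(:state_event)`) when `params` has indifferent access; a caller that passes a plain string-keyed Hash would leave `state` nil and pass `state_event` through to `update_attributes`. The same assumption is made in the MergeRequests and Milestones update services in this commit, and for merge requests it also governs the `except!(:source_project_id)` / `except!(:target_project_id)` guard. If the services are meant to accept plain hashes, normalise once with `with_indifferent_access` where the service stores its params; otherwise document on the service that `params` must be an `ActionController::Parameters`. `execute` continues past the end of the hunk.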
...@@ -7,10 +7,10 @@ module MergeRequests ...@@ -7,10 +7,10 @@ module MergeRequests
def execute(merge_request) def execute(merge_request)
# We dont allow change of source/target projects # We dont allow change of source/target projects
# after merge request was created # after merge request was created
params.delete(:source_project_id) params.except!(:source_project_id)
params.delete(:target_project_id) params.except!(:target_project_id)
state = params.delete('state_event') || params.delete(:state_event) state = params[:state_event]
case state case state
when 'reopen' when 'reopen'
...@@ -19,7 +19,7 @@ module MergeRequests ...@@ -19,7 +19,7 @@ module MergeRequests
MergeRequests::CloseService.new(project, current_user, {}).execute(merge_request) MergeRequests::CloseService.new(project, current_user, {}).execute(merge_request)
end end
if params.present? && merge_request.update_attributes(params) if params.present? && merge_request.update_attributes(params.except(:state_event))
merge_request.reset_events_cache merge_request.reset_events_cache
if merge_request.previous_changes.include?('milestone_id') if merge_request.previous_changes.include?('milestone_id')
......
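Review bot: `params.except!(:source_project_id)` and `params.except!(:target_project_id)` mutate the caller's params object in place, while the rest of the method (and the Issues service) uses the non-mutating `except`; the guard described by the comment above them would be both local and independent of who else holds that object if it were expressed at the update: `merge_request.update_attributes(params.except(:state_event, :source_project_id, :target_project_id))`. `execute` continues past the end of the hunk.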
module Milestones module Milestones
class UpdateService < Milestones::BaseService class UpdateService < Milestones::BaseService
def execute(milestone) def execute(milestone)
state = params.delete('state_event') || params.delete(:state_event) state = params[:state_event]
case state case state
when 'activate' when 'activate'
...@@ -11,7 +11,7 @@ module Milestones ...@@ -11,7 +11,7 @@ module Milestones
end end
if params.present? if params.present?
milestone.update_attributes(params) milestone.update_attributes(params.except(:state_event))
end end
milestone milestone
......
...@@ -5,27 +5,13 @@ module Projects ...@@ -5,27 +5,13 @@ module Projects
end end
def execute def execute
# get namespace id @project = Project.new(params)
namespace_id = params.delete(:namespace_id)
# check that user is allowed to set specified visibility_level # Reset visibility levet if is not allowed to set it
unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level]) unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
params.delete(:visibility_level) @project.visibility_level = default_features.visibility_level
end end
# Load default feature settings
default_features = Gitlab.config.gitlab.default_projects_features
default_opts = {
issues_enabled: default_features.issues,
wiki_enabled: default_features.wiki,
snippets_enabled: default_features.snippets,
merge_requests_enabled: default_features.merge_requests,
visibility_level: default_features.visibility_level
}.stringify_keys
@project = Project.new(default_opts.merge(params))
# Parametrize path for project # Parametrize path for project
# #
# Ex. # Ex.
...@@ -33,13 +19,14 @@ module Projects ...@@ -33,13 +19,14 @@ module Projects
# #
@project.path = @project.name.dup.parameterize unless @project.path.present? @project.path = @project.name.dup.parameterize unless @project.path.present?
# get namespace id
namespace_id = params[:namespace_id]
if namespace_id if namespace_id
# Find matching namespace and check if it allowed # Find matching namespace and check if it allowed
# for current user if namespace_id passed. # for current user if namespace_id passed.
if allowed_namespace?(current_user, namespace_id) unless allowed_namespace?(current_user, namespace_id)
@project.namespace_id = namespace_id @project.namespace_id = nil
else
deny_namespace deny_namespace
return @project return @project
end end
......
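Review bot: On the new side `default_features` is no longer defined in `execute` — the local `default_features = Gitlab.config.gitlab.default_projects_features` was removed together with `default_opts` — so unless `BaseService` or a mixin provides it, the branch that resets a disallowed `visibility_level` raises `NameError` on exactly the request that should be downgraded. Either keep the local assignment or include `Gitlab::ConfigHelper` (added in this commit) and use `gitlab_config_features.visibility_level`. The comment on that branch also has a typo; suggest `# Reset visibility level if the user is not allowed to set it`. `execute` continues past the end of the hunk.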
...@@ -12,7 +12,7 @@ module Projects ...@@ -12,7 +12,7 @@ module Projects
class TransferError < StandardError; end class TransferError < StandardError; end
def execute def execute
namespace_id = params.delete(:namespace_id) namespace_id = params[:namespace_id]
namespace = Namespace.find_by(id: namespace_id) namespace = Namespace.find_by(id: namespace_id)
if allowed_transfer?(current_user, project, namespace) if allowed_transfer?(current_user, project, namespace)
......
module Projects module Projects
class UpdateService < BaseService class UpdateService < BaseService
def execute def execute
params.delete(:namespace_id)
# check that user is allowed to set specified visibility_level # check that user is allowed to set specified visibility_level
unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level]) unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
params.delete(:visibility_level) params[:visibility_level] = project.visibility_level
end end
new_branch = params.delete(:default_branch) new_branch = params[:default_branch]
if project.repository.exists? && new_branch && new_branch != project.default_branch if project.repository.exists? && new_branch && new_branch != project.default_branch
project.change_head(new_branch) project.change_head(new_branch)
end end
if project.update_attributes(params) if project.update_attributes(params.except(:default_branch))
if project.previous_changes.include?('namespace_id')
project.send_move_instructions
end
if project.previous_changes.include?('path') if project.previous_changes.include?('path')
project.rename_repo project.rename_repo
end end
......
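Review bot: Dropping `params.delete(:namespace_id)` (and the `send_move_instructions` branch) means a project move through this service is now prevented only by the controller's permit list, which is not in this diff; if `:namespace_id` is permitted there, `update_attributes` changes the namespace without the `allowed_transfer?` check that TransferService applies. Keep the service self-protecting with `if project.update_attributes(params.except(:default_branch, :namespace_id))` so TransferService remains the only path that moves a project. `execute` continues past the end of the hunk.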
...@@ -98,10 +98,14 @@ module API ...@@ -98,10 +98,14 @@ module API
def attributes_for_keys(keys) def attributes_for_keys(keys)
attrs = {} attrs = {}
keys.each do |key| keys.each do |key|
attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false) if params[key].present? or (params.has_key?(key) and params[key] == false)
attrs[key] = params[key]
end
end end
attrs
ActionController::Parameters.new(attrs).permit!
end end
# error helpers # error helpers
......
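Review bot: `ActionController::Parameters.new(attrs).permit!` whitelists by top-level key only — any nested hash or array copied from `params[key]` is permitted wholesale, so an endpoint that lists a key whose value can be a structure gets no nested filtering; a comment on the method stating that callers are responsible for scalar-only keys, or a `permit(*keys)` call (which permits scalar values only), would make that explicit. The rewritten condition also keeps `or`/`and`, which bind looser than `=` and are a RuboCop offence; prefer `if params[key].present? || (params.has_key?(key) && params[key] == false)`.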
...@@ -59,7 +59,7 @@ module API ...@@ -59,7 +59,7 @@ module API
authenticated_as_admin! authenticated_as_admin!
required_attributes! [:email, :password, :name, :username] required_attributes! [:email, :password, :name, :username]
attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin] attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
user = User.build_user(attrs, as: :admin) user = User.build_user(attrs)
admin = attrs.delete(:admin) admin = attrs.delete(:admin)
user.admin = admin unless admin.nil? user.admin = admin unless admin.nil?
if user.save if user.save
......
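Review bot: With `attributes_for_keys` now returning a permitted hash, `User.build_user(attrs)` already mass-assigns `admin`, so the `attrs.delete(:admin)` / `user.admin = admin unless admin.nil?` pair that follows is redundant rather than the gate it used to be under `as: :admin`. Either drop the two lines or move the `delete` above `build_user` so the flag is set in exactly one place; the endpoint stays admin-only through `authenticated_as_admin!`. The enclosing endpoint block starts and ends outside this hunk.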
module Gitlab::ConfigHelper
def gitlab_config_features
Gitlab.config.gitlab.default_projects_features
end
def gitlab_config
Gitlab.config.gitlab
end
end
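Review bot: `Gitlab::ConfigHelper` is a new module with no documentation, and it is consumed both via `include` (instance methods) and `extend` (class-body `default_value_for` calls) in `Project` and `User`. Add a module comment such as `# Shortcuts for Gitlab.config.gitlab; include for instance access, extend for class-body use (e.g. default_value_for).` and a `# @return` line on each method. The comment should also say that class-body callers evaluate the result once at load time, so those defaults do not follow later config changes.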
...@@ -27,7 +27,7 @@ module Gitlab ...@@ -27,7 +27,7 @@ module Gitlab
password_confirmation: password, password_confirmation: password,
} }
user = model.build_user(opts, as: :admin) user = model.build_user(opts)
user.skip_confirmation! user.skip_confirmation!
# Services like twitter and github does not return email via oauth # Services like twitter and github does not return email via oauth
......