Commit 0439387b authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #1567 from NARKOZ/mass-assignment

set activerecord whitelist_attributes to true [2]
parents dddb5b5d 83efcabc
class Event < ActiveRecord::Base class Event < ActiveRecord::Base
include PushEvent include PushEvent
attr_accessible :project, :action, :data, :author_id, :project_id,
:target_id, :target_type
default_scope where("author_id IS NOT NULL") default_scope where("author_id IS NOT NULL")
Created = 1 Created = 1
......
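Review bot: `author_id` and `project_id` become mass-assignable on `Event` at the new `attr_accessible` line, which is the opposite of what every other model in this commit does with its foreign keys. That is only safe if `Event` records are built exclusively by trusted server-side code (the `PushEvent` include suggests so, but no caller is visible here); an `Event.new(params[...])` anywhere would let a request forge attribution to another user or project, and with `target_type` whitelisted the polymorphic target class name would be request-controlled as well. If events are never built from request parameters, say so next to the whitelist: `# author_id/project_id/target_type are whitelisted only because events are created by server-side code, never from request params`.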
...@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base ...@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
include IssueCommonality include IssueCommonality
include Votes include Votes
attr_accessible :title, :assignee_id, :closed, :position, :description,
:milestone_id, :label_list, :author_id_of_changes
acts_as_taggable_on :labels acts_as_taggable_on :labels
belongs_to :milestone belongs_to :milestone
......
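Review bot: `assignee_id` and `milestone_id` are whitelisted at the new `attr_accessible` line with no visible check that the referenced records belong to the issue's project, so a request could point an issue at another project's milestone or at a user who is not a member. If such a validation already lives elsewhere in `Issue` or `IssueCommonality` it is outside this hunk; otherwise consider `validate { errors.add(:milestone_id, "must belong to this project") if milestone && milestone.project_id != project_id }` and the equivalent membership check for `assignee_id`. The spec added in this commit only asserts that `author_id`/`project_id` are protected and would not catch this.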
...@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base ...@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
belongs_to :user belongs_to :user
belongs_to :project belongs_to :project
attr_protected :user_id attr_accessible :key, :title
validates :title, validates :title,
presence: true, presence: true,
......
...@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base ...@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
include IssueCommonality include IssueCommonality
include Votes include Votes
attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
:author_id_of_changes
BROKEN_DIFF = "--broken-diff" BROKEN_DIFF = "--broken-diff"
UNCHECKED = 1 UNCHECKED = 1
...@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base ...@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
end end
def mark_as_unchecked def mark_as_unchecked
self.update_attributes(state: UNCHECKED) self.state = UNCHECKED
self.save
end end
def can_be_merged? def can_be_merged?
......
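Review bot: `source_branch` and `target_branch` are mass-assignable at the new `attr_accessible` line, and the only constraint visible in this commit is the presence validation of `source_branch` in the spec; if these strings reach git commands or ref lookups elsewhere in the class (not visible here), they should be validated as existing refs of the project rather than accepted as free-form text, since a crafted name beginning with `-` or containing `..` is the usual route from a branch parameter to an argument or path injection. A validation that compares the submitted name against the project's actual branch list, using whatever helper the repository layer already exposes, would close this without touching the controllers. Documenting the expectation at the whitelist would help too: `# branch names must be validated against the project's refs before use in git operations`.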
...@@ -13,6 +13,8 @@ ...@@ -13,6 +13,8 @@
# #
class Milestone < ActiveRecord::Base class Milestone < ActiveRecord::Base
attr_accessible :title, :description, :due_date, :closed
belongs_to :project belongs_to :project
has_many :issues has_many :issues
......
...@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord' ...@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
require 'file_size_validator' require 'file_size_validator'
class Note < ActiveRecord::Base class Note < ActiveRecord::Base
attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
:attachment, :line_code
belongs_to :project belongs_to :project
belongs_to :noteable, polymorphic: true belongs_to :noteable, polymorphic: true
belongs_to :author, belongs_to :author,
...@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base ...@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
to: :author, to: :author,
prefix: true prefix: true
attr_protected :author, :author_id
attr_accessor :notify attr_accessor :notify
attr_accessor :notify_author attr_accessor :notify_author
......
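Review bot: `project_id`, `noteable_id`, `noteable_type` and the `noteable` association itself are all whitelisted at the new `attr_accessible` line, so unless the controller overwrites them after assignment a request can attach a note to a record in another project, and — because `belongs_to :noteable, polymorphic: true` constantizes the type column — choose an arbitrary class name for `noteable_type`. The spec added for `Note` only asserts that `author`/`author_id` are protected. Consider dropping `project_id` from the list and setting it from the routed project, and constraining the type with `validates :noteable_type, inclusion: { in: %w[...] }` filled with the classes that actually declare `has_many :notes, as: :noteable` (`Snippet` and `Wiki` are the ones visible in this diff).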
...@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base ...@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
include Authority include Authority
include Team include Team
attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
:wall_enabled, :merge_requests_enabled, :wiki_enabled
# #
# Relations # Relations
# #
...@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base ...@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
attr_accessor :error_code attr_accessor :error_code
#
# Protected attributes
#
attr_protected :private_flag, :owner_id
# #
# Scopes # Scopes
# #
......
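Review bot: `path`, `code` and `default_branch` are whitelisted at the new `attr_accessible` line; `path` is what names the repository on disk, and with the `attr_protected` block deleted the whitelist is now the only barrier between a request and these fields, so the format validations for them must live elsewhere in `Project` (not in this hunk) — please confirm they anchor with `\A`/`\z` and reject `..`, `/` and a leading `-`. The deleted "Protected attributes" comment was also the only place recording why `private_flag` and `owner_id` are off-limits; restore that intent next to the whitelist: `# private_flag and owner_id are intentionally not mass-assignable; set them explicitly from the authenticated user`.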
class ProtectedBranch < ActiveRecord::Base class ProtectedBranch < ActiveRecord::Base
include GitHost include GitHost
attr_accessible :name
belongs_to :project belongs_to :project
validates_presence_of :project_id validates_presence_of :project_id
validates_presence_of :name validates_presence_of :name
......
class Snippet < ActiveRecord::Base class Snippet < ActiveRecord::Base
include Linguist::BlobHelper include Linguist::BlobHelper
attr_accessible :title, :content, :file_name, :expires_at
belongs_to :project belongs_to :project
belongs_to :author, class_name: "User" belongs_to :author, class_name: "User"
has_many :notes, as: :noteable, dependent: :destroy has_many :notes, as: :noteable, dependent: :destroy
...@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base ...@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
:email, :email,
to: :author, to: :author,
prefix: true prefix: true
attr_protected :author, :author_id, :project, :project_id
validates_presence_of :project_id validates_presence_of :project_id
validates_presence_of :author_id validates_presence_of :author_id
......
...@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base ...@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
DEVELOPER = 30 DEVELOPER = 30
MASTER = 40 MASTER = 40
attr_accessible :user, :user_id, :project_access
belongs_to :user belongs_to :user
belongs_to :project belongs_to :project
attr_protected :project_id, :project
after_save :update_repository after_save :update_repository
after_destroy :update_repository after_destroy :update_repository
......
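Review bot: `project_access` — the membership's privilege level (`DEVELOPER`, `MASTER` above) — is mass-assignable at the new `attr_accessible` line with no role scoping, so any request that reaches an `update_attributes` on a membership can raise its own or another member's access level unless the controller strips it. The `User` model in this same commit guards its privileged field `projects_limit` behind a mass-assignment role (`as: :admin`, per the spec); the same pattern fits here, e.g. `attr_accessible :user, :user_id` for the default role and `attr_accessible :user, :user_id, :project_access, as: :admin`, with the role name matching whatever the membership controllers pass. The added spec only covers `project_id`; `it { should_not allow_mass_assignment_of(:project_access) }` would lock the decision in.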
class WebHook < ActiveRecord::Base class WebHook < ActiveRecord::Base
include HTTParty include HTTParty
attr_accessible :url
# HTTParty timeout # HTTParty timeout
default_timeout 10 default_timeout 10
......
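Review bot: `url` is the only attribute whitelisted at the new `attr_accessible` line, which is right, but nothing visible constrains the value beyond the presence check in the `ProjectHook` spec, and since this model `include HTTParty` to call the hook from the server, a URL pointing at `127.0.0.1`, a link-local metadata address or an internal host is a server-side request forgery vector. As a minimum restrict the scheme, `validates :url, format: { with: %r{\Ahttps?://\S+\z} }`, and consider a host deny-list for loopback/private ranges; document the trust decision next to the whitelist: `# url is user-supplied and fetched by the server: restrict scheme/host to limit SSRF`.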
class Wiki < ActiveRecord::Base class Wiki < ActiveRecord::Base
attr_accessible :title, :content, :slug
belongs_to :project belongs_to :project
belongs_to :user belongs_to :user
has_many :notes, as: :noteable, dependent: :destroy has_many :notes, as: :noteable, dependent: :destroy
......
...@@ -3,8 +3,6 @@ module IssueCommonality ...@@ -3,8 +3,6 @@ module IssueCommonality
extend ActiveSupport::Concern extend ActiveSupport::Concern
included do included do
attr_protected :author, :author_id, :project, :project_id
belongs_to :project belongs_to :project
belongs_to :author, class_name: "User" belongs_to :author, class_name: "User"
belongs_to :assignee, class_name: "User" belongs_to :assignee, class_name: "User"
......
...@@ -39,6 +39,12 @@ module Gitlab ...@@ -39,6 +39,12 @@ module Gitlab
# Configure sensitive parameters which will be filtered from the log file. # Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password] config.filter_parameters += [:password]
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
config.active_record.whitelist_attributes = true
# Enable the asset pipeline # Enable the asset pipeline
config.assets.enabled = true config.assets.enabled = true
......
...@@ -34,6 +34,9 @@ Gitlab::Application.configure do ...@@ -34,6 +34,9 @@ Gitlab::Application.configure do
# like if you have constraints or database-specific column types # like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql # config.active_record.schema_format = :sql
# Raise exception on mass assignment protection for Active Record models
# config.active_record.mass_assignment_sanitizer = :strict
# Print deprecation notices to the stderr # Print deprecation notices to the stderr
config.active_support.deprecation = :stderr config.active_support.deprecation = :stderr
......
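Review bot: the sanitizer setting is added commented out, `# config.active_record.mass_assignment_sanitizer = :strict`, so in this environment (test, judging from the surrounding `deprecation = :stderr` line) an attempt to mass-assign a protected attribute is logged and silently dropped instead of raising. A controller that still passes `author_id` or `project_id` through `update_attributes` would therefore not fail any spec — the new `should_not allow_mass_assignment_of` matchers check the model declaration, not the call sites. Uncomment it, `config.active_record.mass_assignment_sanitizer = :strict`, here and ideally in development as well, so stray assignments surface during the test run.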
...@@ -30,7 +30,7 @@ module Gitlab ...@@ -30,7 +30,7 @@ module Gitlab
log.info "#{ldap_prefix}Creating user from #{provider} login"\ log.info "#{ldap_prefix}Creating user from #{provider} login"\
" {uid => #{uid}, name => #{name}, email => #{email}}" " {uid => #{uid}, name => #{name}, email => #{email}}"
password = Devise.friendly_token[0, 8].downcase password = Devise.friendly_token[0, 8].downcase
@user = User.new( @user = User.new({
extern_uid: uid, extern_uid: uid,
provider: provider, provider: provider,
name: name, name: name,
...@@ -38,7 +38,7 @@ module Gitlab ...@@ -38,7 +38,7 @@ module Gitlab
password: password, password: password,
password_confirmation: password, password_confirmation: password,
projects_limit: Gitlab.config.default_projects_limit, projects_limit: Gitlab.config.default_projects_limit,
) }, as: :admin)
if Gitlab.config.omniauth['block_auto_created_users'] && !ldap if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
@user.blocked = true @user.blocked = true
end end
......
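Review bot: the `as: :admin` added to `User.new({ ... }, as: :admin)` reads as though the auto-created user is being made an administrator, when — judging from the `User` spec in this commit — it only selects the mass-assignment role so that `projects_limit` can be set; a one-line comment would prevent that misreading: `# as: :admin picks the mass-assignment role (projects_limit is admin-role-only); it does not grant admin rights`. Every key in the hash is spelled out explicitly, so no provider-supplied key rides in under the wider role — worth preserving if this hash is ever built from the raw auth payload. The enclosing method begins before and continues past this hunk.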
...@@ -5,6 +5,11 @@ describe Issue do ...@@ -5,6 +5,11 @@ describe Issue do
it { should belong_to(:milestone) } it { should belong_to(:milestone) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do describe "Validation" do
it { should ensure_length_of(:description).is_within(0..2000) } it { should ensure_length_of(:description).is_within(0..2000) }
it { should ensure_inclusion_of(:closed).in_array([true, false]) } it { should ensure_inclusion_of(:closed).in_array([true, false]) }
......
...@@ -6,6 +6,11 @@ describe Key do ...@@ -6,6 +6,11 @@ describe Key do
it { should belong_to(:project) } it { should belong_to(:project) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
it { should_not allow_mass_assignment_of(:user_id) }
end
describe "Validation" do describe "Validation" do
it { should validate_presence_of(:title) } it { should validate_presence_of(:title) }
it { should validate_presence_of(:key) } it { should validate_presence_of(:key) }
......
...@@ -6,6 +6,11 @@ describe MergeRequest do ...@@ -6,6 +6,11 @@ describe MergeRequest do
it { should validate_presence_of(:source_branch) } it { should validate_presence_of(:source_branch) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe 'modules' do describe 'modules' do
it { should include_module(IssueCommonality) } it { should include_module(IssueCommonality) }
it { should include_module(Votes) } it { should include_module(Votes) }
......
...@@ -6,6 +6,10 @@ describe Milestone do ...@@ -6,6 +6,10 @@ describe Milestone do
it { should have_many(:issues) } it { should have_many(:issues) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do describe "Validation" do
it { should validate_presence_of(:title) } it { should validate_presence_of(:title) }
it { should validate_presence_of(:project_id) } it { should validate_presence_of(:project_id) }
......
...@@ -7,6 +7,11 @@ describe Note do ...@@ -7,6 +7,11 @@ describe Note do
it { should belong_to(:author).class_name('User') } it { should belong_to(:author).class_name('User') }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author) }
it { should_not allow_mass_assignment_of(:author_id) }
end
describe "Validation" do describe "Validation" do
it { should validate_presence_of(:note) } it { should validate_presence_of(:note) }
it { should validate_presence_of(:project) } it { should validate_presence_of(:project) }
......
...@@ -17,6 +17,11 @@ describe Project do ...@@ -17,6 +17,11 @@ describe Project do
it { should have_many(:protected_branches).dependent(:destroy) } it { should have_many(:protected_branches).dependent(:destroy) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:owner_id) }
it { should_not allow_mass_assignment_of(:private_flag) }
end
describe "Validation" do describe "Validation" do
let!(:project) { create(:project) } let!(:project) { create(:project) }
......
...@@ -5,6 +5,10 @@ describe ProtectedBranch do ...@@ -5,6 +5,10 @@ describe ProtectedBranch do
it { should belong_to(:project) } it { should belong_to(:project) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe 'Validation' do describe 'Validation' do
it { should validate_presence_of(:project_id) } it { should validate_presence_of(:project_id) }
it { should validate_presence_of(:name) } it { should validate_presence_of(:name) }
......
...@@ -7,6 +7,11 @@ describe Snippet do ...@@ -7,6 +7,11 @@ describe Snippet do
it { should have_many(:notes).dependent(:destroy) } it { should have_many(:notes).dependent(:destroy) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:author_id) }
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do describe "Validation" do
it { should validate_presence_of(:author_id) } it { should validate_presence_of(:author_id) }
it { should validate_presence_of(:project_id) } it { should validate_presence_of(:project_id) }
......
...@@ -15,6 +15,11 @@ describe User do ...@@ -15,6 +15,11 @@ describe User do
it { should have_many(:assigned_merge_requests).dependent(:destroy) } it { should have_many(:assigned_merge_requests).dependent(:destroy) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:projects_limit) }
it { should allow_mass_assignment_of(:projects_limit).as(:admin) }
end
describe 'validations' do describe 'validations' do
it { should validate_presence_of(:projects_limit) } it { should validate_presence_of(:projects_limit) }
it { should validate_numericality_of(:projects_limit) } it { should validate_numericality_of(:projects_limit) }
...@@ -73,30 +78,4 @@ describe User do ...@@ -73,30 +78,4 @@ describe User do
user.authentication_token.should_not be_blank user.authentication_token.should_not be_blank
end end
end end
describe "attributes can be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
end
it { @user.skype.should == 'testskype' }
it { @user.linkedin.should == 'testlinkedin' }
end
describe "attributes that shouldn't be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(projects_limit: 50)
end
it { @user.projects_limit.should_not == 50 }
end
describe "attributes can be changed by an admin user" do
before do
@admin_user = Factory :admin
@admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
end
it { @admin_user.skype.should == 'testskype' }
it { @admin_user.projects_limit.should == 50 }
end
end end
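Review bot: replacing the three `update_attributes`-based examples with matchers drops the only positive check that ordinary profile fields remain assignable — the new block asserts `projects_limit` is admin-only, but no longer verifies that `skype`/`linkedin` can still be mass-assigned by a regular user, so an over-tight whitelist in `User` (whose `attr_accessible` line is not in this diff) would go unnoticed. Add `it { should allow_mass_assignment_of(:skype) }` and `it { should allow_mass_assignment_of(:linkedin) }` next to the existing matchers to keep that coverage.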
...@@ -6,6 +6,10 @@ describe UsersProject do ...@@ -6,6 +6,10 @@ describe UsersProject do
it { should belong_to(:user) } it { should belong_to(:user) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validation" do describe "Validation" do
let!(:users_project) { create(:users_project) } let!(:users_project) { create(:users_project) }
......
...@@ -5,6 +5,10 @@ describe ProjectHook do ...@@ -5,6 +5,10 @@ describe ProjectHook do
it { should belong_to :project } it { should belong_to :project }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
end
describe "Validations" do describe "Validations" do
it { should validate_presence_of(:url) } it { should validate_presence_of(:url) }
......
...@@ -7,6 +7,11 @@ describe Wiki do ...@@ -7,6 +7,11 @@ describe Wiki do
it { should have_many(:notes).dependent(:destroy) } it { should have_many(:notes).dependent(:destroy) }
end end
describe "Mass assignment" do
it { should_not allow_mass_assignment_of(:project_id) }
it { should_not allow_mass_assignment_of(:user_id) }
end
describe "Validation" do describe "Validation" do
it { should validate_presence_of(:title) } it { should validate_presence_of(:title) }
it { should ensure_length_of(:title).is_within(1..250) } it { should ensure_length_of(:title).is_within(1..250) }
......