From: Mo Morsi <[email protected]>

  Note this patch requires rails 3.2 to work (which will be in Fedora soon [1])

  This changes the application so that no mass assignments are permitted by
default.

  I added the necessary model changes so that things should be working again
with the current mass assignments in place in the application (specs pass
after this patch)

  Obviously this still doesn't solve the mass assignment issue, but the items 
that should
  be removed and explicitly set are marked with comments and thus we can tackle 
them one
  by one in the various areas that they need to be set explicitly in the 
application

[1] http://lists.fedoraproject.org/pipermail/ruby-sig/2012-July/001077.html
---
 src/app/models/session_entity.rb | 3 +++
 src/app/models/user.rb           | 2 ++
 src/app/models/view_state.rb     | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/src/app/models/session_entity.rb b/src/app/models/session_entity.rb
index 98ac974..9a2d23a 100644
--- a/src/app/models/session_entity.rb
+++ b/src/app/models/session_entity.rb
@@ -19,6 +19,9 @@ class SessionEntity < ActiveRecord::Base
   belongs_to :entity
   belongs_to :permission_session
 
+  attr_accessible :user, :session, :entity,
+                  :user_id, :session_id, :entity_id
+
   validates_presence_of :user_id
   validates_presence_of :permission_session_id
   validates_presence_of :entity_id
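Review bot: The added whitelist names `:session` and `:session_id`, but the association just above it is `belongs_to :permission_session` and the validation below checks `:permission_session_id`, so the foreign key this model actually uses is not made accessible and any mass assignment of it will be dropped or rejected by the sanitizer, after which `validates_presence_of :permission_session_id` fails. If the intent is to keep current call sites working, the lines should read `attr_accessible :user, :permission_session, :entity,` / `                :user_id, :permission_session_id, :entity_id`; given the description's stated goal, leaving the owning `user`/`user_id` out of the whitelist and setting it explicitly would be the safer end state. The class body continues outside the hunk.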
diff --git a/src/app/models/user.rb b/src/app/models/user.rb
index 5db8e95..937abd1 100644
--- a/src/app/models/user.rb
+++ b/src/app/models/user.rb
@@ -77,6 +77,8 @@ class User < ActiveRecord::Base
   before_validation :strip_whitespace
   after_save :update_entity
 
+  attr_accessible :login, :password, :password_confirmation, :first_name, 
:last_name, :quota, :email, :ignore_password
+
   validate :validate_ldap_changes, :if => Proc.new {|user|
     !user.new_record? && SETTINGS_CONFIG[:auth][:strategy] == "ldap"}
   validates_presence_of :quota
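Review bot: `:quota` and `:ignore_password` are in the added whitelist, so any controller that builds or updates a User from a request hash can set that user's quota or, presumably, skip password validation; the description says such items would be marked with comments, but this hunk carries none. Suggest dropping both from the list and assigning them explicitly where they are managed, or at minimum adding `# TODO: remove :quota and :ignore_password from the whitelist; set explicitly` above the attr_accessible line. The attr_accessible line also carries trailing whitespace after `:first_name,` and is wrapped across a second line in this mail, so confirm the patch applies cleanly. The class body continues outside the hunk.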
diff --git a/src/app/models/view_state.rb b/src/app/models/view_state.rb
index bc1f0fe..bfa2171 100644
--- a/src/app/models/view_state.rb
+++ b/src/app/models/view_state.rb
@@ -33,6 +33,8 @@ class ViewState < ActiveRecord::Base
   self.primary_key = :uuid
   belongs_to :user
 
+  attr_accessible :name, :controller, :action, :station, :association
+
   validates_presence_of :name
   validates_uniqueness_of :name
   validates_presence_of :user_id
-- 
1.7.11.4
