Merge pull request #2759 from evazion/fix-dmail-filters

Don't filter dmails from moderators; fix dmail filter exploit.

app/controllers/maintenance/user/dmail_filters_controller.rb

@@ -3,6 +3,7 @@ module Maintenance
     class DmailFiltersController < ApplicationController
       before_filter :ensure_ownership
       before_filter :member_only
+      respond_to :html, :json, :xml
 
       def edit
         @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
@@ -10,9 +11,9 @@ module Maintenance
 
       def update
         @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
-        @dmail_filter.update_attributes(params[:dmail_filter])
+        @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
         flash[:notice] = "Filter updated"
-        redirect_to(dmail_path(@dmail.id))
+        respond_with(@dmail)
       end
 
     private

app/models/dmail_filter.rb

@@ -1,6 +1,6 @@
 class DmailFilter < ActiveRecord::Base
   belongs_to :user
-  attr_accessible :user_id, :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
+  attr_accessible :words, :as => [:moderator, :janitor, :gold, :member, :anonymous, :default, :builder, :admin]
   validates_presence_of :user
   before_validation :initialize_user
 
@@ -11,7 +11,7 @@ class DmailFilter < ActiveRecord::Base
   end
 
   def filtered?(dmail)
-    dmail.from.level <= User::Levels::MODERATOR && has_filter? && (dmail.body =~ regexp || dmail.title =~ regexp || dmail.from.name =~ regexp)
+    dmail.from.level < User::Levels::MODERATOR && has_filter? && (dmail.body =~ regexp || dmail.title =~ regexp || dmail.from.name =~ regexp)
   end
 
   def has_filter?