jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3204 from evazion/fix-3203

Browse Source 
Fix #3203: Overly restrictive permissions
This commit is contained in:
Albert Yi
2017-07-07 18:59:13 -07:00
committed by GitHub
parent df33901938 24b2f2bf52
commit 1cc9abc2db
20 changed files with 72 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/controllers/artists_controller.rb
View File

@@ -1,6 +1,6 @@
class ArtistsController < ApplicationController class ArtistsController < ApplicationController
respond_to :html, :xml, :json respond_to :html, :xml, :json
before_filter :member_only, :except => [:index, :show, :banned] before_filter :member_only, :except => [:index, :show, :show_or_new, :banned]
before_filter :builder_only, :only => [:destroy] before_filter :builder_only, :only => [:destroy]
before_filter :admin_only, :only => [:ban, :unban] before_filter :admin_only, :only => [:ban, :unban]
before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete] before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
@@ -93,7 +93,9 @@ class ArtistsController < ApplicationController
if @artist if @artist
redirect_to artist_path(@artist) redirect_to artist_path(@artist)
else else
redirect_to new_artist_path(:name => params[:name]) @artist = Artist.new(name: params[:name])
@post_set = PostSets::Artist.new(@artist)
respond_with(@artist)
end end
end end

2
app/controllers/bulk_update_requests_controller.rb
View File

@@ -1,6 +1,6 @@
class BulkUpdateRequestsController < ApplicationController class BulkUpdateRequestsController < ApplicationController
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js
before_filter :member_only before_filter :member_only, :except => [:index, :show]
before_filter :admin_only, :only => [:approve] before_filter :admin_only, :only => [:approve]
before_filter :load_bulk_update_request, :except => [:new, :create, :index] before_filter :load_bulk_update_request, :except => [:new, :create, :index]

2
app/controllers/dmails_controller.rb
View File

@@ -1,6 +1,6 @@
class DmailsController < ApplicationController class DmailsController < ApplicationController
respond_to :html, :xml, :json respond_to :html, :xml, :json
before_filter :member_only before_filter :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
def new def new
if params[:respond_to_id] if params[:respond_to_id]

2
app/controllers/favorites_controller.rb
View File

@@ -1,5 +1,5 @@
class FavoritesController < ApplicationController class FavoritesController < ApplicationController
before_filter :member_only before_filter :member_only, except: [:index]
respond_to :html, :xml, :json respond_to :html, :xml, :json
skip_before_filter :api_check skip_before_filter :api_check

2
app/controllers/forum_posts_controller.rb
View File

@@ -1,6 +1,6 @@
class ForumPostsController < ApplicationController class ForumPostsController < ApplicationController
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show] before_filter :member_only, :except => [:index, :show, :search]
before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete] before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete] before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
skip_before_filter :api_check skip_before_filter :api_check

1
app/controllers/iqdb_queries_controller.rb
View File

@@ -1,6 +1,5 @@
# todo: move this to iqdbs # todo: move this to iqdbs
class IqdbQueriesController < ApplicationController class IqdbQueriesController < ApplicationController
before_filter :member_only
respond_to :html, :json, :xml respond_to :html, :json, :xml
def index def index

1
app/controllers/maintenance/user/api_keys_controller.rb
View File

@@ -1,7 +1,6 @@
module Maintenance module Maintenance
module User module User
class ApiKeysController < ApplicationController class ApiKeysController < ApplicationController
before_filter :member_only
before_filter :check_privilege before_filter :check_privilege
before_filter :authenticate!, :except => [:show] before_filter :authenticate!, :except => [:show]
rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed

1
app/controllers/maintenance/user/dmail_filters_controller.rb
View File

@@ -2,7 +2,6 @@ module Maintenance
module User module User
class DmailFiltersController < ApplicationController class DmailFiltersController < ApplicationController
before_filter :ensure_ownership before_filter :ensure_ownership
before_filter :member_only
respond_to :html, :json, :xml respond_to :html, :json, :xml
def edit def edit

2
app/controllers/notes_controller.rb
View File

@@ -1,6 +1,6 @@
class NotesController < ApplicationController class NotesController < ApplicationController
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show] before_filter :member_only, :except => [:index, :show, :search]
def search def search
end end

2
app/controllers/reports_controller.rb
View File

@@ -1,5 +1,5 @@
class ReportsController < ApplicationController class ReportsController < ApplicationController
before_filter :member_only before_filter :member_only, :except => [:upload_tags]
before_filter :gold_only, :only => [:similar_users] before_filter :gold_only, :only => [:similar_users]
before_filter :moderator_only, :only => [:post_versions, :post_versions_create] before_filter :moderator_only, :only => [:post_versions, :post_versions_create]

1
app/controllers/saved_searches_controller.rb
View File

@@ -1,5 +1,4 @@
class SavedSearchesController < ApplicationController class SavedSearchesController < ApplicationController
before_filter :member_only
before_filter :check_availability before_filter :check_availability
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js

2
app/controllers/uploads_controller.rb
View File

@@ -1,5 +1,5 @@
class UploadsController < ApplicationController class UploadsController < ApplicationController
before_filter :member_only before_filter :member_only, except: [:index, :show]
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js
def new def new

1
app/controllers/users_controller.rb
View File

@@ -1,6 +1,5 @@
class UsersController < ApplicationController class UsersController < ApplicationController
respond_to :html, :xml, :json respond_to :html, :xml, :json
before_filter :member_only, :only => [:edit, :update]
skip_before_filter :api_check skip_before_filter :api_check
def new def new

5
app/controllers/wiki_pages_controller.rb
View File

@@ -1,6 +1,6 @@
class WikiPagesController < ApplicationController class WikiPagesController < ApplicationController
respond_to :html, :xml, :json, :js respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show, :show_or_new] before_filter :member_only, :except => [:index, :search, :show, :show_or_new]
before_filter :builder_only, :only => [:destroy] before_filter :builder_only, :only => [:destroy]
before_filter :normalize_search_params, :only => [:index] before_filter :normalize_search_params, :only => [:index]
@@ -32,6 +32,9 @@ class WikiPagesController < ApplicationController
end end
end end
def search
end
def show def show
if params[:id] =~ /\A\d+\Z/ if params[:id] =~ /\A\d+\Z/
@wiki_page = WikiPage.find(params[:id]) @wiki_page = WikiPage.find(params[:id])

28
app/views/artists/_show.html.erb Normal file
View File

@@ -0,0 +1,28 @@
<div id="c-artists">
<div id="a-show">
<h1>Artist: <%= link_to @artist.pretty_name, posts_path(:tags => @artist.name), :class => "tag-type-#{@artist.category_name}" %></h1>
<% if @artist.notes.present? && @artist.visible? %>
<div class="prose">
<%= format_text(@artist.notes, :ragel => true, :disable_mentions => true) %>
</div>
<p><%= link_to "View wiki page", @artist.wiki_page %></p>
<% end %>
<%= yield %>
<div class="recent-posts">
<h1>Recent Posts</h1>
<div style="margin: 1em 0;">
<%= @post_set.presenter.post_previews_html(self) %>
</div>
</div>
<%= render "secondary_links" %>
</div>
</div>
<% content_for(:page_title) do %>
Artist - <%= @artist.name %> - <%= Danbooru.config.app_name %>
<% end %>

40
app/views/artists/show.html.erb
View File

@@ -1,35 +1,9 @@
<div id="c-artists"> <%= render layout: "show" do %>
<div id="a-show"> <% if @artist.visible? %>
<h1>Artist: <%= link_to @artist.pretty_name, posts_path(:tags => @artist.name), :class => "tag-type-#{@artist.category_name}" %></h1> <div>
<%= render "summary", artist: @artist %>
<% if @artist.notes.present? && @artist.visible? %>
<div class="prose">
<%= format_text(@artist.notes, :ragel => true, :disable_mentions => true) %>
</div>
<p><%= link_to "View wiki page", @artist.wiki_page %></p>
<% end %>
<% if @artist.visible? %>
<div>
<%= render "summary", artist: @artist %>
</div>
<% else %>
<p>The artist requested removal of this page.</p>
<% end %>
<div class="recent-posts">
<h1>Recent Posts</h1>
<div style="margin: 1em 0;">
<%= @post_set.presenter.post_previews_html(self) %>
</div>
</div> </div>
<% else %>
<%= render "secondary_links" %> <p>The artist requested removal of this page.</p>
</div> <% end %>
</div>
<% content_for(:page_title) do %>
Artist - <%= @artist.name %> - <%= Danbooru.config.app_name %>
<% end %> <% end %>

5
app/views/artists/show_or_new.html.erb Normal file
View File

@@ -0,0 +1,5 @@
<%= render layout: "show" do %>
<div>
<p>This artist entry does not exist. <%= link_to "Create new artist entry", new_artist_path(name: params[:name]) %>.</p>
</div>
<% end %>

2
test/functional/artists_controller_test.rb
View File

@@ -42,7 +42,7 @@ class ArtistsControllerTest < ActionController::TestCase
assert_redirected_to(@masao) assert_redirected_to(@masao)
get :show_or_new, { name: "nobody" }, { user_id: @user.id } get :show_or_new, { name: "nobody" }, { user_id: @user.id }
assert_redirected_to(new_artist_path(name: "nobody")) assert_response :success
end end
should "get the edit page" do should "get the edit page" do

7
test/functional/dmails_controller_test.rb
View File

@@ -62,6 +62,13 @@ class DmailsControllerTest < ActionController::TestCase
assert_response :success assert_response :success
assert_equal(0, assigns[:dmails].size) assert_equal(0, assigns[:dmails].size)
end end
should "work for banned users" do
ban = FactoryGirl.create(:ban, :user => @user, :banner => FactoryGirl.create(:admin_user))
get :index, {:search => {:owner_id => @dmail.owner_id, :folder => "sent"}}, {:user_id => @dmail.owner_id}
assert_response :success
end
end end
context "show action" do context "show action" do

9
test/functional/users_controller_test.rb
View File

@@ -124,6 +124,15 @@ class UsersControllerTest < ActionController::TestCase
assert_equal(20, @user.level) assert_equal(20, @user.level)
end end
end end
context "for a banned user" do
should "allow the user to edit their settings" do
@user = FactoryGirl.create(:banned_user)
post :update, {:id => @user.id, :user => {:favorite_tags => "xyz"}}, {:user_id => @user.id}
assert_equal("xyz", @user.reload.favorite_tags)
end
end
end end
end end
end end