Fix hidden attribute leaks in legacy post controller (#3237).

2017-07-24 20:33:06 -05:00
parent f2bf756422
commit 67528ce5ab
4 changed files with 15 additions and 10 deletions
--- a/app/controllers/legacy_controller.rb
+++ b/app/controllers/legacy_controller.rb
@@ -1,9 +1,21 @@
 class LegacyController < ApplicationController
  before_filter :member_only, :only => [:create_post]
+  respond_to :json, :xml

  def posts
    @post_set = PostSets::Post.new(tag_query, params[:page], params[:limit], format: "json")
-    @posts = @post_set.posts
+    @posts = @post_set.posts.map(&:legacy_attributes)
+
+    respond_with(@posts) do |format|
+      format.xml do
+        xml = Builder::XmlMarkup.new(indent: 2)
+        xml.instruct!
+        xml.posts do
+          @posts.each { |attrs| xml.post(attrs) }
+        end
+        render xml: xml.target!
+      end
+    end
  end

  def create_post