Fix mass assignment vuln to tag alias/implication status (2704).

2016-10-11 07:58:08 +00:00
parent 789dede893
commit 7e3284c87f
4 changed files with 18 additions and 4 deletions
--- a/app/models/tag_alias.rb
+++ b/app/models/tag_alias.rb
@@ -19,7 +19,8 @@ class TagAlias < ActiveRecord::Base
  belongs_to :creator, :class_name => "User"
  belongs_to :approver, :class_name => "User"
  belongs_to :forum_topic
-  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :status, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
+  attr_accessible :status, :as => [:admin]

  module SearchMethods
    def name_matches(name)
--- a/app/models/tag_implication.rb
+++ b/app/models/tag_implication.rb
@@ -20,7 +20,8 @@ class TagImplication < ActiveRecord::Base
  validate :consequent_is_not_aliased
  validate :antecedent_and_consequent_are_different
  validate :wiki_pages_present, :on => :create
-  attr_accessible :antecedent_name, :consequent_name, :descendant_names, :forum_topic_id, :status, :forum_topic, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
+  attr_accessible :status, :as => [:admin]

  module DescendantMethods
    extend ActiveSupport::Concern