Fix mass assignment vuln to tag alias/implication status (2704).

2016-10-11 07:58:08 +00:00
parent 789dede893
commit 7e3284c87f
4 changed files with 18 additions and 4 deletions
--- a/app/controllers/tag_aliases_controller.rb
+++ b/app/controllers/tag_aliases_controller.rb
@@ -15,7 +15,7 @@ class TagAliasesController < ApplicationController
    @tag_alias = TagAlias.find(params[:id])
    if @tag_alias.is_pending? && @tag_alias.editable_by?(CurrentUser.user)
-      @tag_alias.update_attributes(params[:tag_alias])
+      @tag_alias.update_attributes(update_params)
    end
    respond_with(@tag_alias)
@@ -46,4 +46,10 @@ class TagAliasesController < ApplicationController
    @tag_alias.approve!(CurrentUser.user.id)
    respond_with(@tag_alias, :location => tag_alias_path(@tag_alias))
  end
 private
  def update_params
    params.require(:tag_alias).permit(:antecedent_name, :consequent_name, :forum_topic_id)
  end
 end
--- a/app/controllers/tag_implications_controller.rb
+++ b/app/controllers/tag_implications_controller.rb
@@ -15,7 +15,7 @@ class TagImplicationsController < ApplicationController
    @tag_implication = TagImplication.find(params[:id])
    if @tag_implication.is_pending? && @tag_implication.editable_by?(CurrentUser.user)
-      @tag_implication.update_attributes(params[:tag_implication])
+      @tag_implication.update_attributes(update_params)
    end
    respond_with(@tag_implication)
@@ -51,4 +51,10 @@ class TagImplicationsController < ApplicationController
    @tag_implication.approve!(CurrentUser.user.id)
    respond_with(@tag_implication, :location => tag_implication_path(@tag_implication))
  end
 private
  def update_params
    params.require(:tag_implication).permit(:antecedent_name, :consequent_name, :forum_topic_id)
  end
 end
--- a/app/models/tag_alias.rb
+++ b/app/models/tag_alias.rb
@@ -19,7 +19,8 @@ class TagAlias < ActiveRecord::Base
  belongs_to :creator, :class_name => "User"
  belongs_to :approver, :class_name => "User"
  belongs_to :forum_topic
-  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :status, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
  attr_accessible :status, :as => [:admin]
  module SearchMethods
    def name_matches(name)
--- a/app/models/tag_implication.rb
+++ b/app/models/tag_implication.rb
@@ -20,7 +20,8 @@ class TagImplication < ActiveRecord::Base
  validate :consequent_is_not_aliased
  validate :antecedent_and_consequent_are_different
  validate :wiki_pages_present, :on => :create
-  attr_accessible :antecedent_name, :consequent_name, :descendant_names, :forum_topic_id, :status, :forum_topic, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
  attr_accessible :status, :as => [:admin]
  module DescendantMethods
    extend ActiveSupport::Concern