forum post votes: fix exploits with voting on mod-only forum posts.

* Don't allow unprivileged users to vote on mod-only forum posts.
* Don't allow unprivileged users to see votes on mod-only forum posts.
This commit is contained in:
evazion
2020-02-16 04:51:23 -06:00
parent bf4dbf1449
commit 835cc23f66
2 changed files with 4 additions and 2 deletions


@@ -3,14 +3,14 @@ class ForumPostVotesController < ApplicationController
before_action :member_only, only: [:create, :destroy]
def index
@forum_post_votes = ForumPostVote.paginated_search(params, count_pages: true)
@forum_post_votes = ForumPostVote.visible.paginated_search(params, count_pages: true)
@forum_post_votes = @forum_post_votes.includes(:creator, forum_post: [:creator, :topic]) if request.format.html?
respond_with(@forum_post_votes)
end
def create
@forum_post = ForumPost.find(params[:forum_post_id])
@forum_post = ForumPost.permitted.find(params[:forum_post_id])
@forum_post_vote = @forum_post.votes.create(forum_post_vote_params.merge(creator: CurrentUser.user))
respond_with(@forum_post_vote)
end
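Review bot: The two changed files are application code only, so the authorization boundary this commit introduces has no regression test; a controller test should assert that a non-moderator creating a vote on a mod-only post is rejected by `ForumPost.permitted.find` (ActiveRecord::RecordNotFound, a 404 under default Rails handling) and that `index` omits votes on posts that user cannot see. The `destroy` action named in `before_action :member_only` is outside this hunk; if it resolves the vote by id without going through `ForumPostVote.visible`, it would still operate on votes belonging to hidden posts, though whether that matters depends on a body not shown here. A why-comment on `index` would also help the next reader: `# Scoped to posts the current user may read, so hidden threads leak neither votes nor voters.`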


@@ -3,10 +3,12 @@ class ForumPostVote < ApplicationRecord
belongs_to :forum_post
validates :creator_id, uniqueness: {scope: :forum_post_id}
validates :score, inclusion: {in: [-1, 0, 1]}
scope :up, -> {where(score: 1)}
scope :down, -> {where(score: -1)}
scope :by, ->(user_id) {where(creator_id: user_id)}
scope :excluding_user, ->(user_id) {where("creator_id <> ?", user_id)}
scope :visible, -> { where(forum_post: ForumPost.permitted) }
def self.forum_post_matches(params)
return all if params.blank?
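Review bot: `scope :visible` is the only gate keeping votes on mod-only posts out of `index`, yet nothing records that it is exactly as strong as `ForumPost.permitted`, which presumably evaluates the current user at call time; a comment such as `# Votes on posts the current user is allowed to read; delegates the check to ForumPost.permitted, so do not cache this relation across requests.` would make that dependency explicit. Any other path that hands a ForumPostVote to a user (a show or destroy lookup, none of which appears in this hunk) should resolve records through `visible` as well rather than a bare `ForumPostVote.find`. `forum_post_matches` begins in this hunk and its body continues outside it.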