From 8df1496d281e4139ecd20171ea2940450027c7dd Mon Sep 17 00:00:00 2001
From: evazion
Date: Wed, 19 Oct 2016 22:39:57 -0500
Subject: [PATCH] Fix vuln allowing users to move notes between posts.

Prevents this from working:

PUT /notes/1.json?note[post_id]=23
PUT /notes/1.json?note[post_id]=42
---
 app/controllers/notes_controller.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index f73c451b1..e14060826 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -20,7 +20,7 @@ class NotesController < ApplicationController
   end
 
   def create
-    @note = Note.create(params[:note])
+    @note = Note.create(create_params)
     respond_with(@note) do |fmt|
       fmt.json do
         if @note.errors.any?
@@ -34,7 +34,7 @@ class NotesController < ApplicationController
 
   def update
     @note = Note.find(params[:id])
-    @note.update_attributes(params[:note])
+    @note.update_attributes(update_params)
     respond_with(@note) do |format|
       format.json do
         if @note.errors.any?
@@ -60,6 +60,14 @@ class NotesController < ApplicationController
   end
 
   private
+  def update_params
+    params.require(:note).permit(:x, :y, :width, :height, :body)
+  end
+
+  def create_params
+    params.require(:note).permit(:x, :y, :width, :height, :body, :post_id)
+  end
+
   def pass_html_id
     if params[:note] && params[:note][:html_id]
       response.headers["X-Html-Id"] = params[:note][:html_id]
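Review bot: Switching `update` to `update_params` makes the move attempt silently ignored rather than rejected: `permit` drops unpermitted keys unless `action_on_unpermitted_parameters` is configured to `:raise`, so `PUT /notes/1.json?note[post_id]=42` now returns the note as updated while it stays on its current post. That is an acceptable outcome for the fix, but a regression test asserting `@note.post_id` is unchanged after such a request would pin it, and declaring `attr_readonly :post_id` on `Note` would make the model enforce the same rule for any other caller of `update_attributes`. The `create` path in the first hunk is the counterpart and correctly keeps `:post_id` in its permitted list. The body of `update` continues past the end of the hunk.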
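Review bot: `update_params` and `create_params` repeat the same five attribute names, so the two lists can drift apart the next time a note attribute is added; a single frozen list keeps them aligned: `NOTE_ATTRIBUTES = %i[x y width height body].freeze`, then `params.require(:note).permit(*NOTE_ATTRIBUTES)` in `update_params` and `params.require(:note).permit(*NOTE_ATTRIBUTES, :post_id)` in `create_params`. Separately, `params.require(:note)` raises `ActionController::ParameterMissing` (which Rails renders as a 400) when the `note` key is absent, whereas the replaced `params[:note]` was simply nil in that case; if any client sends a bare `PUT /notes/:id` or `POST /notes` without note fields this is a behaviour change that the commit message should mention. `pass_html_id` continues outside the hunk.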