Raise error on unpermitted params.

Fail loudly if we forget to whitelist a param instead of silently
ignoring it.

misc models: convert to strong params.

artist commentaries: convert to strong params.

* Disallow changing or setting post_id to a nonexistent post.

artists: convert to strong params.

* Disallow setting `is_banned` in create/update actions. Changing it
  this way instead of with the ban/unban actions would leave the artist in
  a partially banned state.

bans: convert to strong params.

* Disallow changing the user_id after the ban has been created.

comments: convert to strong params.

favorite groups: convert to strong params.

news updates: convert to strong params.

post appeals: convert to strong params.

post flags: convert to strong params.

* Disallow users from setting the `is_deleted` / `is_resolved` flags.

ip bans: convert to strong params.

user feedbacks: convert to strong params.

* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.

notes: convert to strong params.

wiki pages: convert to strong params.

* Also fix non-Builders being able to delete wiki pages.

saved searches: convert to strong params.

pools: convert to strong params.

* Disallow setting `post_count` or `is_deleted` in create/update actions.

janitor trials: convert to strong params.

post disapprovals: convert to strong params.

* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
  of Approve button.

dmail filters: convert to strong params.

password resets: convert to strong params.

user name change requests: convert to strong params.

posts: convert to strong params.

users: convert to strong params.

* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
  has_mail, and dmail_filter_attributes[user_id].

* Remove initialize_default_image_size (dead code).

uploads: convert to strong params.

* Remove `initialize_status` because status already defaults to pending
  in the database.

tag aliases/implications: convert to strong params.

tags: convert to strong params.

forum posts: convert to strong params.

* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).

forum topics: convert to strong params.

* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references

Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>

add diffs
r888888888
2018-04-02 10:51:26 -07:00
committed by Albert Yi
parent 01eda51020
commit abce4d2551
362 changed files with 4796 additions and 4799 deletions

View File

@@ -1,6 +1,6 @@
module Admin
class AliasAndImplicationImportsController < ApplicationController
before_filter :admin_only
before_action :admin_only
def new
end

View File

@@ -1,6 +1,6 @@
module Admin
class UsersController < ApplicationController
before_filter :moderator_only
before_action :moderator_only
def edit
@user = User.find(params[:id])

View File

@@ -1,25 +1,26 @@
class ApplicationController < ActionController::Base
protect_from_forgery
helper :pagination
before_filter :reset_current_user
before_filter :set_current_user
after_filter :reset_current_user
before_filter :set_title
before_filter :normalize_search
before_filter :set_started_at_session
before_filter :api_check
before_filter :set_safe_mode
# before_filter :secure_cookies_check
before_action :reset_current_user
before_action :set_current_user
after_action :reset_current_user
before_action :set_title
before_action :normalize_search
before_action :set_started_at_session
before_action :api_check
before_action :set_safe_mode
# before_action :secure_cookies_check
layout "default"
force_ssl :if => :ssl_login?
helper_method :show_moderation_notice?
before_filter :enable_cors
before_action :enable_cors
rescue_from Exception, :with => :rescue_exception
rescue_from User::PrivilegeError, :with => :access_denied
rescue_from SessionLoader::AuthenticationFailure, :with => :authentication_failed
rescue_from Danbooru::Paginator::PaginationError, :with => :render_pagination_limit
rescue_from PG::ConnectionBad, with: :bad_db_connection
rescue_from ActionController::UnpermittedParameters, :with => :access_denied
# This is raised on requests to `/blah.js`. Rails has already rendered StaticController#not_found
# here, so calling `rescue_exception` would cause a double render error.
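Review bot: the new `rescue_from ActionController::UnpermittedParameters, :with => :access_denied` only fires if `config.action_controller.action_on_unpermitted_parameters = :raise` is set, and that setting is not part of this hunk; please confirm it is enabled in every environment (not only development and test), otherwise the "fail loudly" goal of this commit is silently lost in production, where unpermitted keys would just be logged. Declaring it after `rescue_from Exception` is correct, since handlers are matched in reverse declaration order. Mapping it to a 403 "access denied" also hides which key was rejected from API clients; a 400 whose body lists `exception.params` would make the failure diagnosable without exposing anything the client did not send itself.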
@@ -93,6 +94,13 @@ class ApplicationController < ActionController::Base
def rescue_exception(exception)
@exception = exception
if Rails.env.test? && ENV["DEBUG"]
puts "---"
STDERR.puts("#{exception.class} exception thrown: #{exception.message}")
exception.backtrace.each {|x| STDERR.puts(x)}
puts "---"
end
if exception.is_a?(::ActiveRecord::StatementInvalid) && exception.to_s =~ /statement timeout/
if Rails.env.production?
NewRelic::Agent.notice_error(exception, :uri => request.original_url, :referer => request.referer, :request_params => params, :custom_params => {:user_id => CurrentUser.user.id, :user_ip_addr => CurrentUser.ip_addr})
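Review bot: in the new debug block the `---` separators go to STDOUT via `puts` while the exception class, message and backtrace go to STDERR, so when the two streams are captured separately the separators no longer bracket the trace; use `STDERR.puts "---"` for all four lines (or route everything through `Rails.logger.error`).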
@@ -159,7 +167,7 @@ class ApplicationController < ActionController::Base
render :json => {:success => false, :reason => "access denied"}.to_json, :status => 403
end
fmt.js do
render :nothing => true, :status => 403
render js: "", :status => 403
end
end
end
@@ -212,6 +220,10 @@ class ApplicationController < ActionController::Base
end
end
def search_params
params.fetch(:search, {}).permit!
end
def set_safe_mode
CurrentUser.set_safe_mode(request)
end
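Review bot: the shared `search_params` uses `permit!`, which accepts every key under `params[:search]` without raising, so the raise-on-unpermitted guarantee this commit introduces does not extend to search filters. That is probably acceptable because the model `search` methods only read the keys they know, but it deserves a comment saying so, and controllers whose filter keys are few and fixed should override it with an explicit list the way `IpBansController#search_params` does elsewhere in this commit (`params.fetch(:search, {}).permit(%i[ip_addr order])`).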

View File

@@ -1,9 +1,9 @@
class ArtistCommentariesController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show]
before_action :member_only, :except => [:index, :show]
def index
@commentaries = ArtistCommentary.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@commentaries = ArtistCommentary.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@commentaries) do |format|
format.xml do
render :xml => @commentaries.to_xml(:root => "artist-commentaries")
@@ -24,14 +24,8 @@ class ArtistCommentariesController < ApplicationController
end
def create_or_update
@artist_commentary = ArtistCommentary.find_by_post_id(params[:artist_commentary][:post_id])
if @artist_commentary
@artist_commentary.update_attributes(params[:artist_commentary])
else
@artist_commentary = ArtistCommentary.create(params[:artist_commentary])
end
@artist_commentary = ArtistCommentary.find_or_initialize_by(post_id: params.dig(:artist_commentary, :post_id))
@artist_commentary.update(commentary_params)
respond_with(@artist_commentary)
end
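Review bot: `find_or_initialize_by(post_id: ...)` will happily initialize a new commentary for any `post_id` the client sends, including ids that do not exist, so the "disallow changing or setting post_id to a nonexistent post" guarantee from the commit message has to come from a model validation on `post_id` that is not visible in this hunk; please confirm it exists, and that a missing `post_id` (`params.dig` returning nil) produces a validation error rather than `find_or_initialize_by(post_id: nil)` matching a stray row.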
@@ -39,6 +33,15 @@ class ArtistCommentariesController < ApplicationController
@artist_commentary = ArtistCommentary.find_by_post_id!(params[:id])
@version = @artist_commentary.versions.find(params[:version_id])
@artist_commentary.revert_to!(@version)
respond_with(@artist_commentary)
end
private
def commentary_params
params.fetch(:artist_commentary, {}).except(:post_id).permit(%i[
original_description original_title translated_description translated_title
remove_commentary_tag remove_commentary_request_tag remove_commentary_check_tag
add_commentary_tag add_commentary_request_tag add_commentary_check_tag
])
end
end

View File

@@ -2,7 +2,7 @@ class ArtistCommentaryVersionsController < ApplicationController
respond_to :html, :xml, :json
def index
@commentary_versions = ArtistCommentaryVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@commentary_versions = ArtistCommentaryVersion.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@commentary_versions) do |format|
format.xml do
render :xml => @commentary_versions.to_xml(:root => "artist-commentary-versions")

View File

@@ -1,13 +1,14 @@
class ArtistVersionsController < ApplicationController
before_filter :member_only
before_action :member_only
respond_to :html, :xml, :json
def index
@artist_versions = ArtistVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@artist_versions = ArtistVersion.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@artist_versions) do |format|
format.xml do
render :xml => @artist_versions.to_xml(:root => "artist-versions")
end
end
end
end
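Review bot: `index` now passes `search_params` to `.search` but still passes the raw `params[:search]` as `:search_count`; if `:search_count` is only used as a presence check that is harmless, otherwise it should receive `search_params` too so both sides see the same hash. The same mismatch appears in the other `index` actions converted in this commit.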

View File

@@ -1,12 +1,12 @@
class ArtistsController < ApplicationController
respond_to :html, :xml, :json
before_filter :member_only, :except => [:index, :show, :show_or_new, :banned]
before_filter :builder_only, :only => [:destroy]
before_filter :admin_only, :only => [:ban, :unban]
before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
before_action :member_only, :except => [:index, :show, :show_or_new, :banned]
before_action :builder_only, :only => [:destroy]
before_action :admin_only, :only => [:ban, :unban]
before_action :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
def new
@artist = Artist.new_with_defaults(params)
@artist = Artist.new_with_defaults(artist_params)
respond_with(@artist)
end
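Review bot: `Artist.new_with_defaults` used to receive the whole `params` hash and now receives only the permitted `params[:artist]` subtree, so any top-level keys that method previously read for pre-filling the form now arrive as an empty hash, and any key sent inside `artist[...]` that is not in `artist_params` raises `UnpermittedParameters` under this commit; confirm the model method and the links that build the new-artist form were updated to the nested form.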
@@ -37,7 +37,6 @@ class ArtistsController < ApplicationController
end
def index
search_params = params[:search].present? ? params[:search] : params
@artists = Artist.includes(:urls).search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@artists) do |format|
format.xml do
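Review bot: removing the local `search_params = params[:search].present? ? params[:search] : params` changes `index` behaviour: previously, when `params[:search]` was absent, the entire top-level `params` hash was handed to `Artist.search`, so any top-level filter key worked; the new private `search_params` only carries `params[:name]` across. If other top-level keys were relied on by existing links or API clients they silently stop filtering, so either document that `name` is the only supported legacy key or add the others.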
@@ -56,12 +55,12 @@ class ArtistsController < ApplicationController
end
def create
@artist = Artist.create(params[:artist], :as => CurrentUser.role)
@artist = Artist.create(artist_params)
respond_with(@artist)
end
def update
@artist.update(params[:artist], :as => CurrentUser.role)
@artist.update(artist_params)
flash[:notice] = @artist.valid? ? "Artist updated" : @artist.errors.full_messages.join("; ")
respond_with(@artist)
end
@@ -118,4 +117,17 @@ private
def load_artist
@artist = Artist.find(params[:id])
end
def search_params
sp = params.fetch(:search, {})
sp[:name] = params[:name] if params[:name]
sp.permit!
end
def artist_params
permitted_params = %i[name other_names other_names_comma group_name url_string notes]
permitted_params << :is_active if CurrentUser.is_builder?
params.fetch(:artist, {}).permit(permitted_params)
end
end
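Review bot: in `artist_params`, gating `:is_active` on `CurrentUser.is_builder?` combined with the new raise-on-unpermitted setting means a non-builder whose edit form still contains an `artist[is_active]` field gets a 403 on every save instead of having the field ignored; make sure the form only renders that field for builders, or strip it with `except(:is_active)` the way `commentary_params` strips `post_id`.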

View File

@@ -1,6 +1,7 @@
class BansController < ApplicationController
before_filter :moderator_only, :except => [:show, :index]
before_action :moderator_only, :except => [:show, :index]
respond_to :html, :xml, :json
helper_method :search_params
def new
@ban = Ban.new(params[:ban])
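Review bot: `@ban = Ban.new(params[:ban])` in `new` (unchanged context) still passes the raw, unpermitted `ActionController::Parameters` to the model, which under Rails 5 raises `ActiveModel::ForbiddenAttributesError` whenever `params[:ban]` is present, which is exactly the "ban this user" link case that pre-fills `user_id`; it should go through `ban_params(:create)` as well. Note that `ban_params` uses `require(:ban)`, which would turn a bare `/bans/new` into a 400, so `new` wants a `params.fetch(:ban, {})` variant.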
@@ -11,7 +12,7 @@ class BansController < ApplicationController
end
def index
@bans = Ban.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@bans = Ban.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@bans) do |fmt|
fmt.html { @bans = @bans.includes(:user, :banner) }
end
@@ -23,7 +24,7 @@ class BansController < ApplicationController
end
def create
@ban = Ban.create(params[:ban])
@ban = Ban.create(ban_params(:create))
if @ban.errors.any?
render :action => "new"
@@ -34,7 +35,7 @@ class BansController < ApplicationController
def update
@ban = Ban.find(params[:id])
if @ban.update_attributes(params[:ban])
if @ban.update(ban_params(:update))
redirect_to ban_path(@ban), :notice => "Ban updated"
else
render :action => "edit"
@@ -46,4 +47,13 @@ class BansController < ApplicationController
@ban.destroy
redirect_to bans_path, :notice => "Ban destroyed"
end
private
def ban_params(context)
permitted_params = %i[reason duration expires_at]
permitted_params += %i[user_id user_name] if context == :create
params.require(:ban).permit(permitted_params)
end
end

View File

@@ -1,8 +1,8 @@
class BulkUpdateRequestsController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show]
before_filter :admin_only, :only => [:approve]
before_filter :load_bulk_update_request, :except => [:new, :create, :index]
before_action :member_only, :except => [:index, :show]
before_action :admin_only, :only => [:approve]
before_action :load_bulk_update_request, :except => [:new, :create, :index]
def new
@bulk_update_request = BulkUpdateRequest.new
@@ -47,7 +47,7 @@ class BulkUpdateRequestsController < ApplicationController
end
def index
@bulk_update_requests = BulkUpdateRequest.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@bulk_update_requests = BulkUpdateRequest.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@bulk_update_requests)
end

View File

@@ -1,7 +1,7 @@
class CommentVotesController < ApplicationController
respond_to :js, :json, :xml
before_filter :member_only
skip_before_filter :api_check
before_action :member_only
skip_before_action :api_check
def create
@comment = Comment.find(params[:comment_id])

View File

@@ -1,12 +1,12 @@
class CommentsController < ApplicationController
respond_to :html, :xml, :json
before_filter :member_only, :except => [:index, :search, :show]
skip_before_filter :api_check
before_action :member_only, :except => [:index, :search, :show]
skip_before_action :api_check
def index
if params[:group_by] == "comment" || request.format == Mime::ATOM
if params[:group_by] == "comment" || request.format == Mime::Type.lookup("application/atom+xml")
index_by_comment
elsif request.format == Mime::JS
elsif request.format == Mime::Type.lookup("text/javascript")
index_for_post
else
index_by_post
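Review bot: `Mime::Type.lookup("application/atom+xml")` and `Mime::Type.lookup("text/javascript")` work, but the Rails 5 idiom for the removed `Mime::ATOM` / `Mime::JS` constants is `Mime[:atom]` and `Mime[:js]`, which resolve through the registered symbol rather than a hard-coded string and so survive any change to how the type is registered; the same applies to the `Mime::HTML` replacements in ForumTopicsController in this commit.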
@@ -23,15 +23,17 @@ class CommentsController < ApplicationController
def update
@comment = Comment.find(params[:id])
check_privilege(@comment)
@comment.update(update_params, :as => CurrentUser.role)
@comment.update(comment_params(:update))
respond_with(@comment, :location => post_path(@comment.post_id))
end
def create
@comment = Comment.create(create_params, :as => CurrentUser.role)
@comment = Comment.create(comment_params(:create))
respond_with(@comment) do |format|
format.html do
if @comment.errors.any?
if @comment.post.nil?
redirect_to comments_path, notice: @comment.errors.full_messages.join("; ")
elsif @comment.errors.any?
redirect_to post_path(@comment.post), :notice => @comment.errors.full_messages.join("; ")
else
redirect_to post_path(@comment.post), :notice => "Comment posted"
@@ -88,7 +90,7 @@ private
end
def index_by_comment
@comments = Comment.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@comments = Comment.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@comments) do |format|
format.atom do
@comments = @comments.includes(:post, :creator).load
@@ -105,11 +107,12 @@ private
end
end
def create_params
params.require(:comment).permit(:post_id, :body, :do_not_bump_post, :is_sticky)
end
def comment_params(context)
permitted_params = %i[body]
permitted_params += %i[post_id do_not_bump_post] if context == :create
permitted_params += %i[is_deleted] if context == :update
permitted_params += %i[is_sticky] if CurrentUser.is_moderator?
def update_params
params.require(:comment).permit(:body, :is_deleted, :is_sticky)
params.require(:comment).permit(permitted_params)
end
end
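Review bot: `comment_params(:update)` still permits `is_deleted` for anyone who passes `check_privilege`, while this same commit removes `is_deleted` from forum posts in favour of the destroy/undelete actions ("Disallow setting is_deleted"); unless inline deletion of comments is intentional, apply the same rule here so the two resources behave alike and deletion always goes through the actions that record who did it.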

View File

@@ -1,6 +1,6 @@
class DelayedJobsController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :admin_only, except: [:index]
before_action :admin_only, except: [:index]
def index
@delayed_jobs = Delayed::Job.order("run_at asc").paginate(params[:page], :limit => params[:limit])
@@ -18,7 +18,7 @@ class DelayedJobsController < ApplicationController
def retry
@job = Delayed::Job.find(params[:id])
if !@job.locked_at?
@job.update({failed_at: nil, attempts: 0}, without_protection: true)
@job.update(failed_at: nil, attempts: 0)
end
respond_with(@job)
end

View File

@@ -1,7 +1,7 @@
class DmailsController < ApplicationController
respond_to :html, :xml, :json
before_filter :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
before_filter :gold_only, only: [:ham, :spam]
before_action :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
before_action :gold_only, only: [:ham, :spam]
def new
if params[:respond_to_id]
@@ -19,7 +19,7 @@ class DmailsController < ApplicationController
if params[:folder] && params[:set_default_folder]
cookies.permanent[:dmail_folder] = params[:folder]
end
@query = Dmail.active.visible.search(params[:search])
@query = Dmail.active.visible.search(search_params)
@dmails = @query.paginate(params[:page], :limit => params[:limit])
respond_with(@dmails) do |format|
format.xml do

View File

@@ -1,7 +1,7 @@
module Explore
class PostsController < ApplicationController
respond_to :html, :xml, :json
before_filter :set_date, only: [:searches, :viewed]
before_action :set_date, only: [:searches, :viewed]
def popular
@post_set = PostSets::Popular.new(params[:date], params[:scale])

View File

@@ -1,6 +1,6 @@
class FavoriteGroupOrdersController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only
before_action :member_only
def edit
@favorite_group = FavoriteGroup.find(params[:favorite_group_id])

View File

@@ -1,9 +1,9 @@
class FavoriteGroupsController < ApplicationController
before_filter :member_only, :except => [:index, :show]
before_action :member_only, :except => [:index, :show]
respond_to :html, :xml, :json, :js
def index
@favorite_groups = FavoriteGroup.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@favorite_groups = FavoriteGroup.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@favorite_groups) do |format|
format.xml do
render :xml => @favorite_groups.to_xml(:root => "favorite-groups")
@@ -24,7 +24,7 @@ class FavoriteGroupsController < ApplicationController
end
def create
@favorite_group = FavoriteGroup.create(params[:favorite_group])
@favorite_group = FavoriteGroup.create(favgroup_params)
respond_with(@favorite_group) do |format|
format.html do
if @favorite_group.errors.any?
@@ -45,7 +45,7 @@ class FavoriteGroupsController < ApplicationController
def update
@favorite_group = FavoriteGroup.find(params[:id])
check_write_privilege(@favorite_group)
@favorite_group.update_attributes(params[:favorite_group])
@favorite_group.update(favgroup_params)
unless @favorite_group.errors.any?
flash[:notice] = "Favorite group updated"
end
@@ -67,7 +67,8 @@ class FavoriteGroupsController < ApplicationController
@favorite_group.add!(@post.id)
end
private
private
def check_write_privilege(favgroup)
raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user)
end
@@ -75,4 +76,8 @@ private
def check_read_privilege(favgroup)
raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
end
def favgroup_params
params.fetch(:favorite_group, {}).permit(%i[name post_ids is_public])
end
end
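Review bot: `permit(%i[name post_ids is_public])` permits `post_ids` only as a scalar; that matches a space-separated string field, but if the form or API ever submits `favorite_group[post_ids][]` as an array the whole key is rejected and, under this commit's raise-on-unpermitted setting, the request gets a 403 rather than a dropped field. If arrays are expected, permit it as `post_ids: []`.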

View File

@@ -1,7 +1,7 @@
class FavoritesController < ApplicationController
before_filter :member_only, except: [:index]
before_action :member_only, except: [:index]
respond_to :html, :xml, :json
skip_before_filter :api_check
skip_before_action :api_check
def index
if params[:tags]

View File

@@ -1,9 +1,9 @@
class ForumPostsController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show, :search]
before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
skip_before_filter :api_check
before_action :member_only, :except => [:index, :show, :search]
before_action :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
before_action :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
skip_before_action :api_check
def new
if params[:topic_id]
@@ -24,7 +24,7 @@ class ForumPostsController < ApplicationController
end
def index
@query = ForumPost.search(params[:search])
@query = ForumPost.search(search_params)
@forum_posts = @query.includes(:topic).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@forum_posts) do |format|
format.xml do
@@ -45,14 +45,14 @@ class ForumPostsController < ApplicationController
end
def create
@forum_post = ForumPost.create(params[:forum_post])
@forum_post = ForumPost.create(forum_post_params(:create))
page = @forum_post.topic.last_page if @forum_post.topic.last_page > 1
respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page))
end
def update
check_privilege(@forum_post)
@forum_post.update_attributes(params[:forum_post])
@forum_post.update(forum_post_params(:update))
page = @forum_post.forum_topic_page if @forum_post.forum_topic_page > 1
respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page, :anchor => "forum_post_#{@forum_post.id}"))
end
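Review bot: in `create`, `@forum_post.topic.last_page` (unchanged context) dereferences `topic` before checking whether the create succeeded; now that `topic_id` is only permitted on create and an invalid id leaves `topic` nil, a failed create raises `NoMethodError` (a 500) instead of rendering the validation errors. Guard it by computing `page` only `if @forum_post.topic`, or by checking `@forum_post.errors.any?` first, as `CommentsController#create` does in this commit for a nil `post`.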
@@ -84,11 +84,11 @@ private
end
fmt.json do
render :nothing => true, :status => 403
render json: nil, :status => 403
end
fmt.xml do
render :nothing => true, :status => 403
render xml: nil, :status => 403
end
end
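Review bot: `render json: nil` serialises to the literal body `null` and `render xml: nil` to an empty body, so the 403 responses from this controller now differ from `ApplicationController#access_denied`, which returns `{success: false, reason: "access denied"}` for JSON; either reuse `access_denied` or use `head :forbidden`, which is the direct replacement for `render :nothing => true`.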
@@ -101,4 +101,11 @@ private
raise User::PrivilegeError
end
end
def forum_post_params(context)
permitted_params = [:body]
permitted_params += [:topic_id] if context == :create
params.require(:forum_post).permit(permitted_params)
end
end

View File

@@ -1,11 +1,11 @@
class ForumTopicsController < ApplicationController
respond_to :html, :xml, :json
before_filter :member_only, :except => [:index, :show]
before_filter :moderator_only, :only => [:new_merge, :create_merge]
before_filter :normalize_search, :only => :index
before_filter :load_topic, :only => [:edit, :show, :update, :destroy, :undelete, :new_merge, :create_merge, :subscribe, :unsubscribe]
before_filter :check_min_level, :only => [:show, :edit, :update, :new_merge, :create_merge, :destroy, :undelete, :subscribe, :unsubscribe]
skip_before_filter :api_check
before_action :member_only, :except => [:index, :show]
before_action :moderator_only, :only => [:new_merge, :create_merge]
before_action :normalize_search, :only => :index
before_action :load_topic, :only => [:edit, :show, :update, :destroy, :undelete, :new_merge, :create_merge, :subscribe, :unsubscribe]
before_action :check_min_level, :only => [:show, :edit, :update, :new_merge, :create_merge, :destroy, :undelete, :subscribe, :unsubscribe]
skip_before_action :api_check
def new
@forum_topic = ForumTopic.new
@@ -20,9 +20,9 @@ class ForumTopicsController < ApplicationController
def index
params[:search] ||= {}
params[:search][:order] ||= "sticky" if request.format == Mime::HTML
params[:search][:order] ||= "sticky" if request.format == Mime::Type.lookup("text/html")
@query = ForumTopic.active.search(params[:search])
@query = ForumTopic.active.search(search_params)
@forum_topics = @query.paginate(params[:page], :limit => per_page, :search_count => params[:search])
respond_with(@forum_topics) do |format|
@@ -42,7 +42,7 @@ class ForumTopicsController < ApplicationController
end
def show
if request.format == Mime::HTML
if request.format == Mime::Type.lookup("text/html")
@forum_topic.mark_as_read!(CurrentUser.user)
end
@forum_posts = ForumPost.search(:topic_id => @forum_topic.id).reorder("forum_posts.id").paginate(params[:page])
@@ -54,13 +54,13 @@ class ForumTopicsController < ApplicationController
end
def create
@forum_topic = ForumTopic.create(params[:forum_topic], :as => CurrentUser.role)
@forum_topic = ForumTopic.create(forum_topic_params(:create))
respond_with(@forum_topic)
end
def update
check_privilege(@forum_topic)
@forum_topic.update_attributes(params[:forum_topic], :as => CurrentUser.role)
@forum_topic.update(forum_topic_params(:update))
respond_with(@forum_topic)
end
@@ -147,15 +147,22 @@ private
end
fmt.json do
render :nothing => true, :status => 403
render json: nil, :status => 403
end
fmt.xml do
render :nothing => true, :status => 403
render xml: nil, :status => 403
end
end
return false
end
end
def forum_topic_params(context)
permitted_params = [:title, :category_id, { original_post_attributes: %i[id body] }]
permitted_params += %i[is_sticky is_locked min_level] if CurrentUser.is_moderator?
params.require(:forum_topic).permit(permitted_params)
end
end
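Review bot: `forum_topic_params` permits `original_post_attributes: %i[id body]` on update as well, so a client can supply any `original_post_attributes[id]`; with `accepts_nested_attributes_for` on a `has_one` an id that does not belong to this topic raises `ActiveRecord::RecordNotFound` rather than reassigning the post, which is safe but surfaces as a 404 instead of a validation error, so a test that an id from another topic is rejected would pin that down. As with `artist_params`, the moderator-only `is_sticky` / `is_locked` / `min_level` keys now produce a 403 for non-moderators whose form still renders them, so the edit form needs the same gating.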

View File

@@ -1,18 +1,18 @@
class IpBansController < ApplicationController
respond_to :html, :xml, :json
before_filter :moderator_only
respond_to :html, :xml, :json, :js
before_action :moderator_only
def new
@ip_ban = IpBan.new
end
def create
@ip_ban = IpBan.create(params[:ip_ban])
@ip_ban = IpBan.create(ip_ban_params)
respond_with(@ip_ban, :location => ip_bans_path)
end
def index
@search = IpBan.search(params[:search])
@search = IpBan.search(search_params)
@ip_bans = @search.paginate(params[:page], :limit => params[:limit])
respond_with(@ip_bans)
end
@@ -22,4 +22,14 @@ class IpBansController < ApplicationController
@ip_ban.destroy
respond_with(@ip_ban)
end
private
def ip_ban_params
params.fetch(:ip_ban, {}).permit(%i[ip_addr reason])
end
def search_params
params.fetch(:search, {}).permit(%i[ip_addr order])
end
end

View File

@@ -15,7 +15,7 @@ class IqdbQueriesController < ApplicationController
fmt.js { render :layout => false, :action => "create_by_post" }
end
else
render :nothing => true, :status => 422
render plain: "", :status => 422
end
end
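Review bot: `render plain: "", :status => 422` works, but `head :unprocessable_entity` is the direct replacement for the removed `render :nothing => true` and avoids sending a `text/plain` content type on an empty body; the same applies to `render_403` in `Maintenance::User::EmailNotificationsController` in this commit.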

View File

@@ -1,6 +1,6 @@
class JanitorTrialsController < ApplicationController
respond_to :html, :xml, :json
before_filter :moderator_only, :only => [:create, :promote, :demote]
before_action :moderator_only, :only => [:create, :promote, :demote]
def new
@janitor_trial = JanitorTrial.new
@@ -13,12 +13,12 @@ class JanitorTrialsController < ApplicationController
end
def index
@janitor_trials = JanitorTrial.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@janitor_trials = JanitorTrial.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@janitor_trials)
end
def create
@janitor_trial = JanitorTrial.create(params[:janitor_trial])
@janitor_trial = JanitorTrial.create(janitor_trial_params)
respond_with(@janitor_trial, :location => janitor_trials_path)
end
@@ -41,4 +41,10 @@ class JanitorTrialsController < ApplicationController
def test
@tester = JanitorTrialTester.new(params[:janitor_trial][:user_name])
end
private
def janitor_trial_params
params.require(:janitor_trial).permit(%i[user_id user_name])
end
end

View File

@@ -1,5 +1,5 @@
class LegacyController < ApplicationController
before_filter :member_only, :only => [:create_post]
before_action :member_only, :only => [:create_post]
respond_to :json, :xml
def posts
@@ -40,7 +40,7 @@ class LegacyController < ApplicationController
end
def artists
@artists = Artist.limit(100).search(params[:search]).paginate(params[:page])
@artists = Artist.limit(100).search(search_params).paginate(params[:page])
end
def unavailable

View File

@@ -1,8 +1,8 @@
module Maintenance
module User
class ApiKeysController < ApplicationController
before_filter :check_privilege
before_filter :authenticate!, :except => [:show]
before_action :check_privilege
before_action :authenticate!, :except => [:show]
rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed
respond_to :html, :json, :xml

View File

@@ -1,7 +1,7 @@
module Maintenance
module User
class DmailFiltersController < ApplicationController
before_filter :ensure_ownership
before_action :ensure_ownership
respond_to :html, :json, :xml
def edit
@@ -10,12 +10,12 @@ module Maintenance
def update
@dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
@dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
@dmail_filter.update(dmail_filter_params)
flash[:notice] = "Filter updated"
respond_with(@dmail)
end
private
private
def ensure_ownership
@dmail = Dmail.find(params[:dmail_id])
@@ -24,6 +24,10 @@ module Maintenance
raise User::PrivilegeError.new
end
end
def dmail_filter_params
params.require(:dmail_filter).permit(:words)
end
end
end
end

View File

@@ -3,7 +3,7 @@ module Maintenance
class EmailNotificationsController < ApplicationController
class VerificationError < Exception ; end
before_filter :validate_sig, :only => [:destroy]
before_action :validate_sig, :only => [:destroy]
rescue_from VerificationError, :with => :render_403
def show
@@ -18,7 +18,7 @@ module Maintenance
private
def render_403
render :nothing => true, :status => 403
render plain: "", :status => 403
end
def validate_sig

View File

@@ -6,7 +6,7 @@ module Maintenance
end
def create
@nonce = UserPasswordResetNonce.create(params[:nonce])
@nonce = UserPasswordResetNonce.create(nonce_params)
if @nonce.errors.any?
redirect_to new_maintenance_user_password_reset_path, :notice => @nonce.errors.full_messages.join("; ")
else
@@ -29,6 +29,10 @@ module Maintenance
redirect_to new_maintenance_user_password_reset_path, :notice => "Invalid key"
end
end
def nonce_params
params.fetch(:nonce, {}).permit([:email])
end
end
end
end

View File

@@ -2,7 +2,7 @@ class ModActionsController < ApplicationController
respond_to :html, :xml, :json
def index
@mod_actions = ModAction.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@mod_actions = ModAction.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@mod_actions)
end
end

View File

@@ -1,7 +1,7 @@
module Moderator
class BulkRevertsController < ApplicationController
before_filter :moderator_only
before_filter :init_constraints
before_action :moderator_only
before_action :init_constraints
helper PostVersionsHelper
rescue_from BulkRevert::ConstraintTooGeneralError, :with => :tag_constraint_too_general

View File

@@ -1,6 +1,6 @@
module Moderator
class DashboardsController < ApplicationController
before_filter :member_only
before_action :member_only
helper :post_flags, :post_appeals
def show

View File

@@ -1,6 +1,6 @@
module Moderator
class InvitationsController < ApplicationController
before_filter :moderator_only
before_action :moderator_only
def new
end

View File

@@ -1,6 +1,6 @@
module Moderator
class IpAddrsController < ApplicationController
before_filter :moderator_only
before_action :moderator_only
def index
@search = IpAddrSearch.new(params[:search])

View File

@@ -1,8 +1,8 @@
module Moderator
module Post
class ApprovalsController < ApplicationController
before_filter :approver_only
skip_before_filter :api_check
before_action :approver_only
skip_before_action :api_check
respond_to :json, :xml, :js
def create

View File

@@ -1,13 +1,20 @@
module Moderator
module Post
class DisapprovalsController < ApplicationController
before_filter :approver_only
skip_before_filter :api_check
before_action :approver_only
skip_before_action :api_check
respond_to :js, :json, :xml
def create
cookies.permanent[:moderated] = Time.now.to_i
@post = ::Post.find(params[:post_id])
@post_disapproval = PostDisapproval.create(:post => @post, :user => CurrentUser.user, :reason => params[:reason] || "disinterest", :message => params[:message])
@post_disapproval = PostDisapproval.create(post_disapproval_params)
respond_with(@post_disapproval)
end
private
def post_disapproval_params
params.require(:post_disapproval).permit(%i[post_id reason message])
end
end
end
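Review bot: the new `PostDisapproval.create(post_disapproval_params)` drops three things the old call set explicitly: `:user => CurrentUser.user`, the `"disinterest"` default for `reason`, and the `post` object loaded by `@post = ::Post.find(params[:post_id])`. That lookup still reads the top-level `params[:post_id]` while the record is now built from `params[:post_disapproval][:post_id]`, so the two can disagree and `@post` only serves to 404 on a bad top-level id. Unless the model now defaults `user_id` from `CurrentUser` and `reason` to `"disinterest"` (not visible here), pass them explicitly, e.g. `PostDisapproval.create(post_disapproval_params.merge(post: @post, user: CurrentUser.user))`, and note that any client that sent top-level `reason` / `message` now gets a 400 from `require(:post_disapproval)`.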

View File

@@ -1,9 +1,9 @@
module Moderator
module Post
class PostsController < ApplicationController
before_filter :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
before_filter :admin_only, :only => [:expunge]
skip_before_filter :api_check
before_action :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
before_action :admin_only, :only => [:expunge]
skip_before_action :api_check
respond_to :html, :json, :xml

View File

@@ -4,8 +4,8 @@ module Moderator
RANDOM_COUNT = 12
respond_to :html, :json
before_filter :approver_only
skip_before_filter :api_check
before_action :approver_only
skip_before_action :api_check
def show
cookies.permanent[:moderated] = Time.now.to_i

View File

@@ -1,6 +1,6 @@
module Moderator
class TagsController < ApplicationController
before_filter :moderator_only
before_action :moderator_only
rescue_from TagBatchChange::Error, :with => :error
def edit

View File

@@ -1,5 +1,5 @@
class NewsUpdatesController < ApplicationController
before_filter :admin_only
before_action :admin_only
respond_to :html
def index
@@ -14,7 +14,7 @@ class NewsUpdatesController < ApplicationController
def update
@news_update = NewsUpdate.find(params[:id])
@news_update.update_attributes(params[:news_update])
@news_update.update(news_update_params)
respond_with(@news_update, :location => news_updates_path)
end
@@ -24,7 +24,7 @@ class NewsUpdatesController < ApplicationController
end
def create
@news_update = NewsUpdate.create(params[:news_update])
@news_update = NewsUpdate.create(news_update_params)
respond_with(@news_update, :location => news_updates_path)
end
@@ -35,4 +35,10 @@ class NewsUpdatesController < ApplicationController
format.js
end
end
private
def news_update_params
params.require(:news_update).permit([:message])
end
end

View File

@@ -2,7 +2,7 @@ class NoteVersionsController < ApplicationController
respond_to :html, :xml, :json
def index
@note_versions = NoteVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@note_versions = NoteVersion.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@note_versions) do |format|
format.html { @note_versions = @note_versions.includes(:updater) }
format.xml do

View File

@@ -1,12 +1,12 @@
class NotesController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show, :search]
before_action :member_only, :except => [:index, :show, :search]
def search
end
def index
@notes = Note.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@notes = Note.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@notes) do |format|
format.html { @notes = @notes.includes(:creator) }
format.xml do
@@ -23,7 +23,7 @@ class NotesController < ApplicationController
end
def create
@note = Note.create(create_params)
@note = Note.create(note_params(:create))
respond_with(@note) do |fmt|
fmt.json do
if @note.errors.any?
@@ -37,7 +37,7 @@ class NotesController < ApplicationController
def update
@note = Note.find(params[:id])
@note.update_attributes(update_params)
@note.update(note_params(:update))
respond_with(@note) do |format|
format.json do
if @note.errors.any?
@@ -62,12 +62,12 @@ class NotesController < ApplicationController
respond_with(@note)
end
private
def update_params
params.require(:note).permit(:x, :y, :width, :height, :body)
end
private
def create_params
params.require(:note).permit(:x, :y, :width, :height, :body, :post_id, :html_id)
def note_params(context)
permitted_params = %i[x y width height body]
permitted_params += %i[post_id html_id] if context == :create
params.require(:note).permit(permitted_params)
end
end

View File

@@ -1,6 +1,6 @@
class PoolElementsController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only
before_action :member_only
def create
@pool = Pool.find_by_name(params[:pool_name]) || Pool.find_by_id(params[:pool_id])

View File

@@ -1,6 +1,6 @@
class PoolOrdersController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only
before_action :member_only
def edit
@pool = Pool.find(params[:pool_id])

View File

@@ -1,13 +1,13 @@
class PoolVersionsController < ApplicationController
respond_to :html, :xml, :json
before_filter :check_availabililty
before_action :check_availabililty
def index
if params[:search] && params[:search][:pool_id].present?
@pool = Pool.find(params[:search][:pool_id])
end
@pool_versions = PoolArchive.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@pool_versions = PoolArchive.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@pool_versions) do |format|
format.xml do
render :xml => @pool_versions.to_xml(:root => "pool-versions")
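Review bot: `check_availabililty` (extra `il`) is misspelled in both the removed and the added `before_action` line, and the same spelling appears in the PostVersionsController hunk further down. It is evidently the name the method is defined under, so it works, but since this commit already rewrites both lines it is a cheap moment to rename it to `check_availability` together with its definition; SavedSearchesController already uses `check_availability` with the correct spelling, so the two names will otherwise keep diverging.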

View File

@@ -1,7 +1,7 @@
class PoolsController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :show, :gallery]
before_filter :builder_only, :only => [:destroy]
before_action :member_only, :except => [:index, :show, :gallery]
before_action :builder_only, :only => [:destroy]
def new
@pool = Pool.new
@@ -17,7 +17,7 @@ class PoolsController < ApplicationController
end
def index
@pools = Pool.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@pools = Pool.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@pools) do |format|
format.xml do
render :xml => @pools.to_xml(:root => "pools")
@@ -27,7 +27,7 @@ class PoolsController < ApplicationController
def gallery
limit = params[:limit] || CurrentUser.user.per_page
@pools = Pool.series.search(params[:search]).reorder("updated_at desc").paginate(params[:page], :limit => limit, :search_count => params[:search])
@pools = Pool.series.search(search_params).reorder("updated_at desc").paginate(params[:page], :limit => limit, :search_count => params[:search])
@post_set = PostSets::PoolGallery.new(@pools)
end
@@ -38,7 +38,7 @@ class PoolsController < ApplicationController
end
def create
@pool = Pool.create(params[:pool])
@pool = Pool.create(pool_params)
flash[:notice] = @pool.valid? ? "Pool created" : @pool.errors.full_messages.join("; ")
respond_with(@pool)
end
@@ -46,7 +46,7 @@ class PoolsController < ApplicationController
def update
# need to do this in order for synchronize! to work correctly
@pool = Pool.find(params[:id])
@pool.attributes = params[:pool]
@pool.attributes = pool_params
@pool.synchronize
@pool.save
unless @pool.errors.any?
@@ -86,4 +86,11 @@ class PoolsController < ApplicationController
format.js
end
end
private
def pool_params
permitted_params = %i[name description category is_active post_ids]
params.require(:pool).permit(permitted_params)
end
end
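Review bot: in `pool_params` the `permitted_params` local is assigned once and never extended, unlike `post_params` and `tag_params` later in this commit where the list grows by role; `params.require(:pool).permit(%i[name description category is_active post_ids])` says the same thing in one line. Nit only.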

View File

@@ -1,5 +1,5 @@
class PostAppealsController < ApplicationController
before_filter :member_only, :except => [:index, :show]
before_action :member_only, :except => [:index, :show]
respond_to :html, :xml, :json, :js
def new
@@ -8,7 +8,7 @@ class PostAppealsController < ApplicationController
end
def index
@post_appeals = PostAppeal.includes(:creator).search(params[:search]).includes(post: [:appeals, :uploader, :approver])
@post_appeals = PostAppeal.includes(:creator).search(search_params).includes(post: [:appeals, :uploader, :approver])
@post_appeals = @post_appeals.paginate(params[:page], limit: params[:limit])
respond_with(@post_appeals) do |format|
format.xml do
@@ -18,7 +18,7 @@ class PostAppealsController < ApplicationController
end
def create
@post_appeal = PostAppeal.create(params[:post_appeal])
@post_appeal = PostAppeal.create(post_appeal_params)
respond_with(@post_appeal)
end
@@ -26,4 +26,10 @@ class PostAppealsController < ApplicationController
@post_appeal = PostAppeal.find(params[:id])
respond_with(@post_appeal)
end
private
def post_appeal_params
params.fetch(:post_appeal, {}).permit(%i[post_id reason])
end
end
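Review bot: `post_appeal_params` uses `params.fetch(:post_appeal, {})`, while the otherwise parallel `post_flag_params` in the next file uses `params.require(:post_flag)`. The two behave differently on a `create` without the nested key: `fetch` yields an empty attribute set and a validation-error response, `require` yields `ActionController::ParameterMissing` (a 400). If `fetch` is here so `new` can render without query parameters, the same argument applies to PostFlagsController; pick one convention for both.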

View File

@@ -1,5 +1,5 @@
class PostFlagsController < ApplicationController
before_filter :member_only, :except => [:index, :show]
before_action :member_only, :except => [:index, :show]
respond_to :html, :xml, :json, :js
def new
@@ -8,7 +8,7 @@ class PostFlagsController < ApplicationController
end
def index
@post_flags = PostFlag.search(params[:search]).includes(:creator, post: [:flags, :uploader, :approver])
@post_flags = PostFlag.search(search_params).includes(:creator, post: [:flags, :uploader, :approver])
@post_flags = @post_flags.paginate(params[:page], limit: params[:limit])
respond_with(@post_flags) do |format|
format.xml do
@@ -18,7 +18,7 @@ class PostFlagsController < ApplicationController
end
def create
@post_flag = PostFlag.create(params[:post_flag].merge(:is_resolved => false))
@post_flag = PostFlag.create(post_flag_params)
respond_with(@post_flag)
end
@@ -26,4 +26,10 @@ class PostFlagsController < ApplicationController
@post_flag = PostFlag.find(params[:id])
respond_with(@post_flag)
end
private
def post_flag_params
params.require(:post_flag).permit(%i[post_id reason])
end
end
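Review bot: the removed `create` line forced `:is_resolved => false`; the new one permits only `post_id` and `reason` and sets nothing else, so a fresh flag's `is_resolved` now comes from the column or model default. That matches the commit message's intent of keeping `is_resolved` out of user control, but confirm the default is `false` rather than `NULL`, since nothing in this hunk guarantees it.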

View File

@@ -1,6 +1,6 @@
class PostReplacementsController < ApplicationController
respond_to :html, :xml, :json
before_filter :moderator_only, except: [:index]
before_action :moderator_only, except: [:index]
def new
@post = Post.find(params[:post_id])
@@ -23,7 +23,7 @@ class PostReplacementsController < ApplicationController
def index
params[:search][:post_id] = params.delete(:post_id) if params.has_key?(:post_id)
@post_replacements = PostReplacement.search(params[:search]).paginate(params[:page], limit: params[:limit])
@post_replacements = PostReplacement.search(search_params).paginate(params[:page], limit: params[:limit])
respond_with(@post_replacements)
end
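Review bot: the unchanged context line `params[:search][:post_id] = params.delete(:post_id) if params.has_key?(:post_id)` raises `NoMethodError` on `nil` when the request carries `post_id` but no `search` hash, and it is the line directly feeding the new `search_params` call. Since the hunk is being rewritten anyway, initialise the hash first, as `normalize_search_params` in WikiPagesController does: `params[:search] ||= {}` before the assignment.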

View File

@@ -1,10 +1,10 @@
class PostVersionsController < ApplicationController
before_filter :member_only
before_filter :check_availabililty
before_action :member_only
before_action :check_availabililty
respond_to :html, :xml, :json
def index
@post_versions = PostArchive.includes(:updater, post: [:versions]).search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@post_versions = PostArchive.includes(:updater, post: [:versions]).search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@post_versions) do |format|
format.xml do
render :xml => @post_versions.to_xml(:root => "post-versions")

View File

@@ -1,6 +1,6 @@
class PostVotesController < ApplicationController
before_filter :voter_only
skip_before_filter :api_check
before_action :voter_only
skip_before_action :api_check
def create
@post = Post.find(params[:post_id])

View File

@@ -1,6 +1,6 @@
class PostsController < ApplicationController
before_filter :member_only, :except => [:show, :show_seq, :index, :home, :random]
before_filter :builder_only, :only => [:copy_notes]
before_action :member_only, :except => [:show, :show_seq, :index, :home, :random]
before_action :builder_only, :only => [:copy_notes]
respond_to :html, :xml, :json
def index
@@ -46,10 +46,7 @@ class PostsController < ApplicationController
def update
@post = Post.find(params[:id])
if @post.visible?
@post.update_attributes(params[:post], :as => CurrentUser.role)
end
@post.update(post_params) if @post.visible?
save_recent_tags
respond_with_post_after_update(@post)
end
@@ -131,4 +128,18 @@ private
end
end
end
def post_params
permitted_params = %i[
tag_string old_tag_string
parent_id old_parent_id
source old_source
rating old_rating
has_embedded_notes
]
permitted_params += %i[is_rating_locked is_note_locked] if CurrentUser.is_builder?
permitted_params += %i[is_status_locked] if CurrentUser.is_admin?
params.require(:post).permit(permitted_params)
end
end
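Review bot: `@post.update(post_params) if @post.visible?` turns a non-visible post into a silent no-op, yet `save_recent_tags` and `respond_with_post_after_update(@post)` still run, so the caller gets a normal post-update response for an edit that was never applied. This is the same shape as the removed `if` block, so not a regression, but while the whitelist is being made explicit it would be cleaner to fail the way TagsController's `check_privilege` does (`raise User::PrivilegeError`) than to answer as if the update succeeded.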

View File

@@ -1,7 +1,7 @@
class RelatedTagsController < ApplicationController
respond_to :json
respond_to :html, :only=>[:show]
before_filter :require_reportbooru_key, only: [:update]
before_action :require_reportbooru_key, only: [:update]
def show
@query = RelatedTagQuery.new(params[:query].to_s.downcase, params[:category])

View File

@@ -1,7 +1,7 @@
class ReportsController < ApplicationController
before_filter :member_only, :except => [:upload_tags]
before_filter :gold_only, :only => [:similar_users]
before_filter :moderator_only, :only => [:post_versions, :post_versions_create, :down_voting_post_report, :down_voting_post_report_create]
before_action :member_only, :except => [:upload_tags]
before_action :gold_only, :only => [:similar_users]
before_action :moderator_only, :only => [:post_versions, :post_versions_create, :down_voting_post_report, :down_voting_post_report_create]
def uploads
@report = Reports::Uploads.new(params[:min_date], params[:max_date], params[:queries])

View File

@@ -1,5 +1,5 @@
class SavedSearchesController < ApplicationController
before_filter :check_availability
before_action :check_availability
respond_to :html, :xml, :json, :js
def index
@@ -22,11 +22,7 @@ class SavedSearchesController < ApplicationController
end
def create
@saved_search = saved_searches.create!(:query => params[:saved_search_tags], :label_string => params[:saved_search_labels])
if params[:saved_search_disable_labels]
CurrentUser.disable_categorized_saved_searches = true
CurrentUser.save
end
@saved_search = saved_searches.create(saved_search_params)
respond_with(@saved_search)
end
@@ -42,11 +38,12 @@ class SavedSearchesController < ApplicationController
def update
@saved_search = saved_searches.find(params[:id])
@saved_search.update_attributes(params[:saved_search])
@saved_search.update(saved_search_params)
respond_with(@saved_search, :location => saved_searches_path)
end
private
private
def saved_searches
CurrentUser.user.saved_searches
end
@@ -56,4 +53,8 @@ private
raise NotImplementedError.new("Listbooru service is not configured. Saved searches are not available.")
end
end
def saved_search_params
params.require(:saved_search).permit(%i[query label_string disable_labels])
end
end
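Review bot: the rewritten `create` changes the request contract, not just the permit list: the removed lines read top-level `saved_search_tags`, `saved_search_labels` and `saved_search_disable_labels`, while `saved_search_params` now requires nested `saved_search[query]`, `saved_search[label_string]` and `saved_search[disable_labels]`, so the form and any JS posting to this action must change with it. The `CurrentUser.disable_categorized_saved_searches = true; CurrentUser.save` side effect is gone from the controller and `disable_labels` is handed to `SavedSearch` as an attribute, so the model needs a `disable_labels=` writer that performs that update. Finally `create!` became `create`: validation failures now flow through `respond_with` instead of raising, which is the right call but deserves a line in the commit message.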

View File

@@ -1,5 +1,5 @@
class TagAliasCorrectionsController < ApplicationController
before_filter :builder_only
before_action :builder_only
def create
@correction = TagAliasCorrection.new(params[:tag_alias_id])

View File

@@ -1,11 +1,11 @@
class TagAliasRequestsController < ApplicationController
before_filter :member_only
before_action :member_only
def new
end
def create
@tag_alias_request = TagAliasRequest.new(params[:tag_alias_request])
@tag_alias_request = TagAliasRequest.new(tar_params)
@tag_alias_request.create
if @tag_alias_request.invalid?
@@ -14,4 +14,10 @@ class TagAliasRequestsController < ApplicationController
redirect_to forum_topic_path(@tag_alias_request.forum_topic)
end
end
private
def tar_params
params.require(:tag_alias_request).permit(:antecedent_name, :consequent_name, :reason, :skip_secondary_validations)
end
end
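Review bot: `tar_params` (and `tir_params` in TagImplicationRequestsController below) are the only abbreviated permit-method names in this commit; `tag_alias_request_params` reads in line with `tag_alias_params`, `tag_implication_params` and the rest. More substantively, `skip_secondary_validations` is whitelisted for every member (`before_action :member_only`). The removed line passed `params[:tag_alias_request]` straight through, so nothing new is exposed, but an explicit whitelist is the place to decide whether that flag should be role-gated the way `is_locked` is in `tag_params` and `is_status_locked` in `post_params`.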

View File

@@ -1,5 +1,5 @@
class TagAliasesController < ApplicationController
before_filter :admin_only, :only => [:approve, :new, :create]
before_action :admin_only, :only => [:approve, :new, :create]
respond_to :html, :xml, :json, :js
def show
@@ -15,14 +15,14 @@ class TagAliasesController < ApplicationController
@tag_alias = TagAlias.find(params[:id])
if @tag_alias.is_pending? && @tag_alias.editable_by?(CurrentUser.user)
@tag_alias.update_attributes(update_params)
@tag_alias.update(tag_alias_params)
end
respond_with(@tag_alias)
end
def index
@tag_aliases = TagAlias.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@tag_aliases = TagAlias.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@tag_aliases) do |format|
format.xml do
render :xml => @tag_aliases.to_xml(:root => "tag-aliases")
@@ -48,7 +48,7 @@ class TagAliasesController < ApplicationController
private
def update_params
params.require(:tag_alias).permit(:antecedent_name, :consequent_name, :forum_topic_id)
def tag_alias_params
params.require(:tag_alias).permit(%i[antecedent_name consequent_name forum_topic_id skip_secondary_validations])
end
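Review bot: `tag_alias_params` adds `skip_secondary_validations` to a list that the removed `update_params` did not contain, and it is reached from `update` under the `is_pending? && editable_by?` check; the same addition is made to `tag_implication_params` below. That widens what a non-admin editor of a pending alias can set, and the commit message only describes tightening, so either confirm it is intended (perhaps the create/approve path needs it) or keep the update whitelist to the original three keys.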
end

View File

@@ -1,5 +1,5 @@
class TagCorrectionsController < ApplicationController
before_filter :builder_only
before_action :builder_only
def new
@correction = TagCorrection.new(params[:tag_id])

View File

@@ -1,11 +1,11 @@
class TagImplicationRequestsController < ApplicationController
before_filter :member_only
before_action :member_only
def new
end
def create
@tag_implication_request = TagImplicationRequest.new(params[:tag_implication_request])
@tag_implication_request = TagImplicationRequest.new(tir_params)
@tag_implication_request.create
if @tag_implication_request.invalid?
@@ -14,4 +14,10 @@ class TagImplicationRequestsController < ApplicationController
redirect_to forum_topic_path(@tag_implication_request.forum_topic)
end
end
private
def tir_params
params.require(:tag_implication_request).permit(:antecedent_name, :consequent_name, :reason, :skip_secondary_validations)
end
end

View File

@@ -1,5 +1,5 @@
class TagImplicationsController < ApplicationController
before_filter :admin_only, :only => [:new, :create, :approve]
before_action :admin_only, :only => [:new, :create, :approve]
respond_to :html, :xml, :json, :js
def show
@@ -15,14 +15,14 @@ class TagImplicationsController < ApplicationController
@tag_implication = TagImplication.find(params[:id])
if @tag_implication.is_pending? && @tag_implication.editable_by?(CurrentUser.user)
@tag_implication.update_attributes(update_params)
@tag_implication.update(tag_implication_params)
end
respond_with(@tag_implication)
end
def index
@tag_implications = TagImplication.search(params[:search]).paginate(params[:page], :limit => params[:limit])
@tag_implications = TagImplication.search(search_params).paginate(params[:page], :limit => params[:limit])
respond_with(@tag_implications) do |format|
format.xml do
render :xml => @tag_implications.to_xml(:root => "tag-implications")
@@ -53,7 +53,7 @@ class TagImplicationsController < ApplicationController
private
def update_params
params.require(:tag_implication).permit(:antecedent_name, :consequent_name, :forum_topic_id)
def tag_implication_params
params.require(:tag_implication).permit(%i[antecedent_name consequent_name forum_topic_id skip_secondary_validations])
end
end

View File

@@ -1,5 +1,5 @@
class TagsController < ApplicationController
before_filter :member_only, :only => [:edit, :update]
before_action :member_only, :only => [:edit, :update]
respond_to :html, :xml, :json
def edit
@@ -9,7 +9,7 @@ class TagsController < ApplicationController
end
def index
@tags = Tag.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@tags = Tag.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@tags) do |format|
format.xml do
render :xml => @tags.to_xml(:root => "tags")
@@ -35,7 +35,7 @@ class TagsController < ApplicationController
def update
@tag = Tag.find(params[:id])
check_privilege(@tag)
@tag.update_attributes(params[:tag], :as => CurrentUser.role)
@tag.update(tag_params)
respond_with(@tag)
end
@@ -43,4 +43,11 @@ private
def check_privilege(tag)
raise User::PrivilegeError unless tag.editable_by?(CurrentUser.user)
end
def tag_params
permitted_params = [:category]
permitted_params << :is_locked if CurrentUser.is_moderator?
params.require(:tag).permit(permitted_params)
end
end

View File

@@ -1,5 +1,5 @@
class UploadsController < ApplicationController
before_filter :member_only, except: [:index, :show]
before_action :member_only, except: [:index, :show]
respond_to :html, :xml, :json, :js
def new
@@ -31,7 +31,7 @@ class UploadsController < ApplicationController
end
def index
@search = Upload.search(params[:search])
@search = Upload.search(search_params)
@uploads = @search.paginate(params[:page], :limit => params[:limit])
respond_with(@uploads) do |format|
format.xml do
@@ -52,7 +52,7 @@ class UploadsController < ApplicationController
end
def create
@upload = Upload.create(params[:upload].merge(:server => Socket.gethostname))
@upload = Upload.create(upload_params)
if @upload.errors.empty?
post = @upload.process!
@@ -72,7 +72,8 @@ class UploadsController < ApplicationController
respond_with(@upload)
end
protected
private
def find_post_by_url(normalized_url)
if normalized_url.nil?
Post.where("SourcePattern(lower(posts.source)) = ?", params[:url]).first
@@ -89,4 +90,14 @@ protected
cookies[:recent_tags_with_categories] = Tag.categories_for(tags).to_a.flatten.join(" ")
end
end
def upload_params
permitted_params = %i[
file source tag_string rating status parent_id artist_commentary_title
artist_commentary_desc include_artist_commentary referer_url
md5_confirmation as_pending
]
params.require(:upload).permit(permitted_params)
end
end
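Review bot: the removed `create` line merged `:server => Socket.gethostname` into the attributes; `upload_params` neither permits `server` nor sets it, so unless `Upload` now fills it in a callback, new uploads will have no `server` value. Not permitting it from the client is right (a user should not choose the processing host), so the fix belongs in the model or as `Upload.create(upload_params.merge(server: Socket.gethostname))` here.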

View File

@@ -1,9 +1,9 @@
class UserFeedbacksController < ApplicationController
before_filter :gold_only, :only => [:new, :edit, :create, :update, :destroy]
before_action :gold_only, :only => [:new, :edit, :create, :update, :destroy]
respond_to :html, :xml, :json
def new
@user_feedback = UserFeedback.new(params[:user_feedback])
@user_feedback = UserFeedback.new(user_feedback_params(:create))
respond_with(@user_feedback)
end
@@ -19,7 +19,7 @@ class UserFeedbacksController < ApplicationController
end
def index
@search = UserFeedback.visible.search(params[:search])
@search = UserFeedback.visible.search(search_params)
@user_feedbacks = @search.paginate(params[:page], :limit => params[:limit])
respond_with(@user_feedbacks) do |format|
format.xml do
@@ -29,14 +29,14 @@ class UserFeedbacksController < ApplicationController
end
def create
@user_feedback = UserFeedback.create(params[:user_feedback])
@user_feedback = UserFeedback.create(user_feedback_params(:create))
respond_with(@user_feedback)
end
def update
@user_feedback = UserFeedback.visible.find(params[:id])
check_privilege(@user_feedback)
@user_feedback.update_attributes(params[:user_feedback])
@user_feedback.update(user_feedback_params(:update))
respond_with(@user_feedback)
end
@@ -47,8 +47,16 @@ class UserFeedbacksController < ApplicationController
respond_with(@user_feedback)
end
private
private
def check_privilege(user_feedback)
raise User::PrivilegeError unless user_feedback.editable_by?(CurrentUser.user)
end
def user_feedback_params(context)
permitted_params = %i[body category]
permitted_params += %i[user_id user_name] if context == :create
params.require(:user_feedback).permit(permitted_params)
end
end
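Review bot: `new` now calls `user_feedback_params(:create)`, which goes through `params.require(:user_feedback)`, so `GET /user_feedbacks/new` without a pre-filled `user_feedback[...]` query string raises `ActionController::ParameterMissing` instead of rendering an empty form. The commit handles this elsewhere with `params.fetch(:user_name_change_request, {})`; use the same pattern here (`fetch` on the `new` path, `require` on `create`), or build `UserFeedback.new` without params in `new`.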

View File

@@ -1,20 +1,16 @@
class UserNameChangeRequestsController < ApplicationController
before_filter :member_only, :only => [:index, :show]
before_filter :gold_only, :only => [:new, :create]
before_filter :admin_only, :only => [:approve, :reject]
before_action :member_only, :only => [:index, :show]
before_action :gold_only, :only => [:new, :create]
before_action :admin_only, :only => [:approve, :reject]
respond_to :html, :json, :xml
def new
@change_request = UserNameChangeRequest.new(change_request_params)
respond_with(@change_request)
end
def create
@change_request = UserNameChangeRequest.create(
:user_id => CurrentUser.user.id,
:original_name => CurrentUser.user.name,
:status => "pending",
:change_reason => params[:reason],
:desired_name => params[:desired_name]
)
@change_request = UserNameChangeRequest.create(change_request_params)
if @change_request.errors.any?
render :action => "new"
@@ -47,9 +43,14 @@ class UserNameChangeRequestsController < ApplicationController
redirect_to user_name_change_request_path(@change_request), :notice => "Name change request rejected"
end
private
private
def check_privileges!(change_request)
return if CurrentUser.is_admin?
raise User::PrivilegeError if change_request.user_id != CurrentUser.user.id
end
def change_request_params
params.fetch(:user_name_change_request, {}).permit(%i[desired_name change_reason])
end
end
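Review bot: the removed `create` set `user_id`, `original_name` and `status => "pending"` explicitly; `change_request_params` permits only `desired_name` and `change_reason`, so those three fields must now be assigned by `UserNameChangeRequest` itself (for instance in a `before_validation`), which is not visible in this diff. The parameters also moved from top-level `reason`/`desired_name` to nested `user_name_change_request[change_reason]`/`user_name_change_request[desired_name]`, which the form must follow. Using `params.fetch(..., {})` so that `new` can render without parameters is the right shape here.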

View File

@@ -1,5 +1,5 @@
class UserRevertsController < ApplicationController
before_filter :moderator_only
before_action :moderator_only
def new
@user = User.find(params[:user_id])

View File

@@ -1,5 +1,5 @@
class UserUpgradesController < ApplicationController
before_filter :member_only, :only => [:new, :show]
before_action :member_only, :only => [:new, :show]
helper_method :user
force_ssl :if => :ssl_enabled?
skip_before_action :verify_authenticity_token, only: [:create]

View File

@@ -1,6 +1,6 @@
class UsersController < ApplicationController
respond_to :html, :xml, :json
skip_before_filter :api_check
skip_before_action :api_check
def new
@user = User.new
@@ -22,7 +22,7 @@ class UsersController < ApplicationController
redirect_to user_path(@user)
end
else
@users = User.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@users = User.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@users) do |format|
format.xml do
render :xml => @users.to_xml(:root => "users")
@@ -41,8 +41,7 @@ class UsersController < ApplicationController
end
def create
@user = User.new(params[:user], :as => CurrentUser.role)
@user.last_ip_addr = request.remote_ip
@user = User.new(user_params(:create))
if !Danbooru.config.enable_recaptcha? || verify_recaptcha(model: @user)
@user.save
if @user.errors.empty?
@@ -61,7 +60,7 @@ class UsersController < ApplicationController
def update
@user = User.find(params[:id])
check_privilege(@user)
@user.update_attributes(params[:user].except(:name), :as => CurrentUser.role)
@user.update(user_params(:update))
cookies.delete(:favorite_tags)
cookies.delete(:favorite_tags_with_categories)
if @user.errors.any?
@@ -75,12 +74,34 @@ class UsersController < ApplicationController
def cache
@user = User.find(params[:id])
@user.update_cache
render :nothing => true
render plain: ""
end
private
private
def check_privilege(user)
raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
end
def user_params(context)
permitted_params = %i[
password old_password password_confirmation email
comment_threshold default_image_size favorite_tags blacklisted_tags
time_zone per_page custom_style
receive_email_notifications always_resize_images enable_post_navigation
new_post_navigation_layout enable_privacy_mode
enable_sequential_post_navigation hide_deleted_posts style_usernames
enable_auto_complete show_deleted_children
disable_categorized_saved_searches disable_tagged_filenames
enable_recent_searches disable_cropped_thumbnails disable_mobile_gestures
enable_safe_mode disable_responsive_mode
]
permitted_params += [dmail_filter_attributes: %i[id words]]
permitted_params << :name if context == :create
permitted_params << :level if CurrentUser.is_admin?
params.require(:user).permit(permitted_params)
end
end
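Review bot: `@user.last_ip_addr = request.remote_ip` is removed from `create` and nothing in `user_params` replaces it (rightly, since a client must not set its own recorded address), so unless the `User` model now records the IP from elsewhere, `last_ip_addr` stops being populated on signup. Keep the assignment after `@user = User.new(user_params(:create))` or move it into the model explicitly, and mention it in the commit message either way.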

View File

@@ -2,7 +2,7 @@ class WikiPageVersionsController < ApplicationController
respond_to :html, :xml, :json
def index
@wiki_page_versions = WikiPageVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@wiki_page_versions = WikiPageVersion.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@wiki_page_versions) do |format|
format.xml do
render :xml => @wiki_page_versions.to_xml(:root => "wiki-page-versions")

View File

@@ -1,11 +1,11 @@
class WikiPagesController < ApplicationController
respond_to :html, :xml, :json, :js
before_filter :member_only, :except => [:index, :search, :show, :show_or_new]
before_filter :builder_only, :only => [:destroy]
before_filter :normalize_search_params, :only => [:index]
before_action :member_only, :except => [:index, :search, :show, :show_or_new]
before_action :builder_only, :only => [:destroy]
before_action :normalize_search_params, :only => [:index]
def new
@wiki_page = WikiPage.new(params[:wiki_page])
@wiki_page = WikiPage.new(wiki_page_params)
respond_with(@wiki_page)
end
@@ -15,7 +15,7 @@ class WikiPagesController < ApplicationController
end
def index
@wiki_pages = WikiPage.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
@wiki_pages = WikiPage.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
respond_with(@wiki_pages) do |format|
format.html do
if params[:page].nil? || params[:page].to_i == 1
@@ -50,13 +50,13 @@ class WikiPagesController < ApplicationController
end
def create
@wiki_page = WikiPage.create(params[:wiki_page])
@wiki_page = WikiPage.create(wiki_page_params)
respond_with(@wiki_page)
end
def update
@wiki_page = WikiPage.find(params[:id])
@wiki_page.update_attributes(params[:wiki_page])
@wiki_page.update(wiki_page_params)
respond_with(@wiki_page)
end
@@ -85,11 +85,19 @@ class WikiPagesController < ApplicationController
end
end
private
private
def normalize_search_params
if params[:title]
params[:search] ||= {}
params[:search][:title] = params.delete(:title)
end
end
def wiki_page_params
permitted_params = %i[title body other_names skip_secondary_validations]
permitted_params += %i[is_locked is_deleted] if CurrentUser.is_builder?
params.require(:wiki_page).permit(permitted_params)
end
end
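Review bot: as in UserFeedbacksController, `new` now routes through `wiki_page_params`, whose `params.require(:wiki_page)` raises `ParameterMissing` on a bare `GET /wiki_pages/new`; use `params.fetch(:wiki_page, {})` for the `new` path or keep `require` only in `create`/`update`. The `is_locked is_deleted` gating on `is_builder?` together with `before_action :builder_only, :only => [:destroy]` covers the non-builder deletion fix described in the commit message.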