Prevent reverting to foreign versions (fixes #2711).

2016-10-10 10:24:49 +00:00
parent 80895ef46e
commit c46b31aa9c
12 changed files with 44 additions and 8 deletions
--- a/app/controllers/artist_commentaries_controller.rb
+++ b/app/controllers/artist_commentaries_controller.rb
@@ -24,8 +24,8 @@ class ArtistCommentariesController < ApplicationController
  end

  def revert
-    @artist_commentary = ArtistCommentary.find_by_post_id(params[:id])
-    @version = ArtistCommentaryVersion.find(params[:version_id])
+    @artist_commentary = ArtistCommentary.find_by_post_id!(params[:id])
+    @version = @artist_commentary.versions.find(params[:version_id])
    @artist_commentary.revert_to!(@version)
    respond_with(@artist_commentary)
  end
--- a/app/controllers/artists_controller.rb
+++ b/app/controllers/artists_controller.rb
@@ -3,7 +3,7 @@ class ArtistsController < ApplicationController
  before_filter :member_only, :except => [:index, :show, :banned]
  before_filter :builder_only, :only => [:destroy]
  before_filter :admin_only, :only => [:ban, :unban]
-  before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete, :revert]
+  before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]

  def new
    @artist = Artist.new_with_defaults(params)
@@ -97,7 +97,8 @@ class ArtistsController < ApplicationController
  end

  def revert
-    @version = ArtistVersion.find(params[:version_id])
+    @artist = Artist.find(params[:id])
+    @version = @artist.versions.find(params[:version_id])
    @artist.revert_to!(@version)
    respond_with(@artist)
  end
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -54,7 +54,7 @@ class NotesController < ApplicationController

  def revert
    @note = Note.find(params[:id])
-    @version = NoteVersion.find(params[:version_id])
+    @version = @note.versions.find(params[:version_id])
    @note.revert_to!(@version)
    respond_with(@note)
  end
--- a/app/controllers/pools_controller.rb
+++ b/app/controllers/pools_controller.rb
@@ -79,7 +79,7 @@ class PoolsController < ApplicationController

  def revert
    @pool = Pool.find(params[:id])
-    @version = PoolVersion.find(params[:version_id])
+    @version = @pool.versions.find(params[:version_id])
    @pool.revert_to!(@version)
    flash[:notice] = "Pool reverted"
    respond_with(@pool) do |format|
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -59,7 +59,7 @@ class PostsController < ApplicationController

  def revert
    @post = Post.find(params[:id])
-    @version = PostVersion.find(params[:version_id])
+    @version = @post.versions.find(params[:version_id])

    if @post.visible?
      @post.revert_to!(@version)
--- a/app/controllers/wiki_pages_controller.rb
+++ b/app/controllers/wiki_pages_controller.rb
@@ -67,7 +67,7 @@ class WikiPagesController < ApplicationController

  def revert
    @wiki_page = WikiPage.find(params[:id])
-    @version = WikiPageVersion.find(params[:version_id])
+    @version = @wiki_page.versions.find(params[:version_id])
    @wiki_page.revert_to!(@version)
    flash[:notice] = "Page was reverted"
    respond_with(@wiki_page)
--- a/app/models/artist.rb
+++ b/app/models/artist.rb
@@ -1,4 +1,6 @@
 class Artist < ActiveRecord::Base
+  class RevertError < Exception ; end
+
  before_create :initialize_creator
  before_validation :normalize_name
  after_save :create_version
@@ -173,6 +175,10 @@ class Artist < ActiveRecord::Base
    end

    def revert_to!(version)
+      if id != version.artist_id
+        raise RevertError.new("You cannot revert to a previous version of another artist.")
+      end
+
      self.name = version.name
      self.url_string = version.url_string
      self.is_active = version.is_active
--- a/app/models/artist_commentary.rb
+++ b/app/models/artist_commentary.rb
@@ -1,4 +1,6 @@
 class ArtistCommentary < ActiveRecord::Base
+  class RevertError < Exception ; end
+
  attr_accessor :remove_commentary_tag, :remove_commentary_request_tag, :remove_commentary_check_tag
  attr_accessor :add_commentary_tag, :add_commentary_request_tag, :add_commentary_check_tag
  attr_accessible :post_id, :original_description, :original_title, :translated_description, :translated_title, :remove_commentary_tag, :remove_commentary_request_tag, :add_commentary_tag, :add_commentary_request_tag, :add_commentary_check_tag, :remove_commentary_check_tag
@@ -76,6 +78,10 @@ class ArtistCommentary < ActiveRecord::Base
  end

  def revert_to(version)
+    if post_id != version.post_id
+      raise RevertError.new("You cannot revert to a previous artist commentary of another post.")
+    end
+
    self.original_description = version.original_description
    self.original_title = version.original_title
    self.translated_description = version.translated_description
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -1,4 +1,6 @@
 class Note < ActiveRecord::Base
+  class RevertError < Exception ; end
+
  attr_accessor :updater_id, :updater_ip_addr, :html_id
  belongs_to :post
  belongs_to :creator, :class_name => "User"
@@ -204,6 +206,10 @@ class Note < ActiveRecord::Base
  end

  def revert_to(version)
+    if id != version.note_id
+      raise RevertError.new("You cannot revert to a previous version of another note.")
+    end
+
    self.x = version.x
    self.y = version.y
    self.post_id = version.post_id
--- a/app/models/pool.rb
+++ b/app/models/pool.rb
@@ -1,6 +1,8 @@
 require 'ostruct'

 class Pool < ActiveRecord::Base
+  class RevertError < Exception ; end
+
  validates_uniqueness_of :name, :case_sensitive => false
  validates_format_of :name, :with => /\A[^,]+\Z/, :message => "cannot have commas"
  validates_inclusion_of :category, :in => %w(series collection)
@@ -194,6 +196,10 @@ class Pool < ActiveRecord::Base
  end

  def revert_to!(version)
+    if id != version.pool_id
+      raise RevertError.new("You cannot revert to a previous version of another pool.")
+    end
+
    self.post_ids = version.post_ids
    self.name = version.name
    synchronize!
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -4,6 +4,7 @@ require 'google/apis/pubsub_v1'
 class Post < ActiveRecord::Base
  class ApprovalError < Exception ; end
  class DisapprovalError < Exception ; end
+  class RevertError < Exception ; end
  class SearchError < Exception ; end

  attr_accessor :old_tag_string, :old_parent_id, :old_source, :old_rating, :has_constraints, :disable_versioning, :view_count
@@ -1390,6 +1391,10 @@ class Post < ActiveRecord::Base
    end

    def revert_to(target)
+      if id != target.post_id
+        raise RevertError.new("You cannot revert to a previous version of another post.")
+      end
+
      self.tag_string = target.tags
      self.rating = target.rating
      self.source = target.source
--- a/app/models/wiki_page.rb
+++ b/app/models/wiki_page.rb
@@ -1,4 +1,6 @@
 class WikiPage < ActiveRecord::Base
+  class RevertError < Exception ; end
+
  before_save :normalize_title
  before_save :normalize_other_names
  before_validation :initialize_creator, :on => :create
@@ -127,6 +129,10 @@ class WikiPage < ActiveRecord::Base
  end

  def revert_to(version)
+    if id != version.wiki_page_id
+      raise RevertError.new("You cannot revert to a previous version of another wiki page.")
+    end
+
    self.title = version.title
    self.body = version.body
    self.is_locked = version.is_locked