Require any attribute that is going to be mass assigned to be
whitelisted, and whitelist those attributes which need it
19 files changed:
@trace.errors.add(:gpx_file, "can't be blank")
end
else
@trace.errors.add(:gpx_file, "can't be blank")
end
else
- @trace = Trace.new(:visibility => default_visibility)
+ @trace = Trace.new({:visibility => default_visibility}, :without_protection => true)
end
@title = t 'trace.create.upload_trace'
end
@title = t 'trace.create.upload_trace'
:inserted => true,
:user => @user,
:timestamp => Time.now.getutc
:inserted => true,
:user => @user,
:timestamp => Time.now.getutc
+ }, :without_protection => true)
Trace.transaction do
begin
Trace.transaction do
begin
around_filter :setup_nonce
def grant
around_filter :setup_nonce
def grant
- @this_user.roles.create(:role => @role, :granter_id => @user.id)
+ @this_user.roles.create({
+ :role => @role, :granter_id => @user.id
+ }, :without_protection => true)
redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name
end
redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name
end
validates_format_of :support_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
validates_format_of :callback_url, :with => /\A[a-z][a-z0-9.+-]*:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
validates_format_of :support_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
validates_format_of :callback_url, :with => /\A[a-z][a-z0-9.+-]*:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
+ attr_accessible :name, :url, :support_url, :callback_url,
+ :allow_read_prefs, :allow_write_prefs,
+ :allow_write_diary, :allow_write_api,
+ :allow_read_gpx, :allow_write_gpx
+
before_validation :generate_keys, :on => :create
attr_accessor :token_callback_url
before_validation :generate_keys, :on => :create
attr_accessor :token_callback_url
permissions.each do |p|
params[p] = true
end
permissions.each do |p|
params[p] = true
end
- RequestToken.create(params)
+ RequestToken.create(params, :without_protection => true)
end
def access_token_for_user(user)
end
def access_token_for_user(user)
- token = access_tokens.create(params)
+ token = access_tokens.create(params, :without_protection => true)
validates_presence_of :body
validates_associated :diary_entry
validates_presence_of :body
validates_associated :diary_entry
+ attr_accessible :body
+
def digest
md5 = Digest::MD5.new
md5 << diary_entry_id.to_s
def digest
md5 = Digest::MD5.new
md5 << diary_entry_id.to_s
validates_numericality_of :longitude, :allow_nil => true,
:greater_than_or_equal_to => -180, :less_than_or_equal_to => 180
validates_associated :language
validates_numericality_of :longitude, :allow_nil => true,
:greater_than_or_equal_to => -180, :less_than_or_equal_to => 180
validates_associated :language
+
+ attr_accessible :title, :body, :language_code, :latitude, :longitude
validates_inclusion_of :message_read, :in => [ true, false ]
validates_as_utf8 :title
validates_inclusion_of :message_read, :in => [ true, false ]
validates_as_utf8 :title
+ attr_accessible :title, :body
+
def digest
md5 = Digest::MD5.new
md5 << from_user_id.to_s
def digest
md5 = Digest::MD5.new
md5 << from_user_id.to_s
class OauthNonce < ActiveRecord::Base
validates_presence_of :nonce, :timestamp
validates_uniqueness_of :nonce, :scope => :timestamp
class OauthNonce < ActiveRecord::Base
validates_presence_of :nonce, :timestamp
validates_uniqueness_of :nonce, :scope => :timestamp
+
+ attr_accessible :nonce, :timestamp
+
# Remembers a nonce and it's associated timestamp. It returns false if it has already been used
def self.remember(nonce, timestamp)
oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
# Remembers a nonce and it's associated timestamp. It returns false if it has already been used
def self.remember(nonce, timestamp)
oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
params[p] = read_attribute(p)
}
params[p] = read_attribute(p)
}
- access_token = AccessToken.create(params)
+ access_token = AccessToken.create(params, :without_protection => true)
invalidate!
access_token
end
invalidate!
access_token
end
validates_format_of :tag, :with => /^[^\/;.,?]*$/
validates_length_of :tag, :within => 1..255
validates_format_of :tag, :with => /^[^\/;.,?]*$/
validates_length_of :tag, :within => 1..255
belongs_to :trace, :foreign_key => 'gpx_id'
end
belongs_to :trace, :foreign_key => 'gpx_id'
end
validates_numericality_of :home_zoom, :only_integer => true, :allow_nil => true
validates_inclusion_of :preferred_editor, :in => Editors::ALL_EDITORS, :allow_nil => true
validates_numericality_of :home_zoom, :only_integer => true, :allow_nil => true
validates_inclusion_of :preferred_editor, :in => Editors::ALL_EDITORS, :allow_nil => true
+ attr_accessible :display_name, :email, :email_confirmation, :openid_url,
+ :pass_crypt, :pass_crypt_confirmation, :consider_pd
+
after_initialize :set_creation_time
before_save :encrypt_password
after_initialize :set_creation_time
before_save :encrypt_password
# revokes the block, allowing the user to use the API again. the argument
# is the user object who is revoking the ban.
def revoke!(revoker)
# revokes the block, allowing the user to use the API again. the argument
# is the user object who is revoking the ban.
def revoke!(revoker)
- update_attributes({ :ends_at => Time.now.getutc(),
- :revoker_id => revoker.id,
- :needs_view => false })
+ update_attributes({
+ :ends_at => Time.now.getutc(),
+ :revoker_id => revoker.id,
+ :needs_view => false
+ }, :without_protection => true)
class UserToken < ActiveRecord::Base
belongs_to :user
class UserToken < ActiveRecord::Base
belongs_to :user
+ attr_accessible :referer
+
after_initialize :set_defaults
private
after_initialize :set_defaults
private
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- # config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = true
# Enable the asset pipeline
config.assets.enabled = true
# Enable the asset pipeline
config.assets.enabled = true
-message = Message.new(:sender => from, :recipient => to,
- :sent_on => mail.date.new_offset(0),
- :title => mail.subject.sub(/\[OpenStreetMap\] */, ""),
- :body => body.decoded)
+message = Message.new({
+ :sender => from,
+ :recipient => to,
+ :sent_on => mail.date.new_offset(0),
+ :title => mail.subject.sub(/\[OpenStreetMap\] */, ""),
+ :body => body.decoded
+}, :without_protection => true)
message.save!
Notifier.message_notification(message).deliver
message.save!
Notifier.message_notification(message).deliver
assert_response :success
# now block the user
assert_response :success
# now block the user
- UserBlock.create(:user_id => blocked_user.id,
- :creator_id => users(:moderator_user).id,
- :reason => "testing",
- :ends_at => Time.now.getutc + 5.minutes)
+ UserBlock.create({
+ :user_id => blocked_user.id,
+ :creator_id => users(:moderator_user).id,
+ :reason => "testing",
+ :ends_at => Time.now.getutc + 5.minutes
+ }, :without_protection => true)
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
end
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
end
blocked_user = users(:public_user)
moderator = users(:moderator_user)
blocked_user = users(:public_user)
moderator = users(:moderator_user)
- block = UserBlock.create(:user_id => blocked_user.id,
- :creator_id => moderator.id,
- :reason => "testing",
- :ends_at => Time.now.getutc + 5.minutes)
+ block = UserBlock.create({
+ :user_id => blocked_user.id,
+ :creator_id => moderator.id,
+ :reason => "testing",
+ :ends_at => Time.now.getutc + 5.minutes
+ }, :without_protection => true)
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
end
def diary_entry_valid(attrs, result = true)
end
def diary_entry_valid(attrs, result = true)
- entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes)
- entry.attributes = attrs
+ entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes, :without_protection => true)
+ entry.assign_attributes(attrs, :without_protection => true)
assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
end
end
assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
end
end
# Check that you can create a node and store it
def test_create
# Check that you can create a node and store it
def test_create
- node_template = Node.new(:latitude => 12.3456,
- :longitude => 65.4321,
- :changeset_id => changesets(:normal_user_first_change).id,
- :visible => 1,
- :version => 1)
+ node_template = Node.new({
+ :latitude => 12.3456,
+ :longitude => 65.4321,
+ :changeset_id => changesets(:normal_user_first_change).id,
+ :visible => 1,
+ :version => 1
+ }, :without_protection => true)
assert node_template.create_with_history(users(:normal_user))
node = Node.find(node_template.id)
assert node_template.create_with_history(users(:normal_user))
node = Node.find(node_template.id)
##
# check that an authorized token is authorised and can be invalidated
def test_token_authorisation
##
# check that an authorized token is authorised and can be invalidated
def test_token_authorisation
- tok = RequestToken.create :client_application => client_applications(:oauth_web_app)
+ tok = RequestToken.create({
+ :client_application => client_applications(:oauth_web_app)
+ }, :without_protection => true)
assert_equal false, tok.authorized?, "Token should be created unauthorised."
tok.authorize!(users(:public_user))
assert_equal true, tok.authorized?, "Token should now be authorised."
assert_equal false, tok.authorized?, "Token should be created unauthorised."
tok.authorize!(users(:public_user))
assert_equal true, tok.authorized?, "Token should now be authorised."
end
def test_unique_email
end
def test_unique_email
- new_user = User.new(:email => users(:normal_user).email,
+ new_user = User.new({
+ :email => users(:normal_user).email,
:status => "active",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => "new user",
:data_public => 1,
:status => "active",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => "new user",
:data_public => 1,
- :description => "desc")
+ :description => "desc"
+ }, :without_protection => true)
assert !new_user.save
assert new_user.errors[:email].include?("has already been taken")
end
def test_unique_display_name
assert !new_user.save
assert new_user.errors[:email].include?("has already been taken")
end
def test_unique_display_name
- new_user = User.new(:email => "tester@openstreetmap.org",
+ new_user = User.new({
+ :email => "tester@openstreetmap.org",
:status => "pending",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => users(:normal_user).display_name,
:data_public => 1,
:status => "pending",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => users(:normal_user).display_name,
:data_public => 1,
- :description => "desc")
+ :description => "desc"
+ }, :without_protection => true)
assert !new_user.save
assert new_user.errors[:display_name].include?("has already been taken")
end
assert !new_user.save
assert new_user.errors[:display_name].include?("has already been taken")
end