@title = t 'diary_entry.new.title'
if params[:diary_entry]
- @diary_entry = DiaryEntry.new(params[:diary_entry])
+ @diary_entry = DiaryEntry.new(entry_params)
@diary_entry.user = @user
if @diary_entry.save
if @user != @diary_entry.user
redirect_to :controller => 'diary_entry', :action => 'view', :id => params[:id]
- elsif params[:diary_entry] and @diary_entry.update_attributes(params[:diary_entry])
+ elsif params[:diary_entry] and @diary_entry.update_attributes(entry_params)
redirect_to :controller => 'diary_entry', :action => 'view', :id => params[:id]
end
def comment
@entry = DiaryEntry.find(params[:id])
- @diary_comment = @entry.comments.build(params[:diary_comment])
+ @diary_comment = @entry.comments.build(comment_params)
@diary_comment.user = @user
if @diary_comment.save
if @diary_comment.user != @entry.user
def hide
entry = DiaryEntry.find(params[:id])
- entry.update_attributes({:visible => false}, :without_protection => true)
+ entry.update_attributes(:visible => false)
redirect_to :action => "list", :display_name => entry.user.display_name
end
def hidecomment
comment = DiaryComment.find(params[:comment])
- comment.update_attributes({:visible => false}, :without_protection => true)
+ comment.update_attributes(:visible => false)
redirect_to :action => "view", :display_name => comment.diary_entry.user.display_name, :id => comment.diary_entry.id
end
@page = (params[:page] || 1).to_i
end
private
+ ##
+ # return permitted diary entry parameters
+ def entry_params
+ params.require(:diary_entry).permit(:title, :body, :language_code, :latitude, :longitude)
+ end
+
+ ##
+ # return permitted diary comment parameters
+ def comment_params
+ params.require(:diary_comment).permit(:body)
+ end
+
##
# require that the user is a administrator, or fill out a helpful error message
# and return them to the user page.
if @user.sent_messages.where("sent_on >= ?", Time.now.getutc - 1.hour).count >= MAX_MESSAGES_PER_HOUR
flash[:error] = t 'message.new.limit_exceeded'
else
- @message = Message.new(params[:message])
+ @message = Message.new(message_params)
@message.to_user_id = @this_user.id
@message.from_user_id = @user.id
@message.sent_on = Time.now.getutc
@title = t'message.no_such_message.title'
render :action => 'no_such_message', :status => :not_found
end
+private
+ ##
+ # return permitted message parameters
+ def message_params
+ params.require(:message).permit(:title, :body)
+ end
end
attributes[:author_ip] = request.remote_ip
end
- comment = note.comments.create(attributes, :without_protection => true)
+ comment = note.comments.create(attributes)
note.comments.map { |c| c.author }.uniq.each do |user|
if notify and user and user != @user
end
def create
- @client_application = @user.client_applications.build(params[:client_application])
+ @client_application = @user.client_applications.build(application_params)
if @client_application.save
flash[:notice] = t'oauth_clients.create.flash'
redirect_to :action => "show", :id => @client_application.id
def update
@client_application = @user.client_applications.find(params[:id])
- if @client_application.update_attributes(params[:client_application])
+ if @client_application.update_attributes(application_params)
flash[:notice] = t'oauth_clients.update.flash'
redirect_to :action => "show", :id => @client_application.id
else
flash[:notice] = t'oauth_clients.destroy.flash'
redirect_to :action => "index"
end
+private
+ def application_params
+ params.require(:client_application).permit(:name, :url, :callback_url, :support_url, ClientApplication.all_permissions)
+ end
end
@trace.errors.add(:gpx_file, "can't be blank")
end
else
- @trace = Trace.new({:visibility => default_visibility}, :without_protection => true)
+ @trace = Trace.new(:visibility => default_visibility)
end
@title = t 'trace.create.upload_trace'
# Create the trace object, falsely marked as already
# inserted to stop the import daemon trying to load it
- @trace = Trace.new({
+ @trace = Trace.new(
:name => name,
:tagstring => tags,
:description => description,
:inserted => true,
:user => @user,
:timestamp => Time.now.getutc
- }, :without_protection => true)
+ )
Trace.transaction do
begin
def create
if @valid_params
- @user_block = UserBlock.new({
+ @user_block = UserBlock.new(
:user_id => @this_user.id,
:creator_id => @user.id,
:reason => params[:user_block][:reason],
:ends_at => Time.now.getutc() + @block_period.hours,
:needs_view => params[:user_block][:needs_view]
- }, :without_protection => true)
+ )
if @user_block.save
flash[:notice] = t('user_block.create.flash', :name => @this_user.display_name)
if @user_block.creator_id != @user.id
flash[:error] = t('user_block.update.only_creator_can_edit')
redirect_to :action => "edit"
- elsif @user_block.update_attributes({
+ elsif @user_block.update_attributes(
:ends_at => Time.now.getutc() + @block_period.hours,
:reason => params[:user_block][:reason],
:needs_view => params[:user_block][:needs_view]
- }, :without_protection => true)
+ )
flash[:notice] = t('user_block.update.success')
redirect_to(@user_block)
else
else
session[:referer] = params[:referer]
- @user = User.new(params[:user])
+ @user = User.new(user_params)
@user.status = "pending"
if @user.openid_url.present? && @user.pass_crypt.empty?
# it's .now so that this doesn't propagate to other pages.
flash.now[:skip_terms] = true
end
+
+ ##
+ # return permitted user parameters
+ def user_params
+ params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation)
+ end
end
before_filter :in_role, :only => [:revoke]
def grant
- @this_user.roles.create({
- :role => @role, :granter_id => @user.id
- }, :without_protection => true)
+ @this_user.roles.create(:role => @role, :granter_id => @user.id)
redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name
end
validates_format_of :support_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
validates_format_of :callback_url, :with => /\A[a-z][a-z0-9.+-]*:\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
- attr_accessible :name, :url, :support_url, :callback_url,
- :allow_read_prefs, :allow_write_prefs,
- :allow_write_diary, :allow_write_api,
- :allow_read_gpx, :allow_write_gpx,
- :allow_write_notes
-
before_validation :generate_keys, :on => :create
attr_accessor :token_callback_url
permissions.each do |p|
params[p] = true
end
- RequestToken.create(params, :without_protection => true)
+ RequestToken.create(params)
end
def access_token_for_user(user)
params[p] = true
end
- token = access_tokens.create(params, :without_protection => true)
+ token = access_tokens.create(params)
end
token
validates_presence_of :body
validates_associated :diary_entry
- attr_accessible :body
-
after_initialize :set_defaults
after_save :spam_check
:greater_than_or_equal_to => -180, :less_than_or_equal_to => 180
validates_associated :language
- attr_accessible :title, :body, :language_code, :latitude, :longitude
-
after_initialize :set_defaults
after_save :spam_check
validates_inclusion_of :message_read, :in => [ true, false ]
validates_as_utf8 :title
- attr_accessible :title, :body
-
after_initialize :set_defaults
def self.from_mail(mail, from, to)
body = mail.decoded
end
- message = Message.new({
+ message = Message.new(
:sender => from,
:recipient => to,
:sent_on => mail.date.new_offset(0),
:title => mail.subject.sub(/\[OpenStreetMap\] */, ""),
:body => body,
:body_format => "text"
- }, :without_protection => true)
+ )
end
def body
validates_inclusion_of :status, :in => ["open", "closed", "hidden"]
validate :validate_position
- attr_accessible :lat, :lon
-
after_initialize :set_defaults
# Sanity check the latitude and longitude and add an error if it's broken
validates_presence_of :nonce, :timestamp
validates_uniqueness_of :nonce, :scope => :timestamp
- attr_accessible :nonce, :timestamp
-
# Remembers a nonce and it's associated timestamp. It returns false if it has already been used
def self.remember(nonce, timestamp)
oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
end
def invalidate!
- update_attributes({
- :invalidated_at => Time.now
- }, :without_protection => true)
+ update_attributes(:invalidated_at => Time.now)
end
def authorized?
params[p] = read_attribute(p)
}
- access_token = AccessToken.create(params, :without_protection => true)
+ access_token = AccessToken.create(params)
invalidate!
access_token
end
validates_format_of :tag, :with => /\A[^\/;.,?]*\z/
validates_length_of :tag, :within => 1..255
- attr_accessible :tag
-
belongs_to :trace, :foreign_key => 'gpx_id'
end
validates_numericality_of :home_zoom, :only_integer => true, :allow_nil => true
validates_inclusion_of :preferred_editor, :in => Editors::ALL_EDITORS, :allow_nil => true
- attr_accessible :display_name, :email, :email_confirmation, :openid_url,
- :pass_crypt, :pass_crypt_confirmation, :consider_pd,
- :image_use_gravatar
-
after_initialize :set_defaults
before_save :encrypt_password
after_save :spam_check
end
def encrypt_password
+logger.info "XXX"
if pass_crypt_confirmation
+logger.info "YYY"
self.pass_crypt, self.pass_salt = PasswordHash.create(pass_crypt)
self.pass_crypt_confirmation = nil
end
# revokes the block, allowing the user to use the API again. the argument
# is the user object who is revoking the ban.
def revoke!(revoker)
- update_attributes({
+ update_attributes(
:ends_at => Time.now.getutc(),
:revoker_id => revoker.id,
:needs_view => false
- }, :without_protection => true)
+ )
end
private
validates_length_of :k, :within => 1..255
validates_length_of :v, :within => 1..255
- attr_accessible :k, :v
-
# Turn this Node in to an XML Node without the <osm> wrapper.
def to_xml_node
el1 = XML::Node.new 'preference'
class UserToken < ActiveRecord::Base
belongs_to :user
- attr_accessible :referer
-
after_initialize :set_defaults
def expired?
assert_response :success
# now block the user
- UserBlock.create({
+ UserBlock.create(
:user_id => blocked_user.id,
:creator_id => users(:moderator_user).id,
:reason => "testing",
:ends_at => Time.now.getutc + 5.minutes
- }, :without_protection => true)
+ )
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
end
blocked_user = users(:public_user)
moderator = users(:moderator_user)
- block = UserBlock.create({
+ block = UserBlock.create(
:user_id => blocked_user.id,
:creator_id => moderator.id,
:reason => "testing",
:ends_at => Time.now.getutc + 5.minutes
- }, :without_protection => true)
+ )
get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test")
assert_response :forbidden
private
def diary_entry_valid(attrs, result = true)
- entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes, :without_protection => true)
- entry.assign_attributes(attrs, :without_protection => true)
+ entry = DiaryEntry.new(diary_entries(:normal_user_entry_1).attributes)
+ entry.assign_attributes(attrs)
assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
end
end
# Check that you can create a node and store it
def test_create
- node_template = Node.new({
+ node_template = Node.new(
:latitude => 12.3456,
:longitude => 65.4321,
:changeset_id => changesets(:normal_user_first_change).id,
:visible => 1,
:version => 1
- }, :without_protection => true)
+ )
assert node_template.create_with_history(users(:normal_user))
node = Node.find(node_template.id)
##
# check that an authorized token is authorised and can be invalidated
def test_token_authorisation
- tok = RequestToken.create({
- :client_application => client_applications(:oauth_web_app)
- }, :without_protection => true)
+ tok = RequestToken.create(:client_application => client_applications(:oauth_web_app))
assert_equal false, tok.authorized?, "Token should be created unauthorised."
tok.authorize!(users(:public_user))
assert_equal true, tok.authorized?, "Token should now be authorised."
end
def trace_valid(attrs, result = true)
- entry = Trace.new(gpx_files(:public_trace_file).attributes, :without_protection => true)
- entry.assign_attributes(attrs, :without_protection => true)
+ entry = Trace.new(gpx_files(:public_trace_file).attributes)
+ entry.assign_attributes(attrs)
assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
end
end
private
def tracetag_valid(attrs, result = true)
- entry = Tracetag.new(gpx_file_tags(:first_trace_1).attributes, :without_protection => true)
- entry.assign_attributes(attrs, :without_protection => true)
+ entry = Tracetag.new(gpx_file_tags(:first_trace_1).attributes)
+ entry.assign_attributes(attrs)
assert_equal result, entry.valid?, "Expected #{attrs.inspect} to be #{result}"
end
end
end
def test_unique_email
- new_user = User.new({
+ new_user = User.new(
:email => users(:normal_user).email,
:status => "active",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => "new user",
:data_public => 1,
:description => "desc"
- }, :without_protection => true)
+ )
assert !new_user.save
assert new_user.errors[:email].include?("has already been taken")
end
def test_unique_display_name
- new_user = User.new({
+ new_user = User.new(
:email => "tester@openstreetmap.org",
:status => "pending",
:pass_crypt => Digest::MD5.hexdigest('test'),
:display_name => users(:normal_user).display_name,
:data_public => 1,
:description => "desc"
- }, :without_protection => true)
+ )
assert !new_user.save
assert new_user.errors[:display_name].include?("has already been taken")
end
projects / rails.git / commitdiff