Make app works with strong params

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 2acde87e
......@@ -13,7 +13,7 @@ def show
end
def new
@user = User.build_user
@user = User.new
end
def edit
......@@ -37,15 +37,12 @@ def unblock
end
def create
admin = user_params.delete("admin")
opts = {
force_random_password: true,
password_expires_at: Time.now
}
@user = User.build_user(user_params.merge(opts), as: :admin)
@user.admin = (admin && admin.to_i > 0)
@user = User.new(user_params.merge(opts))
@user.created_by_id = current_user.id
@user.generate_password
@user.skip_confirmation!
......@@ -62,19 +59,15 @@ def create
end
def update
admin = user_params.delete("admin")
if user_params[:password].blank?
user_params.delete(:password)
user_params.delete(:password_confirmation)
end
if admin.present?
user.admin = !admin.to_i.zero?
if params[:user][:password].present?
user_params.merge(
password: params[:user][:password],
password_confirmation: params[:user][:password_confirmation],
)
end
respond_to do |format|
if user.update_attributes(user_params, as: :admin)
if user.update_attributes(user_params)
user.confirm!
format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
format.json { head :ok }
......@@ -118,10 +111,10 @@ def user
def user_params
params.require(:user).permit(
:email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
:email, :remember_me, :bio, :name, :username,
:skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
:extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
:projects_limit, :can_create_group,
:projects_limit, :can_create_group, :admin
)
end
end
......@@ -7,7 +7,7 @@ def index
end
def create
@email = current_user.emails.new(params[:email])
@email = current_user.emails.new(email_params)
flash[:alert] = @email.errors.full_messages.first unless @email.save
......@@ -23,4 +23,10 @@ def destroy
format.js { render nothing: true }
end
end
private
def email_params
params.require(:email).permit(:email)
end
end
......@@ -14,7 +14,7 @@ def design
end
def update
user_params.delete(:email) if @user.ldap_user?
user_params.except!(:email) if @user.ldap_user?
if @user.update_attributes(user_params)
flash[:notice] = "Profile was successfully updated"
......
......@@ -22,7 +22,7 @@ def new
end
def create
@key = DeployKey.new(params[:deploy_key])
@key = DeployKey.new(deploy_key_params)
if @key.valid? && @project.deploy_keys << @key
redirect_to project_deploy_keys_path(@project)
......@@ -58,4 +58,8 @@ def disable
def available_keys
@available_keys ||= current_user.accessible_deploy_keys
end
def deploy_key_params
params.require(:deploy_key).permit(:key, :title)
end
end
......@@ -61,13 +61,13 @@ class << self
def create_status_change_note(noteable, project, author, status, source)
body = "_Status changed to #{status}#{' by ' + source.gfm_reference if source}_"
create({
create(
noteable: noteable,
project: project,
author: author,
note: body,
system: true
}, without_protection: true)
)
end
# +noteable+ was referenced from +mentioner+, by including GFM in either +mentioner+'s description or an associated Note.
......@@ -86,7 +86,7 @@ def create_cross_reference_note(noteable, mentioner, author, project)
note_options.merge!(noteable: noteable)
end
create(note_options, without_protection: true)
create(note_options)
end
def create_milestone_change_note(noteable, project, author, milestone)
......@@ -96,13 +96,13 @@ def create_milestone_change_note(noteable, project, author, milestone)
"_Milestone changed to #{milestone.title}_"
end
create({
create(
noteable: noteable,
project: project,
author: author,
note: body,
system: true
}, without_protection: true)
)
end
def create_assignee_change_note(noteable, project, author, assignee)
......@@ -114,7 +114,7 @@ def create_assignee_change_note(noteable, project, author, assignee)
author: author,
note: body,
system: true
}, without_protection: true)
})
end
def discussions_from_notes(notes)
......
......@@ -27,14 +27,17 @@
class Project < ActiveRecord::Base
include Gitlab::ShellAdapter
include Gitlab::VisibilityLevel
include Gitlab::ConfigHelper
extend Gitlab::ConfigHelper
extend Enumerize
default_value_for :archived, false
default_value_for :issues_enabled, true
default_value_for :merge_requests_enabled, true
default_value_for :wiki_enabled, true
default_value_for :visibility_level, gitlab_config_features.visibility_level
default_value_for :issues_enabled, gitlab_config_features.issues
default_value_for :merge_requests_enabled, gitlab_config_features.merge_requests
default_value_for :wiki_enabled, gitlab_config_features.wiki
default_value_for :wall_enabled, false
default_value_for :snippets_enabled, true
default_value_for :snippets_enabled, gitlab_config_features.snippets
ActsAsTaggableOn.strict_case_match = true
......@@ -249,7 +252,7 @@ def to_param
end
def web_url
[Gitlab.config.gitlab.url, path_with_namespace].join("/")
[gitlab_config.url, path_with_namespace].join("/")
end
def web_url_without_protocol
......@@ -470,7 +473,7 @@ def ssh_url_to_repo
end
def http_url_to_repo
[Gitlab.config.gitlab.url, "/", path_with_namespace, ".git"].join('')
[gitlab_config.url, "/", path_with_namespace, ".git"].join('')
end
# Check if current branch name is marked as protected in the system
......
......@@ -50,10 +50,15 @@
require 'file_size_validator'
class User < ActiveRecord::Base
include Gitlab::ConfigHelper
extend Gitlab::ConfigHelper
default_value_for :admin, false
default_value_for :can_create_group, true
default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false
default_value_for :projects_limit, gitlab_config.default_projects_limit
default_value_for :theme_id, gitlab_config.default_theme
devise :database_authenticatable, :token_authenticatable, :lockable, :async,
:recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
......@@ -211,20 +216,8 @@ def by_username_or_id(name_or_id)
where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
end
def build_user(attrs = {}, options= {})
if options[:as] == :admin
User.new(defaults.merge(attrs.symbolize_keys), options)
else
User.new(attrs, options).with_defaults
end
end
def defaults
{
projects_limit: Gitlab.config.gitlab.default_projects_limit,
can_create_group: Gitlab.config.gitlab.default_can_create_group,
theme_id: Gitlab.config.gitlab.default_theme
}
def build_user(attrs = {})
User.new(attrs)
end
end
......@@ -302,7 +295,7 @@ def require_ssh_key?
end
def can_change_username?
Gitlab.config.gitlab.username_changing_enabled
gitlab_config.username_changing_enabled
end
def can_create_project?
......@@ -477,7 +470,7 @@ def public_profile?
def avatar_url(size = nil)
if avatar.present?
URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
URI::join(gitlab_config.url, avatar.url).to_s
else
GravatarService.new.execute(email, size)
end
......
module Issues
class UpdateService < Issues::BaseService
def execute(issue)
state = params.delete('state_event') || params.delete(:state_event)
state = params[:state_event]
case state
when 'reopen'
......@@ -10,7 +10,7 @@ def execute(issue)
Issues::CloseService.new(project, current_user, {}).execute(issue)
end
if params.present? && issue.update_attributes(params)
if params.present? && issue.update_attributes(params.except(:state_event))
issue.reset_events_cache
if issue.previous_changes.include?('milestone_id')
......
......@@ -7,10 +7,10 @@ class UpdateService < MergeRequests::BaseService
def execute(merge_request)
# We dont allow change of source/target projects
# after merge request was created
params.delete(:source_project_id)
params.delete(:target_project_id)
params.except!(:source_project_id)
params.except!(:target_project_id)
state = params.delete('state_event') || params.delete(:state_event)
state = params[:state_event]
case state
when 'reopen'
......@@ -19,7 +19,7 @@ def execute(merge_request)
MergeRequests::CloseService.new(project, current_user, {}).execute(merge_request)
end
if params.present? && merge_request.update_attributes(params)
if params.present? && merge_request.update_attributes(params.except(:state_event))
merge_request.reset_events_cache
if merge_request.previous_changes.include?('milestone_id')
......
module Milestones
class UpdateService < Milestones::BaseService
def execute(milestone)
state = params.delete('state_event') || params.delete(:state_event)
state = params[:state_event]
case state
when 'activate'
......@@ -11,7 +11,7 @@ def execute(milestone)
end
if params.present?
milestone.update_attributes(params)
milestone.update_attributes(params.except(:state_event))
end
milestone
......
......@@ -5,27 +5,13 @@ def initialize(user, params)
end
def execute
# get namespace id
namespace_id = params.delete(:namespace_id)
@project = Project.new(params)
# check that user is allowed to set specified visibility_level
# Reset visibility levet if is not allowed to set it
unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
params.delete(:visibility_level)
@project.visibility_level = default_features.visibility_level
end
# Load default feature settings
default_features = Gitlab.config.gitlab.default_projects_features
default_opts = {
issues_enabled: default_features.issues,
wiki_enabled: default_features.wiki,
snippets_enabled: default_features.snippets,
merge_requests_enabled: default_features.merge_requests,
visibility_level: default_features.visibility_level
}.stringify_keys
@project = Project.new(default_opts.merge(params))
# Parametrize path for project
#
# Ex.
......@@ -33,13 +19,14 @@ def execute
#
@project.path = @project.name.dup.parameterize unless @project.path.present?
# get namespace id
namespace_id = params[:namespace_id]
if namespace_id
# Find matching namespace and check if it allowed
# for current user if namespace_id passed.
if allowed_namespace?(current_user, namespace_id)
@project.namespace_id = namespace_id
else
unless allowed_namespace?(current_user, namespace_id)
@project.namespace_id = nil
deny_namespace
return @project
end
......
......@@ -12,7 +12,7 @@ class TransferService < BaseService
class TransferError < StandardError; end
def execute
namespace_id = params.delete(:namespace_id)
namespace_id = params[:namespace_id]
namespace = Namespace.find_by(id: namespace_id)
if allowed_transfer?(current_user, project, namespace)
......
module Projects
class UpdateService < BaseService
def execute
params.delete(:namespace_id)
# check that user is allowed to set specified visibility_level
unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
params.delete(:visibility_level)
params[:visibility_level] = project.visibility_level
end
new_branch = params.delete(:default_branch)
new_branch = params[:default_branch]
if project.repository.exists? && new_branch && new_branch != project.default_branch
project.change_head(new_branch)
end
if project.update_attributes(params)
if project.previous_changes.include?('namespace_id')
project.send_move_instructions
end
if project.update_attributes(params.except(:default_branch))
if project.previous_changes.include?('path')
project.rename_repo
end
......
......@@ -98,10 +98,14 @@ def required_attributes!(keys)
def attributes_for_keys(keys)
attrs = {}
keys.each do |key|
attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
if params[key].present? or (params.has_key?(key) and params[key] == false)
attrs[key] = params[key]
end
end
attrs
ActionController::Parameters.new(attrs).permit!
end
# error helpers
......
......@@ -59,7 +59,7 @@ class Users < Grape::API
authenticated_as_admin!
required_attributes! [:email, :password, :name, :username]
attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
user = User.build_user(attrs, as: :admin)
user = User.build_user(attrs)
admin = attrs.delete(:admin)
user.admin = admin unless admin.nil?
if user.save
......
module Gitlab::ConfigHelper
def gitlab_config_features
Gitlab.config.gitlab.default_projects_features
end
def gitlab_config
Gitlab.config.gitlab
end
end
......@@ -27,7 +27,7 @@ def create(auth)
password_confirmation: password,
}
user = model.build_user(opts, as: :admin)
user = model.build_user(opts)
user.skip_confirmation!
# Services like twitter and github does not return email via oauth
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment