Description:
NEED TESTING
move to stronger parameter for xxx.new(params[
Commit status:
[Not Reviewed]
References:
Diff options:
Comments:
0 Commit comments
0 Inline Comments
Unresolved TODOs:
There are no unresolved TODOs
Author
-
r637:d56b2e7de528 - - 4 files changed: 9 inserted, 5 deleted
| @@ -24,49 +24,49 | |||
|
|
24 | 24 | format.html # show.html.erb |
|
|
25 | 25 | format.xml { render :xml => @announcement } |
|
|
26 | 26 | end |
|
|
27 | 27 | end |
|
|
28 | 28 | |
|
|
29 | 29 | # GET /announcements/new |
|
|
30 | 30 | # GET /announcements/new.xml |
|
|
31 | 31 | def new |
|
|
32 | 32 | @announcement = Announcement.new |
|
|
33 | 33 | |
|
|
34 | 34 | respond_to do |format| |
|
|
35 | 35 | format.html # new.html.erb |
|
|
36 | 36 | format.xml { render :xml => @announcement } |
|
|
37 | 37 | end |
|
|
38 | 38 | end |
|
|
39 | 39 | |
|
|
40 | 40 | # GET /announcements/1/edit |
|
|
41 | 41 | def edit |
|
|
42 | 42 | @announcement = Announcement.find(params[:id]) |
|
|
43 | 43 | end |
|
|
44 | 44 | |
|
|
45 | 45 | # POST /announcements |
|
|
46 | 46 | # POST /announcements.xml |
|
|
47 | 47 | def create |
|
|
48 |
- @announcement = Announcement.new( |
|
|
|
48 | + @announcement = Announcement.new(announcement_params) | |
|
|
49 | 49 | |
|
|
50 | 50 | respond_to do |format| |
|
|
51 | 51 | if @announcement.save |
|
|
52 | 52 | flash[:notice] = 'Announcement was successfully created.' |
|
|
53 | 53 | format.html { redirect_to(@announcement) } |
|
|
54 | 54 | format.xml { render :xml => @announcement, :status => :created, :location => @announcement } |
|
|
55 | 55 | else |
|
|
56 | 56 | format.html { render :action => "new" } |
|
|
57 | 57 | format.xml { render :xml => @announcement.errors, :status => :unprocessable_entity } |
|
|
58 | 58 | end |
|
|
59 | 59 | end |
|
|
60 | 60 | end |
|
|
61 | 61 | |
|
|
62 | 62 | # PUT /announcements/1 |
|
|
63 | 63 | # PUT /announcements/1.xml |
|
|
64 | 64 | def update |
|
|
65 | 65 | @announcement = Announcement.find(params[:id]) |
|
|
66 | 66 | |
|
|
67 | 67 | respond_to do |format| |
|
|
68 | 68 | if @announcement.update_attributes(announcement_params) |
|
|
69 | 69 | flash[:notice] = 'Announcement was successfully updated.' |
|
|
70 | 70 | format.html { redirect_to(@announcement) } |
|
|
71 | 71 | format.js {} |
|
|
72 | 72 | format.xml { head :ok } |
| @@ -7,68 +7,68 | |||
|
|
7 | 7 | in_place_edit_for :problem, :full_name |
|
|
8 | 8 | in_place_edit_for :problem, :full_score |
|
|
9 | 9 | |
|
|
10 | 10 | def index |
|
|
11 | 11 | @problems = Problem.order(date_added: :desc) |
|
|
12 | 12 | end |
|
|
13 | 13 | |
|
|
14 | 14 | # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html) |
|
|
15 | 15 | verify :method => :post, :only => [ :create, :quick_create, |
|
|
16 | 16 | :do_manage, |
|
|
17 | 17 | :do_import, |
|
|
18 | 18 | ], |
|
|
19 | 19 | :redirect_to => { :action => :index } |
|
|
20 | 20 | |
|
|
21 | 21 | def show |
|
|
22 | 22 | @problem = Problem.find(params[:id]) |
|
|
23 | 23 | end |
|
|
24 | 24 | |
|
|
25 | 25 | def new |
|
|
26 | 26 | @problem = Problem.new |
|
|
27 | 27 | @description = nil |
|
|
28 | 28 | end |
|
|
29 | 29 | |
|
|
30 | 30 | def create |
|
|
31 |
- @problem = Problem.new( |
|
|
|
31 | + @problem = Problem.new(problem_params) | |
|
|
32 | 32 | @description = Description.new(params[:description]) |
|
|
33 | 33 | if @description.body!='' |
|
|
34 | 34 | if !@description.save |
|
|
35 | 35 | render :action => new and return |
|
|
36 | 36 | end |
|
|
37 | 37 | else |
|
|
38 | 38 | @description = nil |
|
|
39 | 39 | end |
|
|
40 | 40 | @problem.description = @description |
|
|
41 | 41 | if @problem.save |
|
|
42 | 42 | flash[:notice] = 'Problem was successfully created.' |
|
|
43 | 43 | redirect_to action: :index |
|
|
44 | 44 | else |
|
|
45 | 45 | render :action => 'new' |
|
|
46 | 46 | end |
|
|
47 | 47 | end |
|
|
48 | 48 | |
|
|
49 | 49 | def quick_create |
|
|
50 |
- @problem = Problem.new( |
|
|
|
50 | + @problem = Problem.new(problem_params) | |
|
|
51 | 51 | @problem.full_name = @problem.name if @problem.full_name == '' |
|
|
52 | 52 | @problem.full_score = 100 |
|
|
53 | 53 | @problem.available = false |
|
|
54 | 54 | @problem.test_allowed = true |
|
|
55 | 55 | @problem.output_only = false |
|
|
56 | 56 | @problem.date_added = Time.new |
|
|
57 | 57 | if @problem.save |
|
|
58 | 58 | flash[:notice] = 'Problem was successfully created.' |
|
|
59 | 59 | redirect_to action: :index |
|
|
60 | 60 | else |
|
|
61 | 61 | flash[:notice] = 'Error saving problem' |
|
|
62 | 62 | redirect_to action: :index |
|
|
63 | 63 | end |
|
|
64 | 64 | end |
|
|
65 | 65 | |
|
|
66 | 66 | def edit |
|
|
67 | 67 | @problem = Problem.find(params[:id]) |
|
|
68 | 68 | @description = @problem.description |
|
|
69 | 69 | end |
|
|
70 | 70 | |
|
|
71 | 71 | def update |
|
|
72 | 72 | @problem = Problem.find(params[:id]) |
|
|
73 | 73 | @description = @problem.description |
|
|
74 | 74 | if @description.nil? and params[:description][:body]!='' |
| @@ -26,49 +26,49 | |||
|
|
26 | 26 | end |
|
|
27 | 27 | @hidden_columns = ['hashed_password', 'salt', 'created_at', 'updated_at'] |
|
|
28 | 28 | @contests = Contest.enabled |
|
|
29 | 29 | end |
|
|
30 | 30 | |
|
|
31 | 31 | def active |
|
|
32 | 32 | sessions = ActiveRecord::SessionStore::Session.where("updated_at >= ?", 60.minutes.ago) |
|
|
33 | 33 | @users = [] |
|
|
34 | 34 | sessions.each do |session| |
|
|
35 | 35 | if session.data[:user_id] |
|
|
36 | 36 | @users << User.find(session.data[:user_id]) |
|
|
37 | 37 | end |
|
|
38 | 38 | end |
|
|
39 | 39 | end |
|
|
40 | 40 | |
|
|
41 | 41 | def show |
|
|
42 | 42 | @user = User.find(params[:id]) |
|
|
43 | 43 | end |
|
|
44 | 44 | |
|
|
45 | 45 | def new |
|
|
46 | 46 | @user = User.new |
|
|
47 | 47 | end |
|
|
48 | 48 | |
|
|
49 | 49 | def create |
|
|
50 |
- @user = User.new(params |
|
|
|
50 | + @user = User.new(user_params) | |
|
|
51 | 51 | @user.activated = true |
|
|
52 | 52 | if @user.save |
|
|
53 | 53 | flash[:notice] = 'User was successfully created.' |
|
|
54 | 54 | redirect_to :action => 'index' |
|
|
55 | 55 | else |
|
|
56 | 56 | render :action => 'new' |
|
|
57 | 57 | end |
|
|
58 | 58 | end |
|
|
59 | 59 | |
|
|
60 | 60 | def clear_last_ip |
|
|
61 | 61 | @user = User.find(params[:id]) |
|
|
62 | 62 | @user.last_ip = nil |
|
|
63 | 63 | @user.save |
|
|
64 | 64 | redirect_to action: 'index', page: params[:page] |
|
|
65 | 65 | end |
|
|
66 | 66 | |
|
|
67 | 67 | def create_from_list |
|
|
68 | 68 | lines = params[:user_list] |
|
|
69 | 69 | |
|
|
70 | 70 | note = [] |
|
|
71 | 71 | |
|
|
72 | 72 | lines.split("\n").each do |line| |
|
|
73 | 73 | items = line.chomp.split(',') |
|
|
74 | 74 | if items.length>=2 |
| @@ -31,49 +31,49 | |||
|
|
31 | 31 | end |
|
|
32 | 32 | |
|
|
33 | 33 | def chg_passwd |
|
|
34 | 34 | user = User.find(session[:user_id]) |
|
|
35 | 35 | user.password = params[:passwd] |
|
|
36 | 36 | user.password_confirmation = params[:passwd_verify] |
|
|
37 | 37 | if user.save |
|
|
38 | 38 | flash[:notice] = 'password changed' |
|
|
39 | 39 | else |
|
|
40 | 40 | flash[:notice] = 'Error: password changing failed' |
|
|
41 | 41 | end |
|
|
42 | 42 | redirect_to :action => 'index' |
|
|
43 | 43 | end |
|
|
44 | 44 | |
|
|
45 | 45 | def new |
|
|
46 | 46 | @user = User.new |
|
|
47 | 47 | render :action => 'new', :layout => 'empty' |
|
|
48 | 48 | end |
|
|
49 | 49 | |
|
|
50 | 50 | def register |
|
|
51 | 51 | if(params[:cancel]) |
|
|
52 | 52 | redirect_to :controller => 'main', :action => 'login' |
|
|
53 | 53 | return |
|
|
54 | 54 | end |
|
|
55 |
- @user = User.new(params |
|
|
|
55 | + @user = User.new(user_params) | |
|
|
56 | 56 | @user.password_confirmation = @user.password = User.random_password |
|
|
57 | 57 | @user.activated = false |
|
|
58 | 58 | if (@user.valid?) and (@user.save) |
|
|
59 | 59 | if send_confirmation_email(@user) |
|
|
60 | 60 | render :action => 'new_splash', :layout => 'empty' |
|
|
61 | 61 | else |
|
|
62 | 62 | @admin_email = GraderConfiguration['system.admin_email'] |
|
|
63 | 63 | render :action => 'email_error', :layout => 'empty' |
|
|
64 | 64 | end |
|
|
65 | 65 | else |
|
|
66 | 66 | @user.errors.add(:base,"Email cannot be blank") if @user.email=='' |
|
|
67 | 67 | render :action => 'new', :layout => 'empty' |
|
|
68 | 68 | end |
|
|
69 | 69 | end |
|
|
70 | 70 | |
|
|
71 | 71 | def confirm |
|
|
72 | 72 | login = params[:login] |
|
|
73 | 73 | key = params[:activation] |
|
|
74 | 74 | @user = User.find_by_login(login) |
|
|
75 | 75 | if (@user) and (@user.verify_activation_key(key)) |
|
|
76 | 76 | if @user.valid? # check uniquenss of email |
|
|
77 | 77 | @user.activated = true |
|
|
78 | 78 | @user.save |
|
|
79 | 79 | @result = :successful |
| @@ -189,26 +189,30 | |||
|
|
189 | 189 | :login => user.login, |
|
|
190 | 190 | :password => user.password, |
|
|
191 | 191 | :admin_email => GraderConfiguration['system.admin_email'] |
|
|
192 | 192 | }) |
|
|
193 | 193 | |
|
|
194 | 194 | logger.info mail_body |
|
|
195 | 195 | |
|
|
196 | 196 | send_mail(user.email, mail_subject, mail_body) |
|
|
197 | 197 | end |
|
|
198 | 198 | |
|
|
199 | 199 | # allow viewing of regular user profile only when options allow so |
|
|
200 | 200 | # only admins can view admins profile |
|
|
201 | 201 | def profile_authorization |
|
|
202 | 202 | #if view admins' profile, allow only admin |
|
|
203 | 203 | return false unless(params[:id]) |
|
|
204 | 204 | user = User.find(params[:id]) |
|
|
205 | 205 | return false unless user |
|
|
206 | 206 | return admin_authorization if user.admin? |
|
|
207 | 207 | return true if GraderConfiguration["right.user_view_submission"] |
|
|
208 | 208 | |
|
|
209 | 209 | #finally, we allow only admin |
|
|
210 | 210 | admin_authorization |
|
|
211 | 211 | end |
|
|
212 | 212 | |
|
|
213 | + private | |
|
|
214 | + def user_params | |
|
|
215 | + params.require(:user).permit(:login, :full_name, :email) | |
|
|
216 | + end | |
|
|
213 | 217 | |
|
|
214 | 218 | end |
You need to be logged in to leave comments.
Login now