cafe-grader-web Commit - r637:d56b2e7de528

cafe-grader-web

Commit `r637:d56b2e7de528` public

parent | child

Description:

NEED TESTING move to stronger parameter for xxx.new(params[

Commit status:

[Not Reviewed]

References:

java

Diff options:

| | | |

Comments:

0 Commit comments 0 Inline Comments

Unresolved TODOs:

There are no unresolved TODOs

Add another comment

r637:d56b2e7de528 - Wed, 25 Jan 2017 10:06:16 - 4 files changed: 9 inserted, 5 deleted

app/controllers/announcements_controller.rb ¶ +1 -1

               class AnnouncementsController < ApplicationController
                 before_filter :admin_authorization
                 in_place_edit_for :announcement, :published
                 # GET /announcements
                 # GET /announcements.xml
                 def index
                   @announcements = Announcement.order(created_at: :desc)
                   respond_to do |format|
                     format.html # index.html.erb
                     format.xml  { render :xml => @announcements }
                   end
                 end
                 # GET /announcements/1
                 # GET /announcements/1.xml
                 def show
                   @announcement = Announcement.find(params[:id])
                   respond_to do |format|
                     format.html # show.html.erb
                     format.xml  { render :xml => @announcement }
                   end
                 end
                 # GET /announcements/new
                 # GET /announcements/new.xml
                 def new
                   @announcement = Announcement.new
                   respond_to do |format|
                     format.html # new.html.erb
                     format.xml  { render :xml => @announcement }
                   end
                 end
                 # GET /announcements/1/edit
                 def edit
                   @announcement = Announcement.find(params[:id])
                 end
                 # POST /announcements
                 # POST /announcements.xml
                 def create
-            -     @announcement = Announcement.new(params[:announcement])
+            +     @announcement = Announcement.new(announcement_params)
                   respond_to do |format|
                     if @announcement.save
                       flash[:notice] = 'Announcement was successfully created.'
                       format.html { redirect_to(@announcement) }
                       format.xml  { render :xml => @announcement, :status => :created, :location => @announcement }
                     else
                       format.html { render :action => "new" }
                       format.xml  { render :xml => @announcement.errors, :status => :unprocessable_entity }
                     end
                   end
                 end
                 # PUT /announcements/1
                 # PUT /announcements/1.xml
                 def update
                   @announcement = Announcement.find(params[:id])
                   respond_to do |format|
                     if @announcement.update_attributes(announcement_params)
                       flash[:notice] = 'Announcement was successfully updated.'
                       format.html { redirect_to(@announcement) }
                       format.js   {}
                       format.xml  { head :ok }
                     else
                       format.html { render :action => "edit" }
                       format.js   {}
                       format.xml  { render :xml => @announcement.errors, :status => :unprocessable_entity }
                     end
                   end
                 end
                 def toggle
                   @announcement = Announcement.find(params[:id])
                   @announcement.update_attributes( published:  !@announcement.published? )
                   respond_to do |format|
                     format.js { render partial: 'toggle_button',
                                 locals: {button_id: "#announcement_toggle_#{@announcement.id}",button_on: @announcement.published? } }
                   end
                 end
                 def toggle_front
                   @announcement = Announcement.find(params[:id])
                   @announcement.update_attributes( frontpage:  !@announcement.frontpage? )
                   respond_to do |format|
                     format.js { render partial: 'toggle_button',
                                 locals: {button_id: "#announcement_toggle_front_#{@announcement.id}",button_on: @announcement.frontpage? } }
                   end

app/controllers/problems_controller.rb ¶ +2 -2

               class ProblemsController < ApplicationController
                 before_action :authenticate, :authorization
                 before_action :testcase_authorization, only: [:show_testcase]
                 in_place_edit_for :problem, :name
                 in_place_edit_for :problem, :full_name
                 in_place_edit_for :problem, :full_score
                 def index
                   @problems = Problem.order(date_added: :desc)
                 end
                 # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
                 verify :method => :post, :only => [ :create, :quick_create,
                                                     :do_manage,
                                                     :do_import,
                                                   ],
                        :redirect_to => { :action => :index }
                 def show
                   @problem = Problem.find(params[:id])
                 end
                 def new
                   @problem = Problem.new
                   @description = nil
                 end
                 def create
-            -     @problem = Problem.new(params[:problem])
+            +     @problem = Problem.new(problem_params)
                   @description = Description.new(params[:description])
                   if @description.body!=''
                     if !@description.save
                       render :action => new and return
                     end
                   else
                     @description = nil
                   end
                   @problem.description = @description
                   if @problem.save
                     flash[:notice] = 'Problem was successfully created.'
                     redirect_to action: :index
                   else
                     render :action => 'new'
                   end
                 end
                 def quick_create
-            -     @problem = Problem.new(params[:problem])
+            +     @problem = Problem.new(problem_params)
                   @problem.full_name = @problem.name if @problem.full_name == ''
                   @problem.full_score = 100
                   @problem.available = false
                   @problem.test_allowed = true
                   @problem.output_only = false
                   @problem.date_added = Time.new
                   if @problem.save
                     flash[:notice] = 'Problem was successfully created.'
                     redirect_to action: :index
                   else
                     flash[:notice] = 'Error saving problem'
                   redirect_to action: :index
                   end
                 end
                 def edit
                   @problem = Problem.find(params[:id])
                   @description = @problem.description
                 end
                 def update
                   @problem = Problem.find(params[:id])
                   @description = @problem.description
                   if @description.nil? and params[:description][:body]!=''
                     @description = Description.new(params[:description])
                     if !@description.save
                       flash[:notice] = 'Error saving description'
                       render :action => 'edit' and return
                     end
                     @problem.description = @description
                   elsif @description
                     if !@description.update_attributes(params[:description])
                       flash[:notice] = 'Error saving description'
                       render :action => 'edit' and return
                     end
                   end
                   if params[:file] and params[:file].content_type != 'application/pdf'
                       flash[:notice] = 'Error: Uploaded file is not PDF'
                       render :action => 'edit' and return
                   end
                   if @problem.update_attributes(problem_params)
                     flash[:notice] = 'Problem was successfully updated.'
                     unless params[:file] == nil or params[:file] == ''
                       flash[:notice] = 'Problem was successfully updated and a new PDF file is uploaded.'
                       out_dirname = "#{Problem.download_file_basedir}/#{@problem.id}"
                       if not FileTest.exists? out_dirname
                         Dir.mkdir out_dirname
                       end

app/controllers/user_admin_controller.rb ¶ +1 -1

               class UserAdminController < ApplicationController
                 include MailHelperMethods
                 before_filter :admin_authorization
                 # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
                 verify :method => :post, :only => [
                                                     :create, :create_from_list,
                                                     :update,
                                                     :manage_contest,
                                                     :bulk_mail
                                                   ],
                        :redirect_to => { :action => :list }
                 def index
                   @user_count = User.count
                   if params[:page] == 'all'
                     @users = User.all
                     @paginated = false
                   else
                     @users = User.paginate :page => params[:page]
                     @paginated = true
                   end
                   @hidden_columns = ['hashed_password', 'salt', 'created_at', 'updated_at']
                   @contests = Contest.enabled
                 end
                 def active
                   sessions = ActiveRecord::SessionStore::Session.where("updated_at >= ?", 60.minutes.ago)
                   @users = []
                   sessions.each do |session|
                     if session.data[:user_id]
                       @users << User.find(session.data[:user_id])
                     end
                   end
                 end
                 def show
                   @user = User.find(params[:id])
                 end
                 def new
                   @user = User.new
                 end
                 def create
-            -     @user = User.new(params[:user])
+            +     @user = User.new(user_params)
                   @user.activated = true
                   if @user.save
                     flash[:notice] = 'User was successfully created.'
                     redirect_to :action => 'index'
                   else
                     render :action => 'new'
                   end
                 end
                 def clear_last_ip
                   @user = User.find(params[:id])
                   @user.last_ip = nil
                   @user.save
                   redirect_to action: 'index', page: params[:page]
                 end
                 def create_from_list
                   lines = params[:user_list]
                   note = []
                   lines.split("\n").each do |line|
                     items = line.chomp.split(',')
                     if items.length>=2
                       login = items[0]
                       full_name = items[1]
                       remark =''
                       user_alias = ''
                       added_random_password = false
                       if items.length >= 3 and items[2].chomp(" ").length > 0;
                         password = items[2].chomp(" ")
                       else
                         password = random_password
                         add_random_password=true;
                       end
                       if items.length>= 4 and items[3].chomp(" ").length > 0;
                         user_alias = items[3].chomp(" ")
                       else
                         user_alias = login
                       end
                       if items.length>=5
                         remark = items[4].strip;
                       end
                       user = User.find_by_login(login)

app/controllers/users_controller.rb ¶ +5 -1

                 before_filter :authenticate, :except => [:new,
                                                          :register,
                                                          :confirm,
                                                          :forget,
                                                          :retrieve_password]
                 before_filter :verify_online_registration, :only => [:new,
                                                                      :register,
                                                                      :forget,
                                                                      :retrieve_password]
                 before_filter :authenticate, :profile_authorization, only: [:profile]
                 verify :method => :post, :only => [:chg_passwd],
                        :redirect_to => { :action => :index }
                 #in_place_edit_for :user, :alias_for_editing
                 #in_place_edit_for :user, :email_for_editing
                 def index
                   if !GraderConfiguration['system.user_setting_enabled']
                     redirect_to :controller => 'main', :action => 'list'
                   else
                     @user = User.find(session[:user_id])
                   end
                 end
                 def chg_passwd
                   user = User.find(session[:user_id])
                   user.password = params[:passwd]
                   user.password_confirmation = params[:passwd_verify]
                   if user.save
                     flash[:notice] = 'password changed'
                   else
                     flash[:notice] = 'Error: password changing failed'
                   end
                   redirect_to :action => 'index'
                 end
                 def new
                   @user = User.new
                   render :action => 'new', :layout => 'empty'
                 end
                 def register
                   if(params[:cancel])
                     redirect_to :controller => 'main', :action => 'login'
                     return
                   end
-            -     @user = User.new(params[:user])
+            +     @user = User.new(user_params)
                   @user.password_confirmation = @user.password = User.random_password
                   @user.activated = false
                   if (@user.valid?) and (@user.save)
                     if send_confirmation_email(@user)
                       render :action => 'new_splash', :layout => 'empty'
                     else
                       @admin_email = GraderConfiguration['system.admin_email']
                       render :action => 'email_error', :layout => 'empty'
                     end
                   else
                     @user.errors.add(:base,"Email cannot be blank") if @user.email==''
                     render :action => 'new', :layout => 'empty'
                   end
                 end
                 def confirm
                   login = params[:login]
                   key = params[:activation]
                   @user = User.find_by_login(login)
                   if (@user) and (@user.verify_activation_key(key))
                     if @user.valid?  # check uniquenss of email
                       @user.activated = true
                       @user.save
                       @result = :successful
                     else
                       @result = :email_used
                     end
                   else
                     @result = :failed
                   end
                   render :action => 'confirm', :layout => 'empty'
                 end
                 def forget
                   render :action => 'forget', :layout => 'empty'
                 end
                 def retrieve_password
                   email = params[:email]
                   user = User.find_by_email(email)
                   if user
                     last_updated_time = user.updated_at || user.created_at || (Time.now.gmtime - 1.hour)
                     if last_updated_time > Time.now.gmtime - 5.minutes
                       flash[:notice] = 'The account has recently created or new password has recently been requested.  Please wait for 5 minutes'
                     else
                       user.password = user.password_confirmation = User.random_password
                       user.save
                       send_new_password_email(user)
                                            :login => user.login,
                                            :activation => user.activation_key)
                   home_url = url_for(:controller => 'main', :action => 'index')
                   mail_subject = "[#{contest_name}] Confirmation"
                   mail_body = t('registration.email_body', {
                                   :full_name => user.full_name,
                                   :contest_name => contest_name,
                                   :login => user.login,
                                   :password => user.password,
                                   :activation_url => activation_url,
                                   :admin_email => GraderConfiguration['system.admin_email']
                                 })
                   logger.info mail_body
                   send_mail(user.email, mail_subject, mail_body)
                 end
                 def send_new_password_email(user)
                   contest_name = GraderConfiguration['contest.name']
                   mail_subject = "[#{contest_name}] Password recovery"
                   mail_body = t('registration.password_retrieval.email_body', {
                                   :full_name => user.full_name,
                                   :contest_name => contest_name,
                                   :login => user.login,
                                   :password => user.password,
                                   :admin_email => GraderConfiguration['system.admin_email']
                                 })
                   logger.info mail_body
                   send_mail(user.email, mail_subject, mail_body)
                 end
                 # allow viewing of regular user profile only when options allow so
                 # only admins can view admins profile
                 def profile_authorization
                   #if view admins' profile, allow only admin
                   return false unless(params[:id])
                   user = User.find(params[:id])
                   return false unless user
                   return admin_authorization if user.admin?
                   return true if GraderConfiguration["right.user_view_submission"]
                   #finally, we allow only admin
                   admin_authorization
                 end
+            +   private
+            +     def user_params
+            +       params.require(:user).permit(:login, :full_name, :email)
+            +     end
               end

Write
Preview

You need to be logged in to leave comments. Login now

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository permissions settings

Sign in to your account

Author

r637:d56b2e7de528 - Wed, 25 Jan 2017 10:06:16 - 4 files changed: 9 inserted, 5 deleted

Sign in to your account

Commit r637:d56b2e7de528 public

Author

r637:d56b2e7de528 - Wed, 25 Jan 2017 10:06:16 - 4 files changed: 9 inserted, 5 deleted

Commit `r637:d56b2e7de528` public