RubyGems - fat_free_crm - Versions diffs - 0.12.0 → 0.12.1 - Mend

fat_free_crm 0.12.0 → 0.12.1

Potentially problematic release.

This version of fat_free_crm might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +9 -9
data/Gemfile.lock +5 -3
data/app/controllers/application_controller.rb +2 -0
data/app/controllers/home_controller.rb +19 -12
data/app/models/users/user.rb +8 -0
data/config/initializers/secret_token.rb +1 -18
data/config/routes.rb +1 -1
data/lib/fat_free_crm/version.rb +1 -1
data/lib/tasks/ffcrm/secret.rake +17 -0
data/spec/controllers/home_controller_spec.rb +66 -15
data/spec/models/users/user_spec.rb +14 -0
data/spec/routing/users_routing_spec.rb +4 -5
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NjYzZTU1ZTMxNGUyNGI2M2FkNjExNjdlOTI0MDZjYzg0YmM5NTE5MA==
+    ZWNmOGI2ODA3NzM3ZWY1ZDZlZjE5ZDE5YjhmNTU2YmQ3MmQzZDljZQ==
   data.tar.gz: !binary |-
-    YjM0ZjE0ZDhjNjQxMTIxYmZjZTJiY2MyMzE3ZDA2MjRlYmU2ZDdlMg==
-!binary "U0hBNTEy":
+    ODQyMGQ0NDFlNDBkMTU2OWVmYzY1ODMzMmJkYTY3ZjVjOTY0MTQxNQ==
+SHA512:
   metadata.gz: !binary |-
-    OGY4M2Y1ZjQ4NGZkMDRhNWRiMTlmMTc2MjM5YWJhMmRlOWNlN2E1MjU1Njg2
-    YWZkNzU3ZmVlNDUxMmIxMGRmYmYxYTA1NGU2NzI0MDIyZjZkNzQ3NDYwZDBk
-    ZWYwMjE2NWIxYzgwYjhiZWM5MjYwYjMzYjNjZDkyYjBmNDY4NWQ=
+    NmFhNTU0YmVkZTBhNjkwZWQ3ZTYxODAyOGVkOGQ3Zjc3MzdmNmVkMDRlNGYx
+    MjljM2UxZDk4ZjY4MWMwNzBjZDk1YWMyODVmYjk2OGE1ODA3NDgwMDA2ZTcy
+    ODEyNTI5MGZjZDY5YjZmNDZlNzY4MmM0YmFhNDRkMjAyMGM2OTE=
   data.tar.gz: !binary |-
-    Yzc4OTkwOTgyOWI1NjNkODc4MzY5YjVjODc3MWJjZDhjM2M4YTBjOWMwZjMy
-    ZjdiZWYzNjU2YjM1YWM3YjkzYzgxZDUxMjZiYjgwNjM4NmQ2MmFiYzBlNWMx
-    MzAwMTllYTRjNmJlNmRmYjI1NzY4YWNkZjhhZjcxMGMwYWM2ODc=
+    ZDllMDRjYmIyZjI5YTJhNWE3MmY0ZmRmNzA0N2FiYTY0M2ZiMmRhNjg1ODE4
+    YmM4ODQyY2VjMjAyMGE1YzkxYWVkYzVmZjJkMjU5YjVjNjUzZDQ0MDc4OWEx
+    M2ZlMjMzMTJkNmEzODQ0ZjA4ZjA4NmI1Y2U3MTJhNWE4ODAwNjg=

data/Gemfile.lock CHANGED Viewed

@@ -132,7 +132,7 @@ GEM
       thor (>= 0.14, < 2.0)
     json (1.7.7)
     kgio (2.7.4)
-    libv8 (3.3.10.4)
+    libv8 (3.16.14.3)
     listen (0.7.3)
     mail (2.5.3)
       i18n (>= 0.4.0)
@@ -222,6 +222,7 @@ GEM
       ffi (>= 0.5.0)
     rdoc (3.12.2)
       json (~> 1.4)
+    ref (1.0.5)
     responds_to_parent (1.1.0)
     rest-client (1.6.7)
       mime-types (>= 1.16)
@@ -267,8 +268,9 @@ GEM
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
-    therubyracer (0.10.1)
-      libv8 (~> 3.3.10)
+    therubyracer (0.12.0)
+      libv8 (~> 3.16.14.0)
+      ref
     thin (1.5.0)
       daemons (>= 1.0.9)
       eventmachine (>= 0.12.6)

data/app/controllers/application_controller.rb CHANGED Viewed

@@ -5,6 +5,8 @@
 #------------------------------------------------------------------------------
 class ApplicationController < ActionController::Base
+  protect_from_forgery
   before_filter :set_context
   before_filter :clear_setting_cache
   before_filter "hook(:app_before_filter, self)"

data/app/controllers/home_controller.rb CHANGED Viewed

@@ -58,14 +58,19 @@ class HomeController < ApplicationController
   # GET /home/timeline                                                     AJAX
   #----------------------------------------------------------------------------
   def timeline
-    unless params[:type].empty?
-      model = params[:type].camelize.constantize
-      item = model.find(params[:id])
-      item.update_attribute(:state, params[:state])
-    else
-      comments, emails = params[:id].split("+")
-      Comment.update_all("state = '#{params[:state]}'", "id IN (#{comments})") unless comments.blank?
-      Email.update_all("state = '#{params[:state]}'", "id IN (#{emails})") unless emails.blank?
+    state = params[:state].to_s
+    if %w(Collapsed Expanded).include?(state)
+      if (model_type = params[:type].to_s).present?
+        if %w(comment email).include?(model_type)
+          model = model_type.camelize.constantize
+          item = model.find(params[:id])
+          item.update_attribute(:state, state)
+        end
+      else
+        comments, emails = params[:id].split("+")
+        Comment.where(:id => comments.split(',')).update_all(:state => state) unless comments.blank?
+        Email.where(:id => emails.split(',')).update_all(:state => state) unless emails.blank?
+      end
     end
     render :nothing => true
@@ -118,6 +123,9 @@ class HomeController < ApplicationController
   end
   #----------------------------------------------------------------------------
+  # TODO: this is ugly, ugly code. It's being security patched now but urgently
+  # needs refactoring to use user id instead. Permuations based on name or email
+  # yield incorrect results.
   def activity_user
     user = current_user.pref[:activity_user]
     if user && user != "all_users"
@@ -126,12 +134,11 @@ class HomeController < ApplicationController
         else # first_name middle_name last_name any_name
           name_query = if user.include?(" ")
             user.name_permutations.map{ |first, last|
-              "(upper(first_name) LIKE upper('%#{first}%') AND upper(last_name) LIKE upper('%#{last}%'))"
-            }.join(" OR ")
+              User.where(:first_name => first, :last_name => last)
+            }.map(&:to_a).flatten.first
           else
-            "upper(first_name) LIKE upper('%#{user}%') OR upper(last_name) LIKE upper('%#{user}%')"
+            [User.where(:first_name => user), User.where(:last_name => user)].map(&:to_a).flatten.first
           end
-          User.where(name_query).first
         end
     end
     user.is_a?(User) ? user.id : nil

data/app/models/users/user.rb CHANGED Viewed

@@ -146,6 +146,14 @@ class User < ActiveRecord::Base
     super(value)
   end
+  def to_json(options = nil)
+    [name].to_json
+  end
+  def to_xml(options = nil)
+    [name].to_xml
+  end
   private
   # Suspend newly created user if signup requires an approval.

data/config/initializers/secret_token.rb CHANGED Viewed

@@ -1,18 +1 @@
-# Copyright (c) 2008-2013 Michael Dvorkin and contributors.
-#
-# Fat Free CRM is freely distributable under the terms of MIT license.
-# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
-#------------------------------------------------------------------------------
-# Be sure to restart your server when you modify this file.
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# PLEASE NOTE: This secret token must be changed in your fork of Fat Free CRM.
-# This problem is mitigated when running Fat Free CRM as a Rails Engine.
-if defined?(FatFreeCRM::Application)
-  FatFreeCRM::Application.config.secret_token = '51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'
-end
+FatFreeCRM::Application.config.secret_token = 'bb6810b6691d68fae269cfa4ce1805a5b4b0826e2680988e1102a4b3b80e5753af76d25a90f3ba7bc4c2fa68c4bce3b36df72baa18a0e35a71d3199918766db9'

data/config/routes.rb CHANGED Viewed

@@ -137,7 +137,7 @@ Rails.application.routes.draw do
     end
   end
-  resources :users, :id => /\d+/ do
+  resources :users, :id => /\d+/, :except => [:index, :destroy] do
     member do
       get :avatar
       get :password

data/lib/fat_free_crm/version.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module FatFreeCRM
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 12
-    TINY  = 0
+    TINY  = 1
     PRE   = nil
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/tasks/ffcrm/secret.rake ADDED Viewed

@@ -0,0 +1,17 @@
+# Copyright (c) 2008-2013 Michael Dvorkin and contributors.
+#
+# Fat Free CRM is freely distributable under the terms of MIT license.
+# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
+#------------------------------------------------------------------------------
+namespace :ffcrm do
+  desc "Generate a secret token for Rails to use."
+  task :secret do
+    require 'securerandom'
+    secret = SecureRandom.hex(64)
+    filename = File.join(Rails.root, 'config', 'initializers', 'secret_token.rb')
+    File.open(filename, 'w'){|f| f.puts "FatFreeCRM::Application.config.secret_token = '#{secret}'"}
+  end
+end

data/spec/controllers/home_controller_spec.rb CHANGED Viewed

@@ -42,13 +42,13 @@ describe HomeController do
       assigns[:my_tasks].should == [task_1, task_2, task_3, task_4]
     end
-		it "should not display completed tasks" do
-			task_1 = FactoryGirl.create(:task, :user_id => current_user.id, :name => "Your first task", :bucket => "due_asap", :assigned_to => current_user.id)
-			task_2 = FactoryGirl.create(:task, :user_id => current_user.id, :name => "Completed task", :bucket => "due_asap", :completed_at => 1.days.ago, :completed_by => current_user.id, :assigned_to => current_user.id)
+    it "should not display completed tasks" do
+      task_1 = FactoryGirl.create(:task, :user_id => current_user.id, :name => "Your first task", :bucket => "due_asap", :assigned_to => current_user.id)
+      task_2 = FactoryGirl.create(:task, :user_id => current_user.id, :name => "Completed task", :bucket => "due_asap", :completed_at => 1.days.ago, :completed_by => current_user.id, :assigned_to => current_user.id)
-			get :index
-			assigns[:my_tasks].should == [task_1]
-		end
+      get :index
+      assigns[:my_tasks].should == [task_1]
+    end
     it "should get a list of my opportunities ordered by closes_on" do
       opportunity_1 = FactoryGirl.create(:opportunity, :name => "Your first opportunity", :closes_on => 15.days.from_now, :assigned_to => current_user.id, :stage => 'proposal')
@@ -153,42 +153,93 @@ describe HomeController do
       session[:hello].should == true
     end
   end
   describe "activity_user" do
     before(:each) do
       @user = mock(User, :id => 1, :is_a? => true)
       @cur_user = mock(User)
     end
     it "should find a user by email" do
       @cur_user.stub!(:pref).and_return(:activity_user => 'billy@example.com')
       controller.instance_variable_set(:@current_user, @cur_user)
       User.should_receive(:where).with(:email => 'billy@example.com').and_return([@user])
       controller.send(:activity_user).should == 1
     end
     it "should find a user by first name or last name" do
       @cur_user.stub!(:pref).and_return(:activity_user => 'Billy')
       controller.instance_variable_set(:@current_user, @cur_user)
-      User.should_receive(:where).with("upper(first_name) LIKE upper('%Billy%') OR upper(last_name) LIKE upper('%Billy%')").and_return([@user])
+      User.should_receive(:where).with(:first_name => 'Billy').and_return([@user])
+      User.should_receive(:where).with(:last_name => 'Billy').and_return([@user])
       controller.send(:activity_user).should == 1
     end
     it "should find a user by first name and last name" do
       @cur_user.stub!(:pref).and_return(:activity_user => 'Billy Elliot')
       controller.instance_variable_set(:@current_user, @cur_user)
-      User.should_receive(:where).with("(upper(first_name) LIKE upper('%Billy%') AND upper(last_name) LIKE upper('%Elliot%')) OR (upper(first_name) LIKE upper('%Elliot%') AND upper(last_name) LIKE upper('%Billy%'))").and_return([@user])
+      User.should_receive(:where).with(:first_name => 'Billy', :last_name => "Elliot").and_return([@user])
+      User.should_receive(:where).with(:first_name => 'Elliot', :last_name => "Billy").and_return([@user])
       controller.send(:activity_user).should == 1
     end
     it "should return nil when 'all_users' is specified" do
       @cur_user.stub!(:pref).and_return(:activity_user => 'all_users')
       controller.instance_variable_set(:@current_user, @cur_user)
       User.should_not_receive(:where)
       controller.send(:activity_user).should == nil
     end
+  end
+  describe "timeline" do
+    before(:each) do
+      require_user
+    end
+    it "should collapse all comments and emails on a specific contact" do
+      comment = double(Comment)
+      Comment.should_receive(:find).with("1").and_return(comment)
+      comment.should_receive(:update_attribute).with(:state, 'Collapsed')
+      xhr :get, :timeline, :type => "comment", :id => "1", :state => "Collapsed"
+    end
+    it "should expand all comments and emails on a specific contact" do
+      comment = double(Comment)
+      Comment.should_receive(:find).with("1").and_return(comment)
+      comment.should_receive(:update_attribute).with(:state, 'Expanded')
+      xhr :get, :timeline, :type => "comment", :id => "1", :state => "Expanded"
+    end
+    it "should not do anything when state neither Expanded nor Collapsed" do
+      comment = double(Comment)
+      Comment.should_not_receive(:find).with("1")
+      xhr :get, :timeline, :type => "comment", :id => "1", :state => "Explode"
+    end
+    it "should collapse all comments and emails on Contact" do
+      where_stub = double
+      where_stub.should_receive(:update_all).with(:state => "Collapsed")
+      Comment.should_receive(:where).and_return(where_stub)
+      xhr :get, :timeline, :id => "1,2,3,4+", :state => "Collapsed"
+    end
+    it "should not allow an arbitary state (sanitizes input)" do
+      where_stub = double
+      where_stub.should_receive(:update_all).with(:state => "Expanded")
+      Comment.should_receive(:where).and_return(where_stub)
+      xhr :get, :timeline, :id => "1,2,3,4+", :state => "Expanded"
+    end
+    it "should not update an arbitary model (sanitizes input)" do
+      where_stub = double
+      where_stub.should_receive(:update_all).with(:state => "Expanded")
+      Comment.should_receive(:where).and_return(where_stub)
+      xhr :get, :timeline, :id => "1,2,3,4+", :state => "Expanded"
+    end
   end
 end

data/spec/models/users/user_spec.rb CHANGED Viewed

@@ -209,4 +209,18 @@ describe User do
       @user.single_access_token.should == "token"
     end
   end
+  describe "serialization" do
+    let(:user) { FactoryGirl.build(:user) }
+    it "to json" do
+      expect(user.to_json).to eql([user.name].to_json)
+    end
+    it "to xml" do
+      expect(user.to_xml).to eql([user.name].to_xml)
+    end
+  end
 end

data/spec/routing/users_routing_spec.rb CHANGED Viewed

@@ -8,8 +8,8 @@ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
 describe UsersController do
   describe "routing" do
-    it "recognizes and generates #index" do
-      { :get => "/users" }.should route_to(:controller => "users", :action => "index")
+    it "doesn't recognize #index" do
+      { :get => "/users" }.should_not be_routable
     end
     it "recognizes and generates #new as /signup" do
@@ -40,8 +40,8 @@ describe UsersController do
       { :put => "/opportunities/aaron" }.should_not be_routable
     end
-    it "recognizes and generates #destroy" do
-      { :delete => "/users/1" }.should route_to(:controller => "users", :action => "destroy", :id => "1")
+    it "doesn't recognize #destroy" do
+      { :delete => "/users/1" }.should_not be_routable
     end
     it "doesn't recognize #destroy with non-numeric id" do
@@ -81,4 +81,3 @@ describe UsersController do
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fat_free_crm
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.12.1
 platform: ruby
 authors:
 - Michael Dvorkin
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-06-28 00:00:00.000000000 Z
+date: 2013-12-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -1082,6 +1082,7 @@ files:
 - lib/tasks/ffcrm/demo.rake
 - lib/tasks/ffcrm/dropbox.rake
 - lib/tasks/ffcrm/missing_translations.rake
+- lib/tasks/ffcrm/secret.rake
 - lib/tasks/ffcrm/settings.rake
 - lib/tasks/ffcrm/setup.rake
 - lib/tasks/ffcrm/update_data.rake
@@ -1418,7 +1419,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key:
 specification_version: 4
 summary: Fat Free CRM