fat_free_crm 0.13.0 → 0.13.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b730c5c2d600766afc3d141b7b3a27320d266cb0
-  data.tar.gz: 3184062c0cbfb30233ed2a72a6ef9bd0fad3bd6b
+  metadata.gz: 9ec069bee0f0bade1f8ccaf400c483acf1806f99
+  data.tar.gz: 267efa985f28e83578031082c510be10d6e3eae7
 SHA512:
-  metadata.gz: 0c3361fee7c5d1de8f15c32782a0b11b5a4f327b2a778f70106bbceaf25557267ca61e9caaee52a5d182b1c0da9d2773d885fe3776881607ce8f36bdf1f25b8a
-  data.tar.gz: 55808fc5ea278a591c7396ec21c12f400d459acacd482cd73ad1b98105e85ff1951ec68a3d7930b6a1de0f00b6c96d70c0902816fce23ddb9c048026b2505e3d
+  metadata.gz: 196ac4c6e50d2987143f102fa7d0d22c36d5e55c2942944bb156741abf5b372ecb94ae3b09914b240781b78a934c3a2c8610b738673aa463630b0237d312522e
+  data.tar.gz: ac3c0ef7606d672faad180129d1803ba69f184b640b8509aff0cfce38c4e7dfbbc5758e6483e5cd25072747224ab7fba87824df26d64745953d9fc74411e8e84

data/Capfile

@@ -1,5 +1,2 @@
 load 'deploy'
-# Uncomment if you are using Rails' asset pipeline
-    # load 'deploy/assets'
-Dir['vendor/gems/*/recipes/*.rb','vendor/plugins/*/recipes/*.rb'].each { |plugin| load(plugin) }
-load 'config/deploy' # remove this line to skip loading any of the default tasks
+load 'config/deploy'

data/Gemfile.lock

@@ -174,7 +174,6 @@ GEM
       slop (~> 3.4)
     pry-rails (0.3.2)
       pry (>= 0.9.10)
-    psych (1.3.4)
     quiet_assets (1.0.2)
       railties (>= 3.1, < 5.0)
     rack (1.4.5)

data/README.md

@@ -54,6 +54,7 @@ Visit our website at http://www.fatfreecrm.com/
 
 ## System Requirements
 
+* FFCRM gem versions 0.12.1 or higher (previous versions had [**known security vulnerabilities**](https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013))
 * Ruby v2.0.0 recommended (it's faster!)
   * Ruby 1.9.3 is also compatible
   * Ruby 1.9.2 should be compatible but is not longer supported

data/app/assets/javascripts/lists.js.coffee

@@ -65,7 +65,7 @@
       icon.removeClass('fa-times-circle').addClass(iconText)
 
     getIcon = (listType) ->
-      switch (listType) 
+      switch (listType)
         when "tasks" then "fa-check-square-o"
         when "campaigns" then "fa-bar-chart-o"
         when "leads" then "fa-tasks"
@@ -83,4 +83,3 @@
       img_el.attr('src', "/assets/tab_icons/" + img_el.data('controller') + "_active.png")
 
 ) jQuery
-

data/app/controllers/application_controller.rb

@@ -24,6 +24,8 @@ class ApplicationController < ActionController::Base
   rescue_from ActiveRecord::RecordNotFound, :with => :respond_to_not_found
   rescue_from CanCan::AccessDenied,         :with => :respond_to_access_denied
 
+  include ERB::Util # to give us h and j methods
+
   # Common auto_complete handler for all core controllers.
   #----------------------------------------------------------------------------
   def auto_complete
@@ -40,7 +42,7 @@ class ApplicationController < ActionController::Base
     respond_to do |format|
       format.any(:js, :html)   { render :partial => 'auto_complete' }
       format.json { render :json => @auto_complete.inject({}){|h,a|
-        h[a.id] = a.respond_to?(:full_name) ? a.full_name : a.name; h
+        h[a.id] = a.respond_to?(:full_name) ? j(a.full_name) : j(a.name); h
       }}
     end
   end
@@ -50,7 +52,7 @@ private
   #
   # Takes { :related => 'campaigns/7' } or { :related => '5' }
   #   and returns array of object ids that should be excluded from search
-  #   assumes controller_name is an method on 'related' class that returns a collection
+  #   assumes controller_name is a method on 'related' class that returns a collection
   #----------------------------------------------------------------------------
   def auto_complete_ids_to_exclude(related)
     return [] if related.blank?
@@ -145,7 +147,7 @@ private
 
   #----------------------------------------------------------------------------
   def can_signup?
-    [ :allowed, :needs_approval ].include? Setting.user_signup
+    User.can_signup?
   end
 
   #----------------------------------------------------------------------------
@@ -199,10 +201,10 @@ private
     flash[:warning] = t(:msg_asset_not_available, asset)
 
     respond_to do |format|
-      format.html { redirect_to :action => :index }
+      format.html { redirect_to(redirection_url) }
       format.js   { render(:update) { |page| page.reload } }
-      format.json { render :text => flash[:warning], :status => :not_found }
-      format.xml  { render :text => flash[:warning], :status => :not_found }
+      format.json { render :text => flash[:warning],  :status => :not_found }
+      format.xml  { render :xml => [flash[:warning]], :status => :not_found }
     end
   end
 
@@ -213,32 +215,32 @@ private
 
     url = send("#{related.pluralize}_path")
     respond_to do |format|
-      format.html { redirect_to url }
-      format.js   { render(:update) { |page| page.redirect_to url } }
-      format.json { render :text => flash[:warning], :status => :not_found }
-      format.xml  { render :text => flash[:warning], :status => :not_found }
+      format.html { redirect_to(url) }
+      format.js   { render(:update) { |page| page.redirect_to(url) } }
+      format.json { render :text => flash[:warning],  :status => :not_found }
+      format.xml  { render :xml => [flash[:warning]], :status => :not_found }
     end
   end
 
   #----------------------------------------------------------------------------
   def respond_to_access_denied
-    if self.action_name == "show"
-      flash[:warning] = t(:msg_asset_not_authorized, asset)
-
-    else
-      flick = case self.action_name
-        when "destroy" then "delete"
-        when "promote" then "convert"
-        else self.action_name
-      end
-      flash[:warning] = t(:msg_cant_do, :action => flick, :asset => asset)
-    end
-
+    flash[:warning] = t(:msg_not_authorized, default: 'You are not authorized to take this action.')
     respond_to do |format|
-      format.html { redirect_to :action => :index }
+      format.html { redirect_to(redirection_url) }
       format.js   { render(:update) { |page| page.reload } }
-      format.json { render :text => flash[:warning], :status => :unauthorized }
-      format.xml  { render :text => flash[:warning], :status => :unauthorized }
+      format.json { render :text => flash[:warning],  :status => :unauthorized }
+      format.xml  { render :xml => [flash[:warning]], :status => :unauthorized }
     end
   end
+
+  #----------------------------------------------------------------------------
+  def redirection_url
+    # Try to redirect somewhere sensible. Note: not all controllers have an index action
+    url = if current_user.present?
+      (respond_to?(:index) and self.action_name != 'index') ? { action: 'index' } : root_url
+    else
+      login_url
+    end
+  end
+
 end

data/app/controllers/emails_controller.rb

@@ -6,35 +6,6 @@
 class EmailsController < ApplicationController
   before_filter :require_user
 
-  # GET /email
-  # GET /email.xml                                              not implemented
-  #----------------------------------------------------------------------------
-  # def index
-  # end
-
-  # GET /email/1
-  # GET /email/1.xml                                            not implemented
-  #----------------------------------------------------------------------------
-  # def show
-  # end
-
-  # GET /emails/new
-  # GET /emails/new.xml                                         not implemented
-  #----------------------------------------------------------------------------
-  # def new
-  # end
-
-  # GET /emails/1/edit                                          not implemented
-  #----------------------------------------------------------------------------
-  # def edit
-  # end
-
-  # PUT /emails/1
-  # PUT /emails/1.xml                                           not implemented
-  #----------------------------------------------------------------------------
-  # def update
-  # end
-
   # DELETE /emails/1
   # DELETE /emails/1.json
   # DELETE /emails/1.xml                                                   AJAX
@@ -42,7 +13,7 @@ class EmailsController < ApplicationController
   def destroy
     @email = Email.find(params[:id])
     @email.destroy
-
     respond_with(@email)
   end
+
 end

data/app/controllers/entities/contacts_controller.rb

@@ -68,7 +68,7 @@ class ContactsController < EntitiesController
         unless params[:account][:id].blank?
           @account = Account.find(params[:account][:id])
         else
-          if request.referer =~ /\/accounts\/(.+)$/
+          if request.referer =~ /\/accounts\/(\d+)\z/
             @account = Account.find($1) # related account
           else
             @account = Account.new(:user => current_user)

data/app/controllers/entities/opportunities_controller.rb

@@ -82,7 +82,7 @@ class OpportunitiesController < EntitiesController
         unless params[:account][:id].blank?
           @account = Account.find(params[:account][:id])
         else
-          if request.referer =~ /\/accounts\/(.+)$/
+          if request.referer =~ /\/accounts\/(\d+)\z/
             @account = Account.find($1) # related account
           else
             @account = Account.new(:user => current_user)

data/app/controllers/entities_controller.rb

@@ -115,7 +115,6 @@ protected
   def set_options
     unless params[:cancel].true?
       klass = controller_name.classify.constantize
-      action = params['action']
       @per_page = current_user.pref[:"#{controller_name}_per_page"] || klass.per_page
       @sort_by  = current_user.pref[:"#{controller_name}_sort_by"]  || klass.sort_by
     end

data/app/controllers/home_controller.rb

@@ -6,13 +6,9 @@
 class HomeController < ApplicationController
   before_filter :require_user, :except => [ :toggle, :timezone ]
   before_filter :set_current_tab, :only => :index
-  before_filter "hook(:home_before_filter, self, :amazing => true)"
 
   #----------------------------------------------------------------------------
   def index
-    @hello = "Hello world" # The hook below can access controller's instance variables.
-    hook(:home_controller, self, :params => "it works!")
-
     @activities = get_activities
     @my_tasks = Task.visible_on_dashboard(current_user).by_due_at
     @my_opportunities = Opportunity.visible_on_dashboard(current_user).by_closes_on.by_amount

data/app/controllers/passwords_controller.rb

@@ -44,8 +44,9 @@ class PasswordsController < ApplicationController
     end
   end
 
-  #----------------------------------------------------------------------------
   private
+
+  #----------------------------------------------------------------------------
   def load_user_using_perishable_token
     @user = User.find_using_perishable_token(params[:id])
     unless @user
@@ -60,7 +61,6 @@ class PasswordsController < ApplicationController
   #----------------------------------------------------------------------------
   def empty_password?
     (params[:user][:password] == params[:user][:password_confirmation]) &&
-    (params[:user][:password] =~ /^\s*$/)
+    (params[:user][:password].blank?)      # "   ".blank? == true
   end
 end
-

data/app/controllers/tasks_controller.rb

@@ -11,7 +11,7 @@ class TasksController < ApplicationController
   # GET /tasks
   #----------------------------------------------------------------------------
   def index
-    @view = params[:view] || "pending"
+    @view = view
     @tasks = Task.find_all_grouped(current_user, @view)
 
     respond_with @tasks do |format|
@@ -25,14 +25,13 @@ class TasksController < ApplicationController
   #----------------------------------------------------------------------------
   def show
     @task = Task.tracked_by(current_user).find(params[:id])
-
     respond_with(@task)
   end
 
   # GET /tasks/new
   #----------------------------------------------------------------------------
   def new
-    @view = params[:view] || "pending"
+    @view = view
     @task = Task.new
     @bucket = Setting.unroll(:task_bucket)[1..-1] << [ t(:due_specific_date, :default => 'On Specific Date...'), :specific_time ]
     @category = Setting.unroll(:task_category)
@@ -52,7 +51,7 @@ class TasksController < ApplicationController
   # GET /tasks/1/edit                                                      AJAX
   #----------------------------------------------------------------------------
   def edit
-    @view = params[:view] || "pending"
+    @view = view
     @task = Task.tracked_by(current_user).find(params[:id])
     @bucket = Setting.unroll(:task_bucket)[1..-1] << [ t(:due_specific_date, :default => 'On Specific Date...'), :specific_time ]
     @category = Setting.unroll(:task_category)
@@ -68,7 +67,7 @@ class TasksController < ApplicationController
   # POST /tasks
   #----------------------------------------------------------------------------
   def create
-    @view = params[:view] || "pending"
+    @view = view
     @task = Task.new(params[:task]) # NOTE: we don't display validation messages for tasks.
 
     respond_with(@task) do |format|
@@ -81,7 +80,7 @@ class TasksController < ApplicationController
   # PUT /tasks/1
   #----------------------------------------------------------------------------
   def update
-    @view = params[:view] || "pending"
+    @view = view
     @task = Task.tracked_by(current_user).find(params[:id])
     @task_before_update = @task.dup
 
@@ -107,7 +106,7 @@ class TasksController < ApplicationController
   # DELETE /tasks/1
   #----------------------------------------------------------------------------
   def destroy
-    @view = params[:view] || "pending"
+    @view = view
     @task = Task.tracked_by(current_user).find(params[:id])
     @task.destroy
 
@@ -142,7 +141,7 @@ class TasksController < ApplicationController
   # Ajax request to filter out a list of tasks.                            AJAX
   #----------------------------------------------------------------------------
   def filter
-    @view = params[:view] || "pending"
+    @view = view
 
     update_session do |filters|
       if params[:checked].true?
@@ -167,8 +166,7 @@ private
   # Collect data necessary to render filters sidebar.
   #----------------------------------------------------------------------------
   def update_sidebar
-    @view = params[:view]
-    @view = "pending" unless %w(pending assigned completed).include?(@view)
+    @view = view
     @task_total = Task.totals(current_user, @view)
 
     # Update filters session if we added, deleted, or completed a task.
@@ -189,4 +187,13 @@ private
       session[name] = filters unless filters.blank?
     end
   end
+
+  # Ensure view is allowed
+  #----------------------------------------------------------------------------
+  def view
+    view = params[:view]
+    views = Task::ALLOWED_VIEWS
+    views.include?(view) ? view : views.first
+  end
+
 end

data/app/controllers/users_controller.rb

@@ -5,44 +5,30 @@
 #------------------------------------------------------------------------------
 class UsersController < ApplicationController
 
-  before_filter :require_no_user, :only => [ :new, :create ]
-  before_filter :require_user, :only => [ :show, :redraw ]
   before_filter :set_current_tab, :only => [ :show, :opportunities_overview ] # Don't hightlight any tabs.
-  before_filter :require_and_assign_user, :except => [ :new, :create, :show, :avatar, :upload_avatar ]
-  before_filter :assign_given_or_current_user, :only => [ :show, :avatar, :upload_avatar, :edit, :update ]
 
-  load_resource
+  check_authorization
+  load_and_authorize_resource # handles all security
 
   respond_to :html, :only => [ :show, :new ]
 
   # GET /users/1
-  # GET /users/1.json
-  # GET /users/1.xml                                                       HTML
+  # GET /users/1.js
   #----------------------------------------------------------------------------
   def show
+    @user = current_user if params[:id].nil?
     respond_with(@user)
   end
 
   # GET /users/new
-  # GET /users/new.json
-  # GET /users/new.xml                                                     HTML
+  # GET /users/new.js
   #----------------------------------------------------------------------------
   def new
-    if can_signup?
-      respond_with(@user)
-    else
-      redirect_to login_path
-    end
-  end
-
-  # GET /users/1/edit                                                      AJAX
-  #----------------------------------------------------------------------------
-  def edit
     respond_with(@user)
   end
 
   # POST /users
-  # POST /users.xml                                                        HTML
+  # POST /users.js
   #----------------------------------------------------------------------------
   def create
     if @user.save
@@ -58,31 +44,29 @@ class UsersController < ApplicationController
     end
   end
 
-  # PUT /users/1
-  # PUT /users/1.json
-  # PUT /users/1.xml                                                       AJAX
+  # GET /users/1/edit.js
   #----------------------------------------------------------------------------
-  def update
-    @user.update_attributes(params[:user])
+  def edit
     respond_with(@user)
   end
 
-  # DELETE /users/1
-  # DELETE /users/1.xml                HTML and AJAX (not directly exposed yet)
+  # PUT /users/1
+  # PUT /users/1.js
   #----------------------------------------------------------------------------
-  def destroy
-    # not exposed
+  def update
+    @user.update_attributes(params[:user])
+    respond_with(@user)
   end
 
   # GET /users/1/avatar
-  # GET /users/1/avatar.xml                                                AJAX
+  # GET /users/1/avatar.js
   #----------------------------------------------------------------------------
   def avatar
     respond_with(@user)
   end
 
   # PUT /users/1/upload_avatar
-  # PUT /users/1/upload_avatar.xml                                         AJAX
+  # PUT /users/1/upload_avatar.js
   #----------------------------------------------------------------------------
   def upload_avatar
     if params[:gravatar]
@@ -106,19 +90,21 @@ class UsersController < ApplicationController
   end
 
   # GET /users/1/password
-  # GET /users/1/password.xml                                              AJAX
+  # GET /users/1/password.js
   #----------------------------------------------------------------------------
   def password
     respond_with(@user)
   end
 
   # PUT /users/1/change_password
-  # PUT /users/1/change_password.xml                                       AJAX
+  # PUT /users/1/change_password.js
   #----------------------------------------------------------------------------
   def change_password
     if @user.valid_password?(params[:current_password], true) || @user.password_hash.blank?
       unless params[:user][:password].blank?
-        @user.update_attributes(params[:user])
+        @user.password = params[:user][:password]
+        @user.password_confirmation = params[:user][:password_confirmation]
+        @user.save
         flash[:notice] = t(:msg_password_changed)
       else
         flash[:notice] = t(:msg_password_not_changed)
@@ -130,27 +116,18 @@ class UsersController < ApplicationController
     respond_with(@user)
   end
 
-  # POST /users/1/redraw                                                   AJAX
+  # POST /users/1/redraw
   #----------------------------------------------------------------------------
   def redraw
     current_user.preference[:locale] = params[:locale]
     render(:update) { |page| page.redirect_to user_path(current_user) }
   end
 
+  # GET /users/opportunities_overview
+  #----------------------------------------------------------------------------
   def opportunities_overview
     @users_with_opportunities = User.have_assigned_opportunities.order(:first_name)
     @unassigned_opportunities = Opportunity.unassigned.pipeline.order(:stage)
   end
 
-  private
-
-  #----------------------------------------------------------------------------
-  def require_and_assign_user
-    require_user
-    @user = current_user
-  end
-
-  def assign_given_or_current_user
-    @user = params[:id] ? User.find(params[:id]) : current_user
-  end
 end