qm-acts-as-generic-controller 0.1.7 → 0.1.8

data/Rakefile

@@ -9,7 +9,7 @@ begin
     gemspec.email = "marcin@saepia.net"
     gemspec.homepage = "http://q.saepia.net"
     gemspec.authors = ["Marcin Lewandowski"]
-    gemspec.version = "0.1.7"
+    gemspec.version = "0.1.8"
     gemspec.files = Rake::FileList.new [ "MIT-LICENSE", "Rakefile", "lib/*", "app/views/generic_controller/*" ]
     gemspec.add_dependency "qui-common-helpers", ">= 0.0.8"
     gemspec.add_dependency "qui-index-table", ">= 0.0.8"

data/lib/qm-acts-as-generic-controller-controller.rb

@@ -113,6 +113,8 @@ module QM
         end
 
         def create
+          remove_unprivileged_keys_from_params
+
           instance_variable_set(singular_variable, model.new(params[singular_variable(true)])) unless instance_variable_defined?(singular_variable)
 
           respond_to do |format|
@@ -154,14 +156,8 @@ module QM
         def update
           instance_variable_set(singular_variable, model.find(params[:id])) unless instance_variable_defined?(singular_variable)
 
-          if defined?(current_user) and current_user.respond_to? :privileged_attributes
-            params[singular_variable(true)].keys.each do |key|
-              unless current_user.privileged_attributes(model, :write).include? key
-                logger.info "Security warning: Deleting key '#{key}' from params hash, because user #{current_user.login} has not enough privileges to modify that attribute"
-                params[singular_variable(true)].delete key 
-              end
-            end
-          end
+          remove_unprivileged_keys_from_params
+
           instance_variable_get(singular_variable).update_attributes params[singular_variable(true)]
 
           respond_to do |format|
@@ -240,13 +236,29 @@ module QM
                 :delete_any
             end
             
-            render_generic_forbidden unless current_user.has_privileges? :class_name => model, :action => action
+            unless current_user.has_privileges? :class_name => model, :action => action
+              logger.info "Security warning: User #{current_user.login} has not enough privileges to perform action #{action} on #{model}"
+              render_generic_forbidden
+            end
+            
           end
           
           def check_limit_for_user
             render_generic_forbidden unless model.limit_for_user(current_user).include? model.find(params[:id]) if model.respond_to? :limit_for_user if defined?(current_user)
           end
 
+          def remove_unprivileged_keys_from_params
+            if defined?(current_user) and current_user.respond_to? :privileged_attributes
+              params[singular_variable(true)].keys.each do |key|
+                if not current_user.privileged_attributes(model, :write).include?(key) and (model.generic_field_associations.has_key?(key.to_sym) and not current_user.privileged_attributes(model, :write).include?(model.generic_field_associations[key.to_sym][:foreign_key]))
+                  logger.info "Security warning: Deleting key '#{key}' from params hash, because user #{current_user.login} has not enough privileges to modify that attribute"
+                  params[singular_variable(true)].delete key 
+                end
+              end
+            end
+          end
+          
+          
           
           def render_generic_forbidden
             # FIXME TODO render something more nice to user

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: qm-acts-as-generic-controller
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 11
   prerelease: false
   segments: 
   - 0
   - 1
-  - 7
-  version: 0.1.7
+  - 8
+  version: 0.1.8
 platform: ruby
 authors: 
 - Marcin Lewandowski