qm-acts-as-generic-controller 0.1.7 → 0.1.8
- data/Rakefile +1 -1
- data/lib/qm-acts-as-generic-controller-controller.rb +21 -9
- metadata +3 -3
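--- a/data/Rakefile
+++ b/data/Rakefile
@@ -9,7 +9,7 @@ begin
 gemspec.email = "marcin@saepia.net"
 gemspec.homepage = "http://q.saepia.net"
 gemspec.authors = ["Marcin Lewandowski"]
-gemspec.version = "0.1.
+gemspec.version = "0.1.8"
 gemspec.files = Rake::FileList.new [ "MIT-LICENSE", "Rakefile", "lib/*", "app/views/generic_controller/*" ]
 gemspec.add_dependency "qui-common-helpers", ">= 0.0.8"
 gemspec.add_dependency "qui-index-table", ">= 0.0.8"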
@@ -113,6 +113,8 @@ module QM
|
|
113
113
|
end
|
114
114
|
|
115
115
|
def create
|
116
|
+
remove_unprivileged_keys_from_params
|
117
|
+
|
116
118
|
instance_variable_set(singular_variable, model.new(params[singular_variable(true)])) unless instance_variable_defined?(singular_variable)
|
117
119
|
|
118
120
|
respond_to do |format|
|
@@ -154,14 +156,8 @@ module QM
|
|
154
156
|
def update
|
155
157
|
instance_variable_set(singular_variable, model.find(params[:id])) unless instance_variable_defined?(singular_variable)
|
156
158
|
|
157
|
-
|
158
|
-
|
159
|
-
unless current_user.privileged_attributes(model, :write).include? key
|
160
|
-
logger.info "Security warning: Deleting key '#{key}' from params hash, because user #{current_user.login} has not enough privileges to modify that attribute"
|
161
|
-
params[singular_variable(true)].delete key
|
162
|
-
end
|
163
|
-
end
|
164
|
-
end
|
159
|
+
remove_unprivileged_keys_from_params
|
160
|
+
|
165
161
|
instance_variable_get(singular_variable).update_attributes params[singular_variable(true)]
|
166
162
|
|
167
163
|
respond_to do |format|
|
@@ -240,13 +236,29 @@ module QM
|
|
240
236
|
:delete_any
|
241
237
|
end
|
242
238
|
|
243
|
-
|
239
|
+
unless current_user.has_privileges? :class_name => model, :action => action
|
240
|
+
logger.info "Security warning: User #{current_user.login} has not enough privileges to perform action #{action} on #{model}"
|
241
|
+
render_generic_forbidden
|
242
|
+
end
|
243
|
+
|
244
244
|
end
|
245
245
|
|
246
246
|
def check_limit_for_user
|
247
247
|
render_generic_forbidden unless model.limit_for_user(current_user).include? model.find(params[:id]) if model.respond_to? :limit_for_user if defined?(current_user)
|
248
248
|
end
|
249
249
|
|
250
|
+
def remove_unprivileged_keys_from_params
|
251
|
+
if defined?(current_user) and current_user.respond_to? :privileged_attributes
|
252
|
+
params[singular_variable(true)].keys.each do |key|
|
253
|
+
if not current_user.privileged_attributes(model, :write).include?(key) and (model.generic_field_associations.has_key?(key.to_sym) and not current_user.privileged_attributes(model, :write).include?(model.generic_field_associations[key.to_sym][:foreign_key]))
|
254
|
+
logger.info "Security warning: Deleting key '#{key}' from params hash, because user #{current_user.login} has not enough privileges to modify that attribute"
|
255
|
+
params[singular_variable(true)].delete key
|
256
|
+
end
|
257
|
+
end
|
258
|
+
end
|
259
|
+
end
|
260
|
+
|
261
|
+
|
250
262
|
|
251
263
|
def render_generic_forbidden
|
252
264
|
# FIXME TODO render something more nice to user
|
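Review bot: The key filter in remove_unprivileged_keys_from_params (new lines 253–256) no longer removes an ordinary unprivileged attribute, because `not` binds tighter than `and`, so the condition reads `(not privileged) and (association and not fk_privileged)` and only association keys can ever be deleted, whereas the code it replaces in update dropped every key outside privileged_attributes(model, :write). Since create now relies on the same method, both actions accept attributes the user may not write. The intended rule appears to be "keep a key if it is privileged itself, or is an association whose foreign key is privileged", i.e. `privileged = current_user.privileged_attributes(model, :write)` / `assoc = model.generic_field_associations[key.to_sym]` / `unless privileged.include?(key) || (assoc && privileged.include?(assoc[:foreign_key]))`. Separately, the method silently does nothing when current_user is undefined or lacks privileged_attributes, which deserves a comment stating that the filter is intentionally a no-op in that case rather than leaving it to look like an oversight. The enclosing module continues outside the hunk.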
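--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: qm-acts-as-generic-controller
 version: !ruby/object:Gem::Version
-hash:
+hash: 11
 prerelease: false
 segments:
 - 0
 - 1
--
-version: 0.1.
+- 8
+version: 0.1.8
 platform: ruby
 authors:
 - Marcin Lewandowski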