Merge pull request #480 from OWASP/fix/dropdown-display-and-readme-cleanup

Add styling to admin user management page and fix form submission
Ken Johnson
2025-12-11 11:55:33 +00:00
committed by GitHub
2 changed files with 60 additions and 42 deletions
+10 -4
@@ -2,7 +2,6 @@
class AdminController < ApplicationController
before_action :administrative, if: :admin_param, except: [:get_user]
skip_before_action :has_info
layout false, only: [:get_all_users]
def dashboard
end
@@ -34,9 +33,16 @@ class AdminController < ApplicationController
def update_user
user = User.find_by_id(params[:admin_id])
if user
user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
pass = params[:user][:password]
user.password = pass if !(pass.blank?)
# VULNERABILITY: Using params[:user] directly without strong parameters
# This allows mass assignment of any user attribute including 'admin'
# See wiki: Extras:-Mass-Assignment-Admin-Role.md
user_params = params[:user].to_unsafe_h if params[:user].respond_to?(:to_unsafe_h)
user_params ||= params[:user]
# Filter out password fields if blank to avoid validation errors
filtered_params = user_params.reject { |k, v| (k == "password" || k == "password_confirmation") && v.blank? }
user.update(filtered_params)
user.save!
flash[:success] = "User updated successfully"
redirect_to admin_get_all_users_path(current_user.id)
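Review bot: `user.save!` on the line after `user.update(filtered_params)` is redundant and changes the failure path: `update` already persists and returns false when a validation fails, so on failure `save!` raises ActiveRecord::RecordInvalid, which nothing in the hunk rescues, while the `flash[:success]` on the next line is set regardless of whether the update went through. Branching on the return value of `update` and dropping `save!` keeps the redirect and reports validation errors through flash instead of an unhandled exception. The `if user` branch and the rest of `update_user` continue outside the hunk. The `to_unsafe_h` path is documented as intentional by the comment above it, so this note does not concern it.
```ruby
# … unchanged: user lookup and blank-password filtering into filtered_params …
if user.update(filtered_params)
  flash[:success] = "User updated successfully"
else
  flash[:error] = user.errors.full_messages.to_sentence
end
redirect_to admin_get_all_users_path(current_user.id)
```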
+50 -38
@@ -1,41 +1,53 @@
<div id="dt_example" class="example_alt_pagination">
<table class="table table-striped table-hover table-bordered pull-left" id="data-table">
<thead>
<tr>
<th>
Name
</th>
<th>
Email
</th>
<th>
Admin User
</th>
<th>
Action
</th>
</tr>
</thead>
<tbody>
<% @users.each do |u|%>
<tr>
<td style="word-wrap:break-word;">
<%= "#{u.first_name} #{u.last_name}"%>
</td>
<td>
<%= u.email%>
</td>
<td>
<%= u.admin ? %{<span class="fs1" aria-label="check" data-icon="&#xe0fe;"}.html_safe : nil %>
</td>
<td>
<%= link_to "Edit", admin_get_user_path(u.id), {:style => "width:70px", :class => "btn btn-inverse"}%>
</td>
</tr>
<% end %>
</tbody>
</table>
<div class="clearfix">
<div class="container-fluid">
<!-- Header -->
<div class="row mb-4">
<div class="col-12">
<h2 class="mb-3">
<i class="bi bi-people-fill text-primary"></i> Manage Users
</h2>
<p class="text-muted">View and manage all system users</p>
</div>
</div>
<!-- Users Table -->
<div class="row">
<div class="col-12">
<div class="card shadow-sm">
<div class="card-body">
<div id="dt_example" class="example_alt_pagination">
<table class="table table-striped table-hover table-bordered" id="data-table">
<thead>
<tr>
<th>Name</th>
<th>Email</th>
<th>Admin User</th>
<th>Action</th>
</tr>
</thead>
<tbody>
<% @users.each do |u| %>
<tr>
<td style="word-wrap:break-word;">
<%= "#{u.first_name} #{u.last_name}" %>
</td>
<td>
<%= u.email %>
</td>
<td class="text-center">
<%= u.admin ? '<i class="bi bi-check-circle-fill text-success" title="Admin"></i>'.html_safe : '<i class="bi bi-dash-circle text-muted" title="Not Admin"></i>'.html_safe %>
</td>
<td>
<%= link_to admin_get_user_path(u.id), class: "btn btn-sm btn-outline-primary" do %>
<i class="bi bi-pencil"></i> Edit
<% end %>
</td>
</tr>
<% end %>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
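Review bot: The ternary in the `Admin User` cell builds both icons as string literals and calls `.html_safe` on each, which is only safe as long as those strings never gain interpolated data; the tag helper expresses the same markup without bypassing output escaping, e.g. `<%= u.admin ? content_tag(:i, nil, class: "bi bi-check-circle-fill text-success", title: "Admin") : content_tag(:i, nil, class: "bi bi-dash-circle text-muted", title: "Not Admin") %>`. The name and email cells stay auto-escaped by ERB, so only the icon cell is affected. The block form of `link_to` on the Edit cell already escapes correctly and needs no change.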