diff --git a/.gitignore b/.gitignore index faea331..86eb146 100755 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ coverage .tags /.vagrant +/vendor/ruby diff --git a/Gemfile b/Gemfile index 3539b41..5799cac 100755 --- a/Gemfile +++ b/Gemfile @@ -56,6 +56,9 @@ end gem 'jquery-rails' +## strong parameters in Rails 3 (see rails gem above) +gem 'strong_parameters' + # To use ActiveModel has_secure_password gem 'bcrypt' diff --git a/Gemfile.lock b/Gemfile.lock index 06e1b20..3154384 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -267,6 +267,11 @@ GEM rack (~> 1.0) tilt (~> 1.1, != 1.3.0) sqlite3 (1.3.10) + strong_parameters (0.2.3) + actionpack (~> 3.0) + activemodel (~> 3.0) + activesupport (~> 3.0) + railties (~> 3.0) temple (0.6.10) terminal-table (1.4.5) therubyracer (0.12.1) @@ -335,6 +340,7 @@ DEPENDENCIES sass-rails simplecov sqlite3 + strong_parameters therubyracer travis-lint uglifier diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb index 83b992c..e657297 100644 --- a/app/controllers/messages_controller.rb +++ b/app/controllers/messages_controller.rb @@ -33,4 +33,10 @@ class MessagesController < ApplicationController end end end -end \ No newline at end of file + + private + + def message_params + params.require(:message).permit(:creator_id, :message, :read, :receiver_id) + end +end diff --git a/app/controllers/schedule_controller.rb b/app/controllers/schedule_controller.rb index 65caa2e..d940a9d 100644 --- a/app/controllers/schedule_controller.rb +++ b/app/controllers/schedule_controller.rb @@ -4,7 +4,7 @@ class ScheduleController < ApplicationController message = false if params[:schedule][:event_type] == "pto" - sched = Schedule.new(params[:schedule]) + sched = Schedule.new(schedule_params) sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1]) sched.user_id = current_user.user_id a = sched.date_end @@ -56,4 +56,10 @@ class ScheduleController < ApplicationController end return vals end + + private + + def schedule_params + params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type) + end end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1fb5d4a..8db2dc0 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -7,7 +7,7 @@ class UsersController < ApplicationController end def create - user = User.new(params[:user]) + user = User.new(user_params) user.build_benefits_data if user.save session[:user_id] = user.user_id @@ -35,7 +35,7 @@ class UsersController < ApplicationController if user user.skip_user_id_assign = true user.skip_hash_password = true - user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k }) + user.update_attributes(user_params_without_password) if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation]) user.skip_hash_password = false user.password = params[:user][:password] @@ -50,4 +50,15 @@ class UsersController < ApplicationController redirect_to user_account_settings_path(:user_id => current_user.user_id) end end + + private + + def user_params + params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation) + end + + # unpermitted attributes are ignored in production + def user_params_without_password + params.require(:user).permit(:email, :admin, :first_name, :last_name) + end end diff --git a/app/models/analytics.rb b/app/models/analytics.rb index 2d9fbe5..d84e777 100644 --- a/app/models/analytics.rb +++ b/app/models/analytics.rb @@ -1,6 +1,4 @@ class Analytics < ActiveRecord::Base - attr_accessible :ip_address, :referrer, :user_agent - scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")} def self.count_by_col(col) diff --git a/app/models/benefits.rb b/app/models/benefits.rb index 144a2f4..4deae64 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -1,5 +1,4 @@ class Benefits < ActiveRecord::Base - attr_accessor :backup def self.save(file, backup=false) data_path = Rails.root.join("public", "data") diff --git a/app/models/key_management.rb b/app/models/key_management.rb index 70adbd1..7188efa 100644 --- a/app/models/key_management.rb +++ b/app/models/key_management.rb @@ -1,5 +1,4 @@ class KeyManagement < ActiveRecord::Base - attr_accessible :iv, :user_id belongs_to :work_info belongs_to :user end diff --git a/app/models/message.rb b/app/models/message.rb index 12aaaba..7de4c26 100644 --- a/app/models/message.rb +++ b/app/models/message.rb @@ -1,6 +1,5 @@ class Message < ActiveRecord::Base belongs_to :user - attr_accessible :creator_id, :message, :read, :receiver_id validates_presence_of :creator_id, :receiver_id, :message def creator_name diff --git a/app/models/paid_time_off.rb b/app/models/paid_time_off.rb index 409d355..c398f77 100644 --- a/app/models/paid_time_off.rb +++ b/app/models/paid_time_off.rb @@ -1,5 +1,4 @@ class PaidTimeOff < ActiveRecord::Base - attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken belongs_to :user has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy diff --git a/app/models/pay.rb b/app/models/pay.rb index 2218d11..7a35563 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb @@ -1,7 +1,4 @@ class Pay < ActiveRecord::Base - # mass-assignable attributes - attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit - # Associations belongs_to :user diff --git a/app/models/performance.rb b/app/models/performance.rb index 73f25c1..5dfad88 100644 --- a/app/models/performance.rb +++ b/app/models/performance.rb @@ -1,5 +1,4 @@ class Performance < ActiveRecord::Base - attr_accessible :comments, :date_submitted, :reviewer, :score belongs_to :user def reviewer_name diff --git a/app/models/retirement.rb b/app/models/retirement.rb index 47048a0..c3c981c 100644 --- a/app/models/retirement.rb +++ b/app/models/retirement.rb @@ -1,4 +1,3 @@ class Retirement < ActiveRecord::Base - attr_accessible :employee_contrib, :employer_contrib, :total belongs_to :user end diff --git a/app/models/schedule.rb b/app/models/schedule.rb index fc66df7..6692c27 100644 --- a/app/models/schedule.rb +++ b/app/models/schedule.rb @@ -1,5 +1,4 @@ class Schedule < ActiveRecord::Base - attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type belongs_to :paid_time_off validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type diff --git a/app/models/user.rb b/app/models/user.rb index 9c5cc7f..263b56d 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,7 +1,6 @@ require 'encryption' class User < ActiveRecord::Base - attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation validates :password, :presence => true, :confirmation => true, :length => {:within => 6..40}, diff --git a/app/models/work_info.rb b/app/models/work_info.rb index 2816dfa..9484803 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -1,5 +1,4 @@ class WorkInfo < ActiveRecord::Base - attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked belongs_to :user has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy #before_save :encrypt_ssn diff --git a/config/initializers/strong_parameters.rb b/config/initializers/strong_parameters.rb new file mode 100644 index 0000000..394c1f5 --- /dev/null +++ b/config/initializers/strong_parameters.rb @@ -0,0 +1 @@ +ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection) diff --git a/db/schema.rb b/db/schema.rb index 705f2a3..a51d0db 100755 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20140804171756) do +ActiveRecord::Schema.define(:version => 20140408185601) do create_table "analytics", :force => true do |t| t.string "ip_address"