Prevent mass-assignment when adding/updating a forum message (#10390)....
Jean-Philippe Lang -
r9013:286bda14f14d
@@ -1,148 +1,143
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class MessagesController < ApplicationController
18 class MessagesController < ApplicationController
19 menu_item :boards
19 menu_item :boards
20 default_search_scope :messages
20 default_search_scope :messages
21 before_filter :find_board, :only => [:new, :preview]
21 before_filter :find_board, :only => [:new, :preview]
22 before_filter :find_message, :except => [:new, :preview]
22 before_filter :find_message, :except => [:new, :preview]
23 before_filter :authorize, :except => [:preview, :edit, :destroy]
23 before_filter :authorize, :except => [:preview, :edit, :destroy]
24
24
25 helper :watchers
25 helper :watchers
26 helper :attachments
26 helper :attachments
27 include AttachmentsHelper
27 include AttachmentsHelper
28
28
29 REPLIES_PER_PAGE = 25 unless const_defined?(:REPLIES_PER_PAGE)
29 REPLIES_PER_PAGE = 25 unless const_defined?(:REPLIES_PER_PAGE)
30
30
31 # Show a topic and its replies
31 # Show a topic and its replies
32 def show
32 def show
33 page = params[:page]
33 page = params[:page]
34 # Find the page of the requested reply
34 # Find the page of the requested reply
35 if params[:r] && page.nil?
35 if params[:r] && page.nil?
36 offset = @topic.children.count(:conditions => ["#{Message.table_name}.id < ?", params[:r].to_i])
36 offset = @topic.children.count(:conditions => ["#{Message.table_name}.id < ?", params[:r].to_i])
37 page = 1 + offset / REPLIES_PER_PAGE
37 page = 1 + offset / REPLIES_PER_PAGE
38 end
38 end
39
39
40 @reply_count = @topic.children.count
40 @reply_count = @topic.children.count
41 @reply_pages = Paginator.new self, @reply_count, REPLIES_PER_PAGE, page
41 @reply_pages = Paginator.new self, @reply_count, REPLIES_PER_PAGE, page
42 @replies = @topic.children.find(:all, :include => [:author, :attachments, {:board => :project}],
42 @replies = @topic.children.find(:all, :include => [:author, :attachments, {:board => :project}],
43 :order => "#{Message.table_name}.created_on ASC",
43 :order => "#{Message.table_name}.created_on ASC",
44 :limit => @reply_pages.items_per_page,
44 :limit => @reply_pages.items_per_page,
45 :offset => @reply_pages.current.offset)
45 :offset => @reply_pages.current.offset)
46
46
47 @reply = Message.new(:subject => "RE: #{@message.subject}")
47 @reply = Message.new(:subject => "RE: #{@message.subject}")
48 render :action => "show", :layout => false if request.xhr?
48 render :action => "show", :layout => false if request.xhr?
49 end
49 end
50
50
51 # Create a new topic
51 # Create a new topic
52 def new
52 def new
53 @message = Message.new(params[:message])
53 @message = Message.new
54 @message.author = User.current
54 @message.author = User.current
55 @message.board = @board
55 @message.board = @board
56 if params[:message] && User.current.allowed_to?(:edit_messages, @project)
56 @message.safe_attributes = params[:message]
57 @message.locked = params[:message]['locked']
58 @message.sticky = params[:message]['sticky']
59 end
60 if request.post?
57 if request.post?
61 @message.save_attachments(params[:attachments])
58 @message.save_attachments(params[:attachments])
62 if @message.save
59 if @message.save
63 call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
60 call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
64 render_attachment_warning_if_needed(@message)
61 render_attachment_warning_if_needed(@message)
65 redirect_to :action => 'show', :id => @message
62 redirect_to :action => 'show', :id => @message
66 end
63 end
67 end
64 end
68 end
65 end
69
66
70 # Reply to a topic
67 # Reply to a topic
71 def reply
68 def reply
72 @reply = Message.new(params[:reply])
69 @reply = Message.new
73 @reply.author = User.current
70 @reply.author = User.current
74 @reply.board = @board
71 @reply.board = @board
72 @reply.safe_attributes = params[:reply]
75 @topic.children << @reply
73 @topic.children << @reply
76 if !@reply.new_record?
74 if !@reply.new_record?
77 call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
75 call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
78 attachments = Attachment.attach_files(@reply, params[:attachments])
76 attachments = Attachment.attach_files(@reply, params[:attachments])
79 render_attachment_warning_if_needed(@reply)
77 render_attachment_warning_if_needed(@reply)
80 end
78 end
81 redirect_to :action => 'show', :id => @topic, :r => @reply
79 redirect_to :action => 'show', :id => @topic, :r => @reply
82 end
80 end
83
81
84 # Edit a message
82 # Edit a message
85 def edit
83 def edit
86 (render_403; return false) unless @message.editable_by?(User.current)
84 (render_403; return false) unless @message.editable_by?(User.current)
87 if params[:message]
85 @message.safe_attributes = params[:message]
88 @message.locked = params[:message]['locked']
86 if request.post? && @message.save
89 @message.sticky = params[:message]['sticky']
90 end
91 if request.post? && @message.update_attributes(params[:message])
92 attachments = Attachment.attach_files(@message, params[:attachments])
87 attachments = Attachment.attach_files(@message, params[:attachments])
93 render_attachment_warning_if_needed(@message)
88 render_attachment_warning_if_needed(@message)
94 flash[:notice] = l(:notice_successful_update)
89 flash[:notice] = l(:notice_successful_update)
95 @message.reload
90 @message.reload
96 redirect_to :action => 'show', :board_id => @message.board, :id => @message.root, :r => (@message.parent_id && @message.id)
91 redirect_to :action => 'show', :board_id => @message.board, :id => @message.root, :r => (@message.parent_id && @message.id)
97 end
92 end
98 end
93 end
99
94
100 # Delete a messages
95 # Delete a messages
101 def destroy
96 def destroy
102 (render_403; return false) unless @message.destroyable_by?(User.current)
97 (render_403; return false) unless @message.destroyable_by?(User.current)
103 @message.destroy
98 @message.destroy
104 redirect_to @message.parent.nil? ?
99 redirect_to @message.parent.nil? ?
105 { :controller => 'boards', :action => 'show', :project_id => @project, :id => @board } :
100 { :controller => 'boards', :action => 'show', :project_id => @project, :id => @board } :
106 { :action => 'show', :id => @message.parent, :r => @message }
101 { :action => 'show', :id => @message.parent, :r => @message }
107 end
102 end
108
103
109 def quote
104 def quote
110 user = @message.author
105 user = @message.author
111 text = @message.content
106 text = @message.content
112 subject = @message.subject.gsub('"', '\"')
107 subject = @message.subject.gsub('"', '\"')
113 subject = "RE: #{subject}" unless subject.starts_with?('RE:')
108 subject = "RE: #{subject}" unless subject.starts_with?('RE:')
114 content = "#{ll(Setting.default_language, :text_user_wrote, user)}\\n> "
109 content = "#{ll(Setting.default_language, :text_user_wrote, user)}\\n> "
115 content << text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]').gsub('"', '\"').gsub(/(\r?\n|\r\n?)/, "\\n> ") + "\\n\\n"
110 content << text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]').gsub('"', '\"').gsub(/(\r?\n|\r\n?)/, "\\n> ") + "\\n\\n"
116 render(:update) { |page|
111 render(:update) { |page|
117 page << "$('message_subject').value = \"#{subject}\";"
112 page << "$('message_subject').value = \"#{subject}\";"
118 page.<< "$('message_content').value = \"#{content}\";"
113 page.<< "$('message_content').value = \"#{content}\";"
119 page.show 'reply'
114 page.show 'reply'
120 page << "Form.Element.focus('message_content');"
115 page << "Form.Element.focus('message_content');"
121 page << "Element.scrollTo('reply');"
116 page << "Element.scrollTo('reply');"
122 page << "$('message_content').scrollTop = $('message_content').scrollHeight - $('message_content').clientHeight;"
117 page << "$('message_content').scrollTop = $('message_content').scrollHeight - $('message_content').clientHeight;"
123 }
118 }
124 end
119 end
125
120
126 def preview
121 def preview
127 message = @board.messages.find_by_id(params[:id])
122 message = @board.messages.find_by_id(params[:id])
128 @attachements = message.attachments if message
123 @attachements = message.attachments if message
129 @text = (params[:message] || params[:reply])[:content]
124 @text = (params[:message] || params[:reply])[:content]
130 render :partial => 'common/preview'
125 render :partial => 'common/preview'
131 end
126 end
132
127
133 private
128 private
134 def find_message
129 def find_message
135 find_board
130 find_board
136 @message = @board.messages.find(params[:id], :include => :parent)
131 @message = @board.messages.find(params[:id], :include => :parent)
137 @topic = @message.root
132 @topic = @message.root
138 rescue ActiveRecord::RecordNotFound
133 rescue ActiveRecord::RecordNotFound
139 render_404
134 render_404
140 end
135 end
141
136
142 def find_board
137 def find_board
143 @board = Board.find(params[:board_id], :include => :project)
138 @board = Board.find(params[:board_id], :include => :project)
144 @project = @board.project
139 @project = @board.project
145 rescue ActiveRecord::RecordNotFound
140 rescue ActiveRecord::RecordNotFound
146 render_404
141 render_404
147 end
142 end
148 end
143 end
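Review bot: In `edit`, the new `@message.safe_attributes = params[:message]` runs before the `request.post?` test, so a GET with `message[...]` query parameters renders the edit form with request-supplied values instead of the persisted record; the same ordering appears in `new`. Moving the assignment inside the POST branch keeps the in-memory record untouched on GET: `if request.post?` / `  @message.safe_attributes = params[:message]` / `  if @message.save`. Whether `safe_attributes=` tolerates a missing `params[:message]` (nil rather than a Hash) is not visible here; if it does not, the GET path in `edit` would now raise. The ordering in `reply` and `new`, where `board` is assigned before `safe_attributes=`, matters because the model's `:if` lambda reads `message.project`, so a comment such as `# board must be set first: safe_attributes' :if lambda reads message.project` would keep a future reorder from breaking it.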
@@ -1,104 +1,111
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class Message < ActiveRecord::Base
18 class Message < ActiveRecord::Base
19 include Redmine::SafeAttributes
19 belongs_to :board
20 belongs_to :board
20 belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
21 belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
21 acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
22 acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
22 acts_as_attachable
23 acts_as_attachable
23 belongs_to :last_reply, :class_name => 'Message', :foreign_key => 'last_reply_id'
24 belongs_to :last_reply, :class_name => 'Message', :foreign_key => 'last_reply_id'
24
25
25 acts_as_searchable :columns => ['subject', 'content'],
26 acts_as_searchable :columns => ['subject', 'content'],
26 :include => {:board => :project},
27 :include => {:board => :project},
27 :project_key => "#{Board.table_name}.project_id",
28 :project_key => "#{Board.table_name}.project_id",
28 :date_column => "#{table_name}.created_on"
29 :date_column => "#{table_name}.created_on"
29 acts_as_event :title => Proc.new {|o| "#{o.board.name}: #{o.subject}"},
30 acts_as_event :title => Proc.new {|o| "#{o.board.name}: #{o.subject}"},
30 :description => :content,
31 :description => :content,
31 :type => Proc.new {|o| o.parent_id.nil? ? 'message' : 'reply'},
32 :type => Proc.new {|o| o.parent_id.nil? ? 'message' : 'reply'},
32 :url => Proc.new {|o| {:controller => 'messages', :action => 'show', :board_id => o.board_id}.merge(o.parent_id.nil? ? {:id => o.id} :
33 :url => Proc.new {|o| {:controller => 'messages', :action => 'show', :board_id => o.board_id}.merge(o.parent_id.nil? ? {:id => o.id} :
33 {:id => o.parent_id, :r => o.id, :anchor => "message-#{o.id}"})}
34 {:id => o.parent_id, :r => o.id, :anchor => "message-#{o.id}"})}
34
35
35 acts_as_activity_provider :find_options => {:include => [{:board => :project}, :author]},
36 acts_as_activity_provider :find_options => {:include => [{:board => :project}, :author]},
36 :author_key => :author_id
37 :author_key => :author_id
37 acts_as_watchable
38 acts_as_watchable
38
39
39 attr_protected :locked, :sticky
40 attr_protected :locked, :sticky
40 validates_presence_of :board, :subject, :content
41 validates_presence_of :board, :subject, :content
41 validates_length_of :subject, :maximum => 255
42 validates_length_of :subject, :maximum => 255
42 validate :cannot_reply_to_locked_topic, :on => :create
43 validate :cannot_reply_to_locked_topic, :on => :create
43
44
44 after_create :add_author_as_watcher, :update_parent_last_reply
45 after_create :add_author_as_watcher, :update_parent_last_reply
45 after_update :update_messages_board
46 after_update :update_messages_board
46 after_destroy :reset_board_counters
47 after_destroy :reset_board_counters
47
48
48 named_scope :visible, lambda {|*args| { :include => {:board => :project},
49 named_scope :visible, lambda {|*args| { :include => {:board => :project},
49 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
50 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
50
51
52 safe_attributes 'subject', 'content'
53 safe_attributes 'locked', 'sticky',
54 :if => lambda {|message, user|
55 user.allowed_to?(:edit_messages, message.project)
56 }
57
51 def visible?(user=User.current)
58 def visible?(user=User.current)
52 !user.nil? && user.allowed_to?(:view_messages, project)
59 !user.nil? && user.allowed_to?(:view_messages, project)
53 end
60 end
54
61
55 def cannot_reply_to_locked_topic
62 def cannot_reply_to_locked_topic
56 # Can not reply to a locked topic
63 # Can not reply to a locked topic
57 errors.add :base, 'Topic is locked' if root.locked? && self != root
64 errors.add :base, 'Topic is locked' if root.locked? && self != root
58 end
65 end
59
66
60 def update_parent_last_reply
67 def update_parent_last_reply
61 if parent
68 if parent
62 parent.reload.update_attribute(:last_reply_id, self.id)
69 parent.reload.update_attribute(:last_reply_id, self.id)
63 end
70 end
64 board.reset_counters!
71 board.reset_counters!
65 end
72 end
66
73
67 def update_messages_board
74 def update_messages_board
68 if board_id_changed?
75 if board_id_changed?
69 Message.update_all("board_id = #{board_id}", ["id = ? OR parent_id = ?", root.id, root.id])
76 Message.update_all("board_id = #{board_id}", ["id = ? OR parent_id = ?", root.id, root.id])
70 Board.reset_counters!(board_id_was)
77 Board.reset_counters!(board_id_was)
71 Board.reset_counters!(board_id)
78 Board.reset_counters!(board_id)
72 end
79 end
73 end
80 end
74
81
75 def reset_board_counters
82 def reset_board_counters
76 board.reset_counters!
83 board.reset_counters!
77 end
84 end
78
85
79 def sticky=(arg)
86 def sticky=(arg)
80 write_attribute :sticky, (arg == true || arg.to_s == '1' ? 1 : 0)
87 write_attribute :sticky, (arg == true || arg.to_s == '1' ? 1 : 0)
81 end
88 end
82
89
83 def sticky?
90 def sticky?
84 sticky == 1
91 sticky == 1
85 end
92 end
86
93
87 def project
94 def project
88 board.project
95 board.project
89 end
96 end
90
97
91 def editable_by?(usr)
98 def editable_by?(usr)
92 usr && usr.logged? && (usr.allowed_to?(:edit_messages, project) || (self.author == usr && usr.allowed_to?(:edit_own_messages, project)))
99 usr && usr.logged? && (usr.allowed_to?(:edit_messages, project) || (self.author == usr && usr.allowed_to?(:edit_own_messages, project)))
93 end
100 end
94
101
95 def destroyable_by?(usr)
102 def destroyable_by?(usr)
96 usr && usr.logged? && (usr.allowed_to?(:delete_messages, project) || (self.author == usr && usr.allowed_to?(:delete_own_messages, project)))
103 usr && usr.logged? && (usr.allowed_to?(:delete_messages, project) || (self.author == usr && usr.allowed_to?(:delete_own_messages, project)))
97 end
104 end
98
105
99 private
106 private
100
107
101 def add_author_as_watcher
108 def add_author_as_watcher
102 Watcher.create(:watchable => self.root, :user => author)
109 Watcher.create(:watchable => self.root, :user => author)
103 end
110 end
104 end
111 end
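Review bot: `attr_protected :locked, :sticky` is kept on the new side while `safe_attributes 'locked', 'sticky', :if => ...` is added; unless `Redmine::SafeAttributes#safe_attributes=` bypasses ActiveRecord's mass-assignment guard, `attributes=` will still strip those two keys even for a user the lambda permits, so moderators could lose the ability to lock or sticky a topic through the controller. Worth pinning with a test that a user allowed `:edit_messages` can set `locked` via `safe_attributes=`, and either dropping the `attr_protected` line or documenting why both are needed. The `:if` lambda also calls `message.project`, which is `board.project`, so it raises on a message whose `board` is unset; `message.board && user.allowed_to?(:edit_messages, message.project)` would make it safe for callers that assign attributes before the board.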