Commit 66a07bd9 authored by James Fleming's avatar James Fleming Committed by Jonne Haß

Remove attributes protection.

Use a whitelist approach instead of a blacklist approach in Profile#receive.

Remove attr_accessible from models and make specs pass.
parent e8db2804
......@@ -9,8 +9,6 @@ class AccountDeletion < ActiveRecord::Base
belongs_to :person
after_create :queue_delete_account
attr_accessible :person
xml_name :account_deletion
xml_attr :diaspora_handle
......
......@@ -3,8 +3,6 @@
# the COPYRIGHT file.
class Aspect < ActiveRecord::Base
include ActiveModel::ForbiddenAttributesProtection
belongs_to :user
has_many :aspect_memberships, :dependent => :destroy
......
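Review bot: The `include ActiveModel::ForbiddenAttributesProtection` added to Aspect here (and to Block, Conversation and User in this commit) has no counterpart in AccountDeletion, Invitation, OEmbedCache, Photo, Profile, Reshare and StatusMessage, which only lose their `attr_accessible` lines. Unless strong parameters are enforced for every model somewhere outside this commit, those seven models now accept whatever keys reach `new`/`update_attributes`, including the `:admin` key that Invitation used to list explicitly. This module also only raises for an unpermitted `ActionController::Parameters`-style object; a plain Hash is assigned unchecked, so the `slice` calls elsewhere in this commit remain the effective guard. Adding the include once to a shared base class, or to each of the seven models, would close the gap consistently.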
class Block < ActiveRecord::Base
include ActiveModel::ForbiddenAttributesProtection
belongs_to :person
belongs_to :user
......
class Conversation < ActiveRecord::Base
include Diaspora::Federated::Base
include Diaspora::Guid
include ActiveModel::ForbiddenAttributesProtection
xml_attr :subject
xml_attr :created_at
......
......@@ -9,8 +9,6 @@ class Invitation < ActiveRecord::Base
belongs_to :recipient, :class_name => 'User'
belongs_to :aspect
attr_accessible :sender, :recipient, :aspect, :language, :service, :identifier, :admin, :message
before_validation :set_email_as_default_service
# before_create :share_with_exsisting_user, :if => :recipient_id?
......
class OEmbedCache < ActiveRecord::Base
serialize :data
attr_accessible :url
validates :data, :presence => true
has_many :posts
......
......@@ -41,7 +41,6 @@ class Photo < ActiveRecord::Base
validates_associated :status_message
delegate :author_name, to: :status_message, prefix: true
attr_accessible :text, :pending
validate :ownership_of_status_message
before_destroy :ensure_user_picture
......@@ -69,7 +68,7 @@ class Photo < ActiveRecord::Base
end
def self.diaspora_initialize(params = {})
photo = self.new params.to_hash
photo = self.new params.to_hash.slice(:text, :pending)
photo.author = params[:author]
photo.public = params[:public] if params[:public]
photo.pending = params[:pending] if params[:pending]
......
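Review bot: `params.to_hash.slice(:text, :pending)` on the new `self.new` line keeps only symbol keys, while the parallel change in Post#diaspora_initialize stringifies keys first; if a caller ever hands in a `HashWithIndifferentAccess` (request params, for instance), `to_hash` yields string keys and the slice returns an empty hash, silently dropping `text`. Using `photo = self.new params.to_hash.stringify_keys.slice('text', 'pending')` accepts both key styles and matches Post. The `pending` assignment two lines below then becomes redundant but is harmless. The body of `self.diaspora_initialize` continues past the end of the hunk.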
......@@ -116,7 +116,7 @@ class Post < ActiveRecord::Base
#############
def self.diaspora_initialize(params)
new_post = self.new params.to_hash
new_post = self.new params.to_hash.stringify_keys.slice(*self.column_names)
new_post.author = params[:author]
new_post.public = params[:public] if params[:public]
new_post.pending = params[:pending] if params[:pending]
......
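Review bot: `slice(*self.column_names)` on the new `self.new` line is not a meaningful allow-list: it admits every column of the posts table, so keys such as `id`, `guid`, `created_at` or counter columns are mass-assigned whenever `params` originates from a request, and only `author_id` is corrected by the assignment on the following line. Photo#diaspora_initialize in the same commit names its two attributes explicitly; Post should do the same, e.g. `slice('text', 'public', 'pending', 'provider_display_name', 'frame_name', 'root_guid')` (the attributes the removed `attr_accessible` lines of StatusMessage and Reshare listed), or let each subclass declare its own list. User#update_profile in this commit relies on the same `Profile.column_names` pattern and has the same weakness. The method body continues past the end of the hunk.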
......@@ -38,9 +38,6 @@ class Profile < ActiveRecord::Base
validate :max_tags
validate :valid_birthday
attr_accessible :first_name, :last_name, :image_url, :image_url_medium,
:image_url_small, :birthday, :gender, :bio, :location, :searchable, :date, :tag_string, :nsfw
belongs_to :person
before_validation do
self.tag_string = self.tag_string.split[0..4].join(' ')
......@@ -57,7 +54,8 @@ class Profile < ActiveRecord::Base
def receive(user, person)
Rails.logger.info("event=receive payload_type=profile sender=#{person} to=#{user}")
person.profile.update_attributes self.attributes.merge(:tag_string => self.tag_string)
profiles_attr = self.attributes.merge('tag_string' => self.tag_string).slice('diaspora_handle', 'first_name', 'last_name', 'image_url', 'image_url_small', 'image_url_medium', 'birthday', 'gender', 'bio', 'location', 'searchable', 'nsfw', 'tag_string')
person.profile.update_attributes(profiles_attr)
person.profile
end
......
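Review bot: The new `profiles_attr` line packs a thirteen-entry allow-list into one very long expression, and the result of `update_attributes` is still discarded, so a remote profile that fails `max_tags` or `valid_birthday` (declared at the top of this class) is silently ignored while `person.profile` is returned as if it had been updated. Moving the list into a frozen constant and logging a failed update keeps the allow-list readable and makes dropped federation payloads visible. `diaspora_handle` is in the list, so the sender can overwrite the handle stored on the receiving profile; if it is meant to identify the sender it may be safer to compare it with `person.diaspora_handle` than to assign it, which is worth confirming against the federation code outside this hunk.
```ruby
# class level, next to the validations
RECEIVABLE_ATTRIBUTES = %w[diaspora_handle first_name last_name image_url image_url_small
                           image_url_medium birthday gender bio location searchable nsfw
                           tag_string].freeze

def receive(user, person)
  Rails.logger.info("event=receive payload_type=profile sender=#{person} to=#{user}")
  profile_attrs = attributes.merge('tag_string' => tag_string).slice(*RECEIVABLE_ATTRIBUTES)
  unless person.profile.update_attributes(profile_attrs)
    Rails.logger.warn("event=receive payload_type=profile status=invalid errors=#{person.profile.errors.full_messages.join(', ')}")
  end
  person.profile
end
```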
......@@ -6,7 +6,6 @@ class Reshare < Post
belongs_to :root, :class_name => 'Post', :foreign_key => :root_guid, :primary_key => :guid
validate :root_must_be_public
attr_accessible :root_guid, :public
validates_presence_of :root, :on => :create
validates_uniqueness_of :root_guid, :scope => :author_id
delegate :author, to: :root, prefix: true
......
......@@ -25,7 +25,6 @@ class StatusMessage < Post
# therefore, we put the validation in a before_destory callback instead of a validation
before_destroy :presence_of_content
attr_accessible :text, :provider_display_name, :frame_name
attr_accessor :oembed_url
before_create :filter_mentions
......
......@@ -7,7 +7,6 @@ class User < ActiveRecord::Base
include Connecting
include Querying
include SocialActions
include ActiveModel::ForbiddenAttributesProtection
scope :logged_in_since, lambda { |time| where('last_sign_in_at > ?', time) }
scope :monthly_actives, lambda { |time = Time.now| logged_in_since(time - 1.month) }
......@@ -327,6 +326,7 @@ class User < ActiveRecord::Base
params[:image_url_small] = photo.url(:thumb_small)
end
params.stringify_keys!.slice!(*(Profile.column_names+['tag_string', 'date']))
if self.profile.update_attributes(params)
deliver_profile_update
true
......
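Review bot: `params.stringify_keys!.slice!(...)` on the new line rewrites the caller's hash in place, so whoever passes a hash into `update_profile` (the spec's `@params`, or a controller's params object) sees its keys stringified and every unlisted key removed as a side effect. The non-destructive form `params = params.stringify_keys.slice(*(Profile.column_names + %w[tag_string date]))` gives the same filtering without touching the caller's object. The `Profile.column_names` set itself is broader than intended (it includes `id` and `person_id`); see the note on Post#diaspora_initialize. `update_profile` starts before this hunk.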
......@@ -26,24 +26,6 @@ describe Photo do
@saved_photo.save
end
describe "protected attributes" do
it "doesn't allow mass assignment of person" do
@photo.save!
@photo.update_attributes(:author => FactoryGirl.build(:person))
@photo.reload.author.should == @user.person
end
it "doesn't allow mass assignment of person_id" do
@photo.save!
@photo.update_attributes(:author_id => FactoryGirl.build(:person).id)
@photo.reload.author.should == @user.person
end
it 'allows assignment of text' do
@photo.save!
@photo.update_attributes(:text => "this is awesome!!")
@photo.reload.text.should == "this is awesome!!"
end
end
describe 'after_create' do
it 'calls #queue_processing_job' do
@photo.should_receive(:queue_processing_job)
......
......@@ -466,7 +466,7 @@ describe User do
end
it 'dispatches the profile when tags are set' do
@params = {:tags => '#what #hey'}
@params = {:tag_string => '#what #hey'}
mailman = Postzord::Dispatcher.build(alice, Profile.new)
Postzord::Dispatcher.should_receive(:build).and_return(mailman)
alice.update_profile(@params).should be_true
......