From a372b962abbe15d010c6b561245ff52155bfab3b Mon Sep 17 00:00:00 2001
From: echarp
Date: Sun, 30 Sep 2018 19:02:49 +0200
Subject: [PATCH] Correcting some security warnings

---
 app/controllers/events_controller.rb | 8 +++-----
 app/views/events/show.html.haml | 2 +-
 app/views/orgas/_form.html.haml | 4 ++--
 app/views/orgas/show.html.haml | 2 +-
 config/application.rb | 2 ++
 config/initializers/paper_trail.rb | 1 -
 6 files changed, 9 insertions(+), 10 deletions(-)
 delete mode 100644 config/initializers/paper_trail.rb

diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
index 14bd063a..0da0bb17 100644
--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@@ -4,11 +4,11 @@ class EventsController < ApplicationController
   has_scope :region, :locality, :tag, :daylimit, :year
   has_scope :near, type: :hash, using: %i[location distance]
 
-  before_action :set_events, only: [:index]
+  before_action :set_events, only: :index
   before_action :set_event, except: %i[index new preview_create create]
   before_action :set_create_event, only: %i[new preview_create create]
   before_action :check_secret, only: %i[edit preview update destroy]
-  before_action :set_mailer_host
+  before_action :set_mailer_host, only: %i[create update destroy]
   rescue_from ActiveRecord::StaleObjectError, with: :locked
 
   def index
@@ -88,9 +88,7 @@ class EventsController < ApplicationController
 
   # Use callbacks to share common setup or constraints between actions
   def set_event
-    @event = Event.moderated
-    @event = Event.where secret: params[:secret] if params[:secret].present?
-    @event = @event.find params[:id]
+    @event = Event.find params[:id]
   end
 
   def set_create_event
diff --git a/app/views/events/show.html.haml b/app/views/events/show.html.haml
index 8e5d0a99..920d1345 100644
--- a/app/views/events/show.html.haml
+++ b/app/views/events/show.html.haml
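Review bot: In the second hunk, `set_event` now loads any record with `Event.find params[:id]`, dropping both the `Event.moderated` scope and the `secret`-matched lookup the removed lines applied, so an unmoderated event becomes reachable by id through every action that uses this callback (including `show`, which the first hunk leaves without `check_secret`), whereas before it was only reachable with the matching secret. If hiding unmoderated events from the public path is still the intent, keep the scoped lookup while avoiding the reassignment chain: `@event = params[:secret].present? ? Event.where(secret: params[:secret]) : Event.moderated` followed by `@event = @event.find(params[:id])`. If the widening is deliberate because `check_secret` is now the only guard, a comment on `set_event` saying so would stop the next reader from re-adding the scope; `check_secret` itself is defined outside this hunk, so I cannot confirm what it enforces.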
@@ -55,7 +55,7 @@
     %p
       %em.fa.fa-external-link-alt
       %span.label= Event.human_attribute_name :url
-      = link_to @event.url, sanitize(@event.url)
+      = link_to @event.url, @event.url.html_safe
   - if @event.contact.present?
     %p
       %em.fa.fa-envelope
diff --git a/app/views/orgas/_form.html.haml b/app/views/orgas/_form.html.haml
index 8ca36115..fc6875aa 100644
--- a/app/views/orgas/_form.html.haml
+++ b/app/views/orgas/_form.html.haml
@@ -31,8 +31,8 @@
     = f.label :city
     = f.text_field :city, list: :cities
     %datalist#cities
-      - Event.group(:city).order('count(city) desc').pluck(:city).each do |city|
-        %option= city
+      - Event.group(:city).order('1 desc').count.each do |r|
+        %option= r[0]
   .field.department
     = f.label :department
     = f.text_field :department
diff --git a/app/views/orgas/show.html.haml b/app/views/orgas/show.html.haml
index 43a22bd1..80dad3e2 100644
--- a/app/views/orgas/show.html.haml
+++ b/app/views/orgas/show.html.haml
@@ -39,7 +39,7 @@
     %dt.url
       %em.fa.fa-external-link-alt
       = Orga.human_attribute_name :url
-    %dd= link_to @orga.url, sanitize(@orga.url)
+    %dd= link_to @orga.url, @orga.url.html_safe
   - if @orga.diaspora.present?
     %dt.diaspora<
       = Orga.human_attribute_name :diaspora
diff --git a/config/application.rb b/config/application.rb
index a1ac9b05..b32c9c64 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -47,5 +47,7 @@ module AgendaDuLibreRails
     # time being
     # TODO
     config.action_controller.per_form_csrf_tokens = false
+
+    config.active_record.sqlite3.represent_boolean_as_integer = true
   end
 end
diff --git a/config/initializers/paper_trail.rb b/config/initializers/paper_trail.rb
deleted file mode 100644
index 39a66791..00000000
--- a/config/initializers/paper_trail.rb
+++ /dev/null
@@ -1 +0,0 @@
-PaperTrail.config.track_associations = false
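Review bot: `@event.url.html_safe` on the added line disables escaping of a stored, user-supplied value: `link_to` escapes the `href` attribute only when the string is not marked html-safe, so a URL containing a double quote can close the attribute and inject markup into the rendered page, which turns the event URL into a stored XSS vector; the replaced `sanitize` call at least returned an escaped string. The same construct is added in the orgas/show.html.haml hunk for `@orga.url`. Pass the plain string, `= link_to @event.url, @event.url`, and keep URL safety in the model by restricting the attribute to http/https (for example a `validates :url, format:` rule anchored with `\A`/`\z`), since marking view output safe does nothing about the scheme either. If a scanner flagged the original line, the warning was presumably about an unvalidated href, which this change does not address.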
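Review bot: In the orgas/_form.html.haml hunk, `order('1 desc')` sorts by the ordinal position of the first selected column, which for `group(:city).count` is the generated count column, so the result is presumably still "most frequent city first", but the intent is hidden behind a magic number and depends on the column order Active Record emits. The following `.each do |r|` then indexes `r[0]` into the `[city, count]` pairs that `Hash#each` yields. Iterating with `.each_key do |city|` and `%option= city`, plus a HAML comment such as `-# ORDER BY 1 = the COUNT(*) column Active Record selects first`, would make the query self-explaining. Events with a `nil` city would produce an empty `%option`; the hunk shows no handling for that, so confirm against the data.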