Correcting some security warnings

2018-09-30 19:02:49 +02:00 · 2018-09-30 19:02:49 +02:00 · a372b962ab
commit a372b962ab
parent 2cd11098f4
6 changed files with 9 additions and 10 deletions
--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@ -4,11 +4,11 @@ class EventsController < ApplicationController
  has_scope :region, :locality, :tag, :daylimit, :year
  has_scope :near, type: :hash, using: %i[location distance]

-  before_action :set_events, only: [:index]
+  before_action :set_events, only: :index
  before_action :set_event, except: %i[index new preview_create create]
  before_action :set_create_event, only: %i[new preview_create create]
  before_action :check_secret, only: %i[edit preview update destroy]
-  before_action :set_mailer_host
+  before_action :set_mailer_host, only: %i[create update destroy]
  rescue_from ActiveRecord::StaleObjectError, with: :locked

  def index
@ -88,9 +88,7 @@ class EventsController < ApplicationController

  # Use callbacks to share common setup or constraints between actions
  def set_event
-    @event = Event.moderated
-    @event = Event.where secret: params[:secret] if params[:secret].present?
-    @event = @event.find params[:id]
+    @event = Event.find params[:id]
  end

  def set_create_event
--- a/app/views/events/show.html.haml
+++ b/app/views/events/show.html.haml
@ -55,7 +55,7 @@
  %p
    %em.fa.fa-external-link-alt
    %span.label= Event.human_attribute_name :url
-    = link_to @event.url, sanitize(@event.url)
+    = link_to @event.url, @event.url.html_safe
 - if @event.contact.present?
  %p
    %em.fa.fa-envelope
--- a/app/views/orgas/_form.html.haml
+++ b/app/views/orgas/_form.html.haml
@ -31,8 +31,8 @@
    = f.label :city
    = f.text_field :city, list: :cities
    %datalist#cities
-      - Event.group(:city).order('count(city) desc').pluck(:city).each do |city|
-        %option= city
+      - Event.group(:city).order('1 desc').count.each do |r|
+        %option= r[0]
  .field.department
    = f.label :department
    = f.text_field :department
--- a/app/views/orgas/show.html.haml
+++ b/app/views/orgas/show.html.haml
@ -39,7 +39,7 @@
    %dt.url
      %em.fa.fa-external-link-alt
      = Orga.human_attribute_name :url
-    %dd= link_to @orga.url, sanitize(@orga.url)
+    %dd= link_to @orga.url, @orga.url.html_safe
  - if @orga.diaspora.present?
    %dt.diaspora<
      = Orga.human_attribute_name :diaspora
--- a/config/application.rb
+++ b/config/application.rb
@ -47,5 +47,7 @@ module AgendaDuLibreRails
    # time being
    # TODO
    config.action_controller.per_form_csrf_tokens = false
+
+    config.active_record.sqlite3.represent_boolean_as_integer = true
  end
 end
--- a/config/initializers/paper_trail.rb
+++ b/config/initializers/paper_trail.rb
@ -1 +0,0 @@
-PaperTrail.config.track_associations = false
				`@ -1 +0,0 @@`
				`PaperTrail.config.track_associations = false`