Restrict ransack searches for security

foodcoops · Jun 1, 2016 · 22563b0 · 22563b0
1 parent ef6fde4
commit 22563b0
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 4 deletions.
diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb
@@ -1,10 +1,10 @@
 class Admin::BaseController < ApplicationController
   before_filter :authenticate_admin
-  
+
   def index
-    @user = self.current_user
+    @user = current_user
     @groups = Group.where(deleted_at: nil).order('created_on DESC').limit(10)
     @users = User.order('created_on DESC').limit(10)
   end
-  
+
 end
diff --git a/app/controllers/api/v1/order_articles_controller.rb b/app/controllers/api/v1/order_articles_controller.rb
@@ -27,7 +27,8 @@ def merge_ordered_scope(scope, ordered)
     elsif ordered == 'member'
       scope.joins(:group_order_articles).merge(current_ordergroup.group_order_articles)
     elsif ordered == 'all'
-      scope.where('quantity > 0 OR tolerance > 0')
+      table = scope.arel_table
+      scope.where(table[:quantity].gt(0).or(table[:tolerance].gt(0)))
     elsif ordered == 'supplier'
       scope.ordered
     else

diff --git a/app/models/article.rb b/app/models/article.rb
@@ -73,6 +73,14 @@ class Article < ActiveRecord::Base
   before_save :update_price_history
   before_destroy :check_article_in_use
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id name supplier_id article_category_id unit note manufacturer origin unit_quantity order_number)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(article_category supplier order_articles orders)
+  end
+
   # The financial gross, net plus tax and deposti
   def gross_price
     ((price + deposit) * (tax / 100 + 1)).round(2)

diff --git a/app/models/article_category.rb b/app/models/article_category.rb
@@ -22,6 +22,14 @@ class ArticleCategory < ActiveRecord::Base
 
   before_destroy :check_for_associated_articles
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id name)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(articles order_articles orders)
+  end
+
   # Find a category that matches a category name; may return nil.
   # TODO more intelligence like remembering earlier associations (global and/or per-supplier)
   def self.find_match(category)

diff --git a/app/models/financial_transaction.rb b/app/models/financial_transaction.rb
@@ -10,6 +10,14 @@ class FinancialTransaction < ActiveRecord::Base
 
   localize_input_of :amount
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id amount note created_on user_id)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w() # none, and certainly not user until we've secured that more
+  end
+
   # Use this save method instead of simple save and after callback
   def add_transaction!
     ordergroup.add_financial_transaction! amount, note, user

diff --git a/app/models/order.rb b/app/models/order.rb
@@ -38,6 +38,14 @@ class Order < ActiveRecord::Base
   include DateTimeAttributeValidate
   date_time_attribute :starts, :boxfill, :ends
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id state supplier_id starts boxfill ends pickup)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(supplier articles order_articles)
+  end
+
   def stockit?
     supplier_id == 0
   end

diff --git a/app/models/order_article.rb b/app/models/order_article.rb
@@ -19,6 +19,14 @@ class OrderArticle < ActiveRecord::Base
   before_create :init_from_balancing
   after_destroy :update_ordergroup_prices
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id order_id article_id quantity tolerance units_to_order)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(order article)
+  end
+
   # This method returns either the ArticlePrice or the Article
   # The first will be set, when the the order is finished
   def price

diff --git a/app/models/stock_article.rb b/app/models/stock_article.rb
@@ -9,6 +9,17 @@ class StockArticle < Article
 
   before_destroy :check_quantity
 
+  # @todo enable when ransack 1.7.1 / 1.8.0 is released
+  # ransack_alias :quantity_available, :quantity # in-line with {StockArticleSerializer}
+
+  def self.ransackable_attributes(auth_object = nil)
+    super(auth_object) - %w(supplier_id) + %w(quantity)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    super(auth_object) - %w(supplier)
+  end
+
   # Update the quantity of items in stock
   def update_quantity!
     update_attribute :quantity, stock_changes.collect(&:quantity).sum

diff --git a/app/models/supplier.rb b/app/models/supplier.rb
@@ -23,6 +23,14 @@ class Supplier < ActiveRecord::Base
   scope :undeleted, -> { where(deleted_at: nil) }
   scope :having_articles, -> { where(id: Article.undeleted.select(:supplier_id).distinct) }
 
+  def self.ransackable_attributes(auth_object = nil)
+    %w(id name)
+  end
+
+  def self.ransackable_associations(auth_object = nil)
+    %w(articles stock_articles orders)
+  end
+
   # sync all articles with the external database
   # returns an array with articles(and prices), which should be updated (to use in a form)
   # also returns an array with outlisted_articles, which should be deleted