kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Do not pass unsanitized params to issue move service

Browse source
This commit is contained in:
Grzegorz Bizon 2016-02-24 11:52:02 +01:00
parent 4cbe87d50e
commit 57eb395488
3 changed files with 11 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/controllers/projects/issues_controller.rb
View file

@ -88,7 +88,8 @@ class Projects::IssuesController < Projects::ApplicationController
def update def update
@issue = Issues::UpdateService.new(project, current_user, issue_params).execute(issue) @issue = Issues::UpdateService.new(project, current_user, issue_params).execute(issue)
move_service = Issues::MoveService.new(project, current_user, params.require(:issue).permit!, @issue) move_service = Issues::MoveService.new(project, current_user, issue_params,
@issue, params['move_to_project_id'])
if move_service.move? if move_service.move?
@issue = move_service.execute @issue = move_service.execute

7
app/services/issues/move_service.rb
View file

@ -1,15 +1,12 @@
module Issues module Issues
class MoveService < Issues::BaseService class MoveService < Issues::BaseService
def initialize(project, current_user, params, issue) def initialize(project, current_user, params, issue, new_project_id)
super(project, current_user, params) super(project, current_user, params)
@issue_old = issue @issue_old = issue
@issue_new = @issue_old.dup @issue_new = @issue_old.dup
@project_old = @project @project_old = @project
@project_new = Project.find(new_project_id) if new_project_id
if params['move_to_project_id']
@project_new = Project.find(params['move_to_project_id'])
end
end end
def execute def execute

10
spec/services/issues/move_service_spec.rb
View file

@ -7,10 +7,14 @@ describe Issues::MoveService, services: true do
let(:old_project) { create(:project) } let(:old_project) { create(:project) }
let(:old_issue) { create(:issue, title: title, description: description, project: old_project) } let(:old_issue) { create(:issue, title: title, description: description, project: old_project) }
let(:new_project) { create(:project) } let(:new_project) { create(:project) }
let(:move_service) { described_class.new(old_project, user, move_params, old_issue) } let(:issue_params) { old_issue.serializable_hash }
let(:move_service) do
described_class.new(old_project, user, issue_params, old_issue, new_project_id)
end
shared_context 'issue move requested' do shared_context 'issue move requested' do
let(:move_params) { { 'move_to_project_id' => new_project.id } } let(:new_project_id) { new_project.id }
end end
shared_context 'user can move issue' do shared_context 'user can move issue' do
@ -108,7 +112,7 @@ describe Issues::MoveService, services: true do
end end
context 'issue move not requested' do context 'issue move not requested' do
let(:move_params) { {} } let(:new_project_id) { nil }
describe '#move?' do describe '#move?' do
subject { move_service.move? } subject { move_service.move? }