diff --git a/app/controllers/aspects_controller.rb b/app/controllers/aspects_controller.rb
index edd558933..e3af0af2d 100644
--- a/app/controllers/aspects_controller.rb
+++ b/app/controllers/aspects_controller.rb
@@ -4,6 +4,7 @@ class AspectsController < ApplicationController
 before_filter :authenticate_user!
+ before_filter :save_sort_order, :only => :index
 respond_to :html
 respond_to :json, :only => [:show, :create]
@@ -15,33 +16,27 @@ class AspectsController < ApplicationController else @aspects = current_user.aspects.includes(:contacts => {:person => :profile}) end - @selected_contacts = @aspects.inject([]){|arr, aspect| arr.concat(aspect.contacts)} + @selected_contacts = @aspects.inject([]) { |arr, aspect| arr.concat(aspect.contacts) } @selected_contacts.uniq! # redirect to signup if (current_user.getting_started == true || @aspects.blank?) && !request.format.mobile? && !request.format.js? redirect_to getting_started_path else - if params[:sort_order].blank? and session[:sort_order].blank? - session[:sort_order] = 'updated_at' - elsif not params[:sort_order].blank? and not session[:sort_order] == params[:sort_order] - session[:sort_order] = params[:sort_order] == 'created_at' ? 'created_at' : 'updated_at' - end - sort_order = session[:sort_order] == 'created_at' ? 'created_at' : 'updated_at' - @aspect_ids = @aspects.map{|a| a.id} + @aspect_ids = @aspects.map { |a| a.id } @posts = StatusMessage.joins(:aspects).where(:pending => false, - :aspects => {:id => @aspect_ids}).includes(:comments, :photos, :likes, :dislikes).select('DISTINCT `posts`.*').paginate( - :page => params[:page], :per_page => 15, :order => sort_order + ' DESC') + :aspects => {:id => @aspect_ids}).includes(:comments, :photos, :likes, :dislikes).select('DISTINCT `posts`.*').paginate( + :page => params[:page], :per_page => 15, :order => session[:sort_order] + ' DESC') @fakes = PostsFake.new(@posts) @contact_count = current_user.contacts.count @aspect = :all unless params[:a_ids] @aspect ||= @aspects.first #used in mobile - end end + def create @aspect = current_user.aspects.create(params[:aspect]) #hack, we don't know why mass assignment is not working 
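Review bot: The `:order => session[:sort_order] + ' DESC'` at the paginate call no longer has any local whitelist; it is only safe because `save_sort_order` (registered with `:only => :index` in the first hunk) runs first and maps every path to 'created_at' or 'updated_at'. That invariant is invisible at the query site, so a later `skip_before_filter`, a subclass, or a second action reusing this query would splice a request-controlled string straight into raw ORDER BY SQL, and a nil session value would raise NoMethodError on the `+`. I would keep the check where the value is used: `sort_order = session[:sort_order] == 'created_at' ? 'created_at' : 'updated_at'` before the query and `:order => "#{sort_order} DESC"` in paginate, or at minimum `# session[:sort_order] is whitelisted by the save_sort_order before_filter` on the paginate line. The index action starts before this hunk (the `params[:a_ids]` branch is outside it).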
@@ -61,12 +56,12 @@ class AspectsController < ApplicationController
 respond_to do |format|
 format.js { render :json => {:html => render_to_string(
- :partial => 'aspects/aspect_list_item',
- :locals => {:aspect => @aspect,
- :person => @person,
- :contact => @contact}
- ), :aspect_id => @aspect.id},:status => 201 }
- end
+ :partial => 'aspects/aspect_list_item',
+ :locals => {:aspect => @aspect,
+ :person => @person,
+ :contact => @contact}
+ ), :aspect_id => @aspect.id}, :status => 201 }
+ end
 else
 respond_with @aspect
 end
@@ -85,10 +80,10 @@ class AspectsController < ApplicationController
 begin
 current_user.drop_aspect @aspect
- flash[:notice] = I18n.t 'aspects.destroy.success',:name => @aspect.name
+ flash[:notice] = I18n.t 'aspects.destroy.success', :name => @aspect.name
 redirect_to aspects_path
 rescue ActiveRecord::StatementInvalid => e
- flash[:error] = I18n.t 'aspects.destroy.failure',:name => @aspect.name
+ flash[:error] = I18n.t 'aspects.destroy.failure', :name => @aspect.name
 redirect_to aspects_path
 end
 end
@@ -104,7 +99,7 @@ class AspectsController < ApplicationController
 def edit
 @aspect = current_user.aspects.where(:id => params[:id]).includes(:contacts => {:person => :profile}).first
- @contacts = current_user.contacts.includes(:person => :profile).all.sort!{|x, y| x.person.name <=> y.person.name}.reverse!
+ @contacts = current_user.contacts.includes(:person => :profile).all.sort! { |x, y| x.person.name <=> y.person.name }.reverse!
 unless @aspect
 render :file => "#{Rails.root}/public/404.html", :layout => false, :status => 404
 else
@@ -124,13 +119,13 @@ class AspectsController < ApplicationController def update @aspect = current_user.aspects.where(:id => params[:id]).first - if @aspect.update_attributes!( params[:aspect] ) + if @aspect.update_attributes!(params[:aspect]) #hack, we don't know why mass assignment is not working @aspect.contacts_visible = params[:aspect][:contacts_visible] @aspect.save - flash[:notice] = I18n.t 'aspects.update.success',:name => @aspect.name + flash[:notice] = I18n.t 'aspects.update.success', :name => @aspect.name else - flash[:error] = I18n.t 'aspects.update.failure',:name => @aspect.name + flash[:error] = I18n.t 'aspects.update.failure', :name => @aspect.name end respond_with @aspect @@ -146,4 +141,16 @@ class AspectsController < ApplicationController end @aspect.save end + + protected + + def save_sort_order + if params[:sort_order].present? + session[:sort_order] = (params[:sort_order] == 'created_at') ? 'created_at' : 'updated_at' + elsif session[:sort_order].blank? + session[:sort_order] = 'updated_at' + else + session[:sort_order] = (session[:sort_order] == 'created_at') ? 'created_at' : 'updated_at' + end + end end diff --git a/spec/controllers/aspects_controller_spec.rb b/spec/controllers/aspects_controller_spec.rb index fbe72ceb8..5d288ed96 100644 --- a/spec/controllers/aspects_controller_spec.rb +++ b/spec/controllers/aspects_controller_spec.rb @@ -126,6 +126,13 @@ describe AspectsController do get :index, :sort_order => "updated_at" assigns(:posts).should == @posts end + + it "doesn't allow SQL injection" do + get :index, :sort_order => "\"; DROP TABLE users;" + assigns(:posts).should == @posts + get :index, :sort_order => "created_at" + assigns(:posts).should == @posts.reverse + end end it "returns all posts by default" do
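Review bot: `save_sort_order` is now the only thing standing between the request and the ORDER BY clause, but the allowed set is expressed twice as an inline ternary and the method carries no comment saying that it is a whitelist, so the next person to add a sort column will likely edit one branch and miss the other. Lifting the allowed columns into a frozen constant collapses the three branches into one expression with identical results (params wins, then session, then 'updated_at'; anything not in the list becomes 'updated_at'), and documents the contract the index query depends on. Since the method exists only to be called by the filter chain, `private` also fits better than `protected`. Rewritten method below; the `protected` keyword and the closing `end` of the class are unchanged.
```ruby
  # Sort columns that may be spliced into the posts ORDER BY clause.
  SORT_ORDERS = %w[created_at updated_at].freeze

  # Stores the requested sort column in session[:sort_order], falling back to
  # the existing session value and then to 'updated_at'. Anything outside
  # SORT_ORDERS is replaced, so the stored value is always a known column name.
  def save_sort_order
    requested = params[:sort_order].presence || session[:sort_order]
    session[:sort_order] = SORT_ORDERS.include?(requested) ? requested : 'updated_at'
  end
```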
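Review bot: The new example "doesn't allow SQL injection" checks only that the post ordering is unchanged after the bad `:sort_order`; it never inspects what was stored, so it cannot tell a rejected value from one that was merely ignored for this request. After the first `get :index`, add `session[:sort_order].should == "updated_at"`, and add a second example that seeds `session[:sort_order]` with a non-column string and issues `get :index` without a parameter, so the else branch of `save_sort_order` (re-normalising an existing session value) is exercised too. The `describe` block containing these examples starts and ends outside the hunk.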