Fix params + steamid bug

2025-01-14 13:51:26 +00:00 · 2020-03-18 23:23:30 +02:00 · 2020-03-18 23:23:30 +02:00 · c9b7036047
commit c9b7036047
parent 61e90d58c0
3 changed files with 11 additions and 9 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -47,7 +47,7 @@ class PostsController < ApplicationController
  def trash
    raise AccessError unless @post.can_destroy? cuser
    @post.trash
-    if Topic.exists? @post.topic
+    if @post.topic.exists?
      redirect_to @post.topic
    else
      redirect_to @post.topic.forum
@ -57,7 +57,7 @@ class PostsController < ApplicationController
  def destroy
    raise AccessError unless @post.can_destroy? cuser
    @post.destroy
-    if Topic.exists? @post.topic
+    if @post.topic.exists?
      redirect_to @post.topic
    else
      redirect_to @post.topic.forum
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -53,7 +53,7 @@ class UsersController < ApplicationController
  end

  def create
-    @user = User.new(User.params(params, cuser))
+    @user = User.new(User.params(params, cuser, "create"))
    # FIXME: move to model
    @user.lastvisit = Date.today
    @user.lastip = request.env['REMOTE_ADDR']
@ -75,7 +75,7 @@ class UsersController < ApplicationController
    raise AccessError unless @user.can_update? cuser
    # FIXME: use permit
    params[:user].delete(:username) unless @user.can_change_name? cuser
-    if @user.update_attributes(User.params(params, cuser))
+    if @user.update_attributes(User.params(params, cuser, "update"))
      flash[:notice] = t(:users_update)
      redirect_to_back
    else
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -115,7 +115,7 @@ class User < ActiveRecord::Base
  validates_length_of :email, :maximum => 50
  validates_format_of :email, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
  validates_length_of :steamid, :maximum => 30
-  validates_format_of :steamid, :with => /\A([0-9]{1,10}:){2}[0-9]{1,10}\Z/
+  validates_format_of :steamid, :with => /\ASTEAM_[0-5]:[01]:\d+\Z/
  validates_length_of :time_zone, :maximum => 100, :allow_blank => true, :allow_nil => true
  validates_inclusion_of [:public_email], :in => [true, false], :allow_nil => true
  validate :validate_team
@ -354,10 +354,12 @@ class User < ActiveRecord::Base
    Group.find(Group::CASTERS).users.order(:username)
  end

-  def self.params(params, cuser)
-    profile_attrs = cuser.profile.attributes.keys - ["id", "created_at", "updated_at"]
-    allowed = [:raw_password, :firstname, :lastname, :email, :steamid, :country, :birthdate, :timezone, :public_email, :filter, :time_zone, :team_id, profile_attributes: [profile_attrs]]
-    allowed << :username if cuser.admin?
+  def self.params(params, cuser, operation)
+    profile_attrs ||= cuser.profile.attributes.keys - ["id", "created_at", "updated_at"] if cuser
+    allowed = [:raw_password, :firstname, :lastname, :email, :steamid, :country, \
+               :birthdate, :timezone, :public_email, :filter, :time_zone, :team_id, \
+               profile_attributes: [profile_attrs]]
+    allowed << :username if cuser&.admin? || operation == 'create'
    params.require(:user).permit(*allowed)
  end
 end