SECURITY: Validate the entity when downloading a CSV

This commit is contained in:
Robin Ward
2017-05-19 15:59:37 -04:00
parent 0a8e16d049
commit 908433a7a0
4 changed files with 12 additions and 11 deletions


@ -3,7 +3,7 @@ class ExportCsvController < ApplicationController
skip_before_filter :preload_json, :check_xhr, only: [:show]
def export_entity
guardian.ensure_can_export_entity!(export_params[:entity_type])
guardian.ensure_can_export_entity!(export_params[:entity])
Jobs.enqueue(:export_csv_file, entity: export_params[:entity], user_id: current_user.id, args: export_params[:args])
render json: success_json
end
@ -29,8 +29,7 @@ class ExportCsvController < ApplicationController
def export_params
@_export_params ||= begin
params.require(:entity)
params.require(:entity_type)
params.permit(:entity, :entity_type, args: [:name, :start_date, :end_date, :category_id, :group_id, :trust_level])
params.permit(:entity, args: [:name, :start_date, :end_date, :category_id, :group_id, :trust_level])
end
end
end
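Review bot: In the first hunk, the guardian call in `export_entity` now authorizes `export_params[:entity]`, the same value the enqueued `:export_csv_file` job consumes, but nothing in the code records that this coupling is the point of the fix, so a later refactor could reintroduce a separately supplied type parameter without noticing. A comment above the guardian call such as `# Authorize the exact :entity value the job will export; never a second caller-supplied field` would pin the invariant. The `args` hash is forwarded to the job with only its keys permitted by `export_params`; whether its values (e.g. `group_id`, `category_id`) are further scoped to what the current user may access presumably happens in the job or guardian, which is outside this section. `ExportCsvController` continues beyond the first hunk.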