pr97

Author: mr-exz

app/controllers/keys_controller.rb

@@ -37,7 +37,7 @@ def index
     end
 
     @keys = @keys.order(sort_clause) unless @keys.nil?
-    @keys = @keys.select { |key| key.whitelisted?(User, @project) } unless @keys.nil?
+    @keys = @keys.select { |key| key.whitelisted?(User.current, @project) } unless @keys.nil?
     @keys = [] if @keys.nil? # hack for decryption
 
     @limit = per_page_option
@@ -95,7 +95,7 @@ def all
     end
 
     @keys = @keys.order(sort_clause) unless @keys.nil?
-    @keys = @keys.select { |key| key.whitelisted?(User, key.project) } unless @keys.nil?
+    @keys = @keys.select { |key| key.whitelisted?(User.current, key.project) } unless @keys.nil?
     @keys = [] if @keys.nil? # hack for decryption
 
     @limit = per_page_option
@@ -169,7 +169,7 @@ def update_wishlist
   end
 
   def edit
-    if !@key.whitelisted?(User, @project)
+    if !@key.whitelisted?(User.current, @project)
       render_error t("error.key.not_whitelisted")
       return
     else
@@ -181,7 +181,7 @@ def edit
   end
 
   def show
-    if !@key.whitelisted?(User, @project)
+    if !@key.whitelisted?(User.current, @project)
       render_error t("error.key.not_whitelisted")
       return
     else

app/controllers/tags_controller.rb

@@ -8,7 +8,8 @@ def index
   end
 
   def create
-    @tag = @key.tags.build(tag_params)
+    @tag = @key.tags.build
+    @tag.safe_attributes = tag_params
     if @tag.save
       redirect_to project_key_tags_path(@project, @key), notice: 'Tag was successfully created.'
     else

app/models/vault/key.rb

@@ -3,9 +3,13 @@ module Vault
   require 'iconv'
 
   class Vault::Key < ActiveRecord::Base
+    include Redmine::SafeAttributes
+
     belongs_to :project
     has_and_belongs_to_many :tags, join_table: 'keys_vault_tags'
 
+    safe_attributes 'project_id', 'name', 'body', 'login', 'type', 'file', 'url', 'comment', 'whitelist'
+
     def tags=(tags_string)
       tag_objects = Vault::Tag.create_from_string(tags_string)
       self.tags.clear
@@ -66,13 +70,17 @@ def self.import(file)
     end
 
     def whitelisted?(user, project)
-      return true if user.current.admin or !user.current.allowed_to?(:whitelist_keys, project)
-      self.whitelist.split(",").each do |id|
-        return true if User.in_group(id).where(:id => user.current.id).count == 1
+      return true if user.admin || !user.allowed_to?(:whitelist_keys, project)
+
+      whitelist_ids = self.whitelist.split(',')
+      return true if whitelist_ids.include?(user.id.to_s)
+
+      whitelist_ids.each do |id|
+        return true if User.in_group(id).where(id: user.id).any?
       end
-      return self.whitelist.split(",").include?(user.current.id.to_s)
-    end
 
+      false
+    end
   end
 
   class Vault::KeysVaultTags < ActiveRecord::Base

app/models/vault/tag.rb

@@ -1,8 +1,12 @@
 module Vault
   class Tag < ActiveRecord::Base
+    include Redmine::SafeAttributes
+
     self.table_name = 'vault_tags'
     has_and_belongs_to_many :keys, join_table: 'keys_vault_tags'
 
+    safe_attributes 'name', 'color'
+
     validates :name, presence: true, uniqueness: true
     validates :color, presence: true
 

config/locales/ru.yml

@@ -11,7 +11,7 @@ ru:
 
   activerecord:
     models:
-      password: "Ключь"
+      password: "Ключ"
       sftp: "SFTP"
 
   backups: