From: Marius Balteanu
Date: Tue, 5 Oct 2021 16:46:03 +0000 (+0000)
Subject: Enforce stricter class filtering in WatchersController (35463).
X-Git-Tag: 5.0.0~225
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=04e27aa1616f78381fab69b2b72ba5874e4cc557;p=redmine.git
Enforce stricter class filtering in WatchersController (35463). Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@21235 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 61681b894..79b809516 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -158,7 +158,9 @@ class WatchersController < ApplicationController
 rescue
 nil
 end
- return unless klass && klass.respond_to?('watched_by')
+ return unless klass && Class === klass # rubocop:disable Style/CaseEquality
+ return unless klass < ActiveRecord::Base
+ return unless klass < Redmine::Acts::Watchable::InstanceMethods
 scope = klass.where(:id => Array.wrap(params[:object_id]))
 if klass.reflect_on_association(:project)
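Review bot: The three new guards have no comment saying why `respond_to?('watched_by')` was not enough, and the `rubocop:disable` on `Class === klass` invites a later cleanup to `klass.is_a?(Class)`, which would again dispatch a method on an object whose type is not yet established. I would add above them `# Accept only real classes that are ActiveRecord models and include the Watchable mixin; Class === is deliberate because it calls no method on klass`. The enclosing method starts and ends outside the hunk, so the lookup that produces `klass` is visible only as the `rescue`/`nil`/`end` context; if it resolves a name taken from the request, these checks run after that resolution and do not prevent any load-time side effect of it. The patch as shown touches only the controller, so a functional test that submits a non-watchable class name and expects the early-return path would pin the new behaviour.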