From 4b6045d70059e4f8592c5c01ea500d3ffb09d7b2 Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Fri, 24 May 2013 17:25:36 +0200
Subject: [PATCH] Use verify_post_request in controllers instead of Rails filter
---
 .../WEB-INF/app/controllers/action_plans_controller.rb | 4 +++-
 .../app/controllers/admin_dashboards_controller.rb | 5 ++++-
 .../webapp/WEB-INF/app/controllers/backup_controller.rb | 3 +--
 .../WEB-INF/app/controllers/bulk_deletion_controller.rb | 2 +-
 .../WEB-INF/app/controllers/dashboard_controller.rb | 5 ++++-
 .../WEB-INF/app/controllers/dashboards_controller.rb | 8 +++++++-
 .../WEB-INF/app/controllers/manual_measures_controller.rb | 3 ++-
 .../WEB-INF/app/controllers/manual_rules_controller.rb | 2 +-
 8 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/action_plans_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/action_plans_controller.rb
index 7b93155ccaa..579e250b930 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/action_plans_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/action_plans_controller.rb
@@ -22,7 +22,6 @@ class ActionPlansController < ApplicationController
 SECTION=Navigation::SECTION_RESOURCE
 before_filter :load_resource
- verify :method => :post, :only => [:save, :delete, :change_status], :redirect_to => {:action => :index}
 def index
 load_action_plans()
@@ -35,6 +34,7 @@ class ActionPlansController < ApplicationController
 end
 def save
+ verify_post_request
 options = {'project' => @resource.key, 'name' => params[:name], 'description' => params[:description], 'deadLine' => params[:deadline]}
 exiting_action_plan = find_by_key(params[:plan_key]) unless params[:plan_key].blank?
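Review bot: The removed `verify :method => :post, ..., :redirect_to => {:action => :index}` filter stopped a non-POST request before the action body ran, whereas `verify_post_request` is now an ordinary first statement inside `save`, so the protection depends entirely on that helper terminating the request (raising, or redirecting and halting); if it merely returns a value, everything below it still executes. The helper is defined outside this patch (presumably in ApplicationController), so its contract should be pinned where it lives, e.g. `# Aborts the current action unless the request is a POST; must be the first statement of the action, nothing after it runs on a non-POST request.`, ideally backed by a functional test that a GET to `save` performs no write. The same point applies to every other hunk in this patch (the `delete`/`change_status` hunk below and the other seven controllers), so it is raised once here. One ordering change worth noting: the class-level `before_filter :load_resource` now runs before the method check on a GET, which looks harmless here but differs from the old filter order.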
@@ -55,11 +55,13 @@ class ActionPlansController < ApplicationController
 end
 def delete
+ verify_post_request
 Internal.issues.deleteActionPlan(params[:plan_key])
 redirect_to :action => 'index', :id => @resource.id
 end
 def change_status
+ verify_post_request
 action_plan = find_by_key(params[:plan_key])
 if action_plan
 if action_plan.status == 'OPEN'
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/admin_dashboards_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/admin_dashboards_controller.rb
index 05267949337..61a2749feb9 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/admin_dashboards_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/admin_dashboards_controller.rb
@@ -21,7 +21,6 @@ class AdminDashboardsController < ApplicationController
 SECTION=Navigation::SECTION_CONFIGURATION
- verify :method => :post, :only => [:up, :down, :remove, :add], :redirect_to => {:action => :index}
 before_filter :admin_required
 before_filter :load_default_dashboards
@@ -32,16 +31,19 @@ class AdminDashboardsController < ApplicationController
 end
 def down
+ verify_post_request
 position(+1)
 redirect_to :action => 'index'
 end
 def up
+ verify_post_request
 position(-1)
 redirect_to :action => 'index'
 end
 def add
+ verify_post_request
 dashboard=Dashboard.find(params[:id])
 if dashboard and dashboard.shared?
 last_index = @actives.max_by(&:order_index).order_index
@@ -54,6 +56,7 @@ class AdminDashboardsController < ApplicationController
 end
 def remove
+ verify_post_request
 if @actives.size<=1
 flash[:error]='At least one dashboard must be defined as default.'
 else
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/backup_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/backup_controller.rb
index cae0fc3ab26..7d71472cfa2 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/backup_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/backup_controller.rb
@@ -22,10 +22,8 @@ class BackupController < ApplicationController
 SECTION=Navigation::SECTION_CONFIGURATION
 before_filter :admin_required
- verify :method => :post, :only => [:import], :redirect_to => { :action => :index }
 def index
-
 end
 def export
@@ -35,6 +33,7 @@ class BackupController < ApplicationController
 end
 def import
+ verify_post_request
 file=params[:file]
 xml=read_file(file)
 if xml && !xml.empty?
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/bulk_deletion_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/bulk_deletion_controller.rb
index a2362c887b7..21efff30418 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/bulk_deletion_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/bulk_deletion_controller.rb
@@ -22,7 +22,6 @@ class BulkDeletionController < ApplicationController
 SECTION=Navigation::SECTION_CONFIGURATION
 before_filter :admin_required
- verify :method => :post, :only => [:delete_resources], :redirect_to => { :action => :index }
 def index
 if pending_mass_deletion?
@@ -79,6 +78,7 @@ class BulkDeletionController < ApplicationController
 end
 def delete_resources
+ verify_post_request
 resource_to_delete = params[:resources] || []
 resource_to_delete = params[:all_resources].split(',') if params[:all_resources] && !params[:all_resources].blank?
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
index 0dae16e0384..8e9232a1e39 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
@@ -21,7 +21,6 @@ class DashboardController < ApplicationController
 SECTION=Navigation::SECTION_RESOURCE
- verify :method => :post, :only => [:set_layout, :add_widget, :set_dashboard, :save_widget], :redirect_to => {:action => :index}
 before_filter :login_required, :except => [:index]
 def index
@@ -48,6 +47,7 @@ class DashboardController < ApplicationController
 end
 def set_layout
+ verify_post_request
 dashboard=Dashboard.find(params[:did])
 if dashboard.editable_by?(current_user)
 dashboard.column_layout=params[:layout]
@@ -62,6 +62,7 @@ class DashboardController < ApplicationController
 end
 def set_dashboard
+ verify_post_request
 load_dashboard()
 dashboardstate=params[:dashboardstate]
@@ -87,6 +88,7 @@ class DashboardController < ApplicationController
 end
 def add_widget
+ verify_post_request
 dashboard=Dashboard.find(params[:did])
 widget_id=nil
 if dashboard.editable_by?(current_user)
@@ -109,6 +111,7 @@ class DashboardController < ApplicationController
 end
 def save_widget
+ verify_post_request
 widget=Widget.find(params[:wid])
 #TODO check owner of dashboard
 Widget.transaction do
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
index 6748a292c5c..52474be0159 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
@@ -21,7 +21,6 @@ class DashboardsController < ApplicationController
 SECTION=Navigation::SECTION_RESOURCE
- verify :method => :post, :only => [:create, :update, :delete, :up, :down, :follow, :unfollow], :redirect_to => {:action => :index}
 before_filter :login_required
 def index
@@ -47,6 +46,7 @@ class DashboardsController < ApplicationController
 end
 def create
+ verify_post_request
 @dashboard=Dashboard.new()
 @dashboard.user_id=current_user.id
 load_dashboard_from_params(@dashboard)
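Review bot: In the `save_widget` hunk the new `verify_post_request` only constrains the HTTP method, while the visible `#TODO check owner of dashboard` shows that, as far as this hunk goes, the `Widget.transaction` update still runs for any logged-in user who submits someone else's `params[:wid]`; a method check is not an authorization check. The sibling actions in the same file (`set_layout`, `add_widget`) gate their writes on `dashboard.editable_by?(current_user)`, so the same predicate should be applied to the widget's owning dashboard before the transaction, replacing the TODO with an `access_denied` path. The body of `save_widget` continues past the end of the hunk, so the check may belong a few lines further down.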
@@ -79,6 +79,7 @@ class DashboardsController < ApplicationController
 end
 def update
+ verify_post_request
 dashboard=Dashboard.find(params[:id])
 if dashboard.editable_by?(current_user)
 load_dashboard_from_params(dashboard)
@@ -92,6 +93,7 @@ class DashboardsController < ApplicationController
 end
 def delete
+ verify_post_request
 dashboard=Dashboard.find(params[:id])
 access_denied unless dashboard.editable_by?(current_user)
@@ -106,14 +108,17 @@ class DashboardsController < ApplicationController
 end
 def down
+ verify_post_request
 position(+1)
 end
 def up
+ verify_post_request
 position(-1)
 end
 def follow
+ verify_post_request
 dashboard=Dashboard.find(params[:id])
 add_default_dashboards_if_first_user_dashboard(dashboard.global?)
@@ -129,6 +134,7 @@ class DashboardsController < ApplicationController
 end
 def unfollow
+ verify_post_request
 dashboard=Dashboard.find(params[:id])
 add_default_dashboards_if_first_user_dashboard(dashboard.global?)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
index ab5fd5abfd0..3408c4aa8e9 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
@@ -21,7 +21,6 @@ class ManualMeasuresController < ApplicationController
 SECTION=Navigation::SECTION_RESOURCE
 before_filter :init_resource_for_admin_role
- verify :method => :post, :only => [:save, :delete], :redirect_to => {:action => :index}
 helper MetricsHelper
 def index
@@ -39,6 +38,7 @@ class ManualMeasuresController < ApplicationController
 end
 def save
+ verify_post_request
 @metric=Metric.by_key(params[:metric])
 @measure=ManualMeasure.find(:first, :conditions => ['resource_id=? and metric_id=?', @resource.id, @metric.id]) if @measure.nil?
@@ -60,6 +60,7 @@ class ManualMeasuresController < ApplicationController
 end
 def delete
+ verify_post_request
 metric=Metric.by_key(params[:metric])
 ManualMeasure.destroy_all(['resource_id=? and metric_id=?', @resource.id, metric.id])
 redirect_to :action => 'index', :id => params[:id], :metric => params[:metric]
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_rules_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_rules_controller.rb
index c818adb06c2..1a009ae313c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_rules_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_rules_controller.rb
@@ -20,7 +20,6 @@ class ManualRulesController < ApplicationController
 before_filter :admin_required
- verify :method => :post, :only => [:create], :redirect_to => {:action => :index}
 verify :method => :delete, :only => [:delete], :redirect_to => {:action => :index}
 SECTION=Navigation::SECTION_CONFIGURATION
@@ -39,6 +38,7 @@ class ManualRulesController < ApplicationController
 end
 def create
+ verify_post_request
 access_denied unless is_admin?
 begin
 if params[:id].to_i>0
--
2.39.5
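Review bot: In the ManualRulesController hunk the class-level `verify :method => :delete, :only => [:delete], :redirect_to => {:action => :index}` line is kept while `create` switches to the inline `verify_post_request`, so this one controller now enforces HTTP methods through two mechanisms with different failure behaviour (a redirect to index for `delete`, whatever `verify_post_request` does for `create`). If there is no DELETE counterpart to the inline helper, a one-line comment above the surviving `verify`, e.g. `# delete stays on the Rails verify filter: no inline DELETE-method helper yet`, would stop the next reader from treating it as a leftover of this migration; otherwise it should move inline for consistency with the rest of the patch. Placing `verify_post_request` ahead of `access_denied unless is_admin?` is the right order, as the state-free method check is the cheaper rejection.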