author | Marius Balteanu <marius.balteanu@zitec.com> | 2021-10-05 16:46:03 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2021-10-05 16:46:03 +0000 |
commit | 04e27aa1616f78381fab69b2b72ba5874e4cc557 (patch) | |
tree | e2c51700b0309938b100a2ca111c7404c4cb9370 /app/controllers | |
parent | a0ef175ffea45cf929d422909b564e235c43b149 (diff) | |
Enforce stricter class filtering in WatchersController (35463).
Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@21235 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/watchers_controller.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb index 61681b894..79b809516 100644 --- a/app/controllers/watchers_controller.rb +++ b/app/controllers/watchers_controller.rb @@ -158,7 +158,9 @@ class WatchersController < ApplicationController rescue nil end - return unless klass && klass.respond_to?('watched_by') + return unless klass && Class === klass # rubocop:disable Style/CaseEquality + return unless klass < ActiveRecord::Base + return unless klass < Redmine::Acts::Watchable::InstanceMethods scope = klass.where(:id => Array.wrap(params[:object_id])) if klass.reflect_on_association(:project) |
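Review bot: The `Class === klass` guard on the first added line carries a rubocop disable but no explanation, and the three new `return unless` lines have no comment saying what the removed `klass.respond_to?('watched_by')` check let through. A short comment above them would keep a later cleanup from rewriting the first guard as `klass.is_a?(Class)`, which dispatches to a method on the resolved object rather than to `Class` itself, or from collapsing the guards back into a duck-typing check. The ordering is right as written: `klass < ActiveRecord::Base` is only meaningful once `klass` is known to be a class, and it evaluates to nil for an unrelated class and false for `ActiveRecord::Base` itself, so both cases return before `klass.where(:id => Array.wrap(params[:object_id]))` runs. The diffstat in this view is limited to app/controllers, so no test is visible here; if none accompanies the change, add one where `klass` resolves to a class that is not a watchable ActiveRecord model and assert that the method returns without building the scope.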