Revision 2f3839eb
Added by Joseph Magen almost 11 years ago
- ID 2f3839eb9928bd04876c2e1bfe509cd9ed120991
app/controllers/application_controller.rb | ||
---|---|---|
obj = controller_name.singularize
|
||
# determine if we are searching for a numerical id or plain name
|
||
cond = "find_by_" + ((id =~ /^\d+$/ && (id=id.to_i)) ? "id" : "name")
|
||
not_found and return unless eval("@#{obj} = #{obj.camelize}.#{cond}(id)")
|
||
not_found and return unless instance_variable_set("@#{obj}", obj.camelize.constantize.send(cond, id))
|
||
end
|
||
|
||
def notice notice
|
||
... | ... | |
end
|
||
|
||
def process_success hash = {}
|
||
hash[:object] ||= eval("@#{controller_name.singularize}")
|
||
hash[:object] ||= instance_variable_get("@#{controller_name.singularize}")
|
||
hash[:object_name] ||= hash[:object].to_s
|
||
unless hash[:success_msg]
|
||
hash[:success_msg] = case action_name
|
||
... | ... | |
raise Foreman::Exception.new(N_("Unknown action name for success message: %s"), action_name)
|
||
end
|
||
end
|
||
hash[:success_redirect] ||= eval("#{controller_name}_url")
|
||
hash[:success_redirect] ||= send("#{controller_name}_url")
|
||
hash[:json_code] = :created if action_name == "create"
|
||
|
||
return render :json => {:redirect => hash[:success_redirect]} if hash[:redirect_xhr]
|
||
... | ... | |
end
|
||
|
||
def process_error hash = {}
|
||
hash[:object] ||= eval("@#{controller_name.singularize}")
|
||
hash[:object] ||= instance_variable_get("@#{controller_name.singularize}")
|
||
|
||
case action_name
|
||
when "create" then hash[:render] ||= "new"
|
||
when "update" then hash[:render] ||= "edit"
|
||
else
|
||
hash[:redirect] ||= eval("#{controller_name}_url")
|
||
hash[:redirect] ||= send("#{controller_name}_url")
|
||
end
|
||
|
||
hash[:json_code] ||= :unprocessable_entity
|
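Review bot: `id =~ /^\d+$/` on the `cond` line is still anchored per line, so an id such as `"1\nfoo"` is classified as numeric and silently truncated by `to_i`; `/\A\d+\z/` matches the whole string. The `eval` replacements throughout this commit use `send`, which also reaches private methods of the receiver; since every target here is a public route helper or finder (`*_url`, `*_path`, `find_by_*`), `public_send` would state that and narrow the dispatch — the same applies to application_helper.rb, common_parameters_helper.rb, home_helper.rb, layout_helper.rb, bookmarks_controller.rb and the three ERB views. The method containing the `find_by_` lookup starts outside the hunk.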
app/controllers/bookmarks_controller.rb | ||
---|---|---|
|
||
respond_to do |format|
|
||
if @bookmark.save
|
||
format.html { redirect_to(eval(@bookmark.controller+"_path"), :notice => _('Bookmark was successfully created.')) }
|
||
format.html { redirect_to send("#{@bookmark.controller}_path"), :notice => _('Bookmark was successfully created.') }
|
||
else
|
||
format.html { render :action => "new" }
|
||
end
|
app/controllers/unattended_controller.rb | ||
---|---|---|
|
||
def load_template_vars
|
||
# load the os family default variables
|
||
eval "#{@host.os.pxe_type}_attributes"
|
||
send "#{@host.os.pxe_type}_attributes"
|
||
end
|
||
|
||
def jumpstart_attributes
|
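Review bot: `send "#{@host.os.pxe_type}_attributes"` in `load_template_vars` still lets any `<value>_attributes` method on the controller be invoked, chosen by a value stored on the operating system record. Since the set of PXE types is fixed (`jumpstart_attributes` follows at the end of the hunk), an explicit `case @host.os.pxe_type` naming the known types, or a frozen allow-list checked before the `send`, would make the dispatch surface visible and fail clearly on an unknown type. Whether `pxe_type` is constrained at the model level is not visible here.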
app/helpers/application_helper.rb | ||
---|---|---|
end
|
||
|
||
def auto_complete_search(name, val, options = {})
|
||
path = eval("#{controller_name}_path")
|
||
path = send("#{controller_name}_path")
|
||
options.merge!(:class => "autocomplete-input", :'data-url' => "#{path}/auto_complete_#{name}" )
|
||
text_field_tag(name, val, options)
|
||
end
|
||
... | ... | |
end
|
||
|
||
def method_path method
|
||
eval("#{method}_#{controller_name}_path")
|
||
send("#{method}_#{controller_name}_path")
|
||
end
|
||
|
||
def edit_textfield(object, property, options={})
|
app/helpers/audits_helper.rb | ||
---|---|---|
when 'last_login_on'
|
||
change.to_s(:short)
|
||
when /.*_id$/
|
||
model = (eval name.humanize)
|
||
model.find(change).to_label
|
||
name.humanize.constantize.find(change).to_label
|
||
else
|
||
change.to_s
|
||
end.truncate(50)
|
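Review bot: `name.humanize.constantize` on the `when /.*_id$/` branch resolves only single-word columns: `"hostgroup_id".humanize` is `"Hostgroup"`, which constantizes, while `"host_group_id".humanize` is `"Host group"`, which raises NameError; `name.sub(/_id\z/, "").classify` would handle both — verify against the audited column names, since the `eval` form had the same limitation. The `when` regex also uses `$`, which matches before an embedded newline; `/_id\z/` anchors to the end of the string. The enclosing `case` starts outside the hunk.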
app/helpers/common_parameters_helper.rb | ||
---|---|---|
return true if authorized_for(controller, action)
|
||
|
||
operation = "#{action}_my_#{controller.singularize}".to_sym
|
||
User.current.allowed_to?(operation) and User.current.send(controller).include?(eval("@#{controller.singularize}"))
|
||
User.current.allowed_to?(operation) and User.current.send(controller).include?(instance_variable_get("@#{controller.singularize}"))
|
||
end
|
||
|
||
def parameters_title
|
app/helpers/home_helper.rb | ||
---|---|---|
end
|
||
|
||
def menu(tab, label, path = nil)
|
||
path ||= eval("hash_for_#{tab}_path")
|
||
path ||= send("hash_for_#{tab}_path")
|
||
return '' unless authorized_for(path[:controller], path[:action] )
|
||
content_tag(:li, :class => "menu_tab_#{tab} ") do
|
||
link_to_if_authorized(label, path)
|
||
... | ... | |
def allowed_choices choices, action = "index"
|
||
choices.map do |opt|
|
||
name, kontroller = opt
|
||
url = eval("#{kontroller}_url")
|
||
url = send("#{kontroller}_url")
|
||
authorized_for(kontroller, action) ? [name, url] : nil
|
||
end.compact.sort
|
||
end
|
app/helpers/layout_helper.rb | ||
---|---|---|
end
|
||
|
||
def submit_or_cancel f, overwrite = false, args = { }
|
||
args[:cancel_path] ||= eval "#{controller_name}_path"
|
||
args[:cancel_path] ||= send("#{controller_name}_path")
|
||
content_tag(:div, :class => "form-actions") do
|
||
text = overwrite ? _("Overwrite") : _("Submit")
|
||
options = overwrite ? {:class => "btn btn-danger"} : {:class => "btn btn-primary"}
|
app/models/bookmark.rb | ||
---|---|---|
validates_uniqueness_of :name, :unless => Proc.new{|b| Bookmark.my_bookmarks.where(:name => b.name).empty?}
|
||
validates_presence_of :name, :controller, :query
|
||
validates_format_of :controller, :with => /\A(\S+)\Z/, :message => N_("can't be blank or contain white spaces.")
|
||
validates :controller, :inclusion => {
|
||
:in => ["dashboard"] + ActiveRecord::Base.connection.tables.map(&:to_s),
|
||
:message => _("%{value} is not a valid controller") }
|
||
default_scope lambda { order(:name) }
|
||
before_validation :set_default_user
|
||
|
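Review bot: `:message => _("%{value} is not a valid controller")` on the inclusion validation is evaluated once when the class loads, so the message is fixed in whichever locale is active at boot; the neighbouring `validates_format_of` uses `N_(...)` for exactly this reason and the inclusion message should match it. The allowed set `["dashboard"] + ActiveRecord::Base.connection.tables.map(&:to_s)` is likewise computed at load time, which makes requiring the model open a database connection, and it admits every table name rather than only names that have a route helper, so a bookmark can still be saved for a value whose `hash_for_#{bookmark.controller}_path` does not exist and raises NoMethodError in the views. `\Z` in `/\A(\S+)\Z/` permits a trailing newline; `\z` does not. Whether the inclusion validation is new in this commit is not recoverable from this rendering.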
app/views/bookmarks/_list.html.erb | ||
---|---|---|
<% if bookmarks.any? -%>
|
||
<ul class='dropdown-menu'>
|
||
<% bookmarks.each do |bookmark| -%>
|
||
<li><%= link_to_if_authorized bookmark.name, eval("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
|
||
<li><%= link_to_if_authorized bookmark.name, send("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
|
||
<% end -%>
|
||
</ul>
|
||
<% end -%>
|
app/views/common/_puppetclasses_or_envs_changed.html.erb | ||
---|---|---|
<% title _("Changed environments and puppet classes") -%>
|
||
<%= form_tag eval("obsolete_and_new_#{controller_name}_path") do -%>
|
||
<%= form_tag send("obsolete_and_new_#{controller_name}_path") do -%>
|
||
<fieldset>
|
||
<legend><%= _("Accept these environment changes found in puppet?") %> </legend>
|
||
<table class="table table-striped">
|
||
... | ... | |
</table>
|
||
</fieldset>
|
||
<div>
|
||
<%= link_to _("Cancel"), eval("#{controller_name}_path"), :class => "btn" %>
|
||
<%= link_to _("Cancel"), send("#{controller_name}_path"), :class => "btn" %>
|
||
<%= submit_tag _("Update"), :class => "btn btn-primary" %>
|
||
</div>
|
||
<% end -%>
|
app/views/common/_searchbar.erb | ||
---|---|---|
<%= form_tag eval("#{controller_name}_path"), :method => "get", :class=>"form-inline form-search row-fluid" do %>
|
||
<%= form_tag send("#{controller_name}_path"), :method => "get", :class=>"form-inline form-search row-fluid" do %>
|
||
<div class="btn-toolbar btn-toolbar-condensed">
|
||
<div class="btn-group span12">
|
||
<div class="span9">
|
||
... | ... | |
<ul class="dropdown-menu pull-right">
|
||
<% bookmarks = Bookmark.my_bookmarks.controller(controller_name) %>
|
||
<% bookmarks.each do |bookmark| -%>
|
||
<li><%= link_to_if_authorized bookmark.name, eval("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
|
||
<li><%= link_to_if_authorized bookmark.name, send("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
|
||
<% end -%>
|
||
<li class="divider"></li>
|
||
<li><%= link_to_function _('Bookmark this search'), "$('#bookmarks-modal').modal();",
|
lib/foreman/controller/host_details.rb | ||
---|---|---|
def assign_parameter name, root = ""
|
||
taxonomy_scope
|
||
Taxonomy.as_taxonomy @organization, @location do
|
||
if params["#{name}_id"].to_i > 0 and eval("@#{name} = #{name.classify}.find(params['#{name}_id'])")
|
||
item = eval("@#{controller_name.singularize} || #{controller_name.classify}.new(params[:#{controller_name.singularize}])")
|
||
if params["#{name}_id"].to_i > 0 and instance_variable_set("@#{name}",name.classify.constantize.find(params["#{name}_id"]))
|
||
item = instance_variable_get("@#{controller_name.singularize}") || controller_name.classify.constantize.new(params[controller_name.singularize])
|
||
render :partial => root + name, :locals => { :item => item }
|
||
else
|
||
head(:not_found)
|
||
... | ... | |
# @host = Host.new params[:host]
|
||
def item_object
|
||
name = item_name
|
||
eval("@#{name} = #{name.classify}.new params[:#{name}]")
|
||
instance_variable_set("@#{name}", name.classify.constantize.new(params[name.to_sym]))
|
||
end
|
||
|
||
def taxonomy_scope
|
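Review bot: In `assign_parameter`, `name.classify.constantize.find(params["#{name}_id"])` raises `ActiveRecord::RecordNotFound` for a positive id that does not exist, so the `else` branch answering `head(:not_found)` is reached only when the id is absent or non-positive; if a 404 is intended for both cases, `find_by_id` (returning nil and short-circuiting the `and`) or an explicit rescue is needed, unless the framework's default handling of that exception is being relied upon. `name.classify.constantize` here and in `item_object` resolves any constant reachable from the given name; `name` is an argument and `item_name` is outside the hunk, so whether it is bounded to known models cannot be confirmed — an allow-list or `safe_constantize` with an explicit not-found would make that bound local. `assign_parameter` continues past the hunk.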
test/unit/bookmark_test.rb | ||
---|---|---|
end
|
||
end
|
||
|
||
test "validation fails when invalid controller name stored" do
|
||
b = Bookmark.create :name => "controller_test", :controller => "hosts", :query => "foo=bar", :public => true
|
||
assert b.valid?
|
||
b.controller = "foo bar"
|
||
assert_not b.valid?
|
||
end
|
||
|
||
private
|
||
|
||
def enable_login &block
|
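Review bot: The new test only exercises the whitespace rule (`"foo bar"`), so a regression in the table-name inclusion check would not change its result; add a case for a well-formed but unknown name, `b.controller = "no_such_controller"` followed by `assert_not b.valid?`, and a positive case for `"dashboard"`, which is the one entry added to the list by hand. `enable_login` at the end of the hunk is cut off.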
fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)
(cherry picked from commit ef4b97d177c58c9532730d53dca0517bc869a0ce)
Conflicts:
app/views/common/_puppetclasses_or_envs_changed.html.erb