discourse/app/controllers/user_actions_controller.rb
Loïc Guitaut e871865a61 FIX: Sanitize parameters provided to user actions
Currently, providing something like `filter[%24acunetix]=1` to
`UserActionsController#index` throws an exception, because we receive a
hash instead of the string we expect.

This patch simply uses `#permit` from strong parameters properly: we first
apply it to the whole parameter set, so that it keeps only the keys we’re
interested in. As a result, if a value is a hash for example, the whole
key/value pair is ignored completely.
2022-02-23 15:46:40 +01:00


# frozen_string_literal: true
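class UserActionsController < ApplicationController
  # GET /user_actions
  #
  # Streams a user's actions as serialized UserAction records.
  #
  # All query parameters are read through `user_actions_params`, which only
  # permits scalar values: a parameter sent as a nested hash (e.g.
  # `filter[foo]=1`) is dropped by `permit` and reads as `nil` instead of
  # raising when a String is expected.
  #
  # @raise [ActionController::ParameterMissing] when `username` is absent
  # @raise [Discourse::NotFound] when the current user may not see the
  #   profile or the requested action types
  def index
    user_actions_params.require(:username)

    # Staff may look up inactive accounts; others only if the site allows it.
    include_inactive =
      current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts)
    user = fetch_user_from_params(include_inactive: include_inactive)

    # `to_i` maps garbage to 0; negative offsets are clamped to 0.
    offset = [0, user_actions_params[:offset].to_i].max
    # `filter` is a comma-separated list of UserAction type ids.
    action_types = (user_actions_params[:filter] || "").split(",").map(&:to_i)
    # NOTE(review): no upper bound is applied to `limit` here — confirm
    # UserAction.stream clamps it.
    limit = user_actions_params.fetch(:limit, 30).to_i

    raise Discourse::NotFound unless guardian.can_see_profile?(user)
    raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)

    opts = {
      user_id: user.id,
      user: user,
      offset: offset,
      limit: limit,
      action_types: action_types,
      guardian: guardian,
      # Read from the permitted hash rather than raw `params`: a non-scalar
      # `filter` is ignored for `action_types` above, so it must not count as
      # "present" here either, and `acting_username` must stay a String.
      ignore_private_messages: user_actions_params[:filter].blank?,
      acting_username: user_actions_params[:acting_username]
    }

    stream = UserAction.stream(opts).to_a
    render_serialized(stream, UserActionSerializer, root: 'user_actions')
  end

  # GET /user_actions/:id
  #
  # Renders a single action. `id` is permitted before being required, so a
  # nested value is dropped and reported as a missing parameter rather than
  # being passed through to `UserAction.stream_item`.
  #
  # @raise [ActionController::ParameterMissing] when `id` is absent or not a
  #   scalar
  def show
    id = params.permit(:id).require(:id)
    render_serialized(UserAction.stream_item(id, guardian), UserActionSerializer)
  end

  def private_messages
    # DO NOT REMOVE
    # TODO should preload messages to avoid extra http req
  end

  private

  # Permitted, scalar-only query parameters for this controller.
  #
  # `permit` discards keys whose value is not a permitted scalar (e.g. a
  # nested hash), so callers get `nil` for those keys instead of a Hash.
  # Memoized per request.
  #
  # @return [ActionController::Parameters]
  def user_actions_params
    @user_actions_params ||= params.permit(:username, :filter, :offset, :acting_username, :limit)
  end
end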