The watch words controller creation function, create_or_update_word(), doesn’t validate the size of the replacement parameter, unlike the word parameter, when creating a replace watched word. So anyone with moderator privileges can create watched words with almost unlimited characters.
# frozen_string_literal: true
# A group of watched words that share a single moderation action.
#
# The group only owns the members and the shared `action`; it does not
# validate the individual words itself. Per-word rules (including any
# length limits on the word or its replacement) live in
# `WatchedWord.create_or_update_word`, and that record's errors are copied
# onto the group by `watched_words_validation`.
class WatchedWordGroup < ActiveRecord::Base
  validates :action, presence: true
  validate :watched_words_validation

  has_many :watched_words, dependent: :destroy

  # Custom validation: surface every member's errors on the group, then
  # reject a group with no members at all.
  #
  # Errors are merged member by member before the `:empty` check so that the
  # group's error list keeps the same ordering regardless of how many members
  # are present.
  def watched_words_validation
    watched_words.each { |member| errors.merge!(member.errors) }
    errors.add(:watched_words, :empty) if watched_words.empty?
  end

  # Sets the group's action from `params[:action_key]` and creates or updates
  # one WatchedWord per entry in `words`, all inside a single transaction.
  #
  # @param words  [Enumerable<String>] the words to attach to this group
  # @param params [Hash] attributes forwarded to `WatchedWord.create_or_update_word`
  #   for every word; `:action_key` is also read here to resolve the action id
  #   via `WatchedWord.actions`
  # @raise [NoMethodError] if `params[:action_key]` is nil (`nil.to_sym`)
  # @raise [ActiveRecord::RecordInvalid] from `save!` when the group or any
  #   member is invalid; the transaction is rolled back in that case
  def create_or_update_members(words, params)
    WatchedWordGroup.transaction do
      self.action = WatchedWord.actions[params[:action_key].to_sym]

      # Each member is created by the WatchedWord model so that its own
      # validations run; an invalid member still gets appended, and its errors
      # are reported through watched_words_validation on save!.
      words.each do |entry|
        member_attrs = params.merge(word: entry)
        watched_words << WatchedWord.create_or_update_word(member_attrs)
      end

      save!
    end
  end

  # Human-readable summary for the staff action log: the action name
  # (reverse lookup of the stored integer) followed by the member words.
  #
  # @return [String] e.g. "block → foo, bar" (constructed example)
  def action_log_details
    action_name = WatchedWord.actions.key(action)
    word_list = watched_words.pluck(:word).join(", ")
    "#{action_name} → #{word_list}"
  end
end
# == Schema Information
#
# Table name: watched_word_groups
#
#  id         :bigint           not null, primary key
#  action     :integer          not null
#  created_at :datetime         not null
#  updated_at :datetime         not null
#