Avoid removing other proposals map locations #5109

Merged
merged 2 commits into from
Apr 28, 2023

@javierm javierm commented Apr 27, 2023

Background

It was possible to remove a map location from a different proposal (even one created by a different author) by modifying the hidden id parameter in the form.

Objectives

  • Make sure users can't remove the map location for other proposals when editing their own proposal

@javierm javierm added the Bug and security (Pull requests that address a security vulnerability) labels Apr 27, 2023
@javierm javierm self-assigned this Apr 27, 2023
@javierm javierm added this to Reviewing in Consul Democracy Apr 27, 2023
@taitus taitus self-assigned this Apr 28, 2023
@javierm javierm force-pushed the fix_removing_different_map_location branch 2 times, most recently from 17e1a43 to b2f69d8 Compare April 28, 2023 14:59
It was possible to remove a map location from a different proposal (even
one created by a different author) by modifying the hidden `id`
parameter in the form.

So we're making sure the map location we destroy is the one associated
to the proposal we're updating.

Since we're now using the `@proposal` instance variable in the
`destroy_map_location_association` method, we're calling that method
after loading the resource with cancancan.
@javierm javierm force-pushed the fix_removing_different_map_location branch from b2f69d8 to 65ed778 Compare April 28, 2023 15:12
When it was named `map_location`, I constantly thought it was an object
instead of a hash.
Consul Democracy automation moved this from Reviewing to Testing Apr 28, 2023
@javierm javierm merged commit 2f8717a into master Apr 28, 2023
Consul Democracy automation moved this from Testing to Release 2.0.0 Apr 28, 2023
@javierm javierm deleted the fix_removing_different_map_location branch April 28, 2023 15:43
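
The check described in the commit message above, as an added example that is not code from this pull request or from Consul Democracy: it contrasts a delete that trusts the submitted hidden `id` with one scoped to the proposal being updated. The `Store` class, the method names and the params shape are assumptions for illustration, using in-memory stand-ins rather than Rails models.

```ruby
# Added illustration: in-memory stand-ins, not Consul Democracy's models.
MapLocation = Struct.new(:id, :proposal_id)
Proposal    = Struct.new(:id, :author)

class Store
  attr_reader :map_locations

  def initialize(map_locations)
    @map_locations = map_locations.to_h { |ml| [ml.id, ml] }
  end

  def location_for(proposal)
    @map_locations.values.find { |ml| ml.proposal_id == proposal.id }
  end

  # Unscoped pattern: trusts the hidden `id` and looks it up globally.
  def destroy_by_submitted_id(params)
    !@map_locations.delete(params[:id].to_i).nil?
  end

  # Scoped pattern: only the location that belongs to the proposal being
  # updated may be destroyed; any other submitted id is ignored.
  def destroy_for_proposal(proposal, params)
    own = location_for(proposal)
    return false if own.nil? || own.id != params[:id].to_i

    !@map_locations.delete(own.id).nil?
  end
end

def build_store
  Store.new([MapLocation.new(10, 1), MapLocation.new(20, 2)])
end

def demo
  mine     = Proposal.new(1, "alice")
  tampered = { id: "20" } # constructed: id of another proposal's location

  unscoped = build_store
  unscoped.destroy_by_submitted_id(tampered)

  scoped   = build_store
  rejected = !scoped.destroy_for_proposal(mine, tampered)
  accepted = scoped.destroy_for_proposal(mine, { id: "10" })

  { unscoped_lost_other: !unscoped.map_locations.key?(20),
    scoped_kept_other: scoped.map_locations.key?(20),
    rejected: rejected, accepted: accepted }
end
```
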