| -rw-r--r-- | Gemfile | 3 | ||||
| -rw-r--r-- | Gemfile.lock | 1 | ||||
| -rw-r--r-- | app/controllers/profiles_controller.rb | 15 | ||||
| -rw-r--r-- | app/models/user.rb | 10 | ||||
| -rw-r--r-- | app/views/admin/teams/projects/new.html.haml | 2 | ||||
| -rw-r--r-- | app/views/projects/teams/available.html.haml | 2 | ||||
| -rw-r--r-- | doc/install/installation.md | 18 |
7 files changed, 27 insertions, 24 deletions
@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4" # underscore-rails gem "underscore-rails", "~> 1.4.4" +# Sanitize user input +gem "sanitize" + group :assets do gem "sass-rails" gem "coffee-rails" diff --git a/Gemfile.lock b/Gemfile.lock index d26f4d8a28f..c26eeede69f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -608,6 +608,7 @@ DEPENDENCIES redcarpet (~> 2.2.2) redis-rails rspec-rails + sanitize sass-rails sdoc seed-fu diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb index 686edd8af80..6fa635d0e36 100644 --- a/app/controllers/profiles_controller.rb +++ b/app/controllers/profiles_controller.rb @@ -17,7 +17,7 @@ class ProfilesController < ApplicationController end def update - if @user.update_attributes(user_attributes) + if @user.update_attributes(params[:user]) flash[:notice] = "Profile was successfully updated" else flash[:alert] = "Failed to update profile" @@ -69,19 +69,6 @@ class ProfilesController < ApplicationController @user = current_user end - def user_attributes - user_attributes = params[:user] - - # Sanitize user input because we dont have strict - # validation for this fields - %w(name skype linkedin twitter bio).each do |attr| - value = user_attributes[attr] - user_attributes[attr] = sanitize(strip_tags(value)) if value.present? - end - - user_attributes - end - def authorize_change_password! return render_404 if @user.ldap_user? end diff --git a/app/models/user.rb b/app/models/user.rb index 6de8d2d4c39..ddbdec8acfc 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -116,7 +116,10 @@ class User < ActiveRecord::Base validate :namespace_uniq, if: ->(user) { user.username_changed? } before_validation :generate_password, on: :create + before_validation :sanitize_attrs + before_save :ensure_authentication_token + alias_attribute :private_token, :authentication_token delegate :path, to: :namespace, allow_nil: true, prefix: true 
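Review bot: `gem "sanitize"` is added with no version constraint, while the neighbouring entries in this hunk are pinned with `~>` (`"~> 3.1.4"`, `"~> 1.4.4"`). Left unpinned, a routine `bundle update` can move the application onto a later major release of the gem, and because the model callback introduced in this commit calls `Sanitize.clean` with the library's default configuration, any change in that default behaviour silently changes what gets stored for every user. Pin to the major that Gemfile.lock resolved, e.g. `gem "sanitize", "~> 2.0"`, adjusting the number to the resolved version (the GEMS block of the lockfile is not part of this diff).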
@@ -371,4 +374,11 @@ class User < ActiveRecord::Base def created_by User.find_by_id(created_by_id) if created_by_id end + + def sanitize_attrs + %w(name username skype linkedin twitter bio).each do |attr| + value = self.send(attr) + self.send("#{attr}=", Sanitize.clean(value)) if value.present? + end + end end diff --git a/app/views/admin/teams/projects/new.html.haml b/app/views/admin/teams/projects/new.html.haml index dcb3dbbc433..21bf65f9c3d 100644 --- a/app/views/admin/teams/projects/new.html.haml +++ b/app/views/admin/teams/projects/new.html.haml @@ -8,7 +8,7 @@ .input = select_tag :project_ids, options_from_collection_for_select(@projects , :id, :name_with_namespace), multiple: true, data: {placeholder: 'Select projects'}, class: 'chosen span5' - %h6 Choose greatest user acces for your team in this projects: + %h6 Choose greatest user access for your team in these projects: .clearfix = label_tag :greatest_project_access, "Greatest Access" .input diff --git a/app/views/projects/teams/available.html.haml b/app/views/projects/teams/available.html.haml index 29fe8ed25cd..880a02aeaf5 100644 --- a/app/views/projects/teams/available.html.haml +++ b/app/views/projects/teams/available.html.haml @@ -10,7 +10,7 @@ .padded = label_tag :team_id, "Team" .input= select_tag(:team_id, options_from_collection_for_select(@teams, :id, :name), prompt: "Select team", class: "chosen xxlarge", required: true) - %p.slead Choose greatest user acces in team you want to assign: + %p.slead Choose greatest user access for your team in this project: .padded = label_tag :team_ids, "Permission" .input= select_tag :greatest_project_access, options_for_select(UserTeam.access_roles), {class: "project-access-select chosen span3" } diff --git a/doc/install/installation.md b/doc/install/installation.md index 800e06fdfdf..6cad280acaf 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md 
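Review bot: `sanitize_attrs` stores the output of `Sanitize.clean`, which is an HTML-serialised string, so plain text containing `&`, `<` or `>` is written back entity-encoded (a name such as `Smith & Wesson` is saved as `Smith &amp; Wesson`), and any view that escapes on output, as Rails does by default, then renders it double-encoded as `&amp;amp;`. If the intent is only to strip markup from these free-text fields before they are output-escaped in views, decode the entities after cleaning, `self.send("#{attr}=", CGI.unescapeHTML(Sanitize.clean(value))) if value.present?`, with the explicit trade-off that the stored values are then plain text and every view must keep escaping them on output. The reason for the callback lived in the controller helper this commit deletes and is now nowhere in the code; add it above the method, e.g. `# Strip HTML from profile fields that have no strict format validation; views must still escape on output.`. The enclosing `class User` starts outside this hunk.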
@@ -42,11 +42,13 @@ up-to-date and install it. apt-get install sudo -y **Note:** -Vim is an editor that is used here whenever there are files that need to be -edited by hand. But, you can use any editor you like instead. +During this installation some files will need to be edited manually. +If you are familiar with vim set it as default editor with the commands below. +If you are not familiar with vim please skip this and keep using the default editor. - # Install vim + # Install vim and set as default editor sudo apt-get install -y vim + sudo update-alternatives --set editor /usr/bin/vim.basic Install the required packages: @@ -123,7 +125,7 @@ GitLab Shell is a ssh access and repository management software developed specia # Edit config and replace gitlab_url # with something like 'http://domain.com/' - sudo -u git -H vim config.yml + sudo -u git -H editor config.yml # Do setup sudo -u git -H ./bin/install @@ -162,7 +164,7 @@ You can change `5-3-stable` to `master` if you want the *bleeding edge* version, # Make sure to change "localhost" to the fully-qualified domain name of your # host serving GitLab where necessary - sudo -u git -H vim config/gitlab.yml + sudo -u git -H editor config/gitlab.yml # Make sure GitLab can write to the log/ and tmp/ directories sudo chown -R git log/ @@ -188,7 +190,7 @@ You can change `5-3-stable` to `master` if you want the *bleeding edge* version, # Enable cluster mode if you expect to have a high load instance # Ex. change amount of workers to 3 for 2GB RAM server - sudo -u git -H vim config/puma.rb + sudo -u git -H editor config/puma.rb # Configure Git global settings for git user, useful when editing via web # Edit user.email according to what is set in gitlab.yml 
@@ -214,7 +216,7 @@ Make sure to edit both `gitlab.yml` and `puma.rb` to match your setup. # Change 'root' to 'gitlab' # Change 'secure password' with the value you have given to $password # You can keep the double quotes around the password - sudo -u git -H vim config/database.yml + sudo -u git -H editor config/database.yml # Make config/database.yml readable to git only sudo -u git -H chmod o-rwx config/database.yml @@ -295,7 +297,7 @@ Make sure to edit the config file to match your setup: # Change YOUR_SERVER_FQDN to the fully-qualified # domain name of your host serving GitLab. - sudo vim /etc/nginx/sites-available/gitlab + sudo editor /etc/nginx/sites-available/gitlab ## Restart |
