fix for high security bugs in report and plus some other member area fixes

Gemfile

@@ -2,6 +2,7 @@ source 'https://rubygems.org'
 
 #rails gem
 gem 'rails', '~> 4.1.0'
+gem 'sanitize'
 
 #assets and templates
 gem 'sass-rails', '~> 4.0.2'

app/controllers/admin/authorizations_controller.rb

@@ -10,7 +10,7 @@ class Admin::AuthorizationsController < OrbitAdminController
         @objects = @module_app.categories rescue nil
       end
     elsif @module_apps && @module_app.key == "authorization"
-        redirect_to "/admin/authorizations/#{@module_apps.first.key}"
+        redirect_to admin_authorizations_path(@module_apps.first.key)
     else
         redirect_to  :root
     end

app/controllers/admin/members_controller.rb

@@ -30,13 +30,13 @@ class Admin::MembersController < OrbitMemberController
 
       render case params[:at]
         when 'summary'
-          @members=MemberProfile.all.page(page_num).per(12).desc("_id")
+          @members = MemberProfile.all.page(page_num).per(12).desc("_id")
           "index_summary"
         when 'thumbnail'
-          @members=MemberProfile.all.page(page_num).per(36).desc("_id")
+          @members = MemberProfile.all.page(page_num).per(36).desc("_id")
           "index_thumbnail"
         else
-          @members=MemberProfile.all.page(page_num).per(10).desc("_id")
+          @members = MemberProfile.all.page(page_num).per(10).desc("_id")
           "index"
       end
 
@@ -204,7 +204,7 @@ class Admin::MembersController < OrbitMemberController
   end
 
   def unapproved_members
-    @member_query = params[:member_query]
+    @member_query = Sanitize.clean(params[:member_query])
     page_num = params[:page] || 1
     if !@member_query.blank?
       members = MemberProfile.all.any_of({:user_id => /#{@member_query}/i}, {:first_name => /#{@member_query}/i}, {:last_name => /#{@member_query}/i}, {:email => /#{@member_query}/i})

app/controllers/application_controller.rb

@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
+  protect_from_forgery
   # For APIs, you may want to use :null_session instead.
   # protect_from_forgery with: :null_session
   before_action :set_locale, :set_mobile_web

app/controllers/orbit_admin_controller.rb

@@ -36,7 +36,8 @@ class OrbitAdminController < ApplicationController
         when "link"
           @sort = {:out_link=>params[:order]}
         else
-          @sort = {params[:sort].to_sym=>params[:order]}
+          s = Sanitize.clean(params[:sort]).to_sym
+          @sort = {s=>params[:order]}
       end
     else
       @sort = {:created_at=>'desc'}

app/controllers/sessions_controller.rb

@@ -14,7 +14,7 @@ class SessionsController < ApplicationController
         session[:user_id] = user.id
         session[:login_referer] = nil
         if params[:referer_url]
-          redirect_to params[:referer_url]
+          redirect_to URI.parse(params[:referer_url]).path
         else
           redirect_to admin_dashboards_path
         end

app/models/member_profile.rb

@@ -45,6 +45,7 @@ class MemberProfile
   mount_uploader :avatar, AvatarUploader
   paginates_per 10
 
+
   def name
     if self.first_name || self.last_name
       I18n.locale.eql?(:zh_tw) ? "#{self.last_name} #{self.first_name}" : "#{self.first_name} #{self.last_name}"

app/views/admin/members/_member_for_listing.html.erb

@@ -1,4 +1,4 @@
-  <% if member_for_listing.present?%>
+  <% if member_for_listing.present? && member_for_listing.user.approved %>
     <% 
       if member_for_listing.sex == 'male'
         @member_gender = 'gender-man'

app/views/admin/members/_member_for_summary.html.erb

@@ -1,3 +1,4 @@
+<% if member_for_summary.present? && member_for_summary.user.approved %>
   <li id="<%= dom_id member_for_summary %>">
     <div class="member-avatar">
       <% 
@@ -34,5 +35,6 @@
       </ul>
     </div>
   </li>
+  <% end %>
 
 

app/views/admin/members/_member_for_thumbnail.html.erb

@@ -1,3 +1,4 @@
+<% if member_for_thumbnail.present? && member_for_thumbnail.user.approved %>
   <% 
   if member_for_thumbnail.sex == 'male'
     @user_sex = 'gender-man'
@@ -18,4 +19,5 @@
       <%= image_tag(member_for_thumbnail.avatar) %>
     </div>
     <h4 class="member-name text-center"><%= link_to (member_for_thumbnail.name != (member_for_thumbnail.email) ? member_for_thumbnail.name : member_for_thumbnail.id),admin_member_path(member_for_thumbnail) %></h4>
-  </li>
+  </li>
+<% end %>

app/views/admin/members/_unapproved_members_list.html.erb

@@ -1,4 +1,4 @@
-  <% if unapproved_members_list.member_profile.present?%>
+  <% if  (unapproved_members_list.member_profile rescue false) && unapproved_members_list.member_profile.present?%>
     <% 
       if unapproved_members_list.member_profile.sex == 'male'
         @member_gender = 'gender-man'
@@ -23,7 +23,7 @@
           <ul class="nav nav-pills">
             <%= content_tag(:li, link_to(t(:edit),edit_admin_member_path(unapproved_members_list.member_profile))) if current_user.is_admin? %>
             <%= content_tag(:li, link_to(t("users.accept_member"),admin_member_accept_member_path(unapproved_members_list))) %>
-            <%= content_tag(:li, link_to(t(:delete_),admin_member_path(unapproved_members_list.member_profile, :at=>params[:at]), :confirm => t(:sure?), :method => :delete, :class=>"text-error", :remote => true)) if current_user.is_admin? %>
+            <%= content_tag(:li, link_to(t(:delete_),admin_member_path(unapproved_members_list.member_profile.id, :at=>params[:at]), :confirm => t(:sure?), :method => :delete, :class=>"text-error", :remote => true)) if current_user.is_admin? %>
           </ul>
         </div>
       </td>

app/views/admin/members/unapproved_members.html.erb

@@ -2,7 +2,8 @@
 
   <div class="searchClear pull-left" style="clear: left;">
     <form action="" method="get">
-      <%= text_field_tag 'member_query',( params[:member_query] ? params[:member_query] : '' ), {:id=>'filter-input', :class => "search-query input-medium", :placeholder => 'Search'} %>
+    <% mq = Sanitize.clean(params[:member_query]) %>
+      <%= text_field_tag 'member_query',( mq ? mq : '' ), {:id=>'filter-input', :class => "search-query input-medium", :placeholder => 'Search'} %>
     </form>
   </div>  
 <% end %>

config/environment.rb

@@ -3,6 +3,8 @@ require File.expand_path('../application', __FILE__)
 
 # Initialize the Rails application.
 Orbit::Application.initialize!
+Orbit::Application.config.secret_key_base = 'acc6ffc5a7d360c9cf2a7bdb4ddf9a897942ec6767413a5c0324a0fa8b86197a96298288a66bd46d8770d8b6edf509aad65716961c2c364ce006b475e6cfd418'
+
 
 if Site.count == 0
   site = Site.new

config/initializers/secret_token.rb

@@ -9,4 +9,3 @@
 
 # Make sure your secret_key_base is kept private
 # if you're sharing your code publicly.
-Orbit::Application.config.secret_key_base = 'acc6ffc5a7d360c9cf2a7bdb4ddf9a897942ec6767413a5c0324a0fa8b86197a96298288a66bd46d8770d8b6edf509aad65716961c2c364ce006b475e6cfd418'

lib/orbit_core_lib.rb

@@ -56,7 +56,12 @@ module  OrbitCoreLib
           @module_app ||= ModuleApp.find_by(key: @app_title) rescue nil
         end
         @module_authorized_users ||= Authorization.module_authorized_users(@module_app.id).pluck(:user_id) rescue nil
-        authenticate_user
+        
+        if current_user.nil?
+          redirect_to new_session_path 
+          return
+        end
+        
         if !@module_app.nil?
           check_user_can_use
         else