diff --git a/Gemfile b/Gemfile
index 6a46010..c54b0dc 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,7 @@ source 'https://rubygems.org'
 #rails gem
 gem 'rails', '~> 4.1.0'
+gem 'sanitize'
 #assets and templates
 gem 'sass-rails', '~> 4.0.2'
diff --git a/app/controllers/admin/authorizations_controller.rb b/app/controllers/admin/authorizations_controller.rb
index e5736a0..8d1c82c 100644
--- a/app/controllers/admin/authorizations_controller.rb
+++ b/app/controllers/admin/authorizations_controller.rb
@@ -10,7 +10,7 @@ class Admin::AuthorizationsController < OrbitAdminController
 @objects = @module_app.categories rescue nil
 end
 elsif @module_apps && @module_app.key == "authorization"
- redirect_to "/admin/authorizations/#{@module_apps.first.key}"
+ redirect_to admin_authorizations_path(@module_apps.first.key)
 else
 redirect_to :root
 end
diff --git a/app/controllers/admin/members_controller.rb b/app/controllers/admin/members_controller.rb
index 48f8293..2a7fde6 100644
--- a/app/controllers/admin/members_controller.rb
+++ b/app/controllers/admin/members_controller.rb
@@ -30,13 +30,13 @@ class Admin::MembersController < OrbitMemberController
 render case params[:at]
 when 'summary'
- @members=MemberProfile.all.page(page_num).per(12).desc("_id")
+ @members = MemberProfile.all.page(page_num).per(12).desc("_id")
 "index_summary"
 when 'thumbnail'
- @members=MemberProfile.all.page(page_num).per(36).desc("_id")
+ @members = MemberProfile.all.page(page_num).per(36).desc("_id")
 "index_thumbnail"
 else
- @members=MemberProfile.all.page(page_num).per(10).desc("_id")
+ @members = MemberProfile.all.page(page_num).per(10).desc("_id")
 "index"
 end
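Review bot: `gem 'sanitize'` is added without a version constraint, while the neighbouring gems (`rails`, `sass-rails`) are pinned with `~>`; an unpinned gem lets a future major release change `Sanitize.clean`'s defaults or signature underneath the controllers and views that now call it. Pin it the same way, `gem 'sanitize', '~> X.Y'` with `X.Y` taken from the version Gemfile.lock resolves (placeholder here), and commit the lockfile change alongside so every deployment resolves the same sanitizer.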
@@ -204,7 +204,7 @@ class Admin::MembersController < OrbitMemberController
 end
 def unapproved_members
- @member_query = params[:member_query]
+ @member_query = Sanitize.clean(params[:member_query])
 page_num = params[:page] || 1
 if !@member_query.blank?
 members = MemberProfile.all.any_of({:user_id => /#{@member_query}/i}, {:first_name => /#{@member_query}/i}, {:last_name => /#{@member_query}/i}, {:email => /#{@member_query}/i})
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1cc8639..cd5d683 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
 # Prevent CSRF attacks by raising an exception.
+ protect_from_forgery
 # For APIs, you may want to use :null_session instead.
 # protect_from_forgery with: :null_session
 before_action :set_locale, :set_mobile_web
diff --git a/app/controllers/orbit_admin_controller.rb b/app/controllers/orbit_admin_controller.rb
index a7b486b..3e2ae71 100644
--- a/app/controllers/orbit_admin_controller.rb
+++ b/app/controllers/orbit_admin_controller.rb
@@ -36,7 +36,8 @@ class OrbitAdminController < ApplicationController
 when "link"
 @sort = {:out_link=>params[:order]}
 else
- @sort = {params[:sort].to_sym=>params[:order]}
+ s = Sanitize.clean(params[:sort]).to_sym
+ @sort = {s=>params[:order]}
 end
 else
 @sort = {:created_at=>'desc'}
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index cf2e9bd..9c4071c 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -14,7 +14,7 @@ class SessionsController < ApplicationController
 session[:user_id] = user.id
 session[:login_referer] = nil
 if params[:referer_url]
- redirect_to params[:referer_url]
+ redirect_to URI.parse(params[:referer_url]).path
 else
 redirect_to admin_dashboards_path
 end
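Review bot: `Sanitize.clean` strips HTML from `params[:member_query]`, but the value is then interpolated unescaped into `/#{@member_query}/i` on the last line of the hunk, so regex metacharacters in the query still reach the database regex match — a malformed pattern raises on the request, and a pathological one is a ReDoS risk; HTML sanitizing is the wrong tool for this sink. Escape at the point the regex is built, `q = Regexp.escape(@member_query)` and `/#{q}/i` for all four fields. Whether `Sanitize.clean` accepts `nil` when the parameter is absent is not visible here; if it returns `nil` the `blank?` check still copes, otherwise pass `params[:member_query].to_s`. `unapproved_members` continues past the hunk.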
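Review bot: The added `protect_from_forgery` has no `with:` option, so it uses the framework's default strategy, which contradicts the comment directly above it ("by raising an exception"); as far as I recall the default in Rails 4.1 is `:null_session`, the very strategy the next comment presents as the API alternative. If the intent is to reject forged admin requests outright, write `protect_from_forgery with: :exception`; if a null session is intended, change the comment so the two agree. Either way, any endpoint that legitimately posts without a token (API or login callbacks, if present) should skip the filter explicitly rather than rely on the default being lenient.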
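Review bot: `Sanitize.clean(params[:sort]).to_sym` still turns an arbitrary request parameter into a sort key: stripping HTML does not restrict which field a caller may sort on, and unbounded `to_sym` on request input is a memory-growth concern on Ruby versions without symbol GC (contemporary with Rails 4.1); it also raises `NoMethodError` if the parameter is absent and `Sanitize.clean` returns `nil`. Prefer an allowlist checked before the conversion, e.g. `s = params[:sort].to_s` followed by `@sort = SORTABLE.include?(s) ? {s.to_sym=>params[:order]} : {:created_at=>'desc'}`, with `SORTABLE` a frozen array of the known column names (placeholder — fill it from the `when` branches above the hunk). `params[:order]` passes through unchecked on the same lines; the same allowlist idea (`asc`/`desc`) applies to it.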
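Review bot: `URI.parse(params[:referer_url]).path` narrows the redirect target but does not make it safe: `URI.parse` raises `URI::InvalidURIError` on malformed input (a 500 at login), `.path` is empty when the parameter is a bare host, and a path beginning with `//` is still protocol-relative and leaves the site. Validate rather than strip — rescue the parse error explicitly (not with the `rescue nil` modifier), require a path that starts with a single `/`, and fall back to `admin_dashboards_path` otherwise; the rewrite below does that. A server-side alternative is to store the intended destination in `session[:login_referer]`, which the line above this one already clears, so no request parameter is trusted at all.
```ruby
if params[:referer_url]
  target = begin
    URI.parse(params[:referer_url]).path
  rescue URI::InvalidURIError
    nil
  end
  # Accept only a same-site absolute path; "//host" is protocol-relative and would leave the site.
  local = target.present? && target.start_with?('/') && !target.start_with?('//')
  redirect_to(local ? target : admin_dashboards_path)
else
  redirect_to admin_dashboards_path
end
```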
diff --git a/app/models/member_profile.rb b/app/models/member_profile.rb
index bb65998..1e3680b 100644
--- a/app/models/member_profile.rb
+++ b/app/models/member_profile.rb
@@ -45,6 +45,7 @@ class MemberProfile
 mount_uploader :avatar, AvatarUploader
 paginates_per 10
+
 def name
 if self.first_name || self.last_name
 I18n.locale.eql?(:zh_tw) ? "#{self.last_name} #{self.first_name}" : "#{self.first_name} #{self.last_name}"
diff --git a/app/views/admin/members/_member_for_listing.html.erb b/app/views/admin/members/_member_for_listing.html.erb
index cc5bf64..a492a46 100644
--- a/app/views/admin/members/_member_for_listing.html.erb
+++ b/app/views/admin/members/_member_for_listing.html.erb
@@ -1,4 +1,4 @@
- <% if member_for_listing.present?%>
+ <% if member_for_listing.present? && member_for_listing.user.approved %>
 <%
 if member_for_listing.sex == 'male'
 @member_gender = 'gender-man'
diff --git a/app/views/admin/members/_member_for_summary.html.erb b/app/views/admin/members/_member_for_summary.html.erb
index 54c3b3f..fa1535e 100644
--- a/app/views/admin/members/_member_for_summary.html.erb
+++ b/app/views/admin/members/_member_for_summary.html.erb
@@ -1,3 +1,4 @@
+<% if member_for_summary.present? && member_for_summary.user.approved %>
 <li id="<%= dom_id member_for_summary %>">
 <div class="member-avatar">
 <%
@@ -34,5 +35,6 @@
 </ul>
 </div>
 </li>
+ <% end %>
diff --git a/app/views/admin/members/_member_for_thumbnail.html.erb b/app/views/admin/members/_member_for_thumbnail.html.erb
index 08b20bf..89cc3b0 100644
--- a/app/views/admin/members/_member_for_thumbnail.html.erb
+++ b/app/views/admin/members/_member_for_thumbnail.html.erb
@@ -1,3 +1,4 @@
+<% if member_for_thumbnail.present? && member_for_thumbnail.user.approved %>
 <%
 if member_for_thumbnail.sex == 'male'
 @user_sex = 'gender-man'
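Review bot: `member_for_listing.user.approved` raises `NoMethodError` for a profile with no user record, because only `member_for_listing.present?` is checked before `.user` is dereferenced; the same guard is added in `_member_for_summary.html.erb` and `_member_for_thumbnail.html.erb` in this commit. The `_unapproved_members_list` partial in the same commit wraps a comparable lookup in `rescue false`, which suggests orphaned profiles do occur in this data. Use `member_for_listing.user.try(:approved)` (ActiveSupport `try`) in the three partials, or better, filter the members on an approved user in the controller so the rule lives in one place. As written the summary and thumbnail partials now render nothing for an unapproved member while the page was sized for them (`per(12)`/`per(36)` in the controller), which appears to leave short pages; a controller-side filter avoids that as well.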
@@ -18,4 +19,5 @@
 <%= image_tag(member_for_thumbnail.avatar) %>
 </div>
 <h4 class="member-name text-center"><%= link_to (member_for_thumbnail.name != (member_for_thumbnail.email) ? member_for_thumbnail.name : member_for_thumbnail.id),admin_member_path(member_for_thumbnail) %></h4>
- </li>
\ No newline at end of file
+ </li>
+<% end %>
\ No newline at end of file
diff --git a/app/views/admin/members/_unapproved_members_list.html.erb b/app/views/admin/members/_unapproved_members_list.html.erb
index 04fc077..90345aa 100644
--- a/app/views/admin/members/_unapproved_members_list.html.erb
+++ b/app/views/admin/members/_unapproved_members_list.html.erb
@@ -1,4 +1,4 @@
- <% if unapproved_members_list.member_profile.present?%>
+ <% if (unapproved_members_list.member_profile rescue false) && unapproved_members_list.member_profile.present?%>
 <%
 if unapproved_members_list.member_profile.sex == 'male'
 @member_gender = 'gender-man'
@@ -23,7 +23,7 @@
 <ul class="nav nav-pills">
 <%= content_tag(:li, link_to(t(:edit),edit_admin_member_path(unapproved_members_list.member_profile))) if current_user.is_admin? %>
 <%= content_tag(:li, link_to(t("users.accept_member"),admin_member_accept_member_path(unapproved_members_list))) %>
- <%= content_tag(:li, link_to(t(:delete_),admin_member_path(unapproved_members_list.member_profile, :at=>params[:at]), :confirm => t(:sure?), :method => :delete, :class=>"text-error", :remote => true)) if current_user.is_admin? %>
+ <%= content_tag(:li, link_to(t(:delete_),admin_member_path(unapproved_members_list.member_profile.id, :at=>params[:at]), :confirm => t(:sure?), :method => :delete, :class=>"text-error", :remote => true)) if current_user.is_admin? %>
 </ul>
 </div>
 </td>
diff --git a/app/views/admin/members/unapproved_members.html.erb b/app/views/admin/members/unapproved_members.html.erb
index 9d47b24..3c39f14 100644
--- a/app/views/admin/members/unapproved_members.html.erb
+++ b/app/views/admin/members/unapproved_members.html.erb
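Review bot: `(unapproved_members_list.member_profile rescue false)` is the inline `rescue` modifier, which swallows every `StandardError` the association lookup can raise — not only the missing-document case it appears to target — and then evaluates `member_profile` a second time on the same line. If the lookup raises a specific not-found error for a user whose profile was deleted (likely the ODM's not-found error here; worth confirming against such a record), rescue that class in a small helper and reuse its result; if it simply returns `nil`, drop the guard, since `.present?` already covers `nil`. The partial's template continues past the hunk, so the same `member_profile` call sites further down would benefit from the helper too.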
@@ -2,7 +2,8 @@
 <div class="searchClear pull-left" style="clear: left;">
 <form action="" method="get">
- <%= text_field_tag 'member_query',( params[:member_query] ? params[:member_query] : '' ), {:id=>'filter-input', :class => "search-query input-medium", :placeholder => 'Search'} %>
+ <% mq = Sanitize.clean(params[:member_query]) %>
+ <%= text_field_tag 'member_query',( mq ? mq : '' ), {:id=>'filter-input', :class => "search-query input-medium", :placeholder => 'Search'} %>
 </form>
 </div>
 <% end %>
diff --git a/config/environment.rb b/config/environment.rb
index 0f4624c..bdb525d 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -3,6 +3,8 @@ require File.expand_path('../application', __FILE__)
 # Initialize the Rails application.
 Orbit::Application.initialize!
+Orbit::Application.config.secret_key_base = 'acc6ffc5a7d360c9cf2a7bdb4ddf9a897942ec6767413a5c0324a0fa8b86197a96298288a66bd46d8770d8b6edf509aad65716961c2c364ce006b475e6cfd418'
+
 if Site.count == 0
 site = Site.new
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 17572ab..f8da8bc 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -9,4 +9,3 @@
 # Make sure your secret_key_base is kept private
 # if you're sharing your code publicly.
-Orbit::Application.config.secret_key_base = 'acc6ffc5a7d360c9cf2a7bdb4ddf9a897942ec6767413a5c0324a0fa8b86197a96298288a66bd46d8770d8b6edf509aad65716961c2c364ce006b475e6cfd418'
diff --git a/lib/orbit_core_lib.rb b/lib/orbit_core_lib.rb
index 28c05d6..cc53914 100644
--- a/lib/orbit_core_lib.rb
+++ b/lib/orbit_core_lib.rb
@@ -56,7 +56,12 @@ module OrbitCoreLib
 @module_app ||= ModuleApp.find_by(key: @app_title) rescue nil
 end
 @module_authorized_users ||= Authorization.module_authorized_users(@module_app.id).pluck(:user_id) rescue nil
-authenticate_user
+ if current_user.nil? redirect_to new_session_path return end
+
 if !@module_app.nil?
 check_user_can_use
 else
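Review bot: `Sanitize.clean(params[:member_query])` in the view duplicates the cleaning the controller's `unapproved_members` action now performs, and is redundant for this output anyway, because `text_field_tag` HTML-escapes the value attribute it emits. Reuse the controller's value and let `to_s` absorb the missing case, `<%= text_field_tag 'member_query', @member_query.to_s, {:id=>'filter-input', :class => "search-query input-medium", :placeholder => 'Search'} %>`, which also removes the `( mq ? mq : '' )` ternary. If this template is ever rendered by an action that does not set `@member_query`, `nil.to_s` still yields the empty string the original produced.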
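Review bot: The `secret_key_base` is still a literal in a tracked file — the commit moves it from `config/initializers/secret_token.rb` into `config/environment.rb`, so the comment it leaves behind in the initializer ("kept private if you're sharing your code publicly") is not satisfied, and the value stays in the repository history regardless of which file holds it. Read it from the environment instead, `Orbit::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')`, or use `config/secrets.yml`, which Rails 4.1 introduced for exactly this, and rotate the key, since the committed value has to be treated as disclosed. The assignment now also runs after `Orbit::Application.initialize!`; I am not certain the session cookie store picks up a key set after initialization in 4.1, and setting it before `initialize!` (or via secrets.yml) avoids the question.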
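Review bot: The inline `current_user.nil?` guard that replaces `authenticate_user` sits after the `ModuleApp.find_by` and `Authorization.module_authorized_users(...).pluck(:user_id)` lookups in the context lines above it, so an unauthenticated request still runs those queries (with `rescue nil` hiding any failure) before being redirected; the method's head is outside the hunk, so the guard belongs at its first statement unless something earlier genuinely serves anonymous users. Whether `authenticate_user` did more than this redirect — for instance remembering the requested URL for after login, which `session[:login_referer]` in sessions_controller hints exists — is not visible here, so confirm nothing was dropped. Stylistically, `return redirect_to(new_session_path) if current_user.nil?` is the one-line Ruby form of the four added lines.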