Added new vulnerabilites, removed old comments.

2018-08-22 16:26:24 +01:00 · 2018-08-22 16:26:24 +01:00 · 0c3307d3ad
parent e586386904
commit 0c3307d3ad
8 changed files with 15 additions and 9 deletions
--- a/app/assets/javascripts/grades.coffee
+++ b/app/assets/javascripts/grades.coffee
@ -1,3 +1,14 @@
 # Place all the behaviors and hooks related to the matching controller here.
 # All this logic will automatically be available in application.js.
 # You can use CoffeeScript in this file: http://coffeescript.org/
+
+match = undefined
+pl     = /\+/g  # Regex for replacing addition symbol with a space
+search = /([^&=]+)=?([^&]*)/g
+decode = (s) -> decodeURIComponent(s.replace(pl, " "))
+query  = window.location.search.substring(1)
+
+window.urlParams = {}
+while (match = search.exec(query))
+   urlParams[decode(match[1])] = decode(match[2])
+$ -> $("p[data-search-info]").html("You searched for lecturer: " + window.urlParams["lecturer"])
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -4,8 +4,7 @@ class ApplicationController < ActionController::Base

 private
  def kick_out
-    flash[:error] = "You do not have access to this site."
-    redirect_to root_url
+    raise ActionController::RoutingError.new('Not Found')
  end

  def logged_in_as_student
--- a/app/controllers/grades_controller.rb
+++ b/app/controllers/grades_controller.rb
@ -19,7 +19,6 @@ class GradesController < ApplicationController
      render :index_lecturer
    elsif logged_in_as_student
      if params[:lecturer]
-        #FIX: @grades = Grade.joins(lecture: :lecturer).where("grades.student_id = #{current_user.id.to_s} AND users.login LIKE ?", "%#{params[:lecturer]}%")
        @grades = Grade.joins(lecture: :lecturer).where("grades.student_id = #{current_user.id.to_s} AND users.login LIKE '%#{params[:lecturer]}%'")
      else
        @grades = Grade.where(:student_id => current_user.id)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -32,9 +32,6 @@ class UsersController < ApplicationController
      end
    elsif logged_in_as_lecturer
      @user = User.new(users_params)
-      # FIX: do not allow creation of lecturers or admins
-      # FIX: if not params[:role] == "student"
-      # FIX:   kick_out
      if @user.save
        flash[:success] = "Account registered!"
        redirect_to root_path
--- a/app/views/grades/index_admin.html.erb
+++ b/app/views/grades/index_admin.html.erb
@ -15,7 +15,6 @@
      <td><%= grade.student.login %></td>
      <td><%= grade.grade %></td>
      <td>
-      <!-- FIX: remove html_safe -->
      <% if grade.comment %>
        <%= grade.comment.html_safe %>
      <% end %>
--- a/app/views/grades/index_lecturer.html.erb
+++ b/app/views/grades/index_lecturer.html.erb
@ -15,7 +15,6 @@
      <td><%= grade.student.login %></td>
      <td><%= grade.grade %></td>
      <td>
-      <!-- FIX: remove html_safe -->
      <% if grade.comment %>
        <%= grade.comment.html_safe %>
      <% end %>
--- a/app/views/grades/index_student.html.erb
+++ b/app/views/grades/index_student.html.erb
@ -1,3 +1,5 @@
+<p data-search-info></p>
+
 <table class="w3-table w3-striped w3-bordered" style="margin: auto">
  <tr>
    <th>Lecturer</th>
@ -12,7 +14,6 @@
      <td><%= grade.lecture.name %></td>
      <td><%= grade.grade %></td>
      <td>
-      <!-- FIX: remove html_safe -->
      <% if grade.comment %>
        <%= grade.comment.html_safe %>
      <% end %>
--- a/config/initializers/noheaders.rb
+++ b/config/initializers/noheaders.rb
@ -0,0 +1 @@
+Rails.application.config.action_dispatch.default_headers.clear
				`@ -0,0 +1 @@`
				`Rails.application.config.action_dispatch.default_headers.clear`