cancan icon indicating copy to clipboard operation
cancan copied to clipboard

Published 20 hours ago verified publisher icon ryanb

Fix id_param in shallow routes

Open francocatena opened this issue 11 years ago • 8 comments

This fix the id_param method to return a nil when the params hash returns nil, and the string of the value otherwise. It fixed the Issue #861.

francocatena avatar May 08 '13 21:05 francocatena

+1

ismaelisuani avatar May 09 '13 13:05 ismaelisuani

+5

I forked and committed my suggested fix, but can't seem to send a pull request to you @francocatena.

james2m avatar May 30 '13 00:05 james2m

@james2m Thanks for the suggestion, but this actually does the same that the code I try to fix (And the code with the orginal security problem). If @params[@options[:id_params]] returns nil this method returns an empty string (the problem I try to fix) and if @params[parent? ? "#{name}_id" : 'id'] returns other than a string or nil this method does not convert it (the security issue).

francocatena avatar May 30 '13 12:05 francocatena

Claro. This is still a +5 for your patch.

james2m avatar May 30 '13 13:05 james2m

I'm seeing this issue as well with Rails 4, mongoid 4, and cancan 1.6.10. The patch above fixes this issue for me as well. @ryanb any reason to not merge this?

jfine avatar Jul 15 '13 19:07 jfine

:+1: for merging this

JustinAiken avatar Oct 02 '13 22:10 JustinAiken

Any update on this?

mark-d-holmberg avatar Nov 21 '13 18:11 mark-d-holmberg

:+1: to merge

jeremyf avatar Nov 21 '13 18:11 jeremyf