consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid a brakeman warning in related contents

Browse Source 
Although it wasn't a real security concern because we were only calling
a `find_by` method based on the user input, it's a good practice to
avoid using constants based on user parameters.

Since we don't use the `find_by` method anymore but we still need to
check the associated record exists, we're changing the validations in
the `RelatedContent` model to do exactly that.
This commit is contained in:
Javi Martín
2021-06-23 04:26:07 +02:00
parent 8f20ee1a33
commit 48dc72cea9
4 changed files with 32 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/models/related_content.rb
View File

@@ -6,15 +6,11 @@ class RelatedContent < ApplicationRecord
include ActsAsParanoidAliases
belongs_to :author, class_name: "User"
belongs_to :parent_relationable, polymorphic: true, touch: true
belongs_to :child_relationable, polymorphic: true, touch: true
belongs_to :parent_relationable, polymorphic: true, optional: false, touch: true
belongs_to :child_relationable, polymorphic: true, optional: false, touch: true
has_one :opposite_related_content, class_name: self.name, foreign_key: :related_content_id
has_many :related_content_scores
validates :parent_relationable_id, presence: true
validates :parent_relationable_type, presence: true
validates :child_relationable_id, presence: true
validates :child_relationable_type, presence: true
validates :parent_relationable_id, uniqueness: { scope: [:parent_relationable_type, :child_relationable_id, :child_relationable_type] }
validate :different_parent_and_child