ad995f5a7c
We were getting a warning by CodeQL regarding a possible code injection in the `send(segment)` code. In practice, this wasn't a big deal because the `self.recipients` method is only called in the admin section, meaning only admin users could try to take advantage of the code injection, and because this code is rarely called with an invalid segment due to several conditions in the code checking that the user segment is valid, with the only exception being the `generate_csv` action in the `Admin::EmailsDownloadController`. In any case, now we're checking that the segment is valid before calling the `send` method. Since now we're making sure that the segment is valid in the `recipients` method itself, we can remove this check from methods calling it.
50 lines
1.1 KiB
Ruby
50 lines
1.1 KiB
Ruby
class AdminNotification < ApplicationRecord
|
|
include Notifiable
|
|
|
|
translates :title, touch: true
|
|
translates :body, touch: true
|
|
include Globalizable
|
|
|
|
validates_translation :title, presence: true
|
|
validates_translation :body, presence: true
|
|
validates :segment_recipient, presence: true
|
|
validate :validate_segment_recipient
|
|
|
|
before_validation :complete_link_url
|
|
|
|
def list_of_recipients
|
|
UserSegments.recipients(segment_recipient)
|
|
end
|
|
|
|
def valid_segment_recipient?
|
|
UserSegments.valid_segment?(segment_recipient)
|
|
end
|
|
|
|
def draft?
|
|
sent_at.nil?
|
|
end
|
|
|
|
def list_of_recipients_count
|
|
list_of_recipients&.count || 0
|
|
end
|
|
|
|
def deliver
|
|
list_of_recipients.each { |user| Notification.add(user, self) }
|
|
update!(sent_at: Time.current, recipients_count: list_of_recipients.count)
|
|
end
|
|
|
|
private
|
|
|
|
def validate_segment_recipient
|
|
errors.add(:segment_recipient, :invalid) unless valid_segment_recipient?
|
|
end
|
|
|
|
def complete_link_url
|
|
return if link.blank?
|
|
|
|
unless link =~ /\A(http:\/\/|https:\/\/|\/)/
|
|
self.link = "http://#{link}"
|
|
end
|
|
end
|
|
end
|