consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b7a99a262e38c17b58c470312f3da1ed959a9cfc
nairobi/app/models/budget.rb
Javi Martín 7bf4e4d611 Sanitize descriptions in the views 
Sanitizing descriptions before saving a record has a few drawbacks:

1. It makes the application rely on data being safe in the database. If
somehow dangerous data enters the database, the application will be
vulnerable to XSS attacks
2. It makes the code complicated
3. It isn't backwards compatible; if we decide to disallow a certain
HTML tag in the future, we'd need to sanitize existing data.

On the other hand, sanitizing the data in the view means we don't need
to triple-check dangerous HTML has already been stripped when we see the
method `auto_link_already_sanitized_html`, since now every time we use
it we sanitize the text in the same line we call this method.

We could also sanitize the data twice, both when saving to the database
and when displaying values in the view. However, doing so wouldn't make
the application safer, since we sanitize text introduced through
textarea fields but we don't sanitize text introduced through input
fields.

Finally, we could also overwrite the `description` method so it
sanitizes the text. But we're already introducing Globalize which
overwrites that method, and overwriting it again is a bit too confusing
in my humble opinion. It can also lead to hard-to-debug behaviour.
2019-10-21 21:32:02 +02:00

223 lines
5.1 KiB
Ruby
Raw Blame History

class Budget < ApplicationRecord
include Measurable
include Sluggable
include StatsVersionable
include Reportable
translates :name, touch: true
include Globalizable
class Translation
validate :name_uniqueness_by_budget
def name_uniqueness_by_budget
if Budget.joins(:translations)
.where(name: name)
.where.not("budget_translations.budget_id": budget_id).any?
errors.add(:name, I18n.t("errors.messages.taken"))
end
end
end
CURRENCY_SYMBOLS = %w[€ $ £ ¥].freeze
validates_translation :name, presence: true
validates :phase, inclusion: { in: Budget::Phase::PHASE_KINDS }
validates :currency_symbol, presence: true
validates :slug, presence: true, format: /\A[a-z0-9\-_]+\z/
has_many :investments, dependent: :destroy
has_many :ballots, dependent: :destroy
has_many :groups, dependent: :destroy
has_many :headings, through: :groups
has_many :lines, through: :ballots, class_name: "Budget::Ballot::Line"
has_many :phases, class_name: "Budget::Phase"
has_many :budget_trackers
has_many :trackers, through: :budget_trackers
has_many :budget_administrators
has_many :administrators, through: :budget_administrators
has_many :budget_valuators
has_many :valuators, through: :budget_valuators
has_one :poll
after_create :generate_phases
scope :drafting, -> { where(phase: "drafting") }
scope :informing, -> { where(phase: "informing") }
scope :accepting, -> { where(phase: "accepting") }
scope :reviewing, -> { where(phase: "reviewing") }
scope :selecting, -> { where(phase: "selecting") }
scope :valuating, -> { where(phase: "valuating") }
scope :publishing_prices, -> { where(phase: "publishing_prices") }
scope :balloting, -> { where(phase: "balloting") }
scope :reviewing_ballots, -> { where(phase: "reviewing_ballots") }
scope :finished, -> { where(phase: "finished") }
scope :open, -> { where.not(phase: "finished") }
def self.current
where.not(phase: "drafting").order(:created_at).last
end
def current_phase
phases.send(phase)
end
def published_phases
phases.published.order(:id)
end
def description
description_for_phase(phase)
end
def description_for_phase(phase)
if phases.exists? && phases.send(phase).description.present?
phases.send(phase).description
else
send("description_#{phase}")
end
end
def self.title_max_length
80
end
def drafting?
phase == "drafting"
end
def informing?
phase == "informing"
end
def accepting?
phase == "accepting"
end
def reviewing?
phase == "reviewing"
end
def selecting?
phase == "selecting"
end
def valuating?
phase == "valuating"
end
def publishing_prices?
phase == "publishing_prices"
end
def balloting?
phase == "balloting"
end
def reviewing_ballots?
phase == "reviewing_ballots"
end
def finished?
phase == "finished"
end
def published_prices?
Budget::Phase::PUBLISHED_PRICES_PHASES.include?(phase)
end
def valuating_or_later?
current_phase&.valuating_or_later?
end
def publishing_prices_or_later?
current_phase&.publishing_prices_or_later?
end
def balloting_process?
balloting? || reviewing_ballots?
end
def balloting_or_later?
current_phase&.balloting_or_later?
end
def heading_price(heading)
heading_ids.include?(heading.id) ? heading.price : -1
end
def translated_phase
I18n.t "budgets.phase.#{phase}"
end
def formatted_amount(amount)
ActionController::Base.helpers.number_to_currency(amount,
precision: 0,
locale: I18n.locale,
unit: currency_symbol)
end
def formatted_heading_price(heading)
formatted_amount(heading_price(heading))
end
def formatted_heading_amount_spent(heading)
formatted_amount(amount_spent(heading))
end
def investments_orders
case phase
when "accepting", "reviewing"
%w[random]
when "publishing_prices", "balloting", "reviewing_ballots"
%w[random price]
when "finished"
%w[random]
else
%w[random confidence_score]
end
end
def email_selected
investments.selected.order(:id).each do |investment|
Mailer.budget_investment_selected(investment).deliver_later
end
end
def email_unselected
investments.unselected.order(:id).each do |investment|
Mailer.budget_investment_unselected(investment).deliver_later
end
end
def has_winning_investments?
investments.winners.any?
end
def milestone_tags
investments.winners.map(&:milestone_tag_list).flatten.uniq.sort
end
private
def generate_phases
Budget::Phase::PHASE_KINDS.each do |phase|
Budget::Phase.create(
budget: self,
kind: phase,
prev_phase: phases&.last,
starts_at: phases&.last&.ends_at || Date.current,
ends_at: (phases&.last&.ends_at || Date.current) + 1.month
)
end
end
def generate_slug?
slug.nil? || drafting?
end
end
Reference in New Issue View Git Blame Copy Permalink