Rails security issue - ruby-on-rails

I have a Rails 4 app on Heroku. Users can choose an option from a drop-down menu (course name), then click post, and the post will appear on the index page. Someone was able to create a post with an option that was not in the drop-down menu at all. How is this possible? What can I do about it?

First, the problem. It's very easy to recreate using the Chrome developer tools. Here are the steps to recreate the error:
1. Using the Chrome developer tools, find and inspect the dropdown.
2. Right-click on it and choose "Edit as HTML".
3. Add a new value to the dropdown.
4. Select the new value and press create.
Now the solution:
I will just add a validation that checks whether the value passed in is part of the options in the dropdown:
http://edgeguides.rubyonrails.org/active_record_validations.html#inclusion

Put the options of the drop-down menu in a private method and permit only those values in your controller. No need to provide attr_accessible in your model if you are writing it over there.
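The fix both answers describe, shown as an added example that is not code from the question or from either answer: a plain-Ruby stand-in for a Rails model carrying `validates :course, inclusion: { in: COURSES }` together with a strong-parameters `permit` in the create action, written so that it runs without Rails installed. The course names, and the `Post`, `permitted_post_params` and `create_post` names, are constructed for the example. The point it demonstrates is that the `<select>` in the browser is only a convenience for the user; the server has to re-check the submitted value against its own list, which is exactly what the inclusion validation does.

```ruby
# Added example (not from the question or answers): a server-side allowlist
# for a form value, in plain Ruby so it runs without Rails.
# In a Rails 4 app the equivalent is
#   validates :course, inclusion: { in: COURSES }
# in the model, plus strong parameters in the controller.

require 'set'

# The options rendered in the drop-down. Constructed sample values;
# the real app would list its own course names here.
COURSES = ['Algebra', 'Biology', 'Chemistry'].freeze
COURSE_SET = COURSES.to_set.freeze

class PostValidationError < StandardError; end

# Minimal model: stores a course name and validates it against the allowlist.
class Post
  attr_reader :course, :errors

  def initialize(course)
    @course = course
    @errors = []
  end

  # Mirrors `validates :course, inclusion: { in: COURSES }`.
  # The check is an exact, case-sensitive match on purpose: the browser
  # form is not trusted, so only values the server itself offered pass.
  def valid?
    @errors = []
    @errors << 'course is not included in the list' unless COURSE_SET.include?(@course)
    @errors.empty?
  end
end

# Mirrors the controller side: `params.require(:post).permit(:course)`.
# Only the :course key survives; anything else the client sent is dropped.
def permitted_post_params(params)
  post = params.fetch('post') { raise PostValidationError, 'post params missing' }
  { 'course' => post['course'] }
end

# The create action: build, validate, and either "save" or report errors.
# Returns [status, payload] so the outcome can be inspected.
def create_post(params)
  attrs = permitted_post_params(params)
  post = Post.new(attrs['course'])
  if post.valid?
    [:created, post.course]
  else
    [:unprocessable, post.errors]
  end
rescue PostValidationError => e
  [:bad_request, [e.message]]
end

if __FILE__ == $PROGRAM_NAME
  # Normal submission from the drop-down.
  p create_post('post' => { 'course' => 'Biology' })
  # A value injected by editing the <select> in the browser's dev tools.
  p create_post('post' => { 'course' => 'Not a real course' })
  # An extra attribute added to the form is silently dropped by permit.
  p create_post('post' => { 'course' => 'Algebra', 'admin' => 'true' })
end
```

Run it with `ruby` to see the three outcomes. In the real app the `permit` call and the `validates` line take the place of `permitted_post_params` and `Post#valid?`, and the controller re-renders the form with `post.errors` when `save` returns false.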

Related

VS 2019 - quick action menu items missing

I have two Win10 PCs, both with the same installation of VS2019 Enterprise (Version 16.11.15) and almost the same extensions. But in one VS installation, the quick action menu and its options look like the picture below:
add missing param nodes
make method synchronous
etc.
The other installation is missing every single item above the "Change signature..." item.
What am I missing? Can someone help me with this? I'm most interested in "Add missing param nodes".
I've tried to find out which extension provides this feature, but with no luck.
As we can see in the first screenshot, CS1573 means there is no matching param tag in the XML comment.
So you should generate an XML file that contains the documentation comments.
You can refer to the following steps to enable this option:
Go to Project > Properties > Build > Output
Select "Generate a file containing API documentation"
Now you can check the quick action menu; you will see "Add missing param nodes" in it.

Can not edit foreign key field in Django admin and pop-up form is not really popping up

I am using Django-suit for the admin panel. My 'user' model has 'address' and 'contact' fields as foreign keys. When trying to change the user's info, the address and contact fields have change/edit and add new options beside them. But the change/edit option remains disabled (see image).
Besides, when I click on the add new icon, a new form window is supposed to pop up. Instead it takes me to the form in the same browser tab. Any insight for solving this problem?
After getting a question from Efi MK, I tried once again to dig into the problem, and found my mistake with the help of this post (Django admin add related object doesn't open popup window?).
The main project was previously implemented using Django-1.6. I was extending the project by adding some new features using Django-1.11. The problem is, the static files I was using for Django-admin were from the previous version. The 'collectstatic' command didn't replace those files from the previous version which have the same names as in the new version. Unfortunately, I didn't notice that.
I deleted the whole 'static' folder, ran 'collectstatic' again, and both of the problems mentioned in the question were solved. Thanks, Efi, for asking :)

TFS-2015 limiting user list

After upgrading to TFS 2015 we are seeing all users in the collection being displayed as options for the Assigned To fields of a Work Item.
In 2013 we had set an ALLOWEDVALUES rule set to [project]\Contributors. It would restrict the list in the drop down to only the values in that group.
Now the drop-down shows everyone and only complains if you try to select a user from the complete list who is NOT in the contributors group.
How do we get the old behavior back?
In many organizations, the work item type is shared across many teams. The old dropdown was long and was cluttered with people you would never assign a work item to. We heard a lot of requests to make assigning to people a much better experience.
We have changed the work item control to an MRU control so the people you care about most show up immediately. And there is a "search more" option to find people who are not in the MRU yet.
We are aware that it is not possible anymore to restrict the list with the rules you define on the work item. It was an explicit design decision, and the rule is still enforced on save as you indicate.
Ewald Hofman - TFS Program Manager
You can follow the steps below:
1. Create a collection-level group. Team Explorer-->Team Project Collection Settings-->Group Membership-->New-->Group name: MyTeam-->Double-click [your collection]\MyTeam-->select Windows User or Group-->Add-->add users
2. Create an "Issue" work item type. Tool-->Process Editor-->Work Item Types-->Open WIT from server-->Copy an existing work item type and change the name to "issue".
3. In the Field tab, double-click Assigned To-->Rules-->New-->ALLOWEDVALUES-->in the ALLOWEDVALUES window, click New-->in the List Item Edit window, enter [Project]\MyTeam-->OK, then save this work item type.
For test:
4. Create a new "issue" item; in the Assigned To drop-down list, you can only see the users you added to MyTeam.

Cannot update custom field description

I'm using JIRA 4.1.2. I have a page layout created using Jelly, but now that the app is in production I need to manually change a field description (can't run the script again).
The documentation says to go to Field Configurations -> Configure -> Edit, enter the text and hit update. I do that but nothing changes. HOWEVER, for a field that was created outside of Jelly, using the standard JIRA UI, an update works.
What gives? None of my Jelly-created fields will update.
Thanks for any help!
Check which field configuration is being used for a specific issue.

Welcome Page Add to Favorites

I am using Delphi 2010. Has the functionality on the Welcome Page to Add to Favorites been eliminated? I still have Manage Favorites, but it only adds Edit and Delete options. Maybe there is a new way to add to favorites now. I missed it.
Just click on the link marked "Make me a Favorite":
It is named "Make me a Favorite" now.