forked from mccabe615/ruby-metaprogramming-sec-issues
-
Notifications
You must be signed in to change notification settings - Fork 0
/
OpenMindDynamicLookupCode.rb
70 lines (62 loc) · 2.08 KB
/
OpenMindDynamicLookupCode.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
## FROM https://github.com/spob/openmind/blob/master/app/controllers/lookup_codes_controller.rb#L35
class LookupCodesController < ApplicationController
before_filter :login_required
access_control :DEFAULT => 'sysadmin'
def index
@types = [
["Enterprise Type", "EnterpriseType"],
["Forum Group", "ForumGroup"],
["Release Status", "ReleaseStatus"],
["Release Dependency Group", "ReleaseDependencyGroup"],
["Custom Field", "CustomField"]
]
@lookup_codes = LookupCode.list params[:page], current_user.row_limit
end
# GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
verify :method => :post, :only => [:create ],
:redirect_to => { :action => :index }
verify :method => :put, :only => [ :update ],
:redirect_to => { :action => :index }
verify :method => :delete, :only => [ :destroy ],
:redirect_to => { :action => :index }
def show
@lookup_code = LookupCode.find(params[:id])
end
def create
if params[:lookup_code][:code_type].blank?
flash[:error] = "Please select a Lookup Type"
index
render :action => 'index'
return
end
command = "#{params[:lookup_code][:code_type]}.new(params[:lookup_code])"
# print command
@lookup_code = eval command
if @lookup_code.save
flash[:notice] = "LookupCode #{@lookup_code.short_name} was successfully created."
redirect_to lookup_codes_path
else
index
render :action => 'index'
end
end
def edit
@lookup_code = LookupCode.find(params[:id])
end
def update
@lookup_code = LookupCode.find(params[:id])
if @lookup_code.update_attributes(params[:lookup_code])
flash[:notice] = "LookupCode '#{@lookup_code.short_name}' was successfully updated."
redirect_to lookup_codes_path
else
render :action => 'edit'
end
end
def destroy
lookup_code = LookupCode.find(params[:id])
short_name = lookup_code.short_name
lookup_code.destroy
flash[:notice] = "LookupCode was #{short_name} successfully deleted."
redirect_to lookup_codes_path
end
end