From 4b891b3f70d9ef8bb223aad92273caf721098884 Mon Sep 17 00:00:00 2001
From: Yuki
Date: Tue, 1 Sep 2015 18:44:50 +0530
Subject: [PATCH] Fix dangerous send exploit

---
 app/controllers/ajax/moderation_controller.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/app/controllers/ajax/moderation_controller.rb b/app/controllers/ajax/moderation_controller.rb
index 636c1650..81576bf4 100644
--- a/app/controllers/ajax/moderation_controller.rb
+++ b/app/controllers/ajax/moderation_controller.rb
@@ -5,7 +5,7 @@ class Ajax::ModerationController < ApplicationController
     @success = false
     render partial: "ajax/shared/status"
   end
-
+
   def vote
     params.require :id
     params.require :upvote
@@ -174,7 +174,19 @@ class Ajax::ModerationController < ApplicationController
     end
 
     @checked = status
-    target_user.send("#{params[:type]}=", status)
+    case params[:type].downcase
+    when 'blogger'
+      target_user.blogger = status
+    when 'contributor'
+      target_user.contributor = status
+    when 'translator'
+      target_user.translator = status
+    when 'supporter'
+      target_user.translator = status
+    when 'moderator'
+      target_user.translator = status
+    when 'admin'
+      target_user.translator = status
     target_user.save!
     @message = I18n.t('messages.moderation.privilege.checked', privilege: params[:type])
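Review bot: The `supporter`, `moderator` and `admin` branches of the new `case` in the second hunk all assign `target_user.translator = status`, so those three privileges can no longer be granted or revoked and a request to toggle `admin` silently flips `translator` instead; the copy-paste needs `target_user.supporter = status`, `target_user.moderator = status` and `target_user.admin = status` (assuming those setters exist, as the removed `send("#{params[:type]}=")` call implies they did). The `case` also has no `end` before `target_user.save!` in the visible hunk, and the diffstat's 14 insertions, one of them the blank line in the first hunk, account for exactly the 13 added lines shown, so the controller likely does not parse as committed. Unlike the old `send`, an unrecognised `type` now falls through without error and still reaches `save!` and the "checked" message, so an `else` branch that rejects the value keeps the allowlist explicit. Replacing the interpolated `send` with a fixed set of setters is the right fix, since the old code let a caller reach any `*=` setter on the target user, but `params[:type].downcase` will raise if `type` is absent unless it is required earlier in the action, whose body starts outside this hunk.
```ruby
    case params[:type].to_s.downcase
    when 'blogger'     then target_user.blogger = status
    when 'contributor' then target_user.contributor = status
    when 'translator'  then target_user.translator = status
    when 'supporter'   then target_user.supporter = status
    when 'moderator'   then target_user.moderator = status
    when 'admin'       then target_user.admin = status
    else
      raise ActionController::BadRequest, "unknown privilege type"
    end
    target_user.save!
    # … unchanged: @message assignment …
```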