Fix dangerous send exploit

2015-09-01 18:44:50 +05:30 · 2015-09-01 18:44:50 +05:30 · 4b891b3f70
parent 5d3d3a68e7
commit 4b891b3f70
1 changed files with 14 additions and 2 deletions
--- a/app/controllers/ajax/moderation_controller.rb
+++ b/app/controllers/ajax/moderation_controller.rb
@ -174,7 +174,19 @@ class Ajax::ModerationController < ApplicationController
    end

    @checked = status
-    target_user.send("#{params[:type]}=", status)
+    case params[:type].downcase
+      when 'blogger'
+        target_user.blogger = status
+      when 'contributor'
+        target_user.contributor = status
+      when 'translator'
+        target_user.translator = status
+      when 'supporter'
+        target_user.translator = status
+      when 'moderator'
+        target_user.translator = status
+      when 'admin'
+        target_user.translator = status
    target_user.save!

    @message = I18n.t('messages.moderation.privilege.checked', privilege: params[:type])