Limit quick search possible classes and improve params check for reports and activities [SCI-11260] (#8034)

2025-09-13 08:34:49 +08:00 · 2024-11-12 16:37:42 +01:00 · 2024-11-12 16:37:42 +01:00 · 2d70773cda
commit 2d70773cda
parent 19aa77f14a
5 changed files with 38 additions and 3 deletions
--- a/app/controllers/global_activities_controller.rb
+++ b/app/controllers/global_activities_controller.rb
@ -151,7 +151,25 @@ class GlobalActivitiesController < ApplicationController
  end
  def activity_filter_params
-    params.permit(:name, filter: {})
+    params.permit(
      :name,
      filter: [
        :to_date,
        :from_date,
        { types: [] },
        { subjects: {
          'Report' => [],
          'Project' => [],
          'MyModule' => [],
          'Protocol' => [],
          'Experiment' => [],
          'RepositoryRow' => [],
          'RepositoryBase' => []
        } },
        { users: [] },
        { teams: [] }
      ]
    )
  end
  def activity_filters
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@ -361,7 +361,7 @@ class ReportsController < ApplicationController
  def report_params
    params.require(:report)
-          .permit(:name, :description, :grouped_by, :report_contents, settings: {})
+          .permit(:name, :description, :grouped_by, :report_contents, settings: permit_report_settings_structure(Report::DEFAULT_SETTINGS))
  end
  def search_params
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -145,7 +145,10 @@ class SearchController < ApplicationController
  def quick
    results = if params[:filter].present?
-                object_quick_search(params[:filter].singularize)
+                class_name = params[:filter].singularize
                return render_422(t('general.invalid_params')) unless Constants::QUICK_SEARCH_SEARCHABLE_OBJECTS.include?(class_name)
                object_quick_search(class_name)
              else
                Constants::QUICK_SEARCH_SEARCHABLE_OBJECTS.filter_map do |object|
                  next if object == 'label_template' && !LabelTemplate.enabled?
--- a/app/helpers/reports_helper.rb
+++ b/app/helpers/reports_helper.rb
@ -106,4 +106,17 @@ module ReportsHelper
      experiment_element.experiment.description
    end
  end
  def permit_report_settings_structure(settings_definition)
    settings_definition.each_with_object([]) do |(key, value), permitted|
      permitted << case value
                   when Hash
                     { key => permit_report_settings_structure(value) }
                   when Array
                     { key => [] }
                   else
                     key
                   end
    end
  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -4305,6 +4305,7 @@ en:
    comment_placeholder: "Your Message"
    comment_placeholder_new: "Add new comment…"
    archived: "Archived"
    invalid_params: "Invalid params"
    sort:
      title: "Sorting"
      new_html: "Started last"