Files
fizzy/app/models/user/accessor.rb
T
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00

19 lines
679 B
Ruby

module User::Accessor
extend ActiveSupport::Concern
included do
has_many :accesses, dependent: :destroy
has_many :boards, through: :accesses
has_many :accessible_columns, through: :boards, source: :columns
has_many :accessible_cards, through: :boards, source: :cards
has_many :accessible_comments, through: :accessible_cards, source: :comments
after_create_commit :grant_access_to_boards, unless: :system?
end
private
def grant_access_to_boards
Access.insert_all account.boards.all_access.pluck(:id).collect { |board_id| { id: ActiveRecord::Type::Uuid.generate, board_id: board_id, user_id: id, account_id: account.id } }
end
end