
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorAngus MacArthur <amacarthur@blackberry.com>2013-10-04 23:11:50 +0400
committerAngus MacArthur <amacarthur@blackberry.com>2013-10-16 09:20:53 +0400
commitaefe2e952f33267ce38fb9270400f4f6f194d37b (patch)
tree3546807c2b7942585a41cfb1163dc5e6a69e40e0 /lib/api/milestones.rb
parenta8eb525e72f6883a07539af9429ccd41dbc8698b (diff)
Fixing unsafe use of Thread.current variable :current_user
Diffstat (limited to 'lib/api/milestones.rb')
-rw-r--r--lib/api/milestones.rb34
1 files changed, 19 insertions, 15 deletions
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index aee12e7dc40..f7e63b23093 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -40,15 +40,17 @@ module API
# Example Request:
# POST /projects/:id/milestones
post ":id/milestones" do
- authorize! :admin_milestone, user_project
- required_attributes! [:title]
+ set_current_user_for_thread do
+ authorize! :admin_milestone, user_project
+ required_attributes! [:title]
- attrs = attributes_for_keys [:title, :description, :due_date]
- @milestone = user_project.milestones.new attrs
- if @milestone.save
- present @milestone, with: Entities::Milestone
- else
- not_found!
+ attrs = attributes_for_keys [:title, :description, :due_date]
+ @milestone = user_project.milestones.new attrs
+ if @milestone.save
+ present @milestone, with: Entities::Milestone
+ else
+ not_found!
+ end
end
end
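Review bot: Every statement inside the new `set_current_user_for_thread do … end` block can leave it early, because `authorize!`, `required_attributes!` and `not_found!` presumably halt the request by raising or throwing. The wrapper is therefore only safe if the helper restores `Thread.current[:current_user]` in an `ensure`; its definition is not part of this diff, so that needs confirming. Without it, a rejected request would leave its user attached to a reused server thread, which is the condition the commit title describes. I would record the contract at the call site, e.g. `# helper must reset Thread.current[:current_user] in an ensure: authorize!/not_found! exit this block early`. The same applies to the PUT handler in the second hunk, where `milestones.find` can also raise.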
@@ -64,14 +66,16 @@ module API
# Example Request:
# PUT /projects/:id/milestones/:milestone_id
put ":id/milestones/:milestone_id" do
- authorize! :admin_milestone, user_project
+ set_current_user_for_thread do
+ authorize! :admin_milestone, user_project
- @milestone = user_project.milestones.find(params[:milestone_id])
- attrs = attributes_for_keys [:title, :description, :due_date, :state_event]
- if @milestone.update_attributes attrs
- present @milestone, with: Entities::Milestone
- else
- not_found!
+ @milestone = user_project.milestones.find(params[:milestone_id])
+ attrs = attributes_for_keys [:title, :description, :due_date, :state_event]
+ if @milestone.update_attributes attrs
+ present @milestone, with: Entities::Milestone
+ else
+ not_found!
+ end
end
end
end
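Review bot: A failed `update_attributes` in this handler is answered with `not_found!`, as is a failed `save` in the POST handler above, so a client cannot tell a validation failure from a missing milestone or project. The commit re-indents these lines without changing that behaviour. It also matters for anyone reading API logs, since rejected input and probing for nonexistent ids both show up as 404. Until the response is changed, I would mark it with `# FIXME: validation failure is reported as 404; respond with the model's errors and a validation status instead`.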