diff --git a/.travis.yml b/.travis.yml index 30a831b6..e65b8389 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,4 +18,4 @@ before_script: - nvm use stable - (cd app/assets/javascripts && npm install) script: - - bundle exec rspec && (cd app/assets/javascripts && npm test) + - bundle exec rspec && (cd app/assets/javascripts && npm test) && bundle exec brakeman -q -z diff --git a/Gemfile b/Gemfile index 07159461..5840a752 100644 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' ruby '2.1.3' -gem 'rails', '4.2.4' +gem 'rails' gem 'active_model_serializers', '~> 0.8.1' gem 'aws-sdk', '< 2.0' @@ -49,6 +49,7 @@ group :test do gem 'rspec-rails' gem 'shoulda-matchers' gem 'simplecov', require: false + gem 'brakeman', require: false end group :development, :test do diff --git a/Gemfile.lock b/Gemfile.lock index c1cf8409..f62a561a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
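Review bot: The `bundle exec brakeman -q -z` appended to the `script:` entry only runs when `bundle exec rspec` and `npm test` have both already passed, because the three commands are chained with `&&`, so a red test suite also hides the result of the security scan and the two signals cannot be told apart in the build log. Travis fails the build if any `script:` entry exits non-zero, so the scan should be its own entry, `- bundle exec brakeman -q -z`, leaving the test command as it was before this hunk. `-z` is what makes warnings fail the build, so keep it; the `-q` only trims the report banner and does not affect the exit status.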
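Review bot: Replacing `gem 'rails', '4.2.4'` with a bare `gem 'rails'` leaves the Gemfile with no constraint on Rails at all, so the lockfile is the only thing holding the app at 4.2.6 and a routine `bundle update` could resolve across a major version without any change to the manifest. A pessimistic constraint keeps the upgrade path explicit while still allowing patch releases: `gem 'rails', '~> 4.2.6'`. The `gem 'brakeman', require: false` line added in the second Gemfile hunk is likewise unconstrained; because the CI scan runs with `-z`, a silent major bump of the scanner can start failing builds for reasons unrelated to the code, so a `'~> 3.3'` constraint (matching the 3.3.2 the lockfile resolves) is worth adding there too.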
@@ -1,38 +1,38 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.4) - actionpack (= 4.2.4) - actionview (= 4.2.4) - activejob (= 4.2.4) + actionmailer (4.2.6) + actionpack (= 4.2.6) + actionview (= 4.2.6) + activejob (= 4.2.6) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.4) - actionview (= 4.2.4) - activesupport (= 4.2.4) + actionpack (4.2.6) + actionview (= 4.2.6) + activesupport (= 4.2.6) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.4) - activesupport (= 4.2.4) + actionview (4.2.6) + activesupport (= 4.2.6) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) active_model_serializers (0.8.3) activemodel (>= 3.0) - activejob (4.2.4) - activesupport (= 4.2.4) + activejob (4.2.6) + activesupport (= 4.2.6) globalid (>= 0.3.0) - activemodel (4.2.4) - activesupport (= 4.2.4) + activemodel (4.2.6) + activesupport (= 4.2.6) builder (~> 3.1) - activerecord (4.2.4) - activemodel (= 4.2.4) - activesupport (= 4.2.4) + activerecord (4.2.6) + activemodel (= 4.2.6) + activesupport (= 4.2.6) arel (~> 6.0) - activesupport (4.2.4) + activesupport (4.2.6) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -55,8 +55,9 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) + brakeman (3.3.2) builder (3.2.2) - byebug (8.2.2) + byebug (9.0.5) climate_control (0.0.3) activesupport (>= 3.0) cocaine (0.5.8) 
@@ -69,19 +70,18 @@ GEM coffee-script-source execjs coffee-script-source (1.10.0) - concurrent-ruby (1.0.1) + concurrent-ruby (1.0.2) debug_inspector (0.0.2) delayed_job (4.0.6) activesupport (>= 3.0, < 5.0) delayed_job_active_record (4.0.3) activerecord (>= 3.0, < 5.0) delayed_job (>= 3.0, < 4.1) - devise (3.5.6) + devise (4.1.1) bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (>= 3.2.6, < 5) + railties (>= 4.1.0, < 5.1) responders - thread_safe (~> 0.1) warden (~> 1.2.3) diff-lcs (1.2.5) docile (1.1.5) @@ -95,14 +95,14 @@ GEM exception_notification (4.1.4) actionmailer (~> 4.0) activesupport (~> 4.0) - execjs (2.6.0) + execjs (2.7.0) ezcrypto (0.7.2) - factory_girl (4.5.0) + factory_girl (4.7.0) activesupport (>= 3.0.0) - factory_girl_rails (4.6.0) - factory_girl (~> 4.5.0) + factory_girl_rails (4.7.0) + factory_girl (~> 4.7.0) railties (>= 3.0.0) - formtastic (3.1.3) + formtastic (3.1.4) actionpack (>= 3.2.13) formula (1.1.1) rails (> 3.0.0) @@ -112,7 +112,7 @@ GEM json (~> 1.8) multi_xml (>= 0.5.2) i18n (0.7.0) - jbuilder (2.4.1) + jbuilder (2.5.0) activesupport (>= 3.0.0, < 5.1) multi_json (~> 1.2) jquery-rails (4.1.1) @@ -122,9 +122,9 @@ GEM jquery-ui-rails (5.0.5) railties (>= 3.2.16) json (1.8.3) - json-schema (2.6.1) + json-schema (2.6.2) addressable (~> 2.3.8) - kaminari (0.16.3) + kaminari (0.17.0) actionpack (>= 3.0.0) activesupport (>= 3.0.0) loofah (2.0.3) 
@@ -132,53 +132,55 @@ GEM mail (2.6.4) mime-types (>= 1.16, < 4) method_source (0.8.2) - mime-types (3.0) + mime-types (3.1) mime-types-data (~> 3.2015) - mime-types-data (3.2016.0221) + mime-types-data (3.2016.0521) mimemagic (0.3.0) - mini_portile2 (2.0.0) - minitest (5.8.4) - multi_json (1.11.2) + mini_portile2 (2.1.0) + minitest (5.9.0) + multi_json (1.12.1) multi_xml (0.5.5) - nokogiri (1.6.7.2) - mini_portile2 (~> 2.0.0.rc2) + nokogiri (1.6.8) + mini_portile2 (~> 2.1.0) + pkg-config (~> 1.1.7) oauth (0.5.1) orm_adapter (0.5.0) - paperclip (4.3.5) + paperclip (4.3.6) activemodel (>= 3.2.0) activesupport (>= 3.2.0) cocaine (~> 0.5.5) mime-types mimemagic (= 0.3.0) pg (0.18.4) + pkg-config (1.1.7) pry (0.10.3) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - pry-byebug (3.3.0) - byebug (~> 8.0) + pry-byebug (3.4.0) + byebug (~> 9.0) pry (~> 0.10) pry-rails (0.3.4) pry (>= 0.9.10) pundit (1.1.0) activesupport (>= 3.0.0) - pundit_extra (0.1.1) + pundit_extra (0.2.0) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rack (1.6.4) rack-cors (0.4.0) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.4) - actionmailer (= 4.2.4) - actionpack (= 4.2.4) - actionview (= 4.2.4) - activejob (= 4.2.4) - activemodel (= 4.2.4) - activerecord (= 4.2.4) - activesupport (= 4.2.4) + rails (4.2.6) + actionmailer (= 4.2.6) + actionpack (= 4.2.6) + actionview (= 4.2.6) + activejob (= 4.2.6) + activemodel (= 4.2.6) + activerecord (= 4.2.6) + activesupport (= 4.2.6) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.4) + railties (= 4.2.6) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) 
@@ -194,15 +196,15 @@ GEM rails_serve_static_assets rails_stdout_logging rails_serve_static_assets (0.0.5) - rails_stdout_logging (0.0.4) - railties (4.2.4) - actionpack (= 4.2.4) - activesupport (= 4.2.4) + rails_stdout_logging (0.0.5) + railties (4.2.6) + actionpack (= 4.2.6) + activesupport (= 4.2.6) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (11.1.1) - redis (3.2.2) - responders (2.1.1) + rake (11.2.2) + redis (3.3.0) + responders (2.2.0) railties (>= 4.2.0, < 5.1) rspec-core (3.4.4) rspec-support (~> 3.4.0) @@ -221,7 +223,7 @@ GEM rspec-mocks (~> 3.4.0) rspec-support (~> 3.4.0) rspec-support (3.4.1) - sass (3.4.21) + sass (3.4.22) sass-rails (5.0.4) railties (>= 4.0.0, < 5.0) sass (~> 3.1) @@ -237,9 +239,9 @@ GEM simplecov-html (0.10.0) slack-notifier (1.5.1) slop (3.6.0) - snorlax (0.1.5) + snorlax (0.1.6) rails (> 4.1) - sprockets (3.5.2) + sprockets (3.6.0) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.0.4) @@ -248,13 +250,12 @@ GEM sprockets (>= 3.0.0) thor (0.19.1) thread_safe (0.3.5) - tilt (2.0.2) + tilt (2.0.5) tunemygc (1.0.65) tzinfo (1.2.2) thread_safe (~> 0.1) - uglifier (2.7.2) - execjs (>= 0.3.0) - json (>= 1.8.0) + uglifier (3.0.0) + execjs (>= 0.3.0, < 3) uservoice-ruby (0.0.11) ezcrypto (>= 0.7.2) json (>= 1.7.5) @@ -271,6 +272,7 @@ DEPENDENCIES best_in_place better_errors binding_of_caller + brakeman coffee-rails delayed_job (~> 4.0.2) delayed_job_active_record (~> 4.0.1) @@ -296,7 +298,7 @@ DEPENDENCIES pundit_extra quiet_assets rack-cors - rails (= 4.2.4) + rails rails3-jquery-autocomplete rails_12factor redis diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 5db7d62a..7b2a48b2 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
@@ -3,7 +3,7 @@ class ApplicationController < ActionController::Base include Pundit include PunditExtra rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized - protect_from_forgery + protect_from_forgery(with: :exception) before_action :get_invite_link after_action :allow_embedding
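Review bot: Switching to `protect_from_forgery(with: :exception)` means a request with a missing or stale CSRF token now raises `ActionController::InvalidAuthenticityToken` instead of falling back to the null-session behaviour the previous bare `protect_from_forgery` used, and the `rescue_from` on the line above only covers `Pundit::NotAuthorizedError`, so those failures will surface as unhandled errors rather than a deliberate response. Give the new exception an explicit handler alongside the existing one, for example `rescue_from ActionController::InvalidAuthenticityToken, with: :handle_unauthorized`, and confirm that any endpoint that previously relied on the null-session fallback (token-less JSON or embedded requests, which the `allow_embedding` after_action hints the app serves) is exempted deliberately in its own controller rather than by accident. The class body continues outside the hunk, so whether such handling already exists further down cannot be seen here.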