Commit ad20bb05 authored by Dennis Schubert

Fix include_root_in_json misuse

since it is no longer exposed for instances, our post_presenter failed
hard.
parent 72fe5a79
+3 −0
# 0.5.6.3

Fix evil regression caused by Active Model no longer exposing
`include_root_in_json` in instances.

# 0.5.6.2

* Fix [CVE-2016-0751](https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc) - Possible Object Leak and Denial of Service attack in Action Pack
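Review bot: The 0.5.6.3 entry ("Fix evil regression caused by Active Model no longer exposing `include_root_in_json` in instances.") does not say what was affected, so someone reading the changelog cannot tell that post JSON serialization in the presenter was what broke. Suggest naming the symptom, and formatting the entry as a `*` bullet to match the 0.5.6.2 entry below it.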
+2 −0
@@ -3,6 +3,8 @@
#   the COPYRIGHT file.

class Post < ActiveRecord::Base
  self.include_root_in_json = false

  include ApplicationHelper

  include Diaspora::Federated::Shareable
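Review bot: `self.include_root_in_json = false` at the top of `class Post` applies to every `as_json`/`to_json` call on Post, which is a wider scope than the per-instance assignment it replaces in the presenter. If the application-wide default is not already false, any other caller that serializes a Post will see a different JSON shape without any change at its own call site. Consider keeping the scope local by passing `root: false` to `as_json` in `PostPresenter`, or add a short comment on this line saying why the class-level setting is required.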
+0 −1
@@ -9,7 +9,6 @@ class PostPresenter < BasePresenter
  end

  def as_json(_options={})
    @post.include_root_in_json = false
    @post.as_json(only: directly_retrieved_attributes).merge(non_directly_retrieved_attributes)
  end
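Review bot: With `@post.include_root_in_json = false` removed, `as_json` here depends implicitly on a setting made in another file; nothing at this call site shows that the root key must be absent before `.merge(non_directly_retrieved_attributes)` runs. Passing `root: false` alongside `only: directly_retrieved_attributes` would state that requirement where it matters. The visible changes also include no spec asserting the presenter's JSON shape; adding one would guard against a repeat of this regression.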