Merge pull request #4874 from greenriver/ea/fix-duplicate-file-versio…

…ns-pt Move paper trail to client file
greenriver · Oct 29, 2024 · 8b85529 · 8b85529
2 parents 719fb74 + 41a9056
commit 8b85529
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 53 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -828,7 +828,7 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rexml (3.3.8)
+    rexml (3.3.9)
     rgeo (2.4.0)
     rgeo-activerecord (7.0.1)
       activerecord (>= 5.0)

diff --git a/app/models/grda_warehouse/client_file.rb b/app/models/grda_warehouse/client_file.rb
@@ -15,6 +15,7 @@ class ClientFile < GrdaWarehouse::File
     CONSENT_FORM_TAG_CACHE_KEY = 'consent_form_tagging_ids/tag_ids'.freeze
 
     mount_uploader :file, FileUploader # This is probably no necessary, but added to be safe
+    has_paper_trail
     acts_as_taggable
 
     belongs_to :client, class_name: 'GrdaWarehouse::Hud::Client'

diff --git a/app/models/grda_warehouse/file.rb b/app/models/grda_warehouse/file.rb
@@ -7,7 +7,6 @@
 module GrdaWarehouse
   class File < GrdaWarehouseBase
     acts_as_paranoid
-    has_paper_trail
     belongs_to :user, optional: true
   end
 end
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -617,7 +617,7 @@
       "check_name": "Execute",
       "message": "Possible command injection",
       "file": "drivers/hmis/app/models/hmis/form/definition.rb",
-      "line": 359,
+      "line": 365,
       "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
       "code": "`No Definition found for System form #{role}`",
       "render_path": null,
@@ -1048,7 +1048,7 @@
       "check_name": "UnsafeReflection",
       "message": "Unsafe reflection method `constantize` called on model attribute",
       "file": "drivers/hmis/app/models/hmis/form/definition.rb",
-      "line": 414,
+      "line": 420,
       "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
       "code": "{ :SERVICE => ({ :owner_class => \"Hmis::Hud::HmisService\", :permission => :can_edit_enrollments }), :PROJECT => ({ :owner_class => \"Hmis::Hud::Project\", :permission => :can_edit_project_details }), :ORGANIZATION => ({ :owner_class => \"Hmis::Hud::Organization\", :permission => :can_edit_organization }), :CLIENT => ({ :owner_class => \"Hmis::Hud::Client\", :permission => :can_edit_clients }), :FUNDER => ({ :owner_class => \"Hmis::Hud::Funder\", :permission => :can_edit_project_details }), :INVENTORY => ({ :owner_class => \"Hmis::Hud::Inventory\", :permission => :can_edit_project_details }), :PROJECT_COC => ({ :owner_class => \"Hmis::Hud::ProjectCoc\", :permission => :can_edit_project_details }), :HMIS_PARTICIPATION => ({ :owner_class => \"Hmis::Hud::HmisParticipation\", :permission => :can_edit_project_details }), :CE_PARTICIPATION => ({ :owner_class => \"Hmis::Hud::CeParticipation\", :permission => :can_edit_project_details }), :CE_ASSESSMENT => ({ :owner_class => \"Hmis::Hud::Assessment\", :permission => :can_edit_enrollments }), :CE_EVENT => ({ :owner_class => \"Hmis::Hud::Event\", :permission => :can_edit_enrollments }), :CASE_NOTE => ({ :owner_class => \"Hmis::Hud::CustomCaseNote\", :permission => :can_edit_enrollments }), :FILE => ({ :owner_class => \"Hmis::File\", :permission => ([:can_manage_any_client_files, :can_manage_own_client_files]), :authorize => (lambda do\n Hmis::File.authorize_proc.call(entity_base, user)\n end) }), :REFERRAL_REQUEST => ({ :owner_class => \"HmisExternalApis::AcHmis::ReferralRequest\", :permission => :can_manage_incoming_referrals }), :REFERRAL => ({ :owner_class => \"HmisExternalApis::AcHmis::ReferralPosting\", :permission => :can_manage_outgoing_referrals }), :CURRENT_LIVING_SITUATION => ({ :owner_class => \"Hmis::Hud::CurrentLivingSituation\", :permission => :can_edit_enrollments }), :OCCURRENCE_POINT => ({ :owner_class => \"Hmis::Hud::Enrollment\", :permission => :can_edit_enrollments }), :ENROLLMENT => ({ :owner_class => \"Hmis::Hud::Enrollment\", :permission => :can_edit_enrollments }), :NEW_CLIENT_ENROLLMENT => ({ :permission => :can_edit_enrollments, :owner_class => \"Hmis::Hud::Enrollment\" }), :CLIENT_DETAIL => ({ :owner_class => \"Hmis::Hud::Client\", :permission => :can_edit_clients }), :EXTERNAL_FORM => ({ :owner_class => \"HmisExternalApis::ExternalForms::FormSubmission\", :permission => :can_manage_external_form_submissions }) }[role.to_sym][:owner_class].constantize",
       "render_path": null,
@@ -1163,7 +1163,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "lib/rds_sql_server/rds.rb",
-      "line": 243,
+      "line": 244,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "SqlServerBootstrapModel.connection.execute(\"if not exists(select * from sys.databases where name = '#{database}')\\n  select 0;\\nelse\\n  select 1;\\n\")",
       "render_path": null,
@@ -1225,6 +1225,29 @@
       ],
       "note": ""
     },
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "704745811a99d55eb2c8459caa8cd2a8e34486b3b6f1f77f51ce64252262220f",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "app/controllers/user_training_controller.rb",
+      "line": 56,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to(Talentlms::Facade.new(current_user).course_url(course.config, course.courseid, (clients_url or root_url), logout_talentlms_url), :allow_other_host => true)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "UserTrainingController",
+        "method": "index"
+      },
+      "user_input": "Talentlms::Facade.new(current_user).course_url(course.config, course.courseid, (clients_url or root_url), logout_talentlms_url)",
+      "confidence": "Weak",
+      "cwe_id": [
+        601
+      ],
+      "note": ""
+    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
@@ -1305,29 +1328,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "Command Injection",
-      "warning_code": 14,
-      "fingerprint": "781aac46e7b1378f886f2b9f429b4b36766b82a3ce2c8453f8be825781ea49b5",
-      "check_name": "Execute",
-      "message": "Possible command injection",
-      "file": "app/models/glacier/runner.rb",
-      "line": 37,
-      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
-      "code": "system(\"psql -d postgres --username=#{db_user} --no-password --host=#{(provided_db_host or db_host)} -c 'create database #{database_name}'\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Glacier::Runner",
-        "method": "restore_database!"
-      },
-      "user_input": "db_user",
-      "confidence": "Medium",
-      "cwe_id": [
-        77
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
@@ -2171,29 +2171,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "Redirect",
-      "warning_code": 18,
-      "fingerprint": "bd9f8cdc95ec9905f13a5cf6a7c5d3c477b24d145188564f6a93c2df51d089b7",
-      "check_name": "Redirect",
-      "message": "Possible unprotected redirect",
-      "file": "app/controllers/user_training_controller.rb",
-      "line": 41,
-      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(Talentlms::Facade.new.course_url(current_user, Talentlms::Config.first.courseid, (clients_url or root_url), logout_talentlms_url), :allow_other_host => true)",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "UserTrainingController",
-        "method": "index"
-      },
-      "user_input": "Talentlms::Facade.new.course_url(current_user, Talentlms::Config.first.courseid, (clients_url or root_url), logout_talentlms_url)",
-      "confidence": "Weak",
-      "cwe_id": [
-        601
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Command Injection",
       "warning_code": 14,
@@ -2521,7 +2498,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "lib/rds_sql_server/rds.rb",
-      "line": 257,
+      "line": 258,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "SqlServerBootstrapModel.connection.execute(\"if not exists(select * from sys.databases where name = '#{database}')\\n  create database #{database}\\n\")",
       "render_path": null,
@@ -2860,6 +2837,6 @@
       "note": ""
     }
   ],
-  "updated": "2024-10-08 21:18:41 +0000",
+  "updated": "2024-10-29 12:24:27 +0000",
   "brakeman_version": "6.2.1"
 }