app/controllers/sandbox_controller.rb

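# Renders the templates under app/views/sandbox so they can be browsed by name.
#
# The template name comes straight from the request (params[:template]) and is
# interpolated into a render path, so every action treats it as untrusted.
class SandboxController < ApplicationController
  # NOTE(review): authorization checks are skipped for every action in this
  # controller - confirm the routes do not expose it where that matters.
  skip_authorization_check

  layout :set_layout

  helper_method(:namespace)

  # Lists the sandbox templates available on disk.
  #
  # Only the final extension is stripped, so entries keep their ".html" part
  # (e.g. "foo.html"). Partials (leading "_") and the index page are left out.
  def index
    @templates = Dir.glob(Rails.root.join('app', 'views', 'sandbox', '*.html.erb').to_s).map do |filename|
      filename = File.basename(filename, File.extname(filename))
      filename unless filename.starts_with?('_') || filename == 'index.html'
    end.compact
  end

  # Renders the requested sandbox template, falling back to the index page
  # whenever the name is missing, malformed or does not resolve to a template.
  def show
    template = requested_template

    if template.nil? || template.include?('.')
      # A missing or non-String value (e.g. an Array or nested-params value)
      # would raise NoMethodError on the String calls below, so it falls back to
      # the index. Names containing a dot are refused outright: that blocks
      # "../" path segments and explicit format/handler suffixes
      # (CVE-2014-0130, directory traversal through render).
      render action: "index"
    elsif lookup_context.exists?("sandbox/#{template}")
      if template == "index"
        render action: "index"
      else
        render "sandbox/#{template}"
      end
    elsif lookup_context.exists?("sandbox/#{template}/index")
      render "sandbox/#{template}/index"
    else
      render action: "index"
    end
  end

  private

  # Returns params[:template] only when it is a plain String, otherwise nil.
  # Query strings such as "template[]=x" produce non-String values, which must
  # never reach String-only calls or a render path.
  def requested_template
    value = params[:template]
    value if value.is_a?(String)
  end

  # Picks the "admin" layout for templates whose name starts with "admin_"
  # (or is exactly "admin"); everything else uses "application".
  def set_layout
    template = requested_template

    if template && template.split("_").first == "admin"
      "admin"
    else
      "application"
    end
  end

  # Exposed to the views through helper_method; always "admin".
  def namespace
    "admin"
  end
end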