Parameters should be whitelisted for mass assignment Open
params.require(:assignment_form).permit!- Read upRead up
- Exclude checks
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Example:
User.new(params[:user])Unfortunately, if there is a user field called admin which controls administrator access, now any user can make themselves an administrator.
attr_accessible and attr_protected can be used to limit mass assignment. However, Brakeman will warn unless attr_accessible is used, or mass assignment is completely disabled.
There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like
Unprotected mass assignment near line 61: User.new(params[:user])The other warning is raised whenever a model is found which does not use attr_accessible. This produces generic warnings like
Mass assignment is not restricted using attr_accessiblewith a list of affected models.
In Rails 3.1 and newer, mass assignment can easily be disabled:
config.active_record.whitelist_attributes = trueUnfortunately, it can also easily be bypassed:
User.new(params[:user], :without_protection => true)Brakeman will warn on uses of without_protection.
Assignment Branch Condition size for create is too high. [56.37/15] Open
def create
@assignment_form = AssignmentForm.new(assignment_form_params)
if params[:button]
if @assignment_form.save
@assignment_form.create_assignment_node- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Class AssignmentsController has 36 methods (exceeds 20 allowed). Consider refactoring. Open
class AssignmentsController < ApplicationController
include AssignmentHelper
autocomplete :user, :name
before_action :authorize
Assignment Branch Condition size for delete is too high. [40.64/15] Open
def delete
begin
assignment_form = AssignmentForm.create_form_object(params[:id])
user = session[:user]
# Issue 1017 - allow instructor to delete assignment created by TA.- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for edit_params_setting is too high. [36.67/15] Open
def edit_params_setting
@assignment = Assignment.find(params[:id])
@num_submissions_round = @assignment.find_due_dates('submission').nil? ? 0 : @assignment.find_due_dates('submission').count
@num_reviews_round = @assignment.find_due_dates('review').nil? ? 0 : @assignment.find_due_dates('review').count
- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for assignment_form_key_nonexist_case_handler is too high. [34.25/15] Open
def assignment_form_key_nonexist_case_handler
@assignment = Assignment.find(params[:id])
@assignment.course_id = params[:course_id]
if @assignment.save- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
File assignments_controller.rb has 326 lines of code (exceeds 250 allowed). Consider refactoring. Open
class AssignmentsController < ApplicationController
include AssignmentHelper
autocomplete :user, :name
before_action :authorize
Assignment Branch Condition size for edit is too high. [29.58/15] Open
def edit
ExpertizaLogger.error LoggerMessage.new(controller_name, session[:user].name, "Timezone not specified", request) if current_user.timezonepref.nil?
flash.now[:error] = "You have not specified your preferred timezone yet. Please do this before you set up the deadlines." if current_user.timezonepref.nil?
edit_params_setting
assignment_form_assignment_staggered_deadline?- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for handle_rubrics_not_assigned_case is too high. [29.22/15] Open
def handle_rubrics_not_assigned_case
if !empty_rubrics_list.empty? && request.original_fullpath == "/assignments/#{@assignment_form.assignment.id}/edit"
rubrics_needed = needed_rubrics(empty_rubrics_list)
ExpertizaLogger.error LoggerMessage.new(controller_name, session[:user].name, "Rubrics missing for #{@assignment_form.assignment.name}.", request)
if flash.now[:error] != "Failed to save the assignment: [\"Total weight of rubrics should add up to either 0 or 100%\"]"- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for action_allowed? is too high. [25.51/15] Open
def action_allowed?
if %w[edit update list_submissions].include? params[:action]
assignment = Assignment.find(params[:id])
(%w[Super-Administrator Administrator].include? current_role_name) ||
(assignment.instructor_id == current_user.try(:id)) ||- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for retrieve_assignment_form is too high. [22.23/15] Open
def retrieve_assignment_form
@assignment_form = AssignmentForm.create_form_object(params[:id])
@assignment_form.assignment.instructor ||= current_user
params[:assignment_form][:assignment_questionnaire].reject! do |q|
q[:questionnaire_id].empty?- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for copy is too high. [19.42/15] Open
def copy
@user = current_user
session[:copy_flag] = true
# check new assignment submission directory and old assignment submission directory
old_assign = Assignment.find(params[:id])- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for update_feedback_assignment_form_attributes is too high. [19.34/15] Open
def update_feedback_assignment_form_attributes
if params[:set_pressed][:bool] == 'false'
flash[:error] = "There has been some submissions for the rounds of reviews that you're trying to reduce. You can only increase the round of review."
else
if @assignment_form.update_attributes(assignment_form_params, current_user)- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Assignment Branch Condition size for empty_rubrics_list is too high. [18.47/15] Open
def empty_rubrics_list
rubrics_list = %w[ReviewQuestionnaire
MetareviewQuestionnaire AuthorFeedbackQuestionnaire
TeammateReviewQuestionnaire BookmarkRatingQuestionnaire]
@assignment_questionnaires.each do |aq|- Read upRead up
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Method create has 33 lines of code (exceeds 25 allowed). Consider refactoring. Open
def create
@assignment_form = AssignmentForm.new(assignment_form_params)
if params[:button]
if @assignment_form.save
@assignment_form.create_assignment_nodeMethod create has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
def create
@assignment_form = AssignmentForm.new(assignment_form_params)
if params[:button]
if @assignment_form.save
@assignment_form.create_assignment_node- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method empty_rubrics_list has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
def empty_rubrics_list
rubrics_list = %w[ReviewQuestionnaire
MetareviewQuestionnaire AuthorFeedbackQuestionnaire
TeammateReviewQuestionnaire BookmarkRatingQuestionnaire]
@assignment_questionnaires.each do |aq|- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Use a guard clause instead of wrapping the code inside a conditional expression. Open
if current_user.timezonepref.nil?- Read upRead up
- Exclude checks
Use a guard clause instead of wrapping the code inside a conditional expression
Example:
# bad
def test
if something
work
end
end
# good
def test
return unless something
work
end
# also good
def test
work if something
end
# bad
if something
raise 'exception'
else
ok
end
# good
raise 'exception' if something
okLine is too long. [180/160] Open
flash[:error] = "We strongly suggest that instructors specify their preferred timezone to guarantee the correct display time. For now we assume you are in " + parent_timezone- Exclude checks
Use a guard clause instead of wrapping the code inside a conditional expression. Open
if !empty_rubrics_list.empty? && request.original_fullpath == "/assignments/#{@assignment_form.assignment.id}/edit"- Read upRead up
- Exclude checks
Use a guard clause instead of wrapping the code inside a conditional expression
Example:
# bad
def test
if something
work
end
end
# good
def test
return unless something
work
end
# also good
def test
work if something
end
# bad
if something
raise 'exception'
else
ok
end
# good
raise 'exception' if something
okConvert if nested inside else to elsif. Open
if @assignment_form.update_attributes(assignment_form_params, current_user)- Read upRead up
- Exclude checks
If the else branch of a conditional consists solely of an if node,
it can be combined with the else to become an elsif.
This helps to keep the nesting level from getting too deep.
Example:
# bad
if condition_a
action_a
else
if condition_b
action_b
else
action_c
end
end
# good
if condition_a
action_a
elsif condition_b
action_b
else
action_c
end