extracted MonAvisEmbedValidator

This commit is contained in:
clemkeirua 2019-07-17 17:13:08 +02:00 committed by Pierre de La Morinerie
parent 91d10c0cf7
commit ee8a1092e4
2 changed files with 10 additions and 10 deletions

View file

@ -71,16 +71,7 @@ class Procedure < ApplicationRecord
validates :duree_conservation_dossiers_hors_ds, allow_nil: false, numericality: { only_integer: true, greater_than_or_equal_to: 0 }, if: :durees_conservation_required
validates :duree_conservation_dossiers_dans_ds, allow_nil: true, numericality: { only_integer: true, greater_than_or_equal_to: 1, less_than_or_equal_to: MAX_DUREE_CONSERVATION }, unless: :durees_conservation_required
validates :duree_conservation_dossiers_hors_ds, allow_nil: true, numericality: { only_integer: true, greater_than_or_equal_to: 0 }, unless: :durees_conservation_required
class MonavisValidator < ActiveModel::Validator
def validate(record)
r = Regexp.new('<a href="https://monavis.numerique.gouv.fr/Demarches/\d+.*key=[[:alnum:]]+.*">\s*<img src="https://monavis.numerique.gouv.fr/monavis-static/bouton-blanc|bleu.png" alt="Je donne mon avis" title="Je donne mon avis sur cette démarche" />\s*</a>', Regexp::MULTILINE)
if record.monavis_embed.present? && !r.match?(record.monavis_embed)
record.errors[:base] << "Le code fourni ne correspond pas au format des codes Monavis reconnus par la plateforme."
end
end
end
validates_with MonavisValidator
validates_with MonAvisEmbedValidator
before_save :update_juridique_required
before_save :update_durees_conservation_required
before_create :ensure_path_exists

View file

@ -0,0 +1,9 @@
class MonAvisEmbedValidator < ActiveModel::Validator
def validate(record)
# We need to ensure the embed code is not any random string in order to avoid injections
r = Regexp.new('<a href="https://monavis.numerique.gouv.fr/Demarches/\d+.*key=[[:alnum:]]+.*">\s*<img src="https://monavis.numerique.gouv.fr/monavis-static/bouton-blanc|bleu.png" alt="Je donne mon avis" title="Je donne mon avis sur cette démarche" />\s*</a>', Regexp::MULTILINE)
if record.monavis_embed.present? && !r.match?(record.monavis_embed)
record.errors[:base] << "Le code fourni ne correspond pas au format des codes MonAvis reconnus par la plateforme."
end
end
end