Enforce stricter class filtering in WatchersController (35463).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@21235 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2021-10-05 16:46:03 +00:00 · 2021-10-05 16:46:03 +00:00 · 04e27aa161
commit 04e27aa161
parent a0ef175ffe
1 changed files with 3 additions and 1 deletions
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@ -158,7 +158,9 @@ class WatchersController < ApplicationController
      rescue
        nil
      end
-    return unless klass && klass.respond_to?('watched_by')
+    return unless klass && Class === klass # rubocop:disable Style/CaseEquality
+    return unless klass < ActiveRecord::Base
+    return unless klass < Redmine::Acts::Watchable::InstanceMethods

    scope = klass.where(:id => Array.wrap(params[:object_id]))
    if klass.reflect_on_association(:project)