Merged r9129 from trunk.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 7 Mar 2012 18:22:06 +0000 (18:22 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 7 Mar 2012 18:22:06 +0000 (18:22 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.3-stable@9146 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/comments_controller.rb
app/models/comment.rb

index 230af5caf54639e9966b2a60686202ee7e2a944e..a9e7a605e94a78e086cb8d37f359693ec7a9339a 100644 (file)
@@ -7,7 +7,8 @@ class CommentsController < ApplicationController
 
   verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
-    @comment = Comment.new(params[:comment])
+    @comment = Comment.new
+    @comment.safe_attributes = params[:comment]
     @comment.author = User.current
     if @news.comments << @comment
       flash[:notice] = l(:label_comment_added)
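Review bot: The switch to `safe_attributes=` in `create` arrives without a regression test. The commit lists only the controller and the model, so nothing asserts that keys other than `comments` in `params[:comment]` are discarded. A functional test that posts a comment with an extra `author_id` and checks that the saved comment's author is still `User.current` would keep the whitelist from being loosened unnoticed. A short comment above the assignment would also record the intent, e.g. `# Assign only whitelisted attributes from the request; author is set server-side below`. The body of `create` continues past the end of the hunk.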
index 701f0344e651380e3fb8d2a6537bf31b20261b6d..4b7e098f12f08e0af42f14958c003c482238f6ec 100644 (file)
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class Comment < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :commented, :polymorphic => true, :counter_cache => true
   belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
 
   validates_presence_of :commented, :author, :comments
+
+  safe_attributes 'comments'
 end
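Review bot: `safe_attributes 'comments'` only protects callers that assign through `safe_attributes=`. The class as shown declares no `attr_protected` or `attr_accessible`, so a `Comment.new(hash)` or `attributes=` call elsewhere would still accept `author_id` and, presumably, the polymorphic `commented_id`/`commented_type` columns. If no other code relies on mass-assigning those, consider adding `attr_protected :author_id, :commented_id, :commented_type` as a second layer. Otherwise state the contract above the declaration, e.g. `# Request params must go through safe_attributes=, never Comment.new(params)`.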