Backported r9136 from trunk.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.3-stable@9152 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 932ba7fff84bed960d49b70650c1ee13632e5491..defe581596b38ac3e905f3aebe1d728593742d73 100644 (file)
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -105,7 +105,7 @@ class TimelogController < ApplicationController
 
   def new
     @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
     render :action => 'edit'
@@ -114,7 +114,7 @@ class TimelogController < ApplicationController
   verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
     @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
 
@@ -135,14 +135,14 @@ class TimelogController < ApplicationController
   end
 
   def edit
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
   end
 
   verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
   def update
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
 
@@ -173,7 +173,7 @@ class TimelogController < ApplicationController
     unsaved_time_entry_ids = []
     @time_entries.each do |time_entry|
       time_entry.reload
-      time_entry.attributes = attributes
+      time_entry.safe_attributes = attributes
       call_hook(:controller_time_entries_bulk_edit_before_save, { :params => params, :time_entry => time_entry })
       unless time_entry.save
         # Keep unsaved time_entry ids to display them in flash error

diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb
index 1afe54829bb03f30bd27f5d63651f9175852b95b..7e2033084a212a8f32a40a7f11868f5c65e846d6 100644 (file)
--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class TimeEntry < ActiveRecord::Base
+  include Redmine::SafeAttributes
   # could have used polymorphic association
   # project association here allows easy loading of time entries at project level with one database trip
   belongs_to :project
@@ -46,6 +47,8 @@ class TimeEntry < ActiveRecord::Base
     :conditions => Project.allowed_to_condition(args.shift || User.current, :view_time_entries, *args)
   }}
 
+  safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
+
   def after_initialize
     if new_record? && self.activity.nil?
       if default_activity = TimeEntryActivity.default