Use strong params for CustomFieldEnumeration.

git-svn-id: http://svn.redmine.org/redmine/trunk@16603 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/custom_field_enumerations_controller.rb b/app/controllers/custom_field_enumerations_controller.rb
index f20269b31f16fbb6626d8e571438fe1858518eb8..5ec5162b1c11d968dc0d0f90c4f2634724ae8b4b 100644 (file)
--- a/app/controllers/custom_field_enumerations_controller.rb
+++ b/app/controllers/custom_field_enumerations_controller.rb
@@ -31,7 +31,7 @@ class CustomFieldEnumerationsController < ApplicationController
 
   def create
     @value = @custom_field.enumerations.build
-    @value.safe_attributes = params[:custom_field_enumeration]
+    @value.attributes = enumeration_params
     @value.save
     respond_to do |format|
       format.html { redirect_to custom_field_enumerations_path(@custom_field) }
@@ -40,9 +40,7 @@ class CustomFieldEnumerationsController < ApplicationController
   end
 
   def update_each
-    saved = CustomFieldEnumeration.update_each(@custom_field, params[:custom_field_enumerations]) do |enumeration, enumeration_attributes|
-      enumeration.safe_attributes = enumeration_attributes
-    end
+    saved = CustomFieldEnumeration.update_each(@custom_field, update_each_params)
     if saved
       flash[:notice] = l(:notice_successful_update)
     end
@@ -73,4 +71,14 @@ class CustomFieldEnumerationsController < ApplicationController
   rescue ActiveRecord::RecordNotFound
     render_404
   end
+
+  def enumeration_params
+    params.require(:custom_field_enumeration).permit(:name, :active, :position)
+  end
+
+  def update_each_params
+    # params.require(:custom_field_enumerations).permit(:name, :active, :position) does not work here with param like this:
+    # "custom_field_enumerations":{"0":{"name": ...}, "1":{"name...}}
+    params.permit(:custom_field_enumerations => [:name, :active, :position]).require(:custom_field_enumerations)
+  end
 end

diff --git a/app/models/custom_field_enumeration.rb b/app/models/custom_field_enumeration.rb
index 6cc9daae92521a86db09a6f354f43e273fcd88b2..ea2ee47f3b9393f37ad676eb9971269f88a84ad8 100644 (file)
--- a/app/models/custom_field_enumeration.rb
+++ b/app/models/custom_field_enumeration.rb
@@ -16,10 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class CustomFieldEnumeration < ActiveRecord::Base
-  include Redmine::SafeAttributes
-
   belongs_to :custom_field
-  attr_accessible :name, :active, :position
 
   validates_presence_of :name, :position, :custom_field_id
   validates_length_of :name, :maximum => 60
@@ -28,10 +25,6 @@ class CustomFieldEnumeration < ActiveRecord::Base
 
   scope :active, lambda { where(:active => true) }
 
-  safe_attributes 'name',
-    'active',
-    'position'
-
   def to_s
     name.to_s
   end
@@ -57,7 +50,6 @@ class CustomFieldEnumeration < ActiveRecord::Base
   end
 
   def self.update_each(custom_field, attributes)
-    return unless attributes.is_a?(Hash)
     transaction do
       attributes.each do |enumeration_id, enumeration_attributes|
         enumeration = custom_field.enumerations.find_by_id(enumeration_id)

diff --git a/test/functional/custom_field_enumerations_controller_test.rb b/test/functional/custom_field_enumerations_controller_test.rb
index 913517ae1e830f8bf21da0af35deb90556dcab90..3670af28803d9f4b0270e83aaeec66f404a5d027 100644 (file)
--- a/test/functional/custom_field_enumerations_controller_test.rb
+++ b/test/functional/custom_field_enumerations_controller_test.rb
@@ -75,12 +75,12 @@ class CustomFieldEnumerationsControllerTest < Redmine::ControllerTest
     put :update_each, :params => {
         :custom_field_id => @field.id,
         :custom_field_enumerations => {
-          @bar.id => {
+          @bar.id.to_s => {
             :position => "1",
             :name => "Baz",
             :active => "1"
           },    
-                @foo.id => {
+          @foo.id.to_s => {
             :position => "2",
             :name => "Foo",
             :active => "0"