# POST /groups
# POST /groups.xml
def create
- @group = Group.new(params[:group])
+ @group = Group.new
+ @group.safe_attributes = params[:group]
respond_to do |format|
if @group.save
# PUT /groups/1.xml
def update
@group = Group.find(params[:id])
+ @group.safe_attributes = params[:group]
respond_to do |format|
- if @group.update_attributes(params[:group])
+ if @group.save
flash[:notice] = l(:notice_successful_update)
format.html { redirect_to(groups_path) }
format.xml { head :ok }
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Group < Principal
+ include Redmine::SafeAttributes
+
has_and_belongs_to_many :users, :after_add => :user_added,
:after_remove => :user_removed
before_destroy :remove_references_before_destroy
+ safe_attributes 'name',
+ 'custom_field_values',
+ 'custom_fields',
+ :if => lambda {|group, user| user.admin?}
+
def to_s
lastname.to_s
end