Use safe_attributes in GroupsController.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Fri, 1 Jun 2012 19:06:16 +0000 (19:06 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Fri, 1 Jun 2012 19:06:16 +0000 (19:06 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9746 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/groups_controller.rb
app/models/group.rb

index 4b05d02ef7748844f229c01e4b168541b7d27e39..834c27ec1b867214f2efbef0cdfb2c74fe6d9ca7 100644 (file)
@@ -63,7 +63,8 @@ class GroupsController < ApplicationController
   # POST /groups
   # POST /groups.xml
   def create
-    @group = Group.new(params[:group])
+    @group = Group.new
+    @group.safe_attributes = params[:group]
 
     respond_to do |format|
       if @group.save
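Review bot: Nothing in this commit tests that keys outside the whitelist are ignored by `create`, or by `update` in the next hunk; the commit touches only the controller and the model. Because `Group` inherits from `Principal`, a later regression to `Group.new(params[:group])` would likely expose inherited columns to request parameters again. A functional test for each action that sends one extra key in `params[:group]` and asserts the saved record does not carry it would pin the new behaviour. A one-line comment above the assignment would also help, e.g. `# Assign only the attributes whitelisted by Group.safe_attributes; other keys are dropped.` The `respond_to` block continues outside the hunk.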
@@ -83,9 +84,10 @@ class GroupsController < ApplicationController
   # PUT /groups/1.xml
   def update
     @group = Group.find(params[:id])
+    @group.safe_attributes = params[:group]
 
     respond_to do |format|
-      if @group.update_attributes(params[:group])
+      if @group.save
         flash[:notice] = l(:notice_successful_update)
         format.html { redirect_to(groups_path) }
         format.xml  { head :ok }
index 80c97c3ac97c8df226c04ba656b9278d0a970d9a..a269c5c162f765cbf99260fcc93fb63be77a5d3a 100644 (file)
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class Group < Principal
+  include Redmine::SafeAttributes
+
   has_and_belongs_to_many :users, :after_add => :user_added,
                                   :after_remove => :user_removed
 
@@ -27,6 +29,11 @@ class Group < Principal
 
   before_destroy :remove_references_before_destroy
 
+  safe_attributes 'name',
+    'custom_field_values',
+    'custom_fields',
+    :if => lambda {|group, user| user.admin?}
+
   def to_s
     lastname.to_s
   end
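Review bot: The `:if => lambda {|group, user| user.admin?}` condition covers all three names, so for a user who is not an administrator `safe_attributes=` appears to assign nothing and report nothing; the declaration should say that this is intended. A comment above it would do, e.g. `# Only administrators may set these attributes; any other key, and every key for non-admins, is silently ignored.` The controller calls `safe_attributes=` without passing a user, so the `user` handed to the lambda presumably defaults to the current user; confirm in `Redmine::SafeAttributes` that it is never nil, since `user.admin?` would raise otherwise. It is also worth noting in that comment why both `custom_field_values` and `custom_fields` are listed. The `Group` class body continues outside the hunk.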