end
def new
- @tracker ||= Tracker.new(params[:tracker])
+ @tracker ||= Tracker.new
+ @tracker.safe_attributes = params[:tracker]
@trackers = Tracker.sorted.to_a
@projects = Project.all
end
def create
- @tracker = Tracker.new(params[:tracker])
+ @tracker = Tracker.new
+ @tracker.safe_attributes = params[:tracker]
if @tracker.save
# workflow copy
if !params[:copy_workflow_from].blank? && (copy_from = Tracker.find_by_id(params[:copy_workflow_from]))
def update
@tracker = Tracker.find(params[:id])
- if @tracker.update_attributes(params[:tracker])
+ @tracker.safe_attributes = params[:tracker]
+ if @tracker.save
respond_to do |format|
format.html {
flash[:notice] = l(:notice_successful_update)
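Review bot: In `update`, the attribute assignment and the `save` are now two separate steps, so they no longer run inside the single transaction that `update_attributes` wrapped around both. The whitelist added in this commit includes `project_ids` and `custom_field_ids`. If these are collection associations (their declarations are not visible here), Rails writes such `*_ids=` assignments for a persisted record at assignment time, so when `save` then returns false the association change would presumably stay committed while the form reports an error. Wrapping both steps in `Tracker.transaction` and rolling back on a failed save restores the all-or-nothing behaviour. The rest of `update` continues outside the hunk.

```ruby
@tracker = Tracker.find(params[:id])
saved = Tracker.transaction do
  @tracker.safe_attributes = params[:tracker]
  # Undo association writes made during assignment when the save fails.
  @tracker.save || raise(ActiveRecord::Rollback)
end
if saved
  # … unchanged: respond_to block …
```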
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Tracker < ActiveRecord::Base
+ include Redmine::SafeAttributes
CORE_FIELDS_UNDISABLABLE = %w(project_id tracker_id subject description priority_id is_private).freeze
# Fields that can be disabled
joins(:projects).where(condition).distinct
}
+ safe_attributes 'name',
+ 'default_status_id',
+ 'is_in_roadmap',
+ 'core_fields',
+ 'position',
+ 'custom_field_ids',
+ 'project_ids'
+
def to_s; name end
def <=>(tracker)
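Review bot: The `safe_attributes` list is declared without a condition, so every caller of `safe_attributes=` can set `project_ids` and `custom_field_ids` regardless of which user the assignment is evaluated for. Restricting tracker edits to administrators then rests entirely on a controller filter that this diff does not show. If `Redmine::SafeAttributes` accepts the `:if` option here as it does on other Redmine models, ending the list with `:if => lambda {|tracker, user| user.admin?}` would keep the model safe should another entry point (an API or a plugin) be added later. Otherwise a comment above the list, `# Mass-assignable by administrators only; access control is enforced in the controller`, would at least record the assumption.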