Use safe_attributes for issue watchers assignment.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 13 Dec 2011 19:50:44 +0000 (19:50 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 13 Dec 2011 19:50:44 +0000 (19:50 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/issues_controller.rb
app/models/issue.rb

index 3ce25a1348ce4cd8af22c2d40633594bd29c8073..353a3b977d9d9860b3e0766372771314ac6916a6 100644 (file)
@@ -312,12 +312,8 @@ private
       return false
     end
     @issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
-    if params[:issue].is_a?(Hash)
-      @issue.safe_attributes = params[:issue]
-      if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
-        @issue.watcher_user_ids = params[:issue]['watcher_user_ids']
-      end
-    end
+    @issue.safe_attributes = params[:issue]
+
     @priorities = IssuePriority.active
     @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
   end
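Review bot: The new unconditional `@issue.safe_attributes = params[:issue]` drops the `params[:issue].is_a?(Hash)` guard the removed lines had, so a request that sends `issue` as a scalar (e.g. `?issue=x`) or omits it now reaches the setter with a String or nil. Unless `Issue#safe_attributes=` itself returns early on non-Hash input (its head is outside this diff), that raises where the old code silently skipped assignment; `@issue.safe_attributes = params[:issue] if params[:issue].is_a?(Hash)` keeps the old behaviour with no loss. The watcher permission check now lives in the model's `:if` lambda, which is equivalent only if `@issue.project` is already set when this line runs; the start of this private method is outside the hunk, so that ordering cannot be confirmed here.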
index 7a580737c3ed86b63d91c5e464ccc4c764beb530..1723d1c0807f7696f92f4bd6cbac470e4cf8d4a1 100644 (file)
@@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base
     'done_ratio',
     :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
 
+  safe_attributes 'watcher_user_ids',
+    :if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)} 
+
   safe_attributes 'is_private',
     :if => lambda {|issue, user|
       user.allowed_to?(:set_issues_private, issue.project) ||
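Review bot: The `:if` lambda on `watcher_user_ids` gates who may assign watchers, but nothing in this hunk constrains which user ids are accepted; unless `watcher_user_ids=` (from the watchable module, not shown) filters candidates against the users allowed to watch the issue, a user holding `add_issue_watchers` could subscribe arbitrary accounts, including ones without view access to the issue and its notifications. Either filter in the setter or state the guarantee next to the declaration, e.g. `# ids are checked against addable_watcher_users by watcher_user_ids=`. The lambda also reads `issue.project`, so the project must be assigned before `safe_attributes=` runs; `allowed_to?` with a nil project presumably denies, but a comment such as `# project must be set before safe_attributes= or this check always denies` makes the dependency explicit. The trailing whitespace after the closing `}` on the lambda line should be dropped.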
@@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base
       end
     end
 
-    self.attributes = attrs
+    # mass-assignment security bypass
+    self.send :attributes=, attrs, false
   end
 
   def done_ratio
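Review bot: The comment `# mass-assignment security bypass` above `self.send :attributes=, attrs, false` says what the line does but not why it is acceptable, and it reads like a warning rather than a justification: the `false` skips `attr_protected`/`attr_accessible`, so whatever filtering `safe_attributes=` applied to `attrs` earlier in this method (outside the hunk) becomes the only check on those keys. Replace it with the invariant, e.g. `# attrs is presumed already reduced to the safe_attributes whitelist above, so Rails' attr_protected guard is skipped on purpose (watcher_user_ids is not an accessible attribute); send is used because a plain attributes= call would parse the two arguments as an Array`. Because the `:if` lambdas are evaluated before these assignments take effect, keys admitted under the pre-assignment state (e.g. `new_record?`, the current project) are now written without a second guard, which is worth re-checking against the filtering order above. The head of `safe_attributes=` is outside this hunk.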