From: Jean-Philippe Lang
Date: Sun, 17 Jul 2016 06:43:12 +0000 (+0000)
Subject: Use safe_attributes for user preferences.
X-Git-Tag: 3.4.0~775
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=43d8ab8288e1d1f561d3fc530472ddb0042db5fe;p=redmine.git

Use safe_attributes for user preferences.

git-svn-id: http://svn.redmine.org/redmine/trunk@15688 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 9f4aff85e..0dc1e9811 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -123,7 +123,7 @@ class AccountController < ApplicationController
 user_params = params[:user] || {}
 @user = User.new
 @user.safe_attributes = user_params
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.pref.safe_attributes = params[:pref]
 @user.admin = false
 @user.register
 if session[:auth_source_registration]
diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 6597fb245..73ac2222c 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -56,8 +56,8 @@ class MyController < ApplicationController
 @user = User.current
 @pref = @user.pref
 if request.post?
- @user.safe_attributes = params[:user] if params[:user]
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.safe_attributes = params[:user]
+ @user.pref.safe_attributes = params[:pref]
 if @user.save
 @user.pref.save
 set_language_if_valid @user.language
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f9632fe6b..bf8152b99 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
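Review bot: The `if params[:pref]` guard is dropped on the `+` line, so `safe_attributes=` is now reached with `nil` whenever the registration form posts no preference fields; that is only safe if `Redmine::SafeAttributes#safe_attributes=` ignores non-Hash input, which the already-unguarded `@user.safe_attributes = params[:user]` in the users_controller hunk suggests but this hunk does not show. A short comment on the new line would record the assumption, e.g. `# safe_attributes= ignores nil/non-Hash input, so no params[:pref] guard is needed`; otherwise keep `if params[:pref]`. The same point applies to the my_controller and users_controller hunks, so one shared note is enough. The enclosing registration action starts and ends outside the hunk.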
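Review bot: The new `@user.pref.safe_attributes = params[:pref]` line reaches through `@user.pref` again although `@pref = @user.pref` was captured two lines above, so the object the form is assigned to and the `@pref` the view presumably renders are only the same if `User#pref` memoizes, which is not visible here. Using the captured instance, `@pref.safe_attributes = params[:pref]`, removes that dependency and matches the style of the surrounding lines that already name `@pref`. The `@user.pref.save` on the context line below has the same shape but predates this commit. The enclosing action starts and ends outside the hunk.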
@@ -90,7 +90,7 @@ class UsersController < ApplicationController
 @user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false)
 @user.safe_attributes = params[:user]
 @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id
- @user.pref.attributes = params[:pref] if params[:pref]
+ @user.pref.safe_attributes = params[:pref]
 
 if @user.save
 Mailer.account_information(@user, @user.password).deliver if params[:send_information]
diff --git a/app/models/user_preference.rb b/app/models/user_preference.rb
index 0fdbfb508..52d120c74 100644
--- a/app/models/user_preference.rb
+++ b/app/models/user_preference.rb
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class UserPreference < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
 belongs_to :user
 serialize :others
 
@@ -23,6 +25,12 @@ class UserPreference < ActiveRecord::Base
 
 before_save :set_others_hash
 
+ safe_attributes 'hide_mail',
+ 'time_zone',
+ 'comments_sorting',
+ 'warn_on_leaving_unsaved',
+ 'no_self_notified'
+
 def initialize(attributes=nil, *args)
 super
 if new_record? && !(attributes && attributes.key?(:hide_mail))
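Review bot: The `safe_attributes` list on the `+` lines is now the allowlist behind every `pref.safe_attributes = params[:pref]` call in the three controller hunks, yet nothing records why the serialized `others` column (visible in the previous hunk) and the `user_id` key implied by `belongs_to :user` are left out of it. A comment above the declaration would protect that choice from a later "add the missing column" edit, e.g. `# Preference fields assignable from request params (AccountController, MyController, UsersController). 'others' and 'user_id' are deliberately omitted so callers cannot inject keys into the serialized hash or re-point the row to another user.` Keys absent from the list are presumably dropped silently rather than rejected, so any preference setter added later must also be listed here or its form field is ignored without error; the comment should say so. The class body continues on both sides of the hunk.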