From: Jean-Philippe Lang Date: Wed, 7 Mar 2012 18:32:54 +0000 (+0000) Subject: Backported r9136 from trunk. X-Git-Tag: 1.3.2~8 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=5475e0dcc5d3220c45510f0d7f957987f525363c;p=redmine.git Backported r9136 from trunk. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.3-stable@9152 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb index 932ba7fff..defe58159 100644 --- a/app/controllers/timelog_controller.rb +++ b/app/controllers/timelog_controller.rb @@ -105,7 +105,7 @@ class TimelogController < ApplicationController def new @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today) - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) render :action => 'edit' @@ -114,7 +114,7 @@ class TimelogController < ApplicationController verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } def create @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today) - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) @@ -135,14 +135,14 @@ class TimelogController < ApplicationController end def edit - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) end verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } def update - @time_entry.attributes = params[:time_entry] + @time_entry.safe_attributes = params[:time_entry] call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry }) @@ -173,7 +173,7 @@ class TimelogController < ApplicationController unsaved_time_entry_ids = [] @time_entries.each do |time_entry| time_entry.reload - time_entry.attributes = attributes + time_entry.safe_attributes = attributes call_hook(:controller_time_entries_bulk_edit_before_save, { :params => params, :time_entry => time_entry }) unless time_entry.save # Keep unsaved time_entry ids to display them in flash error diff --git a/app/models/time_entry.rb b/app/models/time_entry.rb index 1afe54829..7e2033084 100644 --- a/app/models/time_entry.rb +++ b/app/models/time_entry.rb @@ -16,6 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class TimeEntry < ActiveRecord::Base + include Redmine::SafeAttributes # could have used polymorphic association # project association here allows easy loading of time entries at project level with one database trip belongs_to :project @@ -46,6 +47,8 @@ class TimeEntry < ActiveRecord::Base :conditions => Project.allowed_to_condition(args.shift || User.current, :view_time_entries, *args) }} + safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values' + def after_initialize if new_record? && self.activity.nil? if default_activity = TimeEntryActivity.default