From: Jean-Philippe Lang
Date: Sat, 12 Mar 2016 13:09:23 +0000 (+0000)
Subject: Verify assigned_to_id when assigning safe_attributes (#22127).
X-Git-Tag: 3.3.0~206
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9473a373a50dca54ad0400f5ea4a4273a3a17851;p=redmine.git

Verify assigned_to_id when assigning safe_attributes (#22127).

Patch by Jan Schulz-Hofen.

git-svn-id: http://svn.redmine.org/redmine/trunk@15223 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 8282e091b..867ff85da 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -495,6 +495,17 @@ class Issue < ActiveRecord::Base
     if new_record? && !statuses_allowed.include?(status)
       self.status = statuses_allowed.first || default_status
     end
+    if (u = attrs.delete('assigned_to_id')) && safe_attribute?('assigned_to_id')
+      if u.blank?
+        self.assigned_to_id = nil
+      else
+        u = u.to_i
+        if assignable_users.any?{|assignable_user| assignable_user.id == u}
+          self.assigned_to_id = u
+        end
+      end
+    end
+
     attrs = delete_unsafe_attributes(attrs, user)
     return if attrs.empty?
 
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 52d5c2013..1ed30e59b 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
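Review bot: The new guard calls `safe_attribute?('assigned_to_id')` without the `user` that `safe_attributes=` receives, while the unchanged `attrs = delete_unsafe_attributes(attrs, user)` two lines below does pass it; if `safe_attribute?` accepts an optional user (presumably defaulting to the current user), the two checks can disagree when this method is invoked on behalf of a user other than `User.current`, so the call should read `safe_attribute?('assigned_to_id', user)`. A second point is that an id outside `assignable_users` is dropped silently, so a submitter of an unassignable or non-numeric value (`'abc'.to_i` is 0, which matches no user) keeps the previous assignee with no error; a comment such as `# an assignee outside assignable_users is ignored rather than rejected` would make that intent explicit to maintainers. The enclosing `safe_attributes=` method starts and ends outside the hunk.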
@@ -790,6 +790,40 @@ class IssueTest < ActiveSupport::TestCase
     assert_nil issue.custom_field_value(cf2)
   end
 
+  def test_safe_attributes_should_ignore_unassignable_assignee
+    issue = Issue.new(:project_id => 1, :tracker_id => 1, :author_id => 3,
+                      :status_id => 1, :priority => IssuePriority.all.first,
+                      :subject => 'test_create')
+    assert issue.valid?
+
+    # locked user, not allowed
+    issue.safe_attributes=({'assigned_to_id' => '5'})
+    assert_nil issue.assigned_to_id
+    # no member
+    issue.safe_attributes=({'assigned_to_id' => '1'})
+    assert_nil issue.assigned_to_id
+    # user 2 is ok
+    issue.safe_attributes=({'assigned_to_id' => '2'})
+    assert_equal 2, issue.assigned_to_id
+    assert issue.save
+
+    issue.reload
+    assert_equal 2, issue.assigned_to_id
+    issue.safe_attributes=({'assigned_to_id' => '5'})
+    assert_equal 2, issue.assigned_to_id
+    issue.safe_attributes=({'assigned_to_id' => '1'})
+    assert_equal 2, issue.assigned_to_id
+    # user 3 is also ok
+    issue.safe_attributes=({'assigned_to_id' => '3'})
+    assert_equal 3, issue.assigned_to_id
+    assert issue.save
+
+    # removal of assignee
+    issue.safe_attributes=({'assigned_to_id' => ''})
+    assert_nil issue.assigned_to_id
+    assert issue.save
+  end
+
   def test_editable_custom_field_values_should_return_non_readonly_custom_values
     cf1 = IssueCustomField.create!(:name => 'Writable field', :field_format => 'string', :is_for_all => true, :tracker_ids => [1, 2])
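Review bot: The new test covers a locked user, a non-member, two members and the blank removal value, but not a non-numeric string, which the model converts with `to_i` to 0 before the assignable-users check; adding `issue.safe_attributes=({'assigned_to_id' => 'abc'})` followed by `assert_nil issue.assigned_to_id` right after `assert issue.valid?` would pin that path. Every call also relies on the default current user, so the branch where `assigned_to_id` is not a safe attribute for the acting user (and the value is dropped before the assignable check) stays unexercised; a second case passing an explicit user to `safe_attributes=` would cover it.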