From: Jean-Philippe Lang
Date: Sat, 16 Jul 2016 09:34:45 +0000 (+0000)
Subject: Use safe_attributes.
X-Git-Tag: 3.4.0~794
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=dca56a0350c38bc78cae294800d928b11d625f66;p=redmine.git

Use safe_attributes.

git-svn-id: http://svn.redmine.org/redmine/trunk@15669 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/trackers_controller.rb b/app/controllers/trackers_controller.rb
index 49856e352..72dbdaf7c 100644
--- a/app/controllers/trackers_controller.rb
+++ b/app/controllers/trackers_controller.rb
@@ -31,13 +31,15 @@ class TrackersController < ApplicationController
   end
 
   def new
-    @tracker ||= Tracker.new(params[:tracker])
+    @tracker ||= Tracker.new
+    @tracker.safe_attributes = params[:tracker]
     @trackers = Tracker.sorted.to_a
     @projects = Project.all
   end
 
   def create
-    @tracker = Tracker.new(params[:tracker])
+    @tracker = Tracker.new
+    @tracker.safe_attributes = params[:tracker]
     if @tracker.save
       # workflow copy
       if !params[:copy_workflow_from].blank? && (copy_from = Tracker.find_by_id(params[:copy_workflow_from]))
@@ -58,7 +60,8 @@ class TrackersController < ApplicationController
 
   def update
     @tracker = Tracker.find(params[:id])
-    if @tracker.update_attributes(params[:tracker])
+    @tracker.safe_attributes = params[:tracker]
+    if @tracker.save
       respond_to do |format|
         format.html {
           flash[:notice] = l(:notice_successful_update)
diff --git a/app/models/tracker.rb b/app/models/tracker.rb
index 41db78804..2dcbaed04 100644
--- a/app/models/tracker.rb
+++ b/app/models/tracker.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class Tracker < ActiveRecord::Base
+  include Redmine::SafeAttributes
   CORE_FIELDS_UNDISABLABLE = %w(project_id tracker_id subject description priority_id is_private).freeze
   # Fields that can be disabled
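Review bot: In `new`, the added `@tracker.safe_attributes = params[:tracker]` now runs on a plain GET of the form, where `params[:tracker]` is nil; whether that is harmless depends on `Redmine::SafeAttributes#safe_attributes=` ignoring non-Hash input, which this diff does not show. If the mixin has no such guard, write `@tracker.safe_attributes = params[:tracker] if params[:tracker]` instead. Also worth a one-line comment on `create`, since this changes the failure mode from the old constructor call: attributes that are not in the model's `safe_attributes` list are now dropped silently rather than rejected, so a form field that is added without extending the allowlist will appear to save and do nothing, e.g. `# keys absent from Tracker.safe_attributes are discarded, not rejected`. `create` continues past the end of the hunk.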
@@ -69,6 +70,14 @@ class Tracker < ActiveRecord::Base
     joins(:projects).where(condition).distinct
   }
 
+  safe_attributes 'name',
+    'default_status_id',
+    'is_in_roadmap',
+    'core_fields',
+    'position',
+    'custom_field_ids',
+    'project_ids'
+
   def to_s; name end
 
   def <=>(tracker)
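Review bot: The `safe_attributes` declaration has no `:if` condition, so every listed attribute — including the association writers `project_ids` and `custom_field_ids` and the ordering field `position` — becomes mass-assignable from any request that reaches a `safe_attributes=` call on Tracker, which is presumably acceptable only because trackers are edited through an administrator-only controller, something this diff does not show. I would record that dependency beside the declaration so a future non-admin caller does not silently inherit the whole list: `# no :if guard: trackers are written only through the admin-only TrackersController`. `core_fields` is writable here too; the `CORE_FIELDS_UNDISABLABLE` constant suggests the `core_fields=` writer re-adds the mandatory fields, but that setter is outside the hunk, so confirm it does — otherwise a request can omit them.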