From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Thu, 21 Jul 2016 17:56:26 +0000 (+0000)
Subject: Set preferences with #safe_attributes=.
X-Git-Tag: 3.4.0~751
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=fcec4d0975aef9c49cd5962441481ec258535bd5;p=redmine.git

Set preferences with #safe_attributes=.

git-svn-id: http://svn.redmine.org/redmine/trunk@15728 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index bf8152b99..51f6af6bb 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -132,7 +132,7 @@ class UsersController < ApplicationController
     # Was the account actived ? (do it before User#save clears the change)
     was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
     # TODO: Similar to My#account
-    @user.pref.attributes = params[:pref] if params[:pref]
+    @user.pref.safe_attributes = params[:pref]
 
     if @user.save
       @user.pref.save