From 316eae078cc43cea468e0397ca35fbf8eced8da0 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 17 Jul 2016 07:15:25 +0000
Subject: [PATCH] Use safe_attributes for custom fields.

git-svn-id: http://svn.redmine.org/redmine/trunk@15689 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/custom_fields_controller.rb |  7 ++++--
 app/models/custom_field.rb                  | 25 ++++++++++++++++++++-
 app/models/issue_custom_field.rb            |  3 +++
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb
index 230df1853..57cb73142 100644
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -53,7 +53,8 @@ class CustomFieldsController < ApplicationController
   end
   def update
-    if @custom_field.update_attributes(params[:custom_field])
+    @custom_field.safe_attributes = params[:custom_field]
+    if @custom_field.save
       call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
       respond_to do |format|
         format.html {
@@ -82,9 +83,11 @@ class CustomFieldsController < ApplicationController
   private
   def build_new_custom_field
-    @custom_field = CustomField.new_subclass_instance(params[:type], params[:custom_field])
+    @custom_field = CustomField.new_subclass_instance(params[:type])
     if @custom_field.nil?
       render :action => 'select_type'
+    else
+      @custom_field.safe_attributes = params[:custom_field]
     end
   end
diff --git a/app/models/custom_field.rb b/app/models/custom_field.rb
index 370ce7090..cd217e766 100644
--- a/app/models/custom_field.rb
+++ b/app/models/custom_field.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 class CustomField < ActiveRecord::Base
+  include Redmine::SafeAttributes
   include Redmine::SubclassFactory
   has_many :enumerations,
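Review bot: `@custom_field.safe_attributes = params[:custom_field]` in `update` applies the same allow-list as creation to an already persisted field, so every name in the model's list — notably `field_format`, which only makes sense before values have been stored — becomes writable through this action. Whether that is harmless depends on the model refusing format changes on saved records, which is outside this diff; if it does not, a request carrying `custom_field[field_format]` reinterprets existing custom values. A functional test updating a persisted field with a different `field_format` and asserting it is unchanged would pin the intended behaviour, and `type` being absent from the list is correct since it would otherwise let the STI subclass be switched. The body of `update` continues outside the hunk.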
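Review bot: The new `else` branch in `build_new_custom_field` assigns `params[:custom_field]` for every resolved subclass, including the plain `new` request that carries only `type`, where that value is nil; the old code passed the same nil into `new_subclass_instance`, and whether `safe_attributes=` tolerates a non-Hash argument is decided in Redmine::SafeAttributes, outside this diff. A functional test for `new` with only `type` set would pin that path, or the guard can be made explicit in place: `@custom_field.safe_attributes = params[:custom_field] if params[:custom_field]`.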
@@ -61,11 +62,33 @@ class CustomField < ActiveRecord::Base where(:visible => true) end } - def visible_by?(project, user=User.current) visible? || user.admin? end + safe_attributes 'name', + 'field_format', + 'possible_values', + 'regexp', + 'min_lnegth', + 'max_length', + 'is_required', + 'is_for_all', + 'is_filter', + 'position', + 'searchable', + 'default_value', + 'editable', + 'visible', + 'multiple', + 'description', + 'role_ids', + 'url_pattern', + 'text_formatting', + 'edit_tag_style', + 'user_role', + 'version_status' + def format @format ||= Redmine::FieldFormat.find(field_format) end diff --git a/app/models/issue_custom_field.rb b/app/models/issue_custom_field.rb index 0c679896d..ad2d504e1 100644 --- a/app/models/issue_custom_field.rb +++ b/app/models/issue_custom_field.rb @@ -20,6 +20,9 @@ class IssueCustomField < CustomField has_and_belongs_to_many :trackers, :join_table => "#{table_name_prefix}custom_fields_trackers#{table_name_suffix}", :foreign_key => "custom_field_id" has_many :issues, :through => :issue_custom_values + safe_attributes 'project_ids', + 'tracker_ids' + def type_name :label_issue_plural end -- 2.39.5
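Review bot: `'min_lnegth'` in the new `safe_attributes` list is a typo for `'min_length'`, and because `safe_attributes=` silently drops keys that are not in the list, the min-length value submitted from the form is discarded on both create and update with no error — the only symptom is a setting that never persists. Change the entry to `'min_length',`. A model test that iterates the declared names and asserts `respond_to?("#{name}=")` on an instance would catch this whole class of mistake, since an allow-list entry that matches no setter is always dead. The `CustomField` class continues outside the hunk.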
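Review bot: The subclass-level `safe_attributes 'project_ids', 'tracker_ids'` in IssueCustomField is only complete if Redmine::SafeAttributes merges a subclass's declaration with the superclass list rather than replacing it; that behaviour lives outside this diff, so a model test that an IssueCustomField accepts `name` from the parent list together with `tracker_ids` would pin it. `project_ids` also becomes writable regardless of `is_for_all`; if the intent is that per-project assignment only applies when `is_for_all` is off, that rule belongs in the model rather than relying on the form to omit the field.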