From a4d7a99c22d9aac89a38c1cb411158777b72bb9d Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 12 Dec 2010 13:19:07 +0000
Subject: [PATCH] Declare safe attributes for User and Projects models.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4492 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/my_controller.rb            |  2 +-
 app/controllers/projects_controller.rb      |  8 +++++---
 app/controllers/users_controller.rb         |  5 +++--
 app/models/project.rb                       | 11 +++++++++++
 app/models/user.rb                          | 17 ++++++++++++++++-
 test/functional/projects_controller_test.rb | 20 ++++++++++++++------
 6 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 46747b334..e552caa16 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -53,7 +53,7 @@ class MyController < ApplicationController
     @user = User.current
     @pref = @user.pref
     if request.post?
-      @user.attributes = params[:user]
+      @user.safe_attributes = params[:user]
       @user.mail_notification = params[:notification_option] || 'only_my_events'
       @user.pref.attributes = params[:pref]
       @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 1c982ac22..7a4c71217 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -72,7 +72,8 @@ class ProjectsController < ApplicationController
   def create
     @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
     @trackers = Tracker.all
-    @project = Project.new(params[:project])
+    @project = Project.new
+    @project.safe_attributes = params[:project]
 
     @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
     if validate_parent_id && @project.save
@@ -115,7 +116,8 @@ class ProjectsController < ApplicationController
       end  
     else
       Mailer.with_deliveries(params[:notifications] == '1') do
-        @project = Project.new(params[:project])
+        @project = Project.new
+        @project.safe_attributes = params[:project]
         @project.enabled_module_names = params[:enabled_modules]
         if validate_parent_id && @project.copy(@source_project, :only => params[:only])
           @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
@@ -181,7 +183,7 @@ class ProjectsController < ApplicationController
   end
 
   def update
-    @project.attributes = params[:project]
+    @project.safe_attributes = params[:project]
     if validate_parent_id && @project.save
       @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
       respond_to do |format|
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 69ffcf2c2..07c807ce4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -97,7 +97,8 @@ class UsersController < ApplicationController
     @notification_options = User::MAIL_NOTIFICATION_OPTIONS
     @notification_option = Setting.default_notification_option
 
-    @user = User.new(params[:user])
+    @user = User.new
+    @user.safe_attributes = params[:user]
     @user.admin = params[:user][:admin] || false
     @user.login = params[:user][:login]
     @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
@@ -155,7 +156,7 @@ class UsersController < ApplicationController
       @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
     end
     @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
-    @user.attributes = params[:user]
+    @user.safe_attributes = params[:user]
     # Was the account actived ? (do it before User#save clears the change)
     was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
     # TODO: Similar to My#account
diff --git a/app/models/project.rb b/app/models/project.rb
index 99a4a4984..29a750fe2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class Project < ActiveRecord::Base
+  include Redmine::SafeAttributes
+  
   # Project statuses
   STATUS_ACTIVE     = 1
   STATUS_ARCHIVED   = 9
@@ -520,6 +522,15 @@ class Project < ActiveRecord::Base
   def enabled_module_names
     enabled_modules.collect(&:name)
   end
+  
+  safe_attributes 'name',
+    'description',
+    'homepage',
+    'is_public',
+    'identifier',
+    'custom_field_values',
+    'custom_fields',
+    'tracker_ids'
 
   # Returns an array of projects that are in this project's hierarchy
   #
diff --git a/app/models/user.rb b/app/models/user.rb
index a43631932..b039ba0b3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,8 @@
 require "digest/sha1"
 
 class User < Principal
-
+  include Redmine::SafeAttributes
+  
   # Account statuses
   STATUS_ANONYMOUS  = 0
   STATUS_ACTIVE     = 1
@@ -390,6 +391,20 @@ class User < Principal
   def allowed_to_globally?(action, options)
     allowed_to?(action, nil, options.reverse_merge(:global => true))
   end
+
+  safe_attributes 'login',
+    'firstname',
+    'lastname',
+    'mail',
+    'mail_notification',
+    'language',
+    'custom_field_values',
+    'custom_fields',
+    'identity_url'
+  
+  safe_attributes 'status',
+    'auth_source_id',
+    :if => lambda {|user, current_user| current_user.admin?}
   
   # Utility method to help check if a user should be notified about an
   # event.
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 3cd7c3dbf..5392ffb12 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -144,19 +144,27 @@ class ProjectsControllerTest < ActionController::TestCase
       end
       
       should "create a new project" do
-        post :create, :project => { :name => "blog", 
-                                 :description => "weblog",
-                                 :identifier => "blog",
-                                 :is_public => 1,
-                                 :custom_field_values => { '3' => 'Beta' }
-                                }
+        post :create,
+          :project => {
+            :name => "blog", 
+            :description => "weblog",
+            :homepage => 'http://weblog',
+            :identifier => "blog",
+            :is_public => 1,
+            :custom_field_values => { '3' => 'Beta' },
+            :tracker_ids => ['1', '3']
+          }
         assert_redirected_to '/projects/blog/settings'
         
         project = Project.find_by_name('blog')
         assert_kind_of Project, project
+        assert project.active?
         assert_equal 'weblog', project.description 
+        assert_equal 'http://weblog', project.homepage
         assert_equal true, project.is_public?
         assert_nil project.parent
+        assert_equal 'Beta', project.custom_value_for(3).value
+        assert_equal [1, 3], project.trackers.map(&:id).sort
       end
       
       should "create a new subproject" do
-- 
2.39.5