From cc30a0423eeeb4ad78fdd68c54f2f2df78899ffe Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 17 Jul 2016 08:09:50 +0000
Subject: [PATCH] Use safe_attributes for issue statuses.

git-svn-id: http://svn.redmine.org/redmine/trunk@15691 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issue_statuses_controller.rb | 6 ++++--
 app/models/issue_status.rb | 7 +++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/controllers/issue_statuses_controller.rb b/app/controllers/issue_statuses_controller.rb
index 8ae945c18..efd2d1c44 100644
--- a/app/controllers/issue_statuses_controller.rb
+++ b/app/controllers/issue_statuses_controller.rb
@@ -35,7 +35,8 @@ class IssueStatusesController < ApplicationController
 end

 def create
- @issue_status = IssueStatus.new(params[:issue_status])
+ @issue_status = IssueStatus.new
+ @issue_status.safe_attributes = params[:issue_status]
 if @issue_status.save
 flash[:notice] = l(:notice_successful_create)
 redirect_to issue_statuses_path
@@ -50,7 +51,8 @@ class IssueStatusesController < ApplicationController

 def update
 @issue_status = IssueStatus.find(params[:id])
- if @issue_status.update_attributes(params[:issue_status])
+ @issue_status.safe_attributes = params[:issue_status]
+ if @issue_status.save
 respond_to do |format|
 format.html {
 flash[:notice] = l(:notice_successful_update)
diff --git a/app/models/issue_status.rb b/app/models/issue_status.rb
index 69f81bf96..bdf096121 100644
--- a/app/models/issue_status.rb
+++ b/app/models/issue_status.rb
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

 class IssueStatus < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
 before_destroy :check_integrity
 has_many :workflows, :class_name => 'WorkflowTransition', :foreign_key => "old_status_id"
 has_many :workflow_transitions_as_new_status, :class_name => 'WorkflowTransition', :foreign_key => "new_status_id"
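Review bot: Nothing in this commit pins the new filtering in `create` and `update` of issue_statuses_controller.rb: the diffstat lists only the controller and the model, so no test accompanies the switch to `safe_attributes=`. A functional test that posts an `issue_status` hash containing a key outside the model's list and asserts that the key is left unassigned would keep a later refactor from quietly restoring raw mass assignment. At each call site a short comment such as `# Assigns only the attributes IssueStatus declares with safe_attributes` would also tell the reader that the whole params hash is not applied. In `update`, a request without `params[:issue_status]` presumably assigns nothing and `@issue_status.save` still reports success, which is worth confirming as intended. Both method bodies continue outside their hunks.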
@@ -33,6 +35,11 @@ class IssueStatus < ActiveRecord::Base
 scope :sorted, lambda { order(:position) }
 scope :named, lambda {|arg| where("LOWER(#{table_name}.name) = LOWER(?)", arg.to_s.strip)}

+ safe_attributes 'name',
+ 'is_closed',
+ 'position',
+ 'default_done_ratio'
+
 # Update all the +Issues+ setting their done_ratio to the value of their +IssueStatus+
 def self.update_issue_done_ratios
 if Issue.use_status_for_done_ratio?
-- 
2.39.5
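Review bot: The `safe_attributes` declaration added to issue_status.rb carries no condition, so `name`, `is_closed`, `position` and `default_done_ratio` are assignable through `safe_attributes=` for whichever user reaches a caller; the model itself says nothing about who that may be. That is sound only while every caller sits behind an administrator check, which this patch does not show. A comment above the list would record the assumption, for example `# Assignable from request params via safe_attributes=; unconditional, so callers must already restrict access to administrators`. It would also signal that a column added later has to be listed here deliberately before it becomes editable. The class body continues outside the hunk.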