From d7a6c09822bc18c01b707d479342af956f754568 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 17 Jul 2016 08:18:26 +0000
Subject: [PATCH] Use safe_attributes for auth sources.

git-svn-id: http://svn.redmine.org/redmine/trunk@15692 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/auth_sources_controller.rb | 17 ++++++++++++-----
 app/models/auth_source.rb                  | 16 ++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/app/controllers/auth_sources_controller.rb b/app/controllers/auth_sources_controller.rb
index 6f5e903d6..d6dd58896 100644
--- a/app/controllers/auth_sources_controller.rb
+++ b/app/controllers/auth_sources_controller.rb
@@ -20,6 +20,7 @@ class AuthSourcesController < ApplicationController
   menu_item :ldap_authentication
 
   before_action :require_admin
+  before_action :build_new_auth_source, :only => [:new, :create]
   before_action :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
   require_sudo_mode :update, :destroy
 
@@ -28,13 +29,9 @@ class AuthSourcesController < ApplicationController
   end
 
   def new
-    klass_name = params[:type] || 'AuthSourceLdap'
-    @auth_source = AuthSource.new_subclass_instance(klass_name, params[:auth_source])
-    render_404 unless @auth_source
   end
 
   def create
-    @auth_source = AuthSource.new_subclass_instance(params[:type], params[:auth_source])
     if @auth_source.save
       flash[:notice] = l(:notice_successful_create)
       redirect_to auth_sources_path
@@ -47,7 +44,8 @@ class AuthSourcesController < ApplicationController
   end
 
   def update
-    if @auth_source.update_attributes(params[:auth_source])
+    @auth_source.safe_attributes = params[:auth_source]
+    if @auth_source.save
       flash[:notice] = l(:notice_successful_update)
       redirect_to auth_sources_path
     else
@@ -89,6 +87,15 @@ class AuthSourcesController < ApplicationController
 
   private
 
+  def build_new_auth_source
+    @auth_source = AuthSource.new_subclass_instance(params[:type] || 'AuthSourceLdap')
+    if @auth_source
+      @auth_source.safe_attributes = params[:auth_source]
+    else
+      render_404
+    end
+  end
+
   def find_auth_source
     @auth_source = AuthSource.find(params[:id])
   rescue ActiveRecord::RecordNotFound
diff --git a/app/models/auth_source.rb b/app/models/auth_source.rb
index 69448d350..bea91bc22 100644
--- a/app/models/auth_source.rb
+++ b/app/models/auth_source.rb
@@ -21,6 +21,7 @@ class AuthSourceException < Exception; end
 class AuthSourceTimeoutException < AuthSourceException; end
 
 class AuthSource < ActiveRecord::Base
+  include Redmine::SafeAttributes
   include Redmine::SubclassFactory
   include Redmine::Ciphering
 
@@ -31,6 +32,21 @@ class AuthSource < ActiveRecord::Base
   validates_length_of :name, :maximum => 60
   attr_protected :id
 
+  safe_attributes 'name',
+    'host',
+    'port',
+    'account',
+    'account_password',
+    'base_dn',
+    'attr_login',
+    'attr_firstname',
+    'attr_lastname',
+    'attr_mail',
+    'onthefly_register',
+    'tls',
+    'filter',
+    'timeout'
+
   def authenticate(login, password)
   end
 
-- 
2.39.5