git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/1.4.0
@@ -312,12 +312,8 @@ private | |||
return false | |||
end | |||
@issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date? | |||
if params[:issue].is_a?(Hash) | |||
@issue.safe_attributes = params[:issue] | |||
if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record? | |||
@issue.watcher_user_ids = params[:issue]['watcher_user_ids'] | |||
end | |||
end | |||
@issue.safe_attributes = params[:issue] | |||
@priorities = IssuePriority.active | |||
@allowed_statuses = @issue.new_statuses_allowed_to(User.current, true) | |||
end |
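Review bot: The `params[:issue].is_a?(Hash)` guard no longer protects the assignment, so `@issue.safe_attributes = params[:issue]` now receives whatever the request sent under `issue`, including nil or a scalar string. The start of `Issue#safe_attributes=` is not visible on this page, so confirm it returns early on non-Hash input (something like `return unless attrs.is_a?(Hash)`). If it does not, keep the check at the call site: `@issue.safe_attributes = params[:issue] if params[:issue].is_a?(Hash)`. The enclosing controller method begins above the hunk.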
@@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base | |||
'done_ratio', | |||
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? } | |||
safe_attributes 'watcher_user_ids', | |||
:if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)} | |||
safe_attributes 'is_private', | |||
:if => lambda {|issue, user| | |||
user.allowed_to?(:set_issues_private, issue.project) || | |||
@@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base | |||
end | |||
end | |||
self.attributes = attrs | |||
# mass-assignment security bypass | |||
self.send :attributes=, attrs, false | |||
end | |||
def done_ratio |
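Review bot: The comment `# mass-assignment security bypass` above `self.send :attributes=, attrs, false` does not say why skipping the protection is safe, and a later reader could take it for a marker of a known hole. With the guard turned off, every key still present in `attrs` is written, so the filtering earlier in this method (outside the hunk) becomes the only control on request-supplied attributes. I would state that invariant at the call, for example `# attrs has already been reduced to the safe attributes for this user; protected attributes are skipped on purpose so whitelisted ones such as watcher_user_ids can be set`. It would also help to have a test that a user without `:add_issue_watchers`, or anyone editing an existing issue, cannot change `watcher_user_ids` through this setter, since the `:if` lambda added in the hunk at line 282 is now the sole permission check for that field.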