authorJean-Philippe Lang <jp_lang@yahoo.fr>2016-07-17 07:15:25 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2016-07-17 07:15:25 +0000
commit316eae078cc43cea468e0397ca35fbf8eced8da0 (patch)
tree129992397cd85e7879d28d16f4aae18470c7ecc4
parent43d8ab8288e1d1f561d3fc530472ddb0042db5fe (diff)
downloadredmine-316eae078cc43cea468e0397ca35fbf8eced8da0.tar.gz
redmine-316eae078cc43cea468e0397ca35fbf8eced8da0.zip
Use safe_attributes for custom fields.
git-svn-id: http://svn.redmine.org/redmine/trunk@15689 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/custom_fields_controller.rb7
-rw-r--r--app/models/custom_field.rb25
-rw-r--r--app/models/issue_custom_field.rb3
3 files changed, 32 insertions, 3 deletions
diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb
index 230df1853..57cb73142 100644
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -53,7 +53,8 @@ class CustomFieldsController < ApplicationController
end
def update
- if @custom_field.update_attributes(params[:custom_field])
+ @custom_field.safe_attributes = params[:custom_field]
+ if @custom_field.save
call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
respond_to do |format|
format.html {
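Review bot: The switch from `update_attributes` to `safe_attributes=` on the line before `if @custom_field.save` changes how unlisted keys are handled — attributes absent from the model's safe_attributes list are presumably dropped without error rather than assigned — and nothing in the controller records that. A one-line comment such as `# Only attributes declared via safe_attributes on the model are assigned; unlisted params are ignored` would keep the next maintainer who adds a column from wondering why their form field never persists. The same applies to the assignment in build_new_custom_field in the next hunk. The body of update continues outside the hunk.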
@@ -82,9 +83,11 @@ class CustomFieldsController < ApplicationController
private
def build_new_custom_field
- @custom_field = CustomField.new_subclass_instance(params[:type], params[:custom_field])
+ @custom_field = CustomField.new_subclass_instance(params[:type])
if @custom_field.nil?
render :action => 'select_type'
+ else
+ @custom_field.safe_attributes = params[:custom_field]
end
end
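Review bot: The new `else` branch in build_new_custom_field adds a second level of nesting for what is really a guard, and a reader has to look past the render to see that the assignment is the normal path. Since render inside a before-filter already halts the chain, a guard clause reads more directly: `@custom_field = CustomField.new_subclass_instance(params[:type])`, `return render :action => 'select_type' if @custom_field.nil?`, `@custom_field.safe_attributes = params[:custom_field]`. This is a style point only; the behaviour on both branches is unchanged.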
diff --git a/app/models/custom_field.rb b/app/models/custom_field.rb
index 370ce7090..cd217e766 100644
--- a/app/models/custom_field.rb
+++ b/app/models/custom_field.rb
@@ -16,6 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class CustomField < ActiveRecord::Base
+ include Redmine::SafeAttributes
include Redmine::SubclassFactory
has_many :enumerations,
@@ -61,11 +62,33 @@ class CustomField < ActiveRecord::Base
where(:visible => true)
end
}
-
def visible_by?(project, user=User.current)
visible? || user.admin?
end
+ safe_attributes 'name',
+ 'field_format',
+ 'possible_values',
+ 'regexp',
+ 'min_lnegth',
+ 'max_length',
+ 'is_required',
+ 'is_for_all',
+ 'is_filter',
+ 'position',
+ 'searchable',
+ 'default_value',
+ 'editable',
+ 'visible',
+ 'multiple',
+ 'description',
+ 'role_ids',
+ 'url_pattern',
+ 'text_formatting',
+ 'edit_tag_style',
+ 'user_role',
+ 'version_status'
+
def format
@format ||= Redmine::FieldFormat.find(field_format)
end
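Review bot: `'min_lnegth'` in the new safe_attributes list is a typo for the `min_length` column, so a `min_length` value posted from the custom field form is not on the whitelist and is presumably discarded silently by `safe_attributes=`, while the misspelt name matches no attribute at all. Change the line to `'min_length',`. Because this list is now the only mass-assignment gate — the controller no longer calls update_attributes — a whitelist typo is a silent functional regression rather than a loud error, so a unit test that assigns each listed attribute through safe_attributes= and reads it back would catch this class of mistake.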
diff --git a/app/models/issue_custom_field.rb b/app/models/issue_custom_field.rb
index 0c679896d..ad2d504e1 100644
--- a/app/models/issue_custom_field.rb
+++ b/app/models/issue_custom_field.rb
@@ -20,6 +20,9 @@ class IssueCustomField < CustomField
has_and_belongs_to_many :trackers, :join_table => "#{table_name_prefix}custom_fields_trackers#{table_name_suffix}", :foreign_key => "custom_field_id"
has_many :issues, :through => :issue_custom_values
+ safe_attributes 'project_ids',
+ 'tracker_ids'
+
def type_name
:label_issue_plural
end
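Review bot: The new `safe_attributes 'project_ids', 'tracker_ids'` declaration reads as if it were the complete whitelist for IssueCustomField, whereas it presumably extends the list declared on CustomField (name, field_format, visible, role_ids, …) through the superclass lookup in Redmine::SafeAttributes. A comment above it, `# Extends the list declared on CustomField; subclass-specific associations only`, would make that explicit. Worth confirming against Redmine::SafeAttributes that subclass declarations accumulate rather than replace, since a replacing semantic would silently drop every CustomField attribute for issue custom fields.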