authorJean-Philippe Lang <jp_lang@yahoo.fr>2011-12-13 19:50:44 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2011-12-13 19:50:44 +0000
commite1f885feda55221ee7fa6add249eb3f930df5a4d (patch)
tree1876b39694e850fd2f0f21486455fc9d0cfe819f
parent4c469f9646ce341c461c24a30b6d5c9e0f70adbc (diff)
downloadredmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.tar.gz
redmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.zip
Use safe_attributes for issue watchers assignment.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/issues_controller.rb8
-rw-r--r--app/models/issue.rb6
2 files changed, 7 insertions, 7 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 3ce25a134..353a3b977 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -312,12 +312,8 @@ private
return false
end
@issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
- if params[:issue].is_a?(Hash)
- @issue.safe_attributes = params[:issue]
- if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
- @issue.watcher_user_ids = params[:issue]['watcher_user_ids']
- end
- end
+ @issue.safe_attributes = params[:issue]
+
@priorities = IssuePriority.active
@allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
end
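Review bot: The new unconditional `@issue.safe_attributes = params[:issue]` drops the `params[:issue].is_a?(Hash)` guard the removed block had, so a request where `issue` is a string or an array now reaches `Issue#safe_attributes=` directly. That is only safe if the model method rejects non-Hash input itself; its body is not in this diff, so either confirm it still opens with a check like `return unless attrs.is_a?(Hash)` or keep the guard here: `@issue.safe_attributes = params[:issue] if params[:issue].is_a?(Hash)`. Dropping the guard also means a request that sends `issue` as a scalar no longer silently does nothing, which is a behaviour change worth a sentence in the commit message. The enclosing controller method starts before this hunk.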
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 7a580737c..1723d1c08 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base
'done_ratio',
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
+ safe_attributes 'watcher_user_ids',
+ :if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)}
+
safe_attributes 'is_private',
:if => lambda {|issue, user|
user.allowed_to?(:set_issues_private, issue.project) ||
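Review bot: The `:if` lambda on the new `watcher_user_ids` declaration is squeezed onto one long line with no space before the closing `}`, while the adjacent `is_private` declaration spreads its lambda over a block; format the new one the same way for consistency: `:if => lambda {|issue, user|` / `issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)` / `}`. Note also that the permission is now evaluated against `issue.project` instead of the controller's `@project` that the removed controller code used; those agree only if the issue's project has been assigned before `safe_attributes=` runs, which the controller hunk does not show, so confirm that ordering.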
@@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base
end
end
- self.attributes = attrs
+ # mass-assignment security bypass
+ self.send :attributes=, attrs, false
end
def done_ratio
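Review bot: The comment `# mass-assignment security bypass` names what the `false` argument does but not why it is acceptable, and that is the whole security argument of this method: with the guard disabled, `attr_protected`/`attr_accessible` on Issue no longer filter anything, so the whitelist computed earlier in this method (outside the hunk) is the only barrier between request parameters and the model. Expand it to something like `# attrs has already been reduced to safe_attribute_names above; pass guard=false so attr_protected declarations (presumably watcher_user_ids from acts_as_watchable) do not silently drop whitelisted keys`, so the next person adding an attribute knows it must go behind a `safe_attributes` declaration. The two-argument `attributes=(attrs, guard)` form is the Rails 2.x/3.0 signature; a later Rails that only offers `assign_attributes(attrs, :without_protection => true)` would turn this `send` into an ArgumentError, so a short note on that dependency would help too. `safe_attributes=` begins before this hunk.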