authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-03-06 19:46:59 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-03-06 19:46:59 +0000
commit286bda14f14d5824975ac46de7c79a8d0181a1e2 (patch)
treee4ccfacebd2ddfef25368ed87051df129677036e
parent2c6ad7525aa77c5c52cbcecb39e8654be11b9f75 (diff)
downloadredmine-286bda14f14d5824975ac46de7c79a8d0181a1e2.tar.gz
redmine-286bda14f14d5824975ac46de7c79a8d0181a1e2.zip
Prevent mass-assignment when adding/updating a forum message (#10390).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9133 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/messages_controller.rb17
-rw-r--r--app/models/message.rb7
2 files changed, 13 insertions, 11 deletions
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 6260cd1da..a8ef03f34 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -50,13 +50,10 @@ class MessagesController < ApplicationController
# Create a new topic
def new
- @message = Message.new(params[:message])
+ @message = Message.new
@message.author = User.current
@message.board = @board
- if params[:message] && User.current.allowed_to?(:edit_messages, @project)
- @message.locked = params[:message]['locked']
- @message.sticky = params[:message]['sticky']
- end
+ @message.safe_attributes = params[:message]
if request.post?
@message.save_attachments(params[:attachments])
if @message.save
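Review bot: The new `@message.safe_attributes = params[:message]` runs on every request to `new`, including the initial GET where `params[:message]` is nil; the removed code guarded that case with `if params[:message] && ...`, so the new code relies on `Redmine::SafeAttributes#safe_attributes=` tolerating a nil argument — worth confirming, and the same dependency exists in the `reply` and `edit` hunks below. The assignment must also stay after `@message.board = @board`, because the model's `:if` lambda for `locked`/`sticky` reads `message.project`, which presumably is derived from the board. A one-line comment would pin that ordering: `# board must be assigned before safe_attributes=: the locked/sticky permission check reads message.project`. `new` continues past the end of this hunk.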
@@ -69,9 +66,10 @@ class MessagesController < ApplicationController
# Reply to a topic
def reply
- @reply = Message.new(params[:reply])
+ @reply = Message.new
@reply.author = User.current
@reply.board = @board
+ @reply.safe_attributes = params[:reply]
@topic.children << @reply
if !@reply.new_record?
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
@@ -84,11 +82,8 @@ class MessagesController < ApplicationController
# Edit a message
def edit
(render_403; return false) unless @message.editable_by?(User.current)
- if params[:message]
- @message.locked = params[:message]['locked']
- @message.sticky = params[:message]['sticky']
- end
- if request.post? && @message.update_attributes(params[:message])
+ @message.safe_attributes = params[:message]
+ if request.post? && @message.save
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
flash[:notice] = l(:notice_successful_update)
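Review bot: `@message.safe_attributes = params[:message]` in `edit` is applied before the `request.post?` check, so a plain GET of the edit page carrying `message[...]` query parameters would render the form with those values already applied to the in-memory record; the old `update_attributes` call only ran inside the POST branch. Nothing is persisted on that path, but moving the assignment under the same condition keeps GET side-effect free: `@message.safe_attributes = params[:message] if request.post?`. `edit` continues past the end of this hunk.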
diff --git a/app/models/message.rb b/app/models/message.rb
index 3866a3a04..5721cb571 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -16,6 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Message < ActiveRecord::Base
+ include Redmine::SafeAttributes
belongs_to :board
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
@@ -48,6 +49,12 @@ class Message < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => {:board => :project},
:conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
+ safe_attributes 'subject', 'content'
+ safe_attributes 'locked', 'sticky',
+ :if => lambda {|message, user|
+ user.allowed_to?(:edit_messages, message.project)
+ }
+
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_messages, project)
end
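Review bot: The `:if` lambda on the `locked`/`sticky` declaration calls `message.project` with no nil guard; if `Message#project` delegates to `board.project` (not visible in this hunk), calling `safe_attributes=` on a message whose board has not been assigned yet would raise rather than simply deny the two attributes. The controller hunks do set the board first, so the order is an undocumented precondition of this declaration; a comment above it would record it: `# locked/sticky may only be set by users allowed to edit messages in the board's project; the board must be assigned before safe_attributes= is called`. The `user` passed to the lambda is whatever the caller of `safe_attributes=` supplies, which is not visible here.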