diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-07-16 09:30:09 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-07-16 09:30:09 +0000 |
| commit | adde498b33b74598419af06ead4277fe09d1c8e0 (patch) | |
| tree | 377bed2ed8f2e1e99ba412ff233604e4d6a776ea | |
| parent | 3e6b392ddc1e32a352c49f91b8ff7400472b7985 (diff) | |
| download | redmine-adde498b33b74598419af06ead4277fe09d1c8e0.tar.gz redmine-adde498b33b74598419af06ead4277fe09d1c8e0.zip | |
Use safe_attributes.
git-svn-id: http://svn.redmine.org/redmine/trunk@15668 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | app/controllers/roles_controller.rb | 9 | ||||
| -rw-r--r-- | app/models/role.rb | 13 |
2 files changed, 19 insertions, 3 deletions
diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb index 20d19d8af..a5bb02e0f 100644 --- a/app/controllers/roles_controller.rb +++ b/app/controllers/roles_controller.rb @@ -45,7 +45,8 @@ class RolesController < ApplicationController def new # Prefills the form with 'Non member' role permissions by default - @role = Role.new(params[:role] || {:permissions => Role.non_member.permissions}) + @role = Role.new + @role.safe_attributes = params[:role] || {:permissions => Role.non_member.permissions} if params[:copy].present? && @copy_from = Role.find_by_id(params[:copy]) @role.copy_from(@copy_from) end @@ -53,7 +54,8 @@ class RolesController < ApplicationController end def create - @role = Role.new(params[:role]) + @role = Role.new + @role.safe_attributes = params[:role] if request.post? && @role.save # workflow copy if !params[:copy_workflow_from].blank? && (copy_from = Role.find_by_id(params[:copy_workflow_from])) @@ -71,7 +73,8 @@ class RolesController < ApplicationController end def update - if @role.update_attributes(params[:role]) + @role.safe_attributes = params[:role] + if @role.save respond_to do |format| format.html { flash[:notice] = l(:notice_successful_update) diff --git a/app/models/role.rb b/app/models/role.rb index 86fe73070..a307a51f6 100644 --- a/app/models/role.rb +++ b/app/models/role.rb @@ -16,6 +16,8 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class Role < ActiveRecord::Base + include Redmine::SafeAttributes + # Custom coder for the permissions attribute that should be an # array of symbols. Rails 3 uses Psych which can be *unbelievably* # slow on some platforms (eg. mingw32). @@ -89,6 +91,17 @@ class Role < ActiveRecord::Base :in => TIME_ENTRIES_VISIBILITY_OPTIONS.collect(&:first), :if => lambda {|role| role.respond_to?(:time_entries_visibility) && role.time_entries_visibility_changed?} + safe_attributes 'name', + 'assignable', + 'position', + 'issues_visibility', + 'users_visibility', + 'time_entries_visibility', + 'all_roles_managed', + 'permissions', + 'permissions_all_trackers', + 'permissions_tracker_ids' + # Copies attributes from another role, arg can be an id or a Role def copy_from(arg, options={}) return unless arg.present? |