diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-07-14 11:56:39 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-07-14 11:56:39 +0000 |
| commit | c55dd52b07387b63767b586c2b3d8263b32f1dad (patch) | |
| tree | adcc09a294d00b2c7dd2ab7cd1d779973da17739 | |
| parent | 26c5459de7a525ec4427b33f9c80b7f0c531db78 (diff) | |
| download | redmine-c55dd52b07387b63767b586c2b3d8263b32f1dad.tar.gz redmine-c55dd52b07387b63767b586c2b3d8263b32f1dad.zip | |
Handle admin and login with safe_attributes.
git-svn-id: http://svn.redmine.org/redmine/trunk@15663 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | app/controllers/account_controller.rb | 1 | ||||
| -rw-r--r-- | app/controllers/users_controller.rb | 6 | ||||
| -rw-r--r-- | app/models/user.rb | 7 |
3 files changed, 7 insertions, 7 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb index 1191accfd..9f4aff85e 100644 --- a/app/controllers/account_controller.rb +++ b/app/controllers/account_controller.rb @@ -137,7 +137,6 @@ class AccountController < ApplicationController redirect_to my_account_path end else - @user.login = params[:user][:login] unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank? @user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation] end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 03458ba47..f9632fe6b 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -87,10 +87,8 @@ class UsersController < ApplicationController end def create - @user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option) + @user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false) @user.safe_attributes = params[:user] - @user.admin = params[:user][:admin] || false - @user.login = params[:user][:login] @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id @user.pref.attributes = params[:pref] if params[:pref] @@ -127,8 +125,6 @@ class UsersController < ApplicationController end def update - @user.admin = params[:user][:admin] if params[:user][:admin] - @user.login = params[:user][:login] if params[:user][:login] if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?) @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] end diff --git a/app/models/user.rb b/app/models/user.rb index a9b2be54d..1a6b621c0 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -100,7 +100,7 @@ class User < Principal attr_accessor :remote_ip # Prevents unauthorized assignments - attr_protected :login, :admin, :password, :password_confirmation, :hashed_password + attr_protected :password, :password_confirmation, :hashed_password LOGIN_LENGTH_LIMIT = 60 MAIL_LENGTH_LIMIT = 60 @@ -696,10 +696,15 @@ class User < Principal 'custom_fields', 'identity_url' + safe_attributes 'login', + :if => lambda {|user, current_user| user.new_record?} + safe_attributes 'status', 'auth_source_id', 'generate_password', 'must_change_passwd', + 'login', + 'admin', :if => lambda {|user, current_user| current_user.admin?} safe_attributes 'group_ids', |