authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-03-06 19:39:37 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-03-06 19:39:37 +0000
commit2c6ad7525aa77c5c52cbcecb39e8654be11b9f75 (patch)
tree2d0cc5d10cfd9b1f7d9e28c304d068f20a4734ed /app/controllers/members_controller.rb
parent460239d1f9ee447fd9eafe208c9faadd65817e24 (diff)
Prevent mass-assignment when adding a project member (#10390).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9132 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/members_controller.rb')
-rw-r--r--app/controllers/members_controller.rb18
1 files changed, 10 insertions, 8 deletions
diff --git a/app/controllers/members_controller.rb b/app/controllers/members_controller.rb
index 11cbeff32..0665b3726 100644
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -49,16 +49,18 @@ class MembersController < ApplicationController
def create
members = []
- if params[:membership] && params[:membership][:user_ids]
- attrs = params[:membership].dup
- user_ids = attrs.delete(:user_ids)
- user_ids.each do |user_id|
- members << Member.new(attrs.merge(:user_id => user_id))
+ if params[:membership]
+ if params[:membership][:user_ids]
+ attrs = params[:membership].dup
+ user_ids = attrs.delete(:user_ids)
+ user_ids.each do |user_id|
+ members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
+ end
+ else
+ members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
end
- else
- members << Member.new(params[:membership])
+ @project.members << members
end
- @project.members << members
respond_to do |format|
if members.present? && members.all? {|m| m.valid? }
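Review bot: In the `user_ids` branch, `attrs = params[:membership].dup` is now only a scratch copy used to pull `user_ids` out; nothing from `attrs` reaches `Member.new` any more, so the dup reads as if the full parameter hash were still being passed through. Replacing those two lines with `user_ids = params[:membership][:user_ids]` would make the allow-list (`:role_ids` and `:user_id` only) obvious. A one-line comment above the two `Member.new` calls, such as `# Only role_ids and user_id are taken from the request (#10390)`, would help keep a later edit from reintroducing the pass-through. The diffstat is limited to this file, so whether `Member` itself also restricts assignable attributes (`attr_protected`/`attr_accessible`) for other callers is not visible here and is worth confirming. The body of `create` continues past the end of the hunk.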