diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-03-06 19:50:10 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-03-06 19:50:10 +0000 |
| commit | d0356fe935330d2c74130572eae5883358d7f997 (patch) | |
| tree | cff40610e31a5ba97f939cb9ca55e443c3d4220e /app/controllers/news_controller.rb | |
| parent | 286bda14f14d5824975ac46de7c79a8d0181a1e2 (diff) | |
| download | redmine-d0356fe935330d2c74130572eae5883358d7f997.tar.gz redmine-d0356fe935330d2c74130572eae5883358d7f997.zip | |
Prevent mass-assignment when adding/updating a news (#10390).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9134 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/news_controller.rb')
| -rw-r--r-- | app/controllers/news_controller.rb | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb index 03a7ba29e..553f80e2f 100644 --- a/app/controllers/news_controller.rb +++ b/app/controllers/news_controller.rb @@ -68,7 +68,7 @@ class NewsController < ApplicationController def create @news = News.new(:project => @project, :author => User.current) - @news.attributes = params[:news] + @news.safe_attributes = params[:news] @news.save_attachments(params[:attachments]) if @news.save render_attachment_warning_if_needed(@news) @@ -83,8 +83,9 @@ class NewsController < ApplicationController end def update + @news.safe_attributes = params[:news] @news.save_attachments(params[:attachments]) - if @news.update_attributes(params[:news]) + if @news.save render_attachment_warning_if_needed(@news) flash[:notice] = l(:notice_successful_update) redirect_to :action => 'show', :id => @news |