Use safe_attributes for issue watchers assignment.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2011-12-13 19:50:44 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2011-12-13 19:50:44 +0000
commit: e1f885feda55221ee7fa6add249eb3f930df5a4d (patch)
tree: 1876b39694e850fd2f0f21486455fc9d0cfe819f /app/models/issue.rb
parent: 4c469f9646ce341c461c24a30b6d5c9e0f70adbc (diff)
download: redmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.tar.gz
redmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 7a580737c..1723d1c08 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base
     'done_ratio',
     :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
 
+  safe_attributes 'watcher_user_ids',
+    :if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)} 
+
   safe_attributes 'is_private',
     :if => lambda {|issue, user|
       user.allowed_to?(:set_issues_private, issue.project) ||
@@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base
       end
     end
 
-    self.attributes = attrs
+    # mass-assignment security bypass
+    self.send :attributes=, attrs, false
   end
 
   def done_ratio
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2011-12-13 19:50:44 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2011-12-13 19:50:44 +0000
commit	e1f885feda55221ee7fa6add249eb3f930df5a4d (patch)
tree	1876b39694e850fd2f0f21486455fc9d0cfe819f /app/models/issue.rb
parent	4c469f9646ce341c461c24a30b6d5c9e0f70adbc (diff)
download	redmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.tar.gz redmine-e1f885feda55221ee7fa6add249eb3f930df5a4d.zip