authorJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:19:07 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:19:07 +0000
commita4d7a99c22d9aac89a38c1cb411158777b72bb9d (patch)
tree12a6f4f752208ca050a899b0599d290d85c2f87f /app/models/user.rb
parent3409333522a76ade39db41124df596b2b95eccc0 (diff)
Declare safe attributes for User and Projects models.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4492 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/models/user.rb')
-rw-r--r--app/models/user.rb17
1 files changed, 16 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index a43631932..b039ba0b3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,8 @@
require "digest/sha1"
class User < Principal
-
+ include Redmine::SafeAttributes
+
# Account statuses
STATUS_ANONYMOUS = 0
STATUS_ACTIVE = 1
@@ -390,6 +391,20 @@ class User < Principal
def allowed_to_globally?(action, options)
allowed_to?(action, nil, options.reverse_merge(:global => true))
end
+
+ safe_attributes 'login',
+ 'firstname',
+ 'lastname',
+ 'mail',
+ 'mail_notification',
+ 'language',
+ 'custom_field_values',
+ 'custom_fields',
+ 'identity_url'
+
+ safe_attributes 'status',
+ 'auth_source_id',
+ :if => lambda {|user, current_user| current_user.admin?}
# Utility method to help check if a user should be notified about an
# event.
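Review bot: The unconditional `safe_attributes` list includes 'login' and 'identity_url', so any code path that passes request parameters through the safe-attributes setter lets a non-admin account change its own login name and OpenID identity URL; the callers are not in this hunk, so whether that is intended cannot be confirmed from here. If renaming an account is meant to be limited to registration or to administrators, declare 'login' separately, e.g. `safe_attributes 'login', :if => lambda {|user, current_user| user.new_record? || current_user.admin?}`. The admin-only declaration calls `current_user.admin?` with no nil guard, which presumably relies on every caller supplying a user object (anonymous included). A one-line comment above each group, such as `# Attributes any user may set` and `# Attributes only an administrator may set`, would make the privilege boundary explicit for whoever adds the next field.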