author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2010-01-12 20:17:20 +0000 |
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2010-01-12 20:17:20 +0000 |
commit | 0a05cc2a378033b4a1049089b7c0f0865b8f9d1e (patch) | |
tree | d3363c8a1f146dc1ed452fcae5685aece8f705d7 /app/models | |
parent | ff77fb6aa9f1fc74960e86c11d2c5f38d6cdfabd (diff) | |
Set a whitelist of issue attributes that can be mass-assigned from controllers.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3308 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/issue.rb | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index f4ebb2936..2780fd4c5 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -165,6 +165,32 @@ class Issue < ActiveRecord::Base
     write_attribute :estimated_hours, (h.is_a?(String) ? h.to_hours : h)
   end
+  SAFE_ATTRIBUTES = %w(
+    tracker_id
+    status_id
+    category_id
+    assigned_to_id
+    priority_id
+    fixed_version_id
+    subject
+    description
+    start_date
+    due_date
+    done_ratio
+    estimated_hours
+    custom_field_values
+  ) unless const_defined?(:SAFE_ATTRIBUTES)
+
+  # Safely sets attributes
+  # Should be called from controllers instead of #attributes=
+  # attr_accessible is too rough because we still want things like
+  # Issue.new(:project => foo) to work
+  # TODO: move workflow/permission checks from controllers to here
+  def safe_attributes=(attrs, user=User.current)
+    return if attrs.nil?
+    self.attributes = attrs.reject {|k,v| !SAFE_ATTRIBUTES.include?(k)}
+  end
+
   def done_ratio
     if Issue.use_status_for_done_ratio? && status && status.default_done_ratio?
       status.default_done_ratio |