authorJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:19:07 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:19:07 +0000
commita4d7a99c22d9aac89a38c1cb411158777b72bb9d (patch)
tree12a6f4f752208ca050a899b0599d290d85c2f87f /app/models
parent3409333522a76ade39db41124df596b2b95eccc0 (diff)
Declare safe attributes for User and Projects models.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4492 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/models')
-rw-r--r--app/models/project.rb11
-rw-r--r--app/models/user.rb17
2 files changed, 27 insertions, 1 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 99a4a4984..29a750fe2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Project < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
# Project statuses
STATUS_ACTIVE = 1
STATUS_ARCHIVED = 9
@@ -520,6 +522,15 @@ class Project < ActiveRecord::Base
def enabled_module_names
enabled_modules.collect(&:name)
end
+
+ safe_attributes 'name',
+ 'description',
+ 'homepage',
+ 'is_public',
+ 'identifier',
+ 'custom_field_values',
+ 'custom_fields',
+ 'tracker_ids'
# Returns an array of projects that are in this project's hierarchy
#
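Review bot: `'identifier'` is declared safe with no `:if` condition, so an existing project's identifier can be rewritten through the same bulk-assignment path as its name and description; if, as the name suggests, the identifier is meant to stay fixed once the project exists, it should be split out of the unconditional list and guarded, e.g. `safe_attributes 'identifier', :if => lambda {|project, user| project.new_record?}`. The list would also benefit from a one-line comment above it, e.g. `# Attributes that may be set via safe_attributes= (mass assignment from request params); everything else must be assigned explicitly.` The `safe_attributes` macro comes from `Redmine::SafeAttributes`, whose semantics are outside this diff, and the enclosing `Project` class continues past the hunk.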
diff --git a/app/models/user.rb b/app/models/user.rb
index a43631932..b039ba0b3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,8 @@
require "digest/sha1"
class User < Principal
-
+ include Redmine::SafeAttributes
+
# Account statuses
STATUS_ANONYMOUS = 0
STATUS_ACTIVE = 1
@@ -390,6 +391,20 @@ class User < Principal
def allowed_to_globally?(action, options)
allowed_to?(action, nil, options.reverse_merge(:global => true))
end
+
+ safe_attributes 'login',
+ 'firstname',
+ 'lastname',
+ 'mail',
+ 'mail_notification',
+ 'language',
+ 'custom_field_values',
+ 'custom_fields',
+ 'identity_url'
+
+ safe_attributes 'status',
+ 'auth_source_id',
+ :if => lambda {|user, current_user| current_user.admin?}
# Utility method to help check if a user should be notified about an
# event.
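Review bot: `'login'` sits in the unconditional group at the top of the hunk, so any caller that assigns through `safe_attributes=` on behalf of a non-admin can change the account's login name along with its mail and language; if renaming accounts is meant to be an admin-only operation, move it to the conditional group or guard it separately, e.g. `safe_attributes 'login', :if => lambda {|user, current_user| user.new_record? || current_user.admin?}`. The condition lambda on the last `safe_attributes` call ignores its first argument and calls `current_user.admin?` without a nil check, so its behavior when no current user is supplied depends on how `Redmine::SafeAttributes` invokes it, which is outside this diff; naming the unused parameter `_user` would make the intent clearer. The enclosing `User` class continues past the hunk.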