author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-06-03 08:43:04 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-06-03 08:43:04 +0000 |
commit | 6ca3e4f75fa1efafccf928e06f1bd8fd2045c93c (patch) | |
tree | 941f14eb5803489c030d3b9622fef446f8938122 /app | |
parent | b923a54b2d1a2e51fe56222b7a551522621a4079 (diff) | |
Use strong params for CustomFieldEnumeration.
git-svn-id: http://svn.redmine.org/redmine/trunk@16603 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/custom_field_enumerations_controller.rb | 16 | ||||
-rw-r--r-- | app/models/custom_field_enumeration.rb | 8 |
2 files changed, 12 insertions, 12 deletions
diff --git a/app/controllers/custom_field_enumerations_controller.rb b/app/controllers/custom_field_enumerations_controller.rb
index f20269b31..5ec5162b1 100644
--- a/app/controllers/custom_field_enumerations_controller.rb
+++ b/app/controllers/custom_field_enumerations_controller.rb
@@ -31,7 +31,7 @@ class CustomFieldEnumerationsController < ApplicationController
 def create
 @value = @custom_field.enumerations.build
- @value.safe_attributes = params[:custom_field_enumeration]
+ @value.attributes = enumeration_params
 @value.save
 respond_to do |format|
 format.html { redirect_to custom_field_enumerations_path(@custom_field) }
@@ -40,9 +40,7 @@ class CustomFieldEnumerationsController < ApplicationController
 end
 def update_each
- saved = CustomFieldEnumeration.update_each(@custom_field, params[:custom_field_enumerations]) do |enumeration, enumeration_attributes|
- enumeration.safe_attributes = enumeration_attributes
- end
+ saved = CustomFieldEnumeration.update_each(@custom_field, update_each_params)
 if saved
 flash[:notice] = l(:notice_successful_update)
 end
@@ -73,4 +71,14 @@ class CustomFieldEnumerationsController < ApplicationController
 rescue ActiveRecord::RecordNotFound
 render_404
 end
+
+ def enumeration_params
+ params.require(:custom_field_enumeration).permit(:name, :active, :position)
+ end
+
+ def update_each_params
+ # params.require(:custom_field_enumerations).permit(:name, :active, :position) does not work here with param like this:
+ # "custom_field_enumerations":{"0":{"name": ...}, "1":{"name...}}
+ params.permit(:custom_field_enumerations => [:name, :active, :position]).require(:custom_field_enumerations)
+ end
 end
diff --git a/app/models/custom_field_enumeration.rb b/app/models/custom_field_enumeration.rb
index 6cc9daae9..ea2ee47f3 100644
--- a/app/models/custom_field_enumeration.rb
+++ b/app/models/custom_field_enumeration.rb
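Review bot: `update_each_params` (added in controller hunk `@@ -73,4 +71,14 @@`) does not guarantee the id-keyed hash that `CustomFieldEnumeration.update_each` iterates, because a hash filter in `permit` accepts an array of hashes as well as the `{"0" => {...}}` form, so `require(:custom_field_enumerations)` can hand back an Array. The same commit deletes `return unless attributes.is_a?(Hash)` from the model (hunk `@@ -57,7 +50,6 @@` of app/models/custom_field_enumeration.rb), so a payload of that shape would now reach `attributes.each` and `find_by_id` instead of being ignored. A type-agnostic shape check at the top of `update_each`, for example `return unless attributes.respond_to?(:each_pair)`, would keep the old protection; this assumes the guard was dropped because the params object is not a plain Hash, which the page does not show. The body of `update_each` continues outside that hunk, and whether a `private` precedes the two new helper methods is also outside the controller hunk.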
@@ -16,10 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 class CustomFieldEnumeration < ActiveRecord::Base
- include Redmine::SafeAttributes
-
 belongs_to :custom_field
- attr_accessible :name, :active, :position
 validates_presence_of :name, :position, :custom_field_id
 validates_length_of :name, :maximum => 60
@@ -28,10 +25,6 @@ class CustomFieldEnumeration < ActiveRecord::Base
 scope :active, lambda { where(:active => true) }
- safe_attributes 'name',
- 'active',
- 'position'
-
 def to_s
 name.to_s
 end
@@ -57,7 +50,6 @@ class CustomFieldEnumeration < ActiveRecord::Base
 end
 def self.update_each(custom_field, attributes)
- return unless attributes.is_a?(Hash)
 transaction do
 attributes.each do |enumeration_id, enumeration_attributes|
 enumeration = custom_field.enumerations.find_by_id(enumeration_id) |