authorJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:11:53 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2010-12-12 13:11:53 +0000
commit3409333522a76ade39db41124df596b2b95eccc0 (patch)
treeb1d471fd77ea8fe94d0a9b1ec930e1969e82cd6c /app
parent8407db985475efb8e5892b8fa325be01e125ff3f (diff)
Makes issue safe_attributes extensible (#6000).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4491 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/models/issue.rb59
1 files changed, 27 insertions, 32 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 1cd1b92f0..abea0b839 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Issue < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
belongs_to :project
belongs_to :tracker
belongs_to :status, :class_name => 'IssueStatus', :foreign_key => 'status_id'
@@ -214,31 +216,29 @@ class Issue < ActiveRecord::Base
write_attribute :estimated_hours, (h.is_a?(String) ? h.to_hours : h)
end
- SAFE_ATTRIBUTES = %w(
- tracker_id
- status_id
- parent_issue_id
- category_id
- assigned_to_id
- priority_id
- fixed_version_id
- subject
- description
- start_date
- due_date
- done_ratio
- estimated_hours
- custom_field_values
- custom_fields
- lock_version
- ) unless const_defined?(:SAFE_ATTRIBUTES)
-
- SAFE_ATTRIBUTES_ON_TRANSITION = %w(
- status_id
- assigned_to_id
- fixed_version_id
- done_ratio
- ) unless const_defined?(:SAFE_ATTRIBUTES_ON_TRANSITION)
+ safe_attributes 'tracker_id',
+ 'status_id',
+ 'parent_issue_id',
+ 'category_id',
+ 'assigned_to_id',
+ 'priority_id',
+ 'fixed_version_id',
+ 'subject',
+ 'description',
+ 'start_date',
+ 'due_date',
+ 'done_ratio',
+ 'estimated_hours',
+ 'custom_field_values',
+ 'custom_fields',
+ 'lock_version',
+ :if => lambda {|issue, user| issue.new_record? || user.allowed_to?(:edit_issues, issue.project) }
+
+ safe_attributes 'status_id',
+ 'assigned_to_id',
+ 'fixed_version_id',
+ 'done_ratio',
+ :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
# Safely sets attributes
# Should be called from controllers instead of #attributes=
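Review bot: The first `:if` lambda short-circuits on `issue.new_record?`, so for an unsaved issue every name in the first list is assignable whoever `user` is; the model does no create-permission check here and presumably relies on the caller having authorized the request. Because this commit makes the whitelist extensible, that assumption deserves a comment above the two declarations, for example `# Whitelist for mass assignment from request params. New records skip the :edit_issues check; callers must authorize creation.` The two lists overlap on four names, and how Redmine::SafeAttributes combines overlapping declarations is not visible in this diff (presumably a name is accepted when any declaration listing it has an `:if` that holds), so the comment should state the rule once it is confirmed. The dropped `unless const_defined?(:SAFE_ATTRIBUTES)` guard also means code that pre-defined or read `Issue::SAFE_ATTRIBUTES` no longer has any effect, which is worth a changelog note if plugins used it.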
@@ -249,13 +249,8 @@ class Issue < ActiveRecord::Base
return unless attrs.is_a?(Hash)
# User can change issue attributes only if he has :edit permission or if a workflow transition is allowed
- if new_record? || user.allowed_to?(:edit_issues, project)
- attrs = attrs.reject {|k,v| !SAFE_ATTRIBUTES.include?(k)}
- elsif new_statuses_allowed_to(user).any?
- attrs = attrs.reject {|k,v| !SAFE_ATTRIBUTES_ON_TRANSITION.include?(k)}
- else
- return
- end
+ attrs = delete_unsafe_attributes(attrs, user)
+ return if attrs.empty?
# Tracker must be set before since new_statuses_allowed_to depends on it.
if t = attrs.delete('tracker_id')
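Review bot: The permission decision at `attrs = delete_unsafe_attributes(attrs, user)` now rests entirely on a helper whose implementation is outside this diff (the page is limited to 'app'), so it cannot be confirmed here that it returns an empty hash when no declaration's `:if` holds and that it drops undeclared keys. A regression test on `safe_attributes=` for a user with neither `:edit_issues` nor an allowed transition, asserting the issue is left unchanged, would pin the fail-closed behaviour that the removed `else return` branch gave explicitly. The kept comment `# User can change issue attributes only if he has :edit permission ...` now describes conditions that live in the `safe_attributes` declarations and can drift from them; consider `# Keep only the attributes this user may set (see the safe_attributes declarations)`. The method starts before and continues after this hunk.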