-rw-r--r--app/controllers/comments_controller.rb3
-rw-r--r--app/models/comment.rb3
2 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 3a27b973a..ca9aa1a86 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -25,7 +25,8 @@ class CommentsController < ApplicationController
def create
raise Unauthorized unless @news.commentable?
- @comment = Comment.new(params[:comment])
+ @comment = Comment.new
+ @comment.safe_attributes = params[:comment]
@comment.author = User.current
if @news.comments << @comment
flash[:notice] = l(:label_comment_added)
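Review bot: The switch to `Comment.new` plus `safe_attributes=` on the two added lines depends on the whitelist silently discarding any non-listed key from `params[:comment]`, but nothing at the call site records that, so a later "simplification" back to `Comment.new(params[:comment])` would reopen mass assignment of `author`/`commented`. Suggest a comment above the new `Comment.new` line: `# Build via safe_attributes so only whitelisted fields (see Comment's safe_attributes) come from the request; author is set explicitly below.` Keeping `@comment.author = User.current` after the safe-attribute assignment is the right order, since it cannot then be overridden by request data. If `params[:comment]` can be missing, the assignment presumably becomes a no-op and `validates_presence_of :comments` rejects the record; confirm that `safe_attributes=` tolerates a non-Hash argument. The `create` action continues beyond the end of this hunk.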
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 701f0344e..4b7e098f1 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -16,8 +16,11 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Comment < ActiveRecord::Base
+ include Redmine::SafeAttributes
belongs_to :commented, :polymorphic => true, :counter_cache => true
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
validates_presence_of :commented, :author, :comments
+
+ safe_attributes 'comments'
end
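Review bot: `safe_attributes 'comments'` intentionally leaves the `commented` association and `author` out of the request-assignable set, which is what makes the controller change safe, but that intent is not documented and a future whitelist addition could undo it. Suggest a comment above the new macro line: `# Only the comment body is request-assignable; commented and author are set by the controller.` The blank line separating the macro from the validations matches the surrounding style.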