-rw-r--r--app/controllers/my_controller.rb2
-rw-r--r--app/controllers/projects_controller.rb8
-rw-r--r--app/controllers/users_controller.rb5
-rw-r--r--app/models/project.rb11
-rw-r--r--app/models/user.rb17
-rw-r--r--test/functional/projects_controller_test.rb20
6 files changed, 50 insertions, 13 deletions
diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 46747b334..e552caa16 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -53,7 +53,7 @@ class MyController < ApplicationController
@user = User.current
@pref = @user.pref
if request.post?
- @user.attributes = params[:user]
+ @user.safe_attributes = params[:user]
@user.mail_notification = params[:notification_option] || 'only_my_events'
@user.pref.attributes = params[:pref]
@user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
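Review bot: The line right after the changed one, `@user.pref.attributes = params[:pref]`, is still an unfiltered mass assignment, so the whitelisting this hunk introduces for User stops at the preference record. Unless UserPreference declares its own attr_accessible/attr_protected (not visible in this diff), a request can set any column of that row, including its `user_id`. Apply the same pattern here: `@user.pref.safe_attributes = params[:pref]` backed by a `safe_attributes` list on UserPreference, or at minimum an explicit slice of the accepted keys. The enclosing action starts outside the hunk.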
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 1c982ac22..7a4c71217 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -72,7 +72,8 @@ class ProjectsController < ApplicationController
def create
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
@trackers = Tracker.all
- @project = Project.new(params[:project])
+ @project = Project.new
+ @project.safe_attributes = params[:project]
@project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
if validate_parent_id && @project.save
@@ -115,7 +116,8 @@ class ProjectsController < ApplicationController
end
else
Mailer.with_deliveries(params[:notifications] == '1') do
- @project = Project.new(params[:project])
+ @project = Project.new
+ @project.safe_attributes = params[:project]
@project.enabled_module_names = params[:enabled_modules]
if validate_parent_id && @project.copy(@source_project, :only => params[:only])
@project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
@@ -181,7 +183,7 @@ class ProjectsController < ApplicationController
end
def update
- @project.attributes = params[:project]
+ @project.safe_attributes = params[:project]
if validate_parent_id && @project.save
@project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
respond_to do |format|
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 69ffcf2c2..07c807ce4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -97,7 +97,8 @@ class UsersController < ApplicationController
@notification_options = User::MAIL_NOTIFICATION_OPTIONS
@notification_option = Setting.default_notification_option
- @user = User.new(params[:user])
+ @user = User.new
+ @user.safe_attributes = params[:user]
@user.admin = params[:user][:admin] || false
@user.login = params[:user][:login]
@user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
@@ -155,7 +156,7 @@ class UsersController < ApplicationController
@user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
end
@user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
- @user.attributes = params[:user]
+ @user.safe_attributes = params[:user]
# Was the account actived ? (do it before User#save clears the change)
was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
# TODO: Similar to My#account
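Review bot: The activation check `was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])` on the line after the changed assignment now depends on `'status'` being accepted by `safe_attributes=`, which user.rb gates with `:if => lambda {|user, current_user| current_user.admin?}`; the call here passes no user argument, so it relies on `safe_attributes=` defaulting to `User.current` (the mixin is not in this diff, so confirm). If the default differs or the lambda receives nil, the status change is dropped silently, the account is never activated, and nothing surfaces the problem. A functional test that posts `:user => {:status => User::STATUS_ACTIVE}` as an admin against a registered user and asserts the activation path runs would pin this. The enclosing `update` action starts and ends outside the hunk.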
diff --git a/app/models/project.rb b/app/models/project.rb
index 99a4a4984..29a750fe2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Project < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
# Project statuses
STATUS_ACTIVE = 1
STATUS_ARCHIVED = 9
@@ -520,6 +522,15 @@ class Project < ActiveRecord::Base
def enabled_module_names
enabled_modules.collect(&:name)
end
+
+ safe_attributes 'name',
+ 'description',
+ 'homepage',
+ 'is_public',
+ 'identifier',
+ 'custom_field_values',
+ 'custom_fields',
+ 'tracker_ids'
# Returns an array of projects that are in this project's hierarchy
#
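Review bot: `'identifier'` is whitelisted unconditionally, so ProjectsController#update (also switched to `safe_attributes=` in this commit) will accept a new identifier for an existing project. The test hunk shows the identifier is the URL slug (`/projects/blog/settings`), so a rename breaks existing links and is presumably something that should only happen at creation — confirm against the settings form. If so, gate it on new records: `safe_attributes 'identifier', :if => lambda {|project, user| project.new_record?}` and keep the rest of the list unconditional.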
diff --git a/app/models/user.rb b/app/models/user.rb
index a43631932..b039ba0b3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,8 @@
require "digest/sha1"
class User < Principal
-
+ include Redmine::SafeAttributes
+
# Account statuses
STATUS_ANONYMOUS = 0
STATUS_ACTIVE = 1
@@ -390,6 +391,20 @@ class User < Principal
def allowed_to_globally?(action, options)
allowed_to?(action, nil, options.reverse_merge(:global => true))
end
+
+ safe_attributes 'login',
+ 'firstname',
+ 'lastname',
+ 'mail',
+ 'mail_notification',
+ 'language',
+ 'custom_field_values',
+ 'custom_fields',
+ 'identity_url'
+
+ safe_attributes 'status',
+ 'auth_source_id',
+ :if => lambda {|user, current_user| current_user.admin?}
# Utility method to help check if a user should be notified about an
# event.
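Review bot: `'login'` is in the unconditional list, so My#account (switched to `safe_attributes=` in this commit) lets any authenticated user change their own login through `params[:user]`. The admin UsersController sets `@user.login` explicitly anyway, so if login changes are meant to be admin-only or creation-only, gate them: `safe_attributes 'login', :if => lambda {|user, current_user| user.new_record? || current_user.admin?}`. The admin-gated lambda also calls `current_user.admin?` without a nil guard, which is fine only if the mixin always passes a user object (e.g. an AnonymousUser) — worth confirming since the mixin is not in this diff.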
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 3cd7c3dbf..5392ffb12 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -144,19 +144,27 @@ class ProjectsControllerTest < ActionController::TestCase
end
should "create a new project" do
- post :create, :project => { :name => "blog",
- :description => "weblog",
- :identifier => "blog",
- :is_public => 1,
- :custom_field_values => { '3' => 'Beta' }
- }
+ post :create,
+ :project => {
+ :name => "blog",
+ :description => "weblog",
+ :homepage => 'http://weblog',
+ :identifier => "blog",
+ :is_public => 1,
+ :custom_field_values => { '3' => 'Beta' },
+ :tracker_ids => ['1', '3']
+ }
assert_redirected_to '/projects/blog/settings'
project = Project.find_by_name('blog')
assert_kind_of Project, project
+ assert project.active?
assert_equal 'weblog', project.description
+ assert_equal 'http://weblog', project.homepage
assert_equal true, project.is_public?
assert_nil project.parent
+ assert_equal 'Beta', project.custom_value_for(3).value
+ assert_equal [1, 3], project.trackers.map(&:id).sort
end
should "create a new subproject" do
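Review bot: The test only posts whitelisted attributes, so it would still pass if the `safe_attributes` list on Project were removed entirely; `assert project.active?` and `assert_nil project.parent` check defaults, not that a disallowed value was dropped. Add a negative case that proves the filter works, e.g. include `:status => Project::STATUS_ARCHIVED` in the posted `:project` hash and keep the `assert project.active?` assertion, so a regression that reopens mass assignment fails the suite.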