From b3663ee5c4bf093234d90ef81ea788d9433914ee Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 16 Jan 2016 08:56:30 +0000
Subject: Warning "Can't mass-assign protected attributes for IssueRelation: issue_to_id" (#21695).
git-svn-id: http://svn.redmine.org/redmine/trunk@15063 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issue_relations_controller.rb | 6 ++----
 app/models/issue_relation.rb | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/app/controllers/issue_relations_controller.rb b/app/controllers/issue_relations_controller.rb
index 698a64c49..0b1e07b20 100644
--- a/app/controllers/issue_relations_controller.rb
+++ b/app/controllers/issue_relations_controller.rb
@@ -40,11 +40,9 @@ class IssueRelationsController < ApplicationController
 end
 def create
- @relation = IssueRelation.new(params[:relation])
+ @relation = IssueRelation.new
 @relation.issue_from = @issue
- if params[:relation] && m = params[:relation][:issue_to_id].to_s.strip.match(/^#?(\d+)$/)
- @relation.issue_to = Issue.visible.find_by_id(m[1].to_i)
- end
+ @relation.safe_attributes = params[:relation]
 @relation.init_journals(User.current)
 saved = @relation.save
diff --git a/app/models/issue_relation.rb b/app/models/issue_relation.rb
index 3e7e4235c..62d873eff 100644
--- a/app/models/issue_relation.rb
+++ b/app/models/issue_relation.rb
@@ -30,6 +30,8 @@ class IssueRelation < ActiveRecord::Base
 end
 end
+ include Redmine::SafeAttributes
+
 belongs_to :issue_from, :class_name => 'Issue'
 belongs_to :issue_to, :class_name => 'Issue'
@@ -75,6 +77,24 @@ class IssueRelation < ActiveRecord::Base
 after_create :call_issues_relation_added_callback
 after_destroy :call_issues_relation_removed_callback
+ safe_attributes 'relation_type',
+ 'delay',
+ 'issue_to_id'
+
+ def safe_attributes=(attrs, user=User.current)
+ return unless attrs.is_a?(Hash)
+ attrs = attrs.deep_dup
+
+ if issue_id = attrs.delete('issue_to_id')
+ if issue_id.to_s.strip.match(/\A#?(\d+)\z/)
+ issue_id = $1.to_i
+ self.issue_to = Issue.visible(user).find_by_id(issue_id)
+ end
+ end
+
+ super(attrs)
+ end
+
 def visible?(user=User.current)
 (issue_from.nil? || issue_from.visible?(user)) && (issue_to.nil? || issue_to.visible?(user))
 end
-- 
cgit v1.2.3
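Review bot: The visibility check in `safe_attributes=` only fires for a string key, because `attrs.delete('issue_to_id')` misses a symbol-keyed `:issue_to_id`, while the `safe_attributes 'issue_to_id'` declaration just above presumably lets that same key fall through to `super` and be assigned as a raw id without the `Issue.visible(user)` filter; web params arrive with string keys, but an internal caller passing a plain symbol-keyed hash would bypass the check. Normalising the copy once, `attrs = attrs.deep_dup.stringify_keys`, closes that gap regardless of how the caller spelled the key. Separately, the capture is read through the `$1` global, which is easy to clobber by any intervening match; binding the MatchData instead reads more safely: `if m = issue_id.to_s.strip.match(/\A#?(\d+)\z/)` followed by `self.issue_to = Issue.visible(user).find_by_id(m[1].to_i)`. When the id is malformed or the issue is not visible, `issue_to` is silently left nil here, so the caller depends on model validation (outside this hunk) to reject the relation rather than on this setter.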