From cf22053dd583fedbc09ca222bd841cfe52e3327c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 17 Jul 2016 07:27:23 +0000
Subject: Use safe_attributes for custom field enumerations.
git-svn-id: http://svn.redmine.org/redmine/trunk@15690 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/custom_field_enumerations_controller.rb | 8 ++++++--
 app/models/custom_field_enumeration.rb | 12 +++++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/controllers/custom_field_enumerations_controller.rb b/app/controllers/custom_field_enumerations_controller.rb
index 05c5741b0..f141d0d8a 100644
--- a/app/controllers/custom_field_enumerations_controller.rb
+++ b/app/controllers/custom_field_enumerations_controller.rb
@@ -29,7 +29,8 @@ class CustomFieldEnumerationsController < ApplicationController
 end
 def create
- @value = @custom_field.enumerations.build(params[:custom_field_enumeration])
+ @value = @custom_field.enumerations.build
+ @value.safe_attributes = params[:custom_field_enumeration]
 @value.save
 respond_to do |format|
 format.html { redirect_to custom_field_enumerations_path(@custom_field) }
@@ -38,7 +39,10 @@ class CustomFieldEnumerationsController < ApplicationController
 end
 def update_each
- if CustomFieldEnumeration.update_each(@custom_field, params[:custom_field_enumerations])
+ saved = CustomFieldEnumeration.update_each(@custom_field, params[:custom_field_enumerations]) do |enumeration, enumeration_attributes|
+ enumeration.safe_attributes = enumeration_attributes
+ end
+ if saved
 flash[:notice] = l(:notice_successful_update)
 end
 redirect_to :action => 'index'
diff --git a/app/models/custom_field_enumeration.rb b/app/models/custom_field_enumeration.rb
index b7b3cd60b..6cc9daae9 100644
--- a/app/models/custom_field_enumeration.rb
+++ b/app/models/custom_field_enumeration.rb
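Review bot: The return value of `@value.save` on the line right after the new `safe_attributes=` assignment is discarded, so an enumeration that fails validation is silently dropped and the HTML branch still redirects to the list with no message. Consider `flash[:error] = @value.errors.full_messages.join(', ') unless @value.save` so the user learns why nothing was added; any other `respond_to` branch would need an equivalent signal. The whitelist switch itself is sound: the submitted hash now goes through the model's declared `safe_attributes` list instead of raw mass assignment in `build`. The `create` method's body continues past the end of this hunk.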
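Review bot: When `saved` is false the new `if saved` branch falls through and the user is redirected to the index with no indication that a row failed validation and the batch was rolled back; an `else` branch setting `flash[:error]` would make the failure visible instead of looking like a no-op. The block form is the right move security-wise: each row's hash now passes through `safe_attributes=` rather than `attributes=`, so only whitelisted columns can be set from `params[:custom_field_enumerations]`. Whether a request with no rows (a nil `params[:custom_field_enumerations]`) is tolerated depends on a guard on the model side that is not visible in this hunk.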
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 class CustomFieldEnumeration < ActiveRecord::Base
+ include Redmine::SafeAttributes
+
 belongs_to :custom_field
 attr_accessible :name, :active, :position
@@ -26,6 +28,10 @@ class CustomFieldEnumeration < ActiveRecord::Base
 scope :active, lambda { where(:active => true) }
+ safe_attributes 'name',
+ 'active',
+ 'position'
+
 def to_s
 name.to_s
 end
@@ -56,7 +62,11 @@ class CustomFieldEnumeration < ActiveRecord::Base
 attributes.each do |enumeration_id, enumeration_attributes|
 enumeration = custom_field.enumerations.find_by_id(enumeration_id)
 if enumeration
- enumeration.attributes = enumeration_attributes
+ if block_given?
+ yield enumeration, enumeration_attributes
+ else
+ enumeration.attributes = enumeration_attributes
+ end
 unless enumeration.save
 raise ActiveRecord::Rollback
 end
-- 
cgit v1.2.3
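Review bot: The new `safe_attributes 'name', 'active', 'position'` list duplicates the `attr_accessible :name, :active, :position` whitelist kept a few lines above, and nothing ties the two together, so a column added to one list but not the other will be silently stripped by whichever filter runs first. A comment above the declaration would make the coupling explicit: `# Keep in sync with attr_accessible above; both lists gate mass assignment from CustomFieldEnumerationsController.` If `attr_accessible` is being retained only for the no-block fallback in `update_each`, saying so here keeps it from being removed as dead code later.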
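Review bot: The `else` branch keeps the raw `enumeration.attributes = enumeration_attributes` path for callers that pass no block, so the whitelist this commit introduces only holds if every caller remembers to supply the block; the controller in this patch does, but a future caller or plugin invoking `update_each` without one falls back on `attr_accessible` alone and bypasses the `safe_attributes` list and any role-based rules later added to it. Since the model now includes `Redmine::SafeAttributes`, the fallback can apply the same filter, `enumeration.safe_attributes = enumeration_attributes`, or the `else` branch can be dropped so the block is mandatory. The block's return value is ignored and the `save`/`Rollback` check still runs afterward, which is the correct ordering. `update_each`'s definition and the surrounding transaction, presumably what `ActiveRecord::Rollback` unwinds to, begin above this hunk.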