Prevent mass-assignment vulnerability when adding/updating a time entry (#922).

1f108174 · Jean-Philippe Lang · Holger Just · ea3ff66b · 1f108174 · 1f108174
Commit 1f108174 authored Mar 06, 2012 by Jean-Philippe Lang Committed by Holger Just Apr 04, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

timelog_controller.rb app/controllers/timelog_controller.rb +4 -4

time_entry.rb app/models/time_entry.rb +3 -0

No files found.
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -97,7 +97,7 @@ class TimelogController < ApplicationController

  def new
    @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]

    call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
    render :action => 'edit'
@@ -106,7 +106,7 @@ class TimelogController < ApplicationController
  verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
  def create
    @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]

    call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })

@@ -127,14 +127,14 @@ class TimelogController < ApplicationController
  end

  def edit
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]

    call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
  end

  verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
  def update
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]

    call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })


--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -13,6 +13,7 @@
 #++

 class TimeEntry < ActiveRecord::Base
+  include Redmine::SafeAttributes
  # could have used polymorphic association
  # project association here allows easy loading of time entries at project level with one database trip
  belongs_to :project
@@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
    :conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
  }}

+  safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
+
  def after_initialize
    if new_record? && self.activity.nil?
      if default_activity = TimeEntryActivity.default