Commit 1f108174
authored Mar 06, 2012 by Jean-Philippe Lang
committed by Holger Just, Apr 04, 2012
Prevent mass-assignment vulnerability when adding/updating a time entry (#922).
parent ea3ff66b
Showing 2 changed files with 7 additions and 4 deletions (+7 -4)

app/controllers/timelog_controller.rb  +4 -4
app/models/time_entry.rb               +3 -0
app/controllers/timelog_controller.rb (view file @ 1f108174)
@@ -97,7 +97,7 @@ class TimelogController < ApplicationController
   def new
     @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
 
     render :action => 'edit'
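Review bot: `new` now calls `safe_attributes=` on the initial GET, where `params[:time_entry]` is normally absent; the `attributes=` it replaces returned silently on nil, so confirm that `Redmine::SafeAttributes#safe_attributes=` tolerates nil as well (or guard the call with `if params[:time_entry]`), otherwise rendering the empty form raises. Separately, the `call_hook` two lines below still passes the raw `params` hash, so a plugin hooking `controller_timelog_edit_before_save` that copies `params[:time_entry]` onto `@time_entry` with `attributes=` reopens the same mass-assignment path; this deserves a line in the changelog for plugin authors.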
@@ -106,7 +106,7 @@ class TimelogController < ApplicationController
   verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
     @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
 
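Review bot: the constructor call plus the `safe_attributes=` assignment in `create` is now a verbatim copy of the pair in `new`; extracting both into a private helper would keep the two paths in sync, since a later edit that reverts one of them to `attributes=` would silently reintroduce the bug the commit message describes. On the security side this hunk does what it should: `user` and `project` are pinned from `User.current` and `@project` in the constructor, and because neither `user_id` nor `project_id` is whitelisted, a submitted `time_entry[user_id]` or `time_entry[project_id]` can no longer override them.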
@@ -127,14 +127,14 @@ class TimelogController < ApplicationController
   end
 
   def edit
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
   end
 
   verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
   def update
-    @time_entry.attributes = params[:time_entry]
+    @time_entry.safe_attributes = params[:time_entry]
 
     call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
 
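Review bot: `update` previously accepted `user_id`, `project_id` and every other column through `attributes=`; after this hunk those keys are discarded (assuming `safe_attributes=` drops unlisted keys rather than raising), so a client that legitimately posted `time_entry[user_id]`, for example a manager reassigning an entry, gets a successful response with the change silently ignored. If reassignment is meant to remain available to some roles, the whitelist needs a conditional entry for it; if not, record the behaviour change in the release notes. `edit` applying `safe_attributes=` on GET is harmless because nothing is saved there, and is unchanged in spirit from the old `attributes=`.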
app/models/time_entry.rb (view file @ 1f108174)
@@ -13,6 +13,7 @@
 #++
 
 class TimeEntry < ActiveRecord::Base
+  include Redmine::SafeAttributes
   # could have used polymorphic association
   # project association here allows easy loading of time entries at project level with one database trip
   belongs_to :project
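Review bot: the include is correctly placed ahead of the `safe_attributes` declaration later in the file, but it only protects callers that switch to `safe_attributes=`; `TimeEntry#attributes=` stays fully open. Any other code path that builds or updates a `TimeEntry` from request parameters (other controllers, the REST API, plugins) needs the same controller-side change as `timelog_controller.rb`, so a grep for `TimeEntry` together with `attributes =` across app/ and lib/ should accompany this commit to confirm every write path is covered.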
@@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
                   :conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
   }}
 
+  safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
+
   def after_initialize
     if new_record? && self.activity.nil?
       if default_activity = TimeEntryActivity.default
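Review bot: `issue_id` is whitelisted, so a submitter can still point an entry at any issue id; confirm that the model validates the issue belongs to the entry's project (or that the controller re-derives `@project` from the issue), otherwise time can be logged against issues in projects the user cannot see. `project_id` and `user_id` are deliberately absent, which matches the controller pinning them from `@project` and `User.current`; if some roles should be allowed to reassign those, `safe_attributes` takes an `:if` condition, which is preferable to falling back to `attributes=`. This list is also now the single place a new form field must be registered, and an unlisted field is dropped without error; a one-line comment above the declaration saying so would save the next contributor a debugging session.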