Prevent mass-assignment vulnerability when adding/updating an issue category (#922).

296b3173 · Jean-Philippe Lang · Holger Just · c651ba1a · 296b3173 · 296b3173
Commit 296b3173 authored Mar 06, 2012 by Jean-Philippe Lang Committed by Holger Just Apr 04, 2012
Showing with 10 additions and 20 deletions

documents_controller.rb app/controllers/documents_controller.rb +3 -18

issue_categories_controller.rb app/controllers/issue_categories_controller.rb +4 -2

issue_category.rb app/models/issue_category.rb +3 -0

No files found.
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -43,29 +43,14 @@ class DocumentsController < ApplicationController
  end

  def new
-<<<<<<< HEAD
-    @document = @project.documents.build(params[:document])
-    if request.post? and @document.save
-      attachments = Attachment.attach_files(@document, params[:attachments])
-      render_attachment_warning_if_needed(@document)
-      flash[:notice] = l(:notice_successful_create)
-      redirect_to :action => 'index', :project_id => @project
-=======
    @document = @project.documents.build
    @document.safe_attributes = params[:document]
-    if request.post?
-      if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
-        @document.watcher_user_ids = params[:document]['watcher_user_ids']
-      end
-
-      if @document.save
+    if request.post? && @document.save
      attachments = Attachment.attach_files(@document, params[:attachments])
      render_attachment_warning_if_needed(@document)
      flash[:notice] = l(:notice_successful_create)
      redirect_to :action => 'index', :project_id => @project
    end
->>>>>>> edaf457... Prevent mass-assignment vulnerability when adding/updating a document (#922).
-    end
  end

  def edit

--- a/app/controllers/issue_categories_controller.rb
+++ b/app/controllers/issue_categories_controller.rb
@@ -23,7 +23,8 @@ class IssueCategoriesController < ApplicationController
  verify :method => :post, :only => :destroy

  def new
-    @category = @project.issue_categories.build(params[:category])
+    @category = @project.issue_categories.build
+    @category.safe_attributes = params[:category]
    if request.post?
      if @category.save
        respond_to do |format|
@@ -50,7 +51,8 @@ class IssueCategoriesController < ApplicationController
  end

  def edit
-    if request.post? and @category.update_attributes(params[:category])
+    @category.safe_attributes = params[:category]
+    if request.post? and @category.save
      flash[:notice] = l(:notice_successful_update)
      redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
    end

--- a/app/models/issue_category.rb
+++ b/app/models/issue_category.rb
@@ -13,6 +13,7 @@
 #++

 class IssueCategory < ActiveRecord::Base
+  include Redmine::SafeAttributes
  belongs_to :project
  belongs_to :assigned_to, :class_name => 'User', :foreign_key => 'assigned_to_id'
  has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
@@ -21,6 +22,8 @@ class IssueCategory < ActiveRecord::Base
  validates_uniqueness_of :name, :scope => [:project_id]
  validates_length_of :name, :maximum => 30

+  safe_attributes 'name', 'assigned_to_id'
+
  alias :destroy_without_reassign :destroy

  # Destroy the category