OHR Support / Commits / 296b3173

Commit 296b3173, authored Mar 06, 2012 by Jean-Philippe Lang, committed by Holger Just on Apr 04, 2012.
Prevent mass-assignment vulnerability when adding/updating an issue category (#922).
parent: c651ba1a
Showing 3 changed files with 10 additions and 20 deletions (+10 -20):

app/controllers/documents_controller.rb (+3 -18)
app/controllers/issue_categories_controller.rb (+4 -2)
app/models/issue_category.rb (+3 -0)
app/controllers/documents_controller.rb
@@ -43,29 +43,14 @@ class DocumentsController < ApplicationController
end
def
new
<<<<<<<
HEAD
@document
=
@project
.
documents
.
build
(
params
[
:document
])
if
request
.
post?
and
@document
.
save
attachments
=
Attachment
.
attach_files
(
@document
,
params
[
:attachments
])
render_attachment_warning_if_needed
(
@document
)
flash
[
:notice
]
=
l
(
:notice_successful_create
)
redirect_to
:action
=>
'index'
,
:project_id
=>
@project
=======
@document
=
@project
.
documents
.
build
@document
.
safe_attributes
=
params
[
:document
]
if
request
.
post?
if
User
.
current
.
allowed_to?
(
:add_document_watchers
,
@project
)
&&
params
[
:document
][
'watcher_user_ids'
].
present?
@document
.
watcher_user_ids
=
params
[
:document
][
'watcher_user_ids'
]
end
if
@document
.
save
if
request
.
post?
&&
@document
.
save
attachments
=
Attachment
.
attach_files
(
@document
,
params
[
:attachments
])
render_attachment_warning_if_needed
(
@document
)
flash
[
:notice
]
=
l
(
:notice_successful_create
)
redirect_to
:action
=>
'index'
,
:project_id
=>
@project
end
>>>>>>>
edaf457
...
Prevent
mass
-
assignment
vulnerability
when
adding
/
updating
a
document
(
#922).
end
end
def
edit
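Review bot: the removed side of this hunk still carries merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> edaf457...`), so the previous revision of `documents_controller.rb` shipped with an unresolved conflict between the old `@project.documents.build(params[:document])` and the `safe_attributes` variant; the resolution keeps the whitelisted version, which is correct, but the commit message should say that it also resolves a committed conflict. Two further points. `params[:document]['watcher_user_ids']` is dereferenced inside `if request.post?` without checking that `params[:document]` is present, so a POST without a `document` hash raises a `NoMethodError` on `nil` instead of failing validation; guard it, e.g. `params[:document] && params[:document]['watcher_user_ids'].present?`. And the controller now depends on `Document` including `Redmine::SafeAttributes` with a declared whitelist, which this commit does not touch (only `IssueCategory` gets the include and the `safe_attributes` declaration), so confirm the model side already landed in edaf457.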
app/controllers/issue_categories_controller.rb
@@ -23,7 +23,8 @@ class IssueCategoriesController < ApplicationController
verify
:method
=>
:post
,
:only
=>
:destroy
def
new
@category
=
@project
.
issue_categories
.
build
(
params
[
:category
])
@category
=
@project
.
issue_categories
.
build
@category
.
safe_attributes
=
params
[
:category
]
if
request
.
post?
if
@category
.
save
respond_to
do
|
format
|
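Review bot: `@category.safe_attributes = params[:category]` now runs on GET as well as POST, since it sits before `if request.post?`, so this relies on `safe_attributes=` tolerating a `nil` `params[:category]` when the form is first rendered; confirm that, or move the assignment inside the POST branch. Otherwise replacing `build(params[:category])` with `build` followed by `safe_attributes=` is the right fix: attributes outside the model's whitelist (such as `project_id`) can no longer be set from the request.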
@@ -50,7 +51,8 @@ class IssueCategoriesController < ApplicationController
end
def
edit
if
request
.
post?
and
@category
.
update_attributes
(
params
[
:category
])
@category
.
safe_attributes
=
params
[
:category
]
if
request
.
post?
and
@category
.
save
flash
[
:notice
]
=
l
(
:notice_successful_update
)
redirect_to
:controller
=>
'projects'
,
:action
=>
'settings'
,
:tab
=>
'categories'
,
:id
=>
@project
end
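Review bot: swapping `update_attributes(params[:category])` for `safe_attributes=` plus `save` closes the mass-assignment hole on the edit path, and `request.post? and @category.save` still short-circuits as intended. As in `new`, the assignment happens before the `request.post?` check, so a GET to `edit` also passes a `nil` hash through the attribute filter; the same caveat applies, confirm `safe_attributes=` handles `nil` or move the assignment into the POST branch.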
app/models/issue_category.rb
@@ -13,6 +13,7 @@
#++
class
IssueCategory
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
belongs_to
:project
belongs_to
:assigned_to
,
:class_name
=>
'User'
,
:foreign_key
=>
'assigned_to_id'
has_many
:issues
,
:foreign_key
=>
'category_id'
,
:dependent
=>
:nullify
@@ -21,6 +22,8 @@ class IssueCategory < ActiveRecord::Base
validates_uniqueness_of
:name
,
:scope
=>
[
:project_id
]
validates_length_of
:name
,
:maximum
=>
30
safe_attributes
'name'
,
'assigned_to_id'
alias
:destroy_without_reassign
:destroy
# Destroy the category
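Review bot: the whitelist `safe_attributes 'name', 'assigned_to_id'` deliberately omits `project_id`, so a request can no longer re-parent a category into another project, which is the point of #922. `assigned_to_id` is whitelisted for every user, though, and the validations visible here only cover `name` (uniqueness per project, length up to 30); consider validating that `assigned_to` is a member of the project, or restricting that attribute to users allowed to manage the project's categories, so that an arbitrary user id cannot be set as the default assignee.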