Commit aee7d731, authored Mar 06, 2012 by Jean-Philippe Lang; committed by Holger Just on Apr 04, 2012.
Prevent mass-assignment vulnerability when adding/updating a version (#922).
Parent: 1f108174
Showing 2 changed files with 14 additions and 3 deletions:
app/controllers/versions_controller.rb: +4 -3
app/models/version.rb: +10 -0
app/controllers/versions_controller.rb
@@ -56,7 +56,7 @@ class VersionsController < ApplicationController
if
params
[
:version
]
attributes
=
params
[
:version
].
dup
attributes
.
delete
(
'sharing'
)
unless
attributes
.
nil?
||
@version
.
allowed_sharings
.
include?
(
attributes
[
'sharing'
])
@version
.
attributes
=
attributes
@version
.
safe_
attributes
=
attributes
end
end
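Review bot: the `attributes.nil?` test on the `unless` line is dead code; this branch runs only when `params[:version]` is truthy, and `.dup` of a truthy value is never nil, so the condition can be reduced to `unless @version.allowed_sharings.include?(attributes['sharing'])`, matching the form used in the update action. The `'sharing'` pre-filter itself must stay: the model's `safe_attributes` list in the second file includes `'sharing'`, so `@version.safe_attributes = attributes` on its own would still accept a sharing value the current user is not allowed to set.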
@@ -66,7 +66,7 @@ class VersionsController < ApplicationController
if
params
[
:version
]
attributes
=
params
[
:version
].
dup
attributes
.
delete
(
'sharing'
)
unless
attributes
.
nil?
||
@version
.
allowed_sharings
.
include?
(
attributes
[
'sharing'
])
@version
.
attributes
=
attributes
@version
.
safe_
attributes
=
attributes
end
if
request
.
post?
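Review bot: this block (dup of `params[:version]`, `allowed_sharings` filter, `safe_attributes=`) is a verbatim copy of the one in the action above, and the update action below carries a third, slightly different variant. Extracting the filter-and-assign step into one private controller method would keep the three copies from drifting apart the next time the sharing check or the assignment changes.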
@@ -101,7 +101,8 @@ class VersionsController < ApplicationController
if
request
.
put?
&&
params
[
:version
]
attributes
=
params
[
:version
].
dup
attributes
.
delete
(
'sharing'
)
unless
@version
.
allowed_sharings
.
include?
(
attributes
[
'sharing'
])
if
@version
.
update_attributes
(
attributes
)
@version
.
safe_attributes
=
attributes
if
@version
.
save
flash
[
:notice
]
=
l
(
:notice_successful_update
)
redirect_to
:controller
=>
'projects'
,
:action
=>
'settings'
,
:tab
=>
'versions'
,
:id
=>
@project
else
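Review bot: no test accompanies the change in either of the two files touched, even though the commit message describes it as a mass-assignment vulnerability fix (#922). A functional test for `update` that submits a non-whitelisted attribute such as `project_id` (the version `belongs_to :project`, and `project_id` is absent from the new `safe_attributes` list) alongside permitted ones, then asserts the version's project is unchanged after `@version.save`, would pin the intended behaviour. Replacing `update_attributes(attributes)` with `safe_attributes = attributes` followed by `save` is otherwise equivalent for the success and `else` paths shown.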
app/models/version.rb
@@ -13,6 +13,7 @@
#++
class
Version
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
after_update
:update_issues_from_sharing_change
belongs_to
:project
has_many
:fixed_issues
,
:class_name
=>
'Issue'
,
:foreign_key
=>
'fixed_version_id'
,
:dependent
=>
:nullify
@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
named_scope
:visible
,
lambda
{
|*
args
|
{
:include
=>
:project
,
:conditions
=>
Project
.
allowed_to_condition
(
args
.
first
||
User
.
current
,
:view_issues
)
}
}
safe_attributes
'name'
,
'description'
,
'effective_date'
,
'due_date'
,
'wiki_page_title'
,
'status'
,
'sharing'
,
'custom_field_values'
# Returns true if +user+ or current user is allowed to view the version
def
visible?
(
user
=
User
.
current
)
user
.
allowed_to?
(
:view_issues
,
self
.
project
)
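Review bot: `'sharing'` is whitelisted here, so the whitelist alone does not enforce `allowed_sharings`; each controller action still has to strip disallowed values by hand before calling `safe_attributes=`. A model-level validation of `sharing` against `allowed_sharings` would centralize that check and make `safe_attributes=` safe to call without a controller-side filter. Both `'effective_date'` and `'due_date'` appear in the list; if one is an alias of the other, listing both is harmless but deserves a short comment so a reader does not assume two distinct columns exist.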