Skip to content

O
OHR Support
Commit aee7d731 authored by Jean-Philippe Lang's avatar Jean-Philippe Lang Committed by Holger Just
Browse files
Options

Prevent mass-assignment vulnerability when adding/updating a version (#922).

parent 1f108174
Hide whitespace changes
Inline Side-by-side
Showing with 14 additions and 3 deletions
app/controllers/versions_controller.rb
View file @ aee7d731
...@@ -56,7 +56,7 @@ class VersionsController < ApplicationController ...@@ -56,7 +56,7 @@ class VersionsController < ApplicationController
if params[:version] if params[:version]
attributes = params[:version].dup attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing']) attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes @version.safe_attributes = attributes
end end
end end
...@@ -66,7 +66,7 @@ class VersionsController < ApplicationController ...@@ -66,7 +66,7 @@ class VersionsController < ApplicationController
if params[:version] if params[:version]
attributes = params[:version].dup attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing']) attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes @version.safe_attributes = attributes
end end
if request.post? if request.post?
...@@ -101,7 +101,8 @@ class VersionsController < ApplicationController ...@@ -101,7 +101,8 @@ class VersionsController < ApplicationController
if request.put? && params[:version] if request.put? && params[:version]
attributes = params[:version].dup attributes = params[:version].dup
attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing']) attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])
if @version.update_attributes(attributes) @version.safe_attributes = attributes
if @version.save
flash[:notice] = l(:notice_successful_update) flash[:notice] = l(:notice_successful_update)
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
else else
......
app/models/version.rb
View file @ aee7d731
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#++ #++
class Version < ActiveRecord::Base class Version < ActiveRecord::Base
include Redmine::SafeAttributes
after_update :update_issues_from_sharing_change after_update :update_issues_from_sharing_change
belongs_to :project belongs_to :project
has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify
...@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base ...@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project, named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } } :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
safe_attributes 'name',
'description',
'effective_date',
'due_date',
'wiki_page_title',
'status',
'sharing',
'custom_field_values'
# Returns true if +user+ or current user is allowed to view the version # Returns true if +user+ or current user is allowed to view the version
def visible?(user=User.current) def visible?(user=User.current)
user.allowed_to?(:view_issues, self.project) user.allowed_to?(:view_issues, self.project)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment