Commit c651ba1a
authored Mar 06, 2012 by Jean-Philippe Lang, committed by Holger Just Apr 04, 2012

Prevent mass-assignment vulnerability when adding/updating a document (#922).

Conflicts: app/controllers/documents_controller.rb

parent ad996d78

Showing 2 changed files with 19 additions and 0 deletions
app/controllers/documents_controller.rb (+16 -0)
app/models/document.rb (+3 -0)
app/controllers/documents_controller.rb
@@ -43,12 +43,28 @@ class DocumentsController < ApplicationController
   end
 
   def new
+<<<<<<< HEAD
     @document = @project.documents.build(params[:document])
     if request.post? and @document.save
       attachments = Attachment.attach_files(@document, params[:attachments])
       render_attachment_warning_if_needed(@document)
       flash[:notice] = l(:notice_successful_create)
       redirect_to :action => 'index', :project_id => @project
+=======
+    @document = @project.documents.build
+    @document.safe_attributes = params[:document]
+    if request.post?
+      if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
+        @document.watcher_user_ids = params[:document]['watcher_user_ids']
+      end
+      if @document.save
+        attachments = Attachment.attach_files(@document, params[:attachments])
+        render_attachment_warning_if_needed(@document)
+        flash[:notice] = l(:notice_successful_create)
+        redirect_to :action => 'index', :project_id => @project
+      end
+>>>>>>> edaf457... Prevent mass-assignment vulnerability when adding/updating a document (#922).
     end
   end
 
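Review bot: This hunk commits unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> edaf457...`) inside `def new`, so app/controllers/documents_controller.rb will not parse and the controller cannot load at all; the "Conflicts:" line in the message records the conflict, but the file was never resolved. Resolve it by dropping the HEAD side, which still does `@document = @project.documents.build(params[:document])` (exactly the mass assignment this change is meant to remove), and keeping the `safe_attributes` side (`@document = @project.documents.build` followed by `@document.safe_attributes = params[:document]`). Two smaller points on the kept side: `params[:document]['watcher_user_ids']` raises `NoMethodError` on a POST that carries no `document` parameter, so guard it with `params[:document].present?` before indexing; and the message says "adding/updating" while only `new` changes in this diff, so confirm the update path was covered separately or is still assigning `params[:document]` directly.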
app/models/document.rb
@@ -13,6 +13,7 @@
 #++
 
 class Document < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :project
   belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
   acts_as_attachable :delete_permission => :manage_documents
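Review bot: `include Redmine::SafeAttributes` is what gives `Document` the `safe_attributes=` writer the controller now calls; without it `@document.safe_attributes = params[:document]` would raise `NoMethodError`, so this include must land together with the controller change, not in a separate commit.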
@@ -31,6 +32,8 @@ class Document < ActiveRecord::Base
   named_scope :visible, lambda {|*args| { :include => :project,
                                           :conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) }}
 
+  safe_attributes 'category_id', 'title', 'description'
+
   def visible?(user=User.current)
     !user.nil? && user.allowed_to?(:view_documents, project)
   end
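Review bot: The whitelist `safe_attributes 'category_id', 'title', 'description'` correctly leaves out `project_id` (fixed by `@project.documents.build` from the route) and `watcher_user_ids` (assigned in the controller only after the `:add_document_watchers` permission check); keep it that way, since adding either name here would reopen the hole the commit closes. `category_id` is still accepted as any integer, and the `belongs_to :category, :class_name => "DocumentCategory"` above does not check the referenced row's type, so a validation that the id belongs to a `DocumentCategory` would be a reasonable follow-up.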