Skip to content

O
OHR Support
Commit ee99b2de authored by Jean-Philippe Lang's avatar Jean-Philippe Lang Committed by Holger Just
Browse files
Options

Prevent mass-assignment vulnerability when adding/updating a news (#922).

parent 4c322d37
Hide whitespace changes
Inline Side-by-side
Showing with 11 additions and 9 deletions
app/controllers/news_controller.rb
View file @ ee99b2de
......@@ -59,14 +59,12 @@ class NewsController < ApplicationController
def create
@news = News.new(:project => @project, :author => User.current)
if request.post?
@news.attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
end
......@@ -74,7 +72,8 @@ class NewsController < ApplicationController
end
def update
if request.put? and @news.update_attributes(params[:news])
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'show', :id => @news
else
......
app/models/news.rb
View file @ ee99b2de
......@@ -13,6 +13,7 @@
#++
class News < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
has_many :comments, :as => :commented, :dependent => :delete_all, :order => "created_on"
......@@ -32,6 +33,8 @@ class News < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_news)
}}
safe_attributes 'title', 'summary', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_news, project)
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment