Skip to content
Projects
Groups
Snippets
Help
Loading...
Sign in
Toggle navigation
O
OHR Support
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
97
Issues
97
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Wiki
Wiki
image/svg+xml
Discourse
Discourse
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Projects
OHR Support
Commits
ee99b2de
Commit
ee99b2de
authored
Mar 06, 2012
by
Jean-Philippe Lang
Committed by
Holger Just
Apr 04, 2012
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Prevent mass-assignment vulnerability when adding/updating a news (#922).
parent
4c322d37
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
11 additions
and
9 deletions
+11
-9
news_controller.rb
app/controllers/news_controller.rb
+8
-9
news.rb
app/models/news.rb
+3
-0
No files found.
app/controllers/news_controller.rb
View file @
ee99b2de
...
@@ -59,14 +59,12 @@ class NewsController < ApplicationController
...
@@ -59,14 +59,12 @@ class NewsController < ApplicationController
def
create
def
create
@news
=
News
.
new
(
:project
=>
@project
,
:author
=>
User
.
current
)
@news
=
News
.
new
(
:project
=>
@project
,
:author
=>
User
.
current
)
if
request
.
post?
@news
.
safe_attributes
=
params
[
:news
]
@news
.
attributes
=
params
[
:news
]
if
@news
.
save
if
@news
.
save
flash
[
:notice
]
=
l
(
:notice_successful_create
)
flash
[
:notice
]
=
l
(
:notice_successful_create
)
redirect_to
:controller
=>
'news'
,
:action
=>
'index'
,
:project_id
=>
@project
redirect_to
:controller
=>
'news'
,
:action
=>
'index'
,
:project_id
=>
@project
else
else
render
:action
=>
'new'
render
:action
=>
'new'
end
end
end
end
end
...
@@ -74,7 +72,8 @@ class NewsController < ApplicationController
...
@@ -74,7 +72,8 @@ class NewsController < ApplicationController
end
end
def
update
def
update
if
request
.
put?
and
@news
.
update_attributes
(
params
[
:news
])
@news
.
safe_attributes
=
params
[
:news
]
if
@news
.
save
flash
[
:notice
]
=
l
(
:notice_successful_update
)
flash
[
:notice
]
=
l
(
:notice_successful_update
)
redirect_to
:action
=>
'show'
,
:id
=>
@news
redirect_to
:action
=>
'show'
,
:id
=>
@news
else
else
...
...
app/models/news.rb
View file @
ee99b2de
...
@@ -13,6 +13,7 @@
...
@@ -13,6 +13,7 @@
#++
#++
class
News
<
ActiveRecord
::
Base
class
News
<
ActiveRecord
::
Base
include
Redmine
::
SafeAttributes
belongs_to
:project
belongs_to
:project
belongs_to
:author
,
:class_name
=>
'User'
,
:foreign_key
=>
'author_id'
belongs_to
:author
,
:class_name
=>
'User'
,
:foreign_key
=>
'author_id'
has_many
:comments
,
:as
=>
:commented
,
:dependent
=>
:delete_all
,
:order
=>
"created_on"
has_many
:comments
,
:as
=>
:commented
,
:dependent
=>
:delete_all
,
:order
=>
"created_on"
...
@@ -32,6 +33,8 @@ class News < ActiveRecord::Base
...
@@ -32,6 +33,8 @@ class News < ActiveRecord::Base
:conditions
=>
Project
.
allowed_to_condition
(
args
.
first
||
User
.
current
,
:view_news
)
:conditions
=>
Project
.
allowed_to_condition
(
args
.
first
||
User
.
current
,
:view_news
)
}}
}}
safe_attributes
'title'
,
'summary'
,
'description'
def
visible?
(
user
=
User
.
current
)
def
visible?
(
user
=
User
.
current
)
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_news
,
project
)
!
user
.
nil?
&&
user
.
allowed_to?
(
:view_news
,
project
)
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
