Prevent mass-assignment vulnerability when adding a project member (#922).

f12b9fca · Jean-Philippe Lang · Holger Just · 296b3173 · f12b9fca
Commit f12b9fca authored Mar 06, 2012 by Jean-Philippe Lang Committed by Holger Just Apr 04, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 5 deletions

members_controller.rb app/controllers/members_controller.rb +7 -5

No files found.
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -21,17 +21,19 @@ class MembersController < ApplicationController
  def new
    members = []
-    if params[:member] && request.post?
+    if params[:member]
-      attrs = params[:member].dup
+      if params[:member][:user_ids]
-      if (user_ids = attrs.delete(:user_ids))
+        attrs = params[:member].dup
+        user_ids = attrs.delete(:user_ids)
        user_ids.each do |user_id|
-          members << Member.new(attrs.merge(:user_id => user_id))
+          members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
        end
      else
-        members << Member.new(attrs)
+        members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
      end
      @project.members << members
    end
    respond_to do |format|
      if members.present? && members.all? {|m| m.valid? }