OHR Support
Commit f12b9fca, authored Mar 06, 2012 by Jean-Philippe Lang, committed by Holger Just on Apr 04, 2012
Prevent mass-assignment vulnerability when adding a project member (#922).
parent 296b3173
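To make the vulnerability class behind this commit concrete, here is an added example that is not Redmine's code: a plain-Ruby stand-in for an ActiveRecord-style model (the `Member` class, its `ATTRIBUTES` list, `build_members_unsafe`, `build_members_safe` and `TAMPERED_PARAMS` are all hypothetical names for this illustration). The unsafe builder mirrors the pattern the patch removes (the whole `params[:member]` hash reaches `Member.new`), the safe builder mirrors the pattern it introduces (only `:role_ids` and `:user_id` are read from the request), and the constructed request carries a `project_id` the form never offered. The safe builder also goes one step beyond the patch by tolerating a scalar `user_ids` value via `Array()`.

```ruby
# Added example, not Redmine's code. A hypothetical stand-in for an
# ActiveRecord-style model: any key in the hash handed to `new` becomes an
# attribute, which is exactly what makes passing a request hash through
# wholesale a mass-assignment hole.
class Member
  # Hypothetical column list for the stand-in model.
  ATTRIBUTES = [:user_id, :project_id, :role_ids, :mail_notification].freeze
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    attrs.each do |k, v|
      key = k.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key)
      @attributes[key] = v
    end
  end
end

# Vulnerable pattern (the '-' side of the patch): everything the client sent
# under member[...] reaches the model, including columns the form never shows.
def build_members_unsafe(params)
  attrs = params[:member].dup
  if (user_ids = attrs.delete(:user_ids))
    user_ids.map { |uid| Member.new(attrs.merge(:user_id => uid)) }
  else
    [Member.new(attrs)]
  end
end

# Hardened pattern (the '+' side of the patch): only :role_ids and :user_id
# are read out of the request. Array() additionally accepts a scalar
# member[user_ids]=7 instead of raising NoMethodError on String#each.
def build_members_safe(params)
  member = params[:member]
  user_ids = member[:user_ids] ? Array(member[:user_ids]) : [member[:user_id]]
  user_ids.map { |uid| Member.new(:role_ids => member[:role_ids], :user_id => uid) }
end

# Constructed request (not captured from a real Redmine instance): a client
# adds project_id and mail_notification, neither of which the form offers.
TAMPERED_PARAMS = {
  :member => {
    :user_ids => ["7", "8"],
    :role_ids => ["3"],
    :project_id => "999",      # attacker-chosen foreign key
    :mail_notification => "1"
  }
}.freeze

if __FILE__ == $0
  puts "unsafe:"
  build_members_unsafe(TAMPERED_PARAMS).each { |m| p m.attributes }
  puts "safe:"
  build_members_safe(TAMPERED_PARAMS).each { |m| p m.attributes }
end
```

Run it directly to see that the unsafe builder produces members carrying `:project_id => "999"` while the safe builder produces members with only `:role_ids` and `:user_id` set.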
Showing 1 changed file with 7 additions and 5 deletions: app/controllers/members_controller.rb (+7 -5)
app/controllers/members_controller.rb
@@ -21,17 +21,19 @@ class MembersController < ApplicationController
def
new
members
=
[]
if
params
[
:member
]
&&
request
.
post?
if
params
[
:member
]
if
params
[
:member
][
:user_ids
]
attrs
=
params
[
:member
].
dup
if
(
user_ids
=
attrs
.
delete
(
:user_ids
)
)
user_ids
=
attrs
.
delete
(
:user_ids
)
user_ids
.
each
do
|
user_id
|
members
<<
Member
.
new
(
attrs
.
merge
(
:user_id
=>
user_id
)
)
members
<<
Member
.
new
(
:role_ids
=>
params
[
:member
][
:role_ids
],
:user_id
=>
user_id
)
end
else
members
<<
Member
.
new
(
attrs
)
members
<<
Member
.
new
(
:role_ids
=>
params
[
:member
][
:role_ids
],
:user_id
=>
params
[
:member
][
:user_id
]
)
end
@project
.
members
<<
members
end
respond_to
do
|
format
|
if
members
.
present?
&&
members
.
all?
{
|
m
|
m
.
valid?
}
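Review bot: Dropping `request.post?` from the guard (`if params[:member]` replacing `if params[:member] && request.post?`) means that, unless the route for `new` already restricts it to POST, a GET request carrying `member[...]` parameters now creates memberships, and Rails forgery protection does not cover GET; either keep `&& request.post?` here or confirm the route constraint in the same change. The whitelist itself is the right fix: `Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)` and its `:user_id => params[:member][:user_id]` counterpart only read the two attributes the form provides, so a client-supplied column such as `member[project_id]` no longer reaches the model the way `Member.new(attrs)` and `attrs.merge(:user_id => user_id)` allowed. Two smaller points: with `attrs` no longer passed to `Member.new`, `attrs = params[:member].dup` and `user_ids = attrs.delete(:user_ids)` only exist to read `user_ids`, so `user_ids = params[:member][:user_ids]` would state the intent directly; and `user_ids.each` still assumes an array, so a scalar `member[user_ids]=7` raises rather than being rejected cleanly (`Array(params[:member][:user_ids])` or an explicit check would handle it).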