kolan
/
Redmine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Set a white list of issue attributes that can be mass-assigned from controllers. 

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3308 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2010-01-12 20:17:20 +00:00
parent ff77fb6aa9
commit 0a05cc2a37
3 changed files with 35 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/issues_controller.rb
View File

@ -131,7 +131,7 @@ class IssuesController < ApplicationController
return return
end end
if params[:issue].is_a?(Hash) if params[:issue].is_a?(Hash)
@issue.attributes = params[:issue] @issue.safe_attributes = params[:issue]
@issue.watcher_user_ids = params[:issue]['watcher_user_ids'] if User.current.allowed_to?(:add_issue_watchers, @project) @issue.watcher_user_ids = params[:issue]['watcher_user_ids'] if User.current.allowed_to?(:add_issue_watchers, @project)
end end
@issue.author = User.current @issue.author = User.current
@ -181,7 +181,7 @@ class IssuesController < ApplicationController
attrs = params[:issue].dup attrs = params[:issue].dup
attrs.delete_if {|k,v| !UPDATABLE_ATTRS_ON_TRANSITION.include?(k) } unless @edit_allowed attrs.delete_if {|k,v| !UPDATABLE_ATTRS_ON_TRANSITION.include?(k) } unless @edit_allowed
attrs.delete(:status_id) unless @allowed_statuses.detect {|s| s.id.to_s == attrs[:status_id].to_s} attrs.delete(:status_id) unless @allowed_statuses.detect {|s| s.id.to_s == attrs[:status_id].to_s}
@issue.attributes = attrs @issue.safe_attributes = attrs
end end
if request.post? if request.post?

26
app/models/issue.rb
View File

@ -165,6 +165,32 @@ class Issue < ActiveRecord::Base
write_attribute :estimated_hours, (h.is_a?(String) ? h.to_hours : h) write_attribute :estimated_hours, (h.is_a?(String) ? h.to_hours : h)
end end
SAFE_ATTRIBUTES = %w(
tracker_id
status_id
category_id
assigned_to_id
priority_id
fixed_version_id
subject
description
start_date
due_date
done_ratio
estimated_hours
custom_field_values
) unless const_defined?(:SAFE_ATTRIBUTES)
# Safely sets attributes
# Should be called from controllers instead of #attributes=
# attr_accessible is too rough because we still want things like
# Issue.new(:project => foo) to work
# TODO: move workflow/permission checks from controllers to here
def safe_attributes=(attrs, user=User.current)
return if attrs.nil?
self.attributes = attrs.reject {|k,v| !SAFE_ATTRIBUTES.include?(k)}
end
def done_ratio def done_ratio
if Issue.use_status_for_done_ratio? && status && status.default_done_ratio? if Issue.use_status_for_done_ratio? && status && status.default_done_ratio?
status.default_done_ratio status.default_done_ratio

7
test/functional/issues_controller_test.rb
View File

@ -641,6 +641,13 @@ class IssuesControllerTest < ActionController::TestCase
:value => 'Value for field 2'} :value => 'Value for field 2'}
end end
def test_post_new_should_ignore_non_safe_attributes
@request.session[:user_id] = 2
assert_nothing_raised do
post :new, :project_id => 1, :issue => { :tracker => "A param can not be a Tracker" }
end
end
def test_copy_routing def test_copy_routing
assert_routing( assert_routing(
{:method => :get, :path => '/projects/world_domination/issues/567/copy'}, {:method => :get, :path => '/projects/world_domination/issues/567/copy'},