Prevent mass-assignment when adding/updating a forum message (#10390).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9133 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2012-03-06 19:46:59 +00:00
parent 2c6ad7525a
commit 286bda14f1
2 changed files with 13 additions and 11 deletions

View File

@ -50,13 +50,10 @@ class MessagesController < ApplicationController
# Create a new topic # Create a new topic
def new def new
@message = Message.new(params[:message]) @message = Message.new
@message.author = User.current @message.author = User.current
@message.board = @board @message.board = @board
if params[:message] && User.current.allowed_to?(:edit_messages, @project) @message.safe_attributes = params[:message]
@message.locked = params[:message]['locked']
@message.sticky = params[:message]['sticky']
end
if request.post? if request.post?
@message.save_attachments(params[:attachments]) @message.save_attachments(params[:attachments])
if @message.save if @message.save
@ -69,9 +66,10 @@ class MessagesController < ApplicationController
# Reply to a topic # Reply to a topic
def reply def reply
@reply = Message.new(params[:reply]) @reply = Message.new
@reply.author = User.current @reply.author = User.current
@reply.board = @board @reply.board = @board
@reply.safe_attributes = params[:reply]
@topic.children << @reply @topic.children << @reply
if !@reply.new_record? if !@reply.new_record?
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply}) call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
@ -84,11 +82,8 @@ class MessagesController < ApplicationController
# Edit a message # Edit a message
def edit def edit
(render_403; return false) unless @message.editable_by?(User.current) (render_403; return false) unless @message.editable_by?(User.current)
if params[:message] @message.safe_attributes = params[:message]
@message.locked = params[:message]['locked'] if request.post? && @message.save
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.update_attributes(params[:message])
attachments = Attachment.attach_files(@message, params[:attachments]) attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message) render_attachment_warning_if_needed(@message)
flash[:notice] = l(:notice_successful_update) flash[:notice] = l(:notice_successful_update)

View File

@ -16,6 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Message < ActiveRecord::Base class Message < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :board belongs_to :board
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id' belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC" acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
@ -48,6 +49,12 @@ class Message < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => {:board => :project}, named_scope :visible, lambda {|*args| { :include => {:board => :project},
:conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } } :conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
safe_attributes 'subject', 'content'
safe_attributes 'locked', 'sticky',
:if => lambda {|message, user|
user.allowed_to?(:edit_messages, message.project)
}
def visible?(user=User.current) def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_messages, project) !user.nil? && user.allowed_to?(:view_messages, project)
end end