Prevent mass-assignment when adding/updating a forum message (#10390).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9133 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
2c6ad7525a
commit
286bda14f1
|
@ -50,13 +50,10 @@ class MessagesController < ApplicationController
|
||||||
|
|
||||||
# Create a new topic
|
# Create a new topic
|
||||||
def new
|
def new
|
||||||
@message = Message.new(params[:message])
|
@message = Message.new
|
||||||
@message.author = User.current
|
@message.author = User.current
|
||||||
@message.board = @board
|
@message.board = @board
|
||||||
if params[:message] && User.current.allowed_to?(:edit_messages, @project)
|
@message.safe_attributes = params[:message]
|
||||||
@message.locked = params[:message]['locked']
|
|
||||||
@message.sticky = params[:message]['sticky']
|
|
||||||
end
|
|
||||||
if request.post?
|
if request.post?
|
||||||
@message.save_attachments(params[:attachments])
|
@message.save_attachments(params[:attachments])
|
||||||
if @message.save
|
if @message.save
|
||||||
|
@ -69,9 +66,10 @@ class MessagesController < ApplicationController
|
||||||
|
|
||||||
# Reply to a topic
|
# Reply to a topic
|
||||||
def reply
|
def reply
|
||||||
@reply = Message.new(params[:reply])
|
@reply = Message.new
|
||||||
@reply.author = User.current
|
@reply.author = User.current
|
||||||
@reply.board = @board
|
@reply.board = @board
|
||||||
|
@reply.safe_attributes = params[:reply]
|
||||||
@topic.children << @reply
|
@topic.children << @reply
|
||||||
if !@reply.new_record?
|
if !@reply.new_record?
|
||||||
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
|
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
|
||||||
|
@ -84,11 +82,8 @@ class MessagesController < ApplicationController
|
||||||
# Edit a message
|
# Edit a message
|
||||||
def edit
|
def edit
|
||||||
(render_403; return false) unless @message.editable_by?(User.current)
|
(render_403; return false) unless @message.editable_by?(User.current)
|
||||||
if params[:message]
|
@message.safe_attributes = params[:message]
|
||||||
@message.locked = params[:message]['locked']
|
if request.post? && @message.save
|
||||||
@message.sticky = params[:message]['sticky']
|
|
||||||
end
|
|
||||||
if request.post? && @message.update_attributes(params[:message])
|
|
||||||
attachments = Attachment.attach_files(@message, params[:attachments])
|
attachments = Attachment.attach_files(@message, params[:attachments])
|
||||||
render_attachment_warning_if_needed(@message)
|
render_attachment_warning_if_needed(@message)
|
||||||
flash[:notice] = l(:notice_successful_update)
|
flash[:notice] = l(:notice_successful_update)
|
||||||
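Review bot: In `new` and `reply` the `safe_attributes=` assignment only admits `locked`/`sticky` because the model's `:if` guard consults `message.project`, so `@message.board = @board` / `@reply.board = @board` must stay ahead of it; swapping those lines would run the permission check against a nil project and presumably discard the flags silently rather than raise. I would pin that ordering with a comment before each call: `# board must be set first: the safe_attributes :if lambda checks message.project`. In `edit`, `@message.safe_attributes = params[:message]` now runs on GET too, before `request.post?` is tested, so `?message[subject]=...` in the URL pre-fills the edit form with attacker-chosen text (not persisted, but previously subject/content were only assigned by `update_attributes` on POST); moving the assignment inside the `request.post?` branch keeps the GET path read-only. With the old `if params[:message]` guard gone, `safe_attributes=` also receives nil on a plain GET in `new` and `edit`, which relies on the helper tolerating a non-Hash argument — fine if it does, but that is not visible here. The body of `edit` continues past the end of the hunk.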
|
|
|
@ -16,6 +16,7 @@
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
|
||||||
class Message < ActiveRecord::Base
|
class Message < ActiveRecord::Base
|
||||||
|
include Redmine::SafeAttributes
|
||||||
belongs_to :board
|
belongs_to :board
|
||||||
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
|
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
|
||||||
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
|
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
|
||||||
|
@ -48,6 +49,12 @@ class Message < ActiveRecord::Base
|
||||||
named_scope :visible, lambda {|*args| { :include => {:board => :project},
|
named_scope :visible, lambda {|*args| { :include => {:board => :project},
|
||||||
:conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
|
:conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
|
||||||
|
|
||||||
|
safe_attributes 'subject', 'content'
|
||||||
|
safe_attributes 'locked', 'sticky',
|
||||||
|
:if => lambda {|message, user|
|
||||||
|
user.allowed_to?(:edit_messages, message.project)
|
||||||
|
}
|
||||||
|
|
||||||
def visible?(user=User.current)
|
def visible?(user=User.current)
|
||||||
!user.nil? && user.allowed_to?(:view_messages, project)
|
!user.nil? && user.allowed_to?(:view_messages, project)
|
||||||
end
|
end
|
||||||
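Review bot: The `:if` lambda on `'locked', 'sticky'` derives its permission context from `message.project` (presumably resolved through `board`), so it only behaves as intended when the board has already been assigned; with no board the check runs against a nil project and the two flags are presumably dropped silently, which callers would not notice. That precondition is not stated anywhere in the model, so I would add above the declaration: `# locked/sticky are accepted only if the user can edit_messages on message.project; assign board before safe_attributes= or they are dropped`. It is also worth a one-line comment that `board_id`, `parent_id` and `author_id` are deliberately absent from the safe list and must be set by the controller, since that omission is the whole point of the mass-assignment fix and a future maintainer may be tempted to add them.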
|
|