kolan
/
Redmine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent mass-assignment when adding a project member (#10390). 

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9132 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2012-03-06 19:39:37 +00:00
parent 460239d1f9
commit 2c6ad7525a
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/controllers/members_controller.rb
View File

@ -49,16 +49,18 @@ class MembersController < ApplicationController
def create def create
members = [] members = []
if params[:membership] && params[:membership][:user_ids] if params[:membership]
if params[:membership][:user_ids]
attrs = params[:membership].dup attrs = params[:membership].dup
user_ids = attrs.delete(:user_ids) user_ids = attrs.delete(:user_ids)
user_ids.each do |user_id| user_ids.each do |user_id|
members << Member.new(attrs.merge(:user_id => user_id)) members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
end end
else else
members << Member.new(params[:membership]) members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
end end
@project.members << members @project.members << members
end
respond_to do |format| respond_to do |format|
if members.present? && members.all? {|m| m.valid? } if members.present? && members.all? {|m| m.valid? }