Prevent mass-assignment when adding a project member (#10390).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9132 e93f8b46-1217-0410-a6f0-8f06a7374b81
Jean-Philippe Lang 2012-03-06 19:39:37 +00:00
parent 460239d1f9
commit 2c6ad7525a
1 changed files with 10 additions and 8 deletions


@ -49,16 +49,18 @@ class MembersController < ApplicationController
def create def create
members = [] members = []
if params[:membership] && params[:membership][:user_ids] if params[:membership]
attrs = params[:membership].dup if params[:membership][:user_ids]
user_ids = attrs.delete(:user_ids) attrs = params[:membership].dup
user_ids.each do |user_id| user_ids = attrs.delete(:user_ids)
members << Member.new(attrs.merge(:user_id => user_id)) user_ids.each do |user_id|
members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
end
else
members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
end end
else @project.members << members
members << Member.new(params[:membership])
end end
@project.members << members
respond_to do |format| respond_to do |format|
if members.present? && members.all? {|m| m.valid? } if members.present? && members.all? {|m| m.valid? }
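Review bot: The attribute whitelist is enforced only at the two `Member.new(:role_ids => ..., :user_id => ...)` calls in `create`, and the commit changes a single file, so no regression test on this page pins the fix. A functional test that posts an extra `membership` key and asserts it is ignored would keep the whitelist from being loosened later. Whether `Member` itself restricts assignable attributes is not visible here; if it does not, a model-level `attr_protected`/`attr_accessible` declaration would also cover any other call site that passes request parameters to `Member`. In the `user_ids` branch, `attrs` is now only a scratch copy for `delete(:user_ids)`, so `user_ids = params[:membership][:user_ids]` would say the same thing more directly. The body of `create` continues past the end of the hunk.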