From 585d08765e91fadbbe3abf268339331622746b85 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Tue, 19 Jun 2012 19:47:54 +0000
Subject: [PATCH] Safe attributes for repositories.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9876 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/repositories_controller.rb | 5 +++--
 app/models/repository.rb | 9 +++++++++
 app/models/repository/cvs.rb | 2 ++
 lib/redmine/safe_attributes.rb | 6 +++++-
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index f93bedead..b315a200a 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -47,7 +47,8 @@ class RepositoriesController < ApplicationController
 def create
 attrs = pickup_extra_info
- @repository = Repository.factory(params[:repository_scm], attrs[:attrs])
+ @repository = Repository.factory(params[:repository_scm])
+ @repository.safe_attributes = params[:repository]
 if attrs[:attrs_extra].keys.any?
 @repository.merge_extra_info(attrs[:attrs_extra])
 end
@@ -64,7 +65,7 @@ class RepositoriesController < ApplicationController
 def update
 attrs = pickup_extra_info
- @repository.attributes = attrs[:attrs]
+ @repository.safe_attributes = attrs[:attrs]
 if attrs[:attrs_extra].keys.any?
 @repository.merge_extra_info(attrs[:attrs_extra])
 end
diff --git a/app/models/repository.rb b/app/models/repository.rb
index 873c22313..8f2cd5c67 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -19,6 +19,7 @@ class ScmFetchError < Exception; end
 class Repository < ActiveRecord::Base
 include Redmine::Ciphering
+ include Redmine::SafeAttributes
 belongs_to :project
 has_many :changesets, :order => "#{Changeset.table_name}.committed_on DESC, #{Changeset.table_name}.id DESC"
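Review bot: `create` now hands the raw `params[:repository]` to `safe_attributes=` while `update` (next hunk) still passes `attrs[:attrs]` from `pickup_extra_info`, so the two actions filter different inputs and `attrs[:attrs]` is computed in `create` only to be ignored. Assuming `pickup_extra_info` (not shown) only separates out the extra-info keys, I would use the same source in both, e.g. `@repository.safe_attributes = attrs[:attrs]` in `create`. Separately, the new line dereferences the result of `Repository.factory(params[:repository_scm])` unconditionally; `factory` is not shown here, but if it can return nil for an unrecognised SCM name, a request with a bad `repository_scm` fails with NoMethodError instead of a validation error, so a nil guard before the assignment would be worth adding. Both method bodies continue outside their hunks.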
@@ -42,6 +43,14 @@ class Repository < ActiveRecord::Base
 # Checks if the SCM is enabled when creating a repository
 validate :repo_create_validation, :on => :create
+ safe_attributes 'identifier',
+ 'url',
+ 'login',
+ 'password',
+ 'path_encoding',
+ 'log_encoding',
+ 'is_default'
+
 def repo_create_validation
 unless Setting.enabled_scm.include?(self.class.name.demodulize)
 errors.add(:type, :invalid)
diff --git a/app/models/repository/cvs.rb b/app/models/repository/cvs.rb
index ebfceb6ab..f43a15620 100644
--- a/app/models/repository/cvs.rb
+++ b/app/models/repository/cvs.rb
@@ -21,6 +21,8 @@ require 'digest/sha1'
 class Repository::Cvs < Repository
 validates_presence_of :url, :root_url, :log_encoding
+ safe_attributes 'root_url'
+
 def self.human_attribute_name(attribute_key_name, *args)
 attr_name = attribute_key_name.to_s
 if attr_name == "root_url"
diff --git a/lib/redmine/safe_attributes.rb b/lib/redmine/safe_attributes.rb
index b8694a34d..75c2e43de 100644
--- a/lib/redmine/safe_attributes.rb
+++ b/lib/redmine/safe_attributes.rb
@@ -31,7 +31,11 @@ module Redmine
 def safe_attributes(*args)
 @safe_attributes ||= []
 if args.empty?
- @safe_attributes
+ if superclass.include?(Redmine::SafeAttributes)
+ @safe_attributes + superclass.safe_attributes
+ else
+ @safe_attributes
+ end
 else
 options = args.last.is_a?(Hash) ? args.pop : {}
 @safe_attributes << [args, options]
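Review bot: The whitelist added to `Repository` marks `'url'` (and `'root_url'` in the `Repository::Cvs` hunk that follows) as safe unconditionally, so the `update` action changed in this commit can repoint an existing repository at a different location, not only set it at creation. If the location is meant to be fixed once the repository exists, declare it separately with a condition, e.g. `safe_attributes 'url', :if => lambda {|repository, user| repository.new_record?}`, and keep the remaining names in the unconditional list. The same question applies to `'identifier'`. A one-line comment above the list saying which of these fields are expected to stay editable after creation would make the intent reviewable.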
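Review bot: The no-argument branch of `safe_attributes` in lib/redmine/safe_attributes.rb now merges the superclass's rules, but nothing documents that, and it returns a new array when the superclass includes `Redmine::SafeAttributes` while still returning the live `@safe_attributes` otherwise. I would add a comment above the method such as `# With no arguments, returns this class's rules followed by those inherited from superclasses; a subclass can add safe attributes but cannot withdraw an inherited one.` Returning `@safe_attributes.dup` in the plain branch would make both branches return a copy, so no caller can alter the class-level list through the return value. The method's closing lines are outside the hunk.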