Code cleanup.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8200 e93f8b46-1217-0410-a6f0-8f06a7374b81
Jean-Philippe Lang 2011-12-13 20:40:03 +00:00
parent 59c1141e08
commit 7d501eaf81
5 changed files with 30 additions and 8 deletions


@ -31,7 +31,7 @@
</div> </div>
<div class="splitcontentright"> <div class="splitcontentright">
<% if User.current.allowed_to?(:manage_subtasks, @project) %> <% if @issue.safe_attribute? 'parent_issue_id' %>
<p id="parent_issue"><%= f.text_field :parent_issue_id, :size => 10 %></p> <p id="parent_issue"><%= f.text_field :parent_issue_id, :size => 10 %></p>
<div id="parent_issue_candidates" class="autocomplete"></div> <div id="parent_issue_candidates" class="autocomplete"></div>
<%= javascript_tag "observeParentIssueField('#{auto_complete_issues_path(:id => @issue, :project_id => @project) }')" %> <%= javascript_tag "observeParentIssueField('#{auto_complete_issues_path(:id => @issue, :project_id => @project) }')" %>


@ -1,6 +1,6 @@
<%= call_hook(:view_issues_form_details_top, { :issue => @issue, :form => f }) %> <%= call_hook(:view_issues_form_details_top, { :issue => @issue, :form => f }) %>
<% if @issue.safe_attribute_names.include?('is_private') %> <% if @issue.safe_attribute? 'is_private' %>
<p style="float:right; margin-right:1em;"> <p style="float:right; margin-right:1em;">
<label class="inline" for="issue_is_private" id="issue_is_private_label"><%= f.check_box :is_private, :no_label => true %> <%= l(:field_is_private) %></label> <label class="inline" for="issue_is_private" id="issue_is_private_label"><%= f.check_box :is_private, :no_label => true %> <%= l(:field_is_private) %></label>
</p> </p>


@ -10,7 +10,7 @@
<p id="attachments_form"><%= label_tag('attachments[1][file]', l(:label_attachment_plural))%><%= render :partial => 'attachments/form' %></p> <p id="attachments_form"><%= label_tag('attachments[1][file]', l(:label_attachment_plural))%><%= render :partial => 'attachments/form' %></p>
<% if User.current.allowed_to?(:add_issue_watchers, @project) -%> <% if @issue.safe_attribute? 'watcher_user_ids' -%>
<p id="watchers_form"><label><%= l(:label_issue_watchers) %></label> <p id="watchers_form"><label><%= l(:label_issue_watchers) %></label>
<% @issue.project.users.sort.each do |user| -%> <% @issue.project.users.sort.each do |user| -%>
<label class="floating"><%= check_box_tag 'issue[watcher_user_ids][]', user.id, @issue.watched_by?(user) %> <%=h user %></label> <label class="floating"><%= check_box_tag 'issue[watcher_user_ids][]', user.id, @issue.watched_by?(user) %> <%=h user %></label>


@ -44,14 +44,22 @@ module Redmine
# Example: # Example:
# book.safe_attributes # => ['title', 'pages'] # book.safe_attributes # => ['title', 'pages']
# book.safe_attributes(book.author) # => ['title', 'pages', 'isbn'] # book.safe_attributes(book.author) # => ['title', 'pages', 'isbn']
def safe_attribute_names(user=User.current) def safe_attribute_names(user=nil)
return @safe_attribute_names if @safe_attribute_names && user.nil?
names = [] names = []
self.class.safe_attributes.collect do |attrs, options| self.class.safe_attributes.collect do |attrs, options|
if options[:if].nil? || options[:if].call(self, user) if options[:if].nil? || options[:if].call(self, user || User.current)
names += attrs.collect(&:to_s) names += attrs.collect(&:to_s)
end end
end end
names.uniq names.uniq!
@safe_attribute_names = names if user.nil?
names
end
# Returns true if attr can be set by user or the current user
def safe_attribute?(attr, user=nil)
safe_attribute_names(user).include?(attr.to_s)
end end
# Returns a hash with unsafe attributes removed # Returns a hash with unsafe attributes removed
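Review bot: The memoization added at `return @safe_attribute_names if @safe_attribute_names && user.nil?` caches a permission-dependent list on the instance with no invalidation, although the list is computed from `User.current` and from `self` (both handed to the `:if` procs) at the time of the first call. A later change of `User.current`, or of the receiver's state that the `:if` procs inspect, on the same object keeps returning the stale list; the new test has to build a fresh `Person` (the added `p = Person.new` lines) after switching `User.current`, which suggests the author ran into exactly this. Since the list decides which attributes may be mass-assigned and, after this commit, which form fields are rendered, I would either drop the cache or clear it whenever the attributes the `:if` procs depend on are written, and at minimum document it: `# Memoized only when no user is given; the cached list reflects User.current and the receiver's state at the first call and is never invalidated.` Separately, the `self.class.safe_attributes.collect do ... end` loop is used only for its side effect on `names`, so `each` reads better than `collect`, and the same cached array is returned to every caller, so a caller mutating it would corrupt the cache (`@safe_attribute_names = names.freeze if user.nil?` would make that visible).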


@ -42,16 +42,30 @@ class Redmine::SafeAttributesTest < ActiveSupport::TestCase
def test_safe_attribute_names def test_safe_attribute_names
p = Person.new p = Person.new
assert_equal ['firstname', 'lastname'], p.safe_attribute_names(User.anonymous) user = User.anonymous
assert_equal ['firstname', 'lastname', 'login'], p.safe_attribute_names(User.find(1)) assert_equal ['firstname', 'lastname'], p.safe_attribute_names(user)
assert p.safe_attribute?('firstname', user)
assert !p.safe_attribute?('login', user)
p = Person.new
user = User.find(1)
assert_equal ['firstname', 'lastname', 'login'], p.safe_attribute_names(user)
assert p.safe_attribute?('firstname', user)
assert p.safe_attribute?('login', user)
end end
def test_safe_attribute_names_without_user def test_safe_attribute_names_without_user
p = Person.new p = Person.new
User.current = nil User.current = nil
assert_equal ['firstname', 'lastname'], p.safe_attribute_names assert_equal ['firstname', 'lastname'], p.safe_attribute_names
assert p.safe_attribute?('firstname')
assert !p.safe_attribute?('login')
p = Person.new
User.current = User.find(1) User.current = User.find(1)
assert_equal ['firstname', 'lastname', 'login'], p.safe_attribute_names assert_equal ['firstname', 'lastname', 'login'], p.safe_attribute_names
assert p.safe_attribute?('firstname')
assert p.safe_attribute?('login')
end end
def test_set_safe_attributes def test_set_safe_attributes