diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb index 262088ed2..a33f49f66 100644 --- a/app/controllers/documents_controller.rb +++ b/app/controllers/documents_controller.rb @@ -47,11 +47,13 @@ class DocumentsController < ApplicationController end def new - @document = @project.documents.build(params[:document]) + @document = @project.documents.build + @document.safe_attributes = params[:document] end def create - @document = @project.documents.build(params[:document]) + @document = @project.documents.build + @document.safe_attributes = params[:document] @document.save_attachments(params[:attachments]) if @document.save render_attachment_warning_if_needed(@document) @@ -66,7 +68,8 @@ class DocumentsController < ApplicationController end def update - if request.put? and @document.update_attributes(params[:document]) + @document.safe_attributes = params[:document] + if request.put? and @document.save flash[:notice] = l(:notice_successful_update) redirect_to :action => 'show', :id => @document else diff --git a/app/models/document.rb b/app/models/document.rb index 0917f8449..d4a89ffd9 100644 --- a/app/models/document.rb +++ b/app/models/document.rb @@ -16,6 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class Document < ActiveRecord::Base + include Redmine::SafeAttributes belongs_to :project belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id" acts_as_attachable :delete_permission => :manage_documents @@ -32,6 +33,8 @@ class Document < ActiveRecord::Base named_scope :visible, lambda {|*args| { :include => :project, :conditions => Project.allowed_to_condition(args.shift || User.current, :view_documents, *args) } } + safe_attributes 'category_id', 'title', 'description' + def visible?(user=User.current) !user.nil? && user.allowed_to?(:view_documents, project) end